From 2e55fc8b2d42682cd1c26e9827b7b6f47fb51398 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Tue, 1 Dec 2020 10:57:07 +0100 Subject: openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken --- net/openvpn/files/openvpn.options | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'net/openvpn/files/openvpn.options') diff --git a/net/openvpn/files/openvpn.options b/net/openvpn/files/openvpn.options index 5d7a387cd..7c641f7d4 100644 --- a/net/openvpn/files/openvpn.options +++ b/net/openvpn/files/openvpn.options @@ -1,10 +1,12 @@ OPENVPN_PARAMS=' +allow_compression askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers +bind_dev ca capath cd @@ -21,6 +23,7 @@ connect_retry connect_retry_max connect_timeout crl_verify +data_ciphers_fallback dev dev_node dev_type @@ -51,7 +54,6 @@ iroute_ipv6 keepalive key key_direction -key_method keysize learn_address link_mtu @@ -69,7 +71,6 @@ mssfix mtu_disc mute nice -ns_cert_type ping ping_exit ping_restart @@ -116,6 +117,9 @@ syslog tcp_queue_limit tls_auth tls_crypt +tls_crypt_v2 +tls_crypt_v2_verify +tls_export_cert tls_timeout tls_verify tls_version_min @@ -129,6 +133,8 @@ user verb verify_client_cert verify_x509_name +vlan_accept +vlan_pvid x509_username_field ' @@ -137,6 +143,7 @@ allow_recursive_routing auth_nocache auth_user_pass_optional bind +block_ipv6 ccd_exclusive client client_to_client @@ -185,10 +192,13 @@ tls_server up_delay up_restart username_as_common_name +vlan_tagging ' OPENVPN_LIST=' +data_ciphers ncp_ciphers tls_cipher tls_ciphersuites +tls_groups ' -- cgit v1.2.3