mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-24 05:56:08 +03:00
Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme.
This commit is contained in:
parent
a65523eb1c
commit
f376ce912f
@ -10,6 +10,9 @@ This fork includes :
|
|||||||
- Better encryption (see below)
|
- Better encryption (see below)
|
||||||
- TLS 1.2 only
|
- TLS 1.2 only
|
||||||
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
|
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
|
||||||
|
- Run server in unprivileged mode, reducing risks to the system
|
||||||
|
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
|
||||||
|
- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
|
||||||
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
|
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
|
||||||
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
|
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
|
||||||
- Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
|
- Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
|
||||||
@ -30,12 +33,12 @@ Features :
|
|||||||
- 256 bits AES-GCM
|
- 256 bits AES-GCM
|
||||||
- SHA-384 RSA certificate
|
- SHA-384 RSA certificate
|
||||||
|
|
||||||
### Fast (lower encryption)
|
### Fast (lower encryption, supports openvpn connect [ios/android] clients)
|
||||||
Features :
|
Features :
|
||||||
- 2048 bits RSA private key
|
- 2048 bits RSA private key
|
||||||
- 2048 bits Diffie-Hellman key
|
- 2048 bits Diffie-Hellman key
|
||||||
- 128 bits AES-GCM
|
- 128 bits AES-CBC
|
||||||
- SHA-256 RSA certificate
|
- SHA-128 RSA certificate
|
||||||
|
|
||||||
## Compatibility
|
## Compatibility
|
||||||
|
|
||||||
|
@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
|
|||||||
if [[ "$VARIANT" = '1' ]]; then
|
if [[ "$VARIANT" = '1' ]]; then
|
||||||
# If the user selected the fast, less hardened version
|
# If the user selected the fast, less hardened version
|
||||||
# Or if the user selected a non-existant variant, we fallback to fast
|
# Or if the user selected a non-existant variant, we fallback to fast
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
|
# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
|
||||||
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
elif [[ "$VARIANT" = '2' ]]; then
|
||||||
# If the user selected the relatively slow, ultra hardened version
|
# If the user selected the relatively slow, ultra hardened version
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
|
||||||
@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt
|
|||||||
if [[ "$VARIANT" = '1' ]]; then
|
if [[ "$VARIANT" = '1' ]]; then
|
||||||
# If the user selected the fast, less hardened version
|
# If the user selected the fast, less hardened version
|
||||||
# Or if the user selected a non-existant variant, we fallback to fast
|
# Or if the user selected a non-existant variant, we fallback to fast
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
elif [[ "$VARIANT" = '2' ]]; then
|
||||||
# If the user selected the relatively slow, ultra hardened version
|
# If the user selected the relatively slow, ultra hardened version
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
|
||||||
|
Loading…
Reference in New Issue
Block a user