Support ncp-ciphers

Since OpenVPN 2.4, there are negotiable crypto parameters (NCP).
This means you can use a cipher suite, as with HTTPS. By default the suite is AES-256-GCM:AES-256-CBC, which means that since 2.4 came out, everyone using a 2.4 client + server has been using AES 256 GCM, regardless of the --cipher option. With this commit, the chosen cipher will be the only cipher in the NCP cipher list, thus fixing this issue.
angristan 2018-09-22 18:18:36 +02:00
parent a85c13e4ec
commit 62c89af954


@ -303,22 +303,22 @@ function installQuestions () {
done done
case $CIPHER_CHOICE in case $CIPHER_CHOICE in
1) 1)
CIPHER="cipher AES-128-GCM" CIPHER="AES-128-GCM"
;; ;;
2) 2)
CIPHER="cipher AES-192-GCM" CIPHER="AES-192-GCM"
;; ;;
3) 3)
CIPHER="cipher AES-256-GCM" CIPHER="AES-256-GCM"
;; ;;
4) 4)
CIPHER="cipher AES-128-CBC" CIPHER="AES-128-CBC"
;; ;;
5) 5)
CIPHER="cipher AES-192-CBC" CIPHER="AES-192-CBC"
;; ;;
6) 6)
CIPHER="cipher AES-256-CBC" CIPHER="AES-256-CBC"
;; ;;
esac esac
echo "" echo ""
@ -664,7 +664,8 @@ cert $SERVER_NAME.crt
key $SERVER_NAME.key key $SERVER_NAME.key
tls-auth tls-auth.key 0 tls-auth tls-auth.key 0
auth $HMAC_ALG auth $HMAC_ALG
$CIPHER cipher $CIPHER
ncp-ciphers $CIPHER
tls-server tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
@ -792,7 +793,7 @@ remote-cert-tls server
verify-x509-name $SERVER_NAME name verify-x509-name $SERVER_NAME name
auth $HMAC_ALG auth $HMAC_ALG
auth-nocache auth-nocache
$CIPHER cipher $CIPHER
tls-client tls-client
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
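Review bot: The client template (third hunk) gets `cipher $CIPHER` but not the `ncp-ciphers $CIPHER` line that the server template gains in the second hunk, so the cipher pin is enforced on the server side only. A 2.4 client keeps its default NCP list and, as far as I can tell, would still accept a different cipher from that list if a server pushed one; adding `ncp-ciphers $CIPHER` right after `cipher $CIPHER` in the client block would make both ends agree. Because `$CIPHER` no longer carries the `cipher ` keyword, any other use of the variable needs the same update. That cannot be checked here, since the rest of installQuestions and both config templates lie outside the visible hunks.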