From 868eea34770bd23f26b22b3ad4af59bd854c9f96 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 09:38:14 +0000
Subject: [PATCH] Support ios openvpn connect using CBC, SHA128 tls-cipher.
 Update readme.

---
 README.md          | 9 ++++++---
 openvpn-install.sh | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 9015da3..2929311 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,9 @@ This fork includes :
 - Better encryption (see below)
 - TLS 1.2 only
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
+- Run server in unprivileged mode, reducing risks to the system
+- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
+- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -30,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption)
+### Fast (lower encryption, supports openvpn connect [ios/android] clients)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-GCM
-- SHA-256 RSA certificate
+- 128 bits AES-CBC
+- SHA-128 RSA certificate
 
 ## Compatibility
 
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 78a61f5..4135fcf 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
+		# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
@@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt