openvpn: revise sample configuration

Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>

diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 1fd846f558f1b113089095982e7944cef12100a1..3de1881e35d89663e103e49c9b20b7f048175958 100644 (file)
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -77,10 +77,10 @@ config openvpn sample_server
 
        # Diffie hellman parameters.
        # Generate your own with:
-       #   openssl dhparam -out dh1024.pem 1024
+       #   openssl dhparam -out dh2048.pem 2048
        # Substitute 2048 for 1024 if you are using
-       # 2048 bit keys.
-       option dh /etc/openvpn/dh1024.pem
+       # 1024 bit keys.
+       option dh /etc/openvpn/dh2048.pem
 
        # Configure server mode and supply a VPN subnet
        # for OpenVPN to draw client addresses from.
@@ -228,10 +228,52 @@ config openvpn sample_server
        # This file is secret:
 #      option tls_auth "/etc/openvpn/ta.key 0"
 
+       # For additional privacy, a shared secret key
+       # can be used for both authentication (as in tls_auth)
+       # and encryption of the TLS control channel.
+       #
+       # Generate a shared secret with:
+       # openvpn --genkey --secret ta.key
+       #
+       # The server and each client must have
+       # a copy of this key.
+       #
+       # tls_auth and tls_crypt should NOT
+       # be combined, as tls_crypt implies tls_auth.
+       # Use EITHER tls_crypt, tls_auth, or neither option.
+#      option tls_crypt "/etc/openvpn/ta.key"
+
+       # Set the minimum required TLS protocol version
+       # for all connections.
+       #
+       # Require at least TLS 1.1
+#      option tls_version_min "1.1"
+       # Require at least TLS 1.2
+#      option tls_version_min "1.2"
+       # Require TLS 1.2, or the highest version supported
+       # on the system
+#      option tls_version_min "1.2 'or-highest'"
+
+       # OpenVPN versions 2.4 and later will attempt to
+       # automatically negotiate the most secure cipher
+       # between the client and server, regardless of a
+       # configured "option cipher" (see below).
+       # Automatic negotiation is recommended.
+       #
+       # Uncomment this option to disable this behavior,
+       # and force all OpenVPN peers to use the configured
+       # cipher option instead (not recommended).
+#      option ncp_disable
+
        # Select a cryptographic cipher.
        # This config item must be copied to
        # the client config file as well.
-       # Blowfish (default):
+       #
+       # To see all supported ciphers, run:
+       # openvpn --show-ciphers
+       #
+       # Blowfish (default for backwards compatibility,
+       # but not recommended due to weaknesses):
 #      option cipher BF-CBC
        # AES:
 #      option cipher AES-128-CBC
@@ -241,11 +283,16 @@ config openvpn sample_server
        # Enable compression on the VPN link.
        # If you enable it here, you must also
        # enable it in the client config file.
+       #
+       # Compression is not recommended, as compression and
+       # encryption in combination can weaken the security
+       # of the connection.
+       #
        # LZ4 requires OpenVPN 2.4+ client and server
 #      option compress lz4
        # LZO is compatible with most OpenVPN versions
        # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
-       option compress lzo
+#      option compress lzo
 
        # The maximum number of concurrently connected
        # clients we want to allow.
@@ -371,7 +418,7 @@ config openvpn sample_client
        option key /etc/openvpn/client.key
 
        # Verify server certificate by checking
-       # that the certicate has the nsCertType
+       # that the certicate has the key usage
        # field set to "server".  This is an
        # important precaution to protect against
        # a potential attack discussed here:
@@ -381,12 +428,27 @@ config openvpn sample_client
        # your server certificates with the nsCertType
        # field set to "server".  The build_key_server
        # script in the easy_rsa folder will do this.
-#      option ns_cert_type server
+#      option remote_cert_tls server
 
        # If a tls_auth key is used on the server
        # then every client must also have the key.
 #      option tls_auth "/etc/openvpn/ta.key 1"
 
+       # If a tls_crypt key is used on the server
+       # every client must also have the key.
+#      option tls_crypt "/etc/openvpn/ta.key"
+
+       # Set the minimum required TLS protocol version
+       # for all connections.
+       #
+       # Require at least TLS 1.1
+#      option tls_version_min "1.1"
+       # Require at least TLS 1.2
+#      option tls_version_min "1.2"
+       # Require TLS 1.2, or the highest version supported
+       # on the system
+#      option tls_version_min "1.2 'or-highest'"
+
        # Select a cryptographic cipher.
        # If the cipher option is used on the server
        # then you must also specify it here.
@@ -395,10 +457,15 @@ config openvpn sample_client
        # Enable compression on the VPN link.
        # Don't enable this unless it is also
        # enabled in the server config file.
+       #
+       # Compression is not recommended, as compression and
+       # encryption in combination can weaken the security
+       # of the connection.
+       #
        # LZ4 requires OpenVPN 2.4+ on server and client
 #      option compress lz4
        # LZO is compatible with most OpenVPN versions
-       option compress lzo
+#      option compress lzo
 
        # Set log file verbosity.
        option verb 3