thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Merge branch 'Friz-zy-master' 

Closes #429
Allen Riddell 9 years ago
parent
48f1086416 6cc6756ce1
commit
e4e7c7484c
2 changed files with 23 additions and 3 deletions
Split View Show Diff Stats
  1. 14
    1
      roles/vpn/templates/etc_openvpn_server.conf.j2
  2. 9
    2
      vars/defaults.yml

+ 14
- 1
roles/vpn/templates/etc_openvpn_server.conf.j2 View File 

@@ -188,6 +188,7 @@ ifconfig-pool-persist ipp.txt
188 188 
 # or bridge the TUN/TAP interface to the internet
189 189 
 # in order for this to work properly).
190 190 
 ;push "redirect-gateway def1 bypass-dhcp"
191 
+;push "dhcp-option DNS 8.8.8.8"
191 192 
 push "redirect-gateway def1"
192 193 
 push "dhcp-option DNS 10.8.0.1"
193 194 
 
@@ -298,9 +299,21 @@ status openvpn-status.log
298 299 
 # 4 is reasonable for general usage
299 300 
 # 5 and 6 can help to debug connection problems
300 301 
 # 9 is extremely verbose
301 
-verb 3
302 
+verb {{ openvpn_verb }}
302 303
303 304 
 # Silence repeating messages.  At most 20
304 305 
 # sequential messages of the same message
305 306 
 # category will be output to the log.
306 307 
 ;mute 20
308 
+
309 
+# Openvpn changes length of network packets
310 
+# in a way which depends on cipher and hash-sum
311 
+# algorithms. This can be used for fingerprinting.
312 
+# Mask your settings by using a lower mtu.
313 
+# Check your settings here: witch.valdikss.org.ru
314 
+tun-mtu {{ openvpn_mtu }}
315 
+
316 
+# Set TLS settings
317 
+# Only for openvpn 2.3.3 and >2.3.4
318 
+{{ openvpn_tls_version_min }}
319 
+{{ openvpn_tls_cipher }}

+ 9
- 2
vars/defaults.yml View File 

@@ -81,6 +81,8 @@ owncloud_db_database: owncloud
81 81 
 tarsnap_version: 1.0.35
82 82
83 83 
 # vpn
84 
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
85 
+# Check privacy: http://witch.valdikss.org.ru/
84 86 
 # openvpn_key_country: (required)
85 87 
 # openvpn_key_province: (required)
86 88 
 # openvpn_key_city: (required)
 
@@ -89,8 +91,8 @@ tarsnap_version: 1.0.35
89 91 
 openvpn_days_valid: "1825"
90 92 
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
91 93 
 openvpn_key_size: "2048"
92 
-openvpn_cipher: "BF-CBC"
93 
-openvpn_auth_digest: "SHA1"
94 
+openvpn_cipher: "AES-256-CBC"
95 
+openvpn_auth_digest: "SHA512"
94 96 
 openvpn_path: "/etc/openvpn"
95 97 
 openvpn_ca: "{{ openvpn_path }}/ca"
96 98 
 openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
 
@@ -98,6 +100,11 @@ openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
98 100 
 openvpn_server: "{{ domain }}"
99 101 
 openvpn_port: "1194"
100 102 
 openvpn_protocol: "udp"
103 
+openvpn_mtu: "1300"
104 
+openvpn_verb: "3" # "0" for anonymity
105 
+# uncomment for openvpn 2.3.3 and >2.3.4
106 
+openvpn_tls_version_min: "" # "tls-version-min 1.2"
107 
+openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
101 108 
 # openvpn_clients: (required)
102 109
103 110 
 # webmail

Write Preview
Loading…
Cancel
Save