|
@@ -81,6 +81,8 @@ owncloud_db_database: owncloud
|
81
|
81
|
tarsnap_version: 1.0.36.1
|
82
|
82
|
|
83
|
83
|
# vpn
|
|
84
|
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
|
|
85
|
+# Check privacy: http://witch.valdikss.org.ru/
|
84
|
86
|
# openvpn_key_country: (required)
|
85
|
87
|
# openvpn_key_province: (required)
|
86
|
88
|
# openvpn_key_city: (required)
|
|
@@ -89,8 +91,8 @@ tarsnap_version: 1.0.36.1
|
89
|
91
|
openvpn_days_valid: "1825"
|
90
|
92
|
openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
|
91
|
93
|
openvpn_key_size: "2048"
|
92
|
|
-openvpn_cipher: "BF-CBC"
|
93
|
|
-openvpn_auth_digest: "SHA1"
|
|
94
|
+openvpn_cipher: "AES-256-CBC"
|
|
95
|
+openvpn_auth_digest: "SHA512"
|
94
|
96
|
openvpn_path: "/etc/openvpn"
|
95
|
97
|
openvpn_ca: "{{ openvpn_path }}/ca"
|
96
|
98
|
openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
|
|
@@ -98,6 +100,11 @@ openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
|
98
|
100
|
openvpn_server: "{{ domain }}"
|
99
|
101
|
openvpn_port: "1194"
|
100
|
102
|
openvpn_protocol: "udp"
|
|
103
|
+openvpn_mtu: "1300"
|
|
104
|
+openvpn_verb: "3" # "0" for anonymity
|
|
105
|
+# uncomment for openvpn 2.3.3 and >2.3.4
|
|
106
|
+openvpn_tls_version_min: "" # "tls-version-min 1.2"
|
|
107
|
+openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
|
101
|
108
|
# openvpn_clients: (required)
|
102
|
109
|
|
103
|
110
|
# webmail
|
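Review bot: The two TLS hardening variables added in the last hunk, `openvpn_tls_version_min` and `openvpn_tls_cipher`, default to empty strings, so a deployment that does not override them presumably keeps OpenVPN's default control-channel TLS version and cipher suites (the template that consumes them is not shown here). The comment above them says "uncomment", but nothing is commented out: the directive text only appears in a trailing comment, so the instruction does not match what an operator has to do. I would reword it to `# on openvpn 2.3.3 and >2.3.4, set this to "tls-version-min 1.2"; empty keeps the OpenVPN default` and add a matching line for `openvpn_tls_cipher`. The trailing comment on `openvpn_verb` should also state the cost of the anonymity setting, for example `# "0" for anonymity (only fatal errors are logged)`, since that removes the connection records used for troubleshooting and incident review.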