
Merge branch 'Friz-zy-master'

Closes #429
Allen Riddell 9 years ago
parent
commit
e4e7c7484c
2 changed files with 23 additions and 3 deletions
  1. 14
    1
      roles/vpn/templates/etc_openvpn_server.conf.j2
  2. 9
    2
      vars/defaults.yml

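--- a/roles/vpn/templates/etc_openvpn_server.conf.j2
+++ b/roles/vpn/templates/etc_openvpn_server.conf.j2
@@ -188,6 +188,7 @@
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
 ;push "redirect-gateway def1 bypass-dhcp"
+;push "dhcp-option DNS 8.8.8.8"
 push "redirect-gateway def1"
 push "dhcp-option DNS 10.8.0.1"
 
@@ -298,9 +299,21 @@
 # 4 is reasonable for general usage
 # 5 and 6 can help to debug connection problems
 # 9 is extremely verbose
-verb 3
+verb {{ openvpn_verb }}
 
 # Silence repeating messages.  At most 20
 # sequential messages of the same message
 # category will be output to the log.
 ;mute 20
+
+# Openvpn changes length of network packets
+# in a way which depends on cipher and hash-sum
+# algorithms. This can be used for fingerprinting.
+# Mask your settings by using a lower mtu.
+# Check your settings here: witch.valdikss.org.ru
+tun-mtu {{ openvpn_mtu }}
+
+# Set TLS settings
+# Only for openvpn 2.3.3 and >2.3.4
+{{ openvpn_tls_version_min }}
+{{ openvpn_tls_cipher }}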
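Review bot: With the defaults this commit ships in vars/defaults.yml (`openvpn_tls_version_min: ""`, `openvpn_tls_cipher: ""`) the two template lines at new 318-319 render as blank lines, so the server applies no TLS version floor or cipher restriction until an operator sets both variables; the header comment should say so, e.g. `# Set TLS settings (no effect while openvpn_tls_version_min / openvpn_tls_cipher are empty)`. The comment `# Only for openvpn 2.3.3 and >2.3.4` at line 317 reads as if 2.3.4 is deliberately excluded; if the intent is "2.3.3 or later", spell that out, otherwise state why 2.3.4 is skipped. `tun-mtu {{ openvpn_mtu }}` at line 314 sets the tunnel MTU on the server side only; presumably a client config template elsewhere has to carry the same value — confirm, since a server/client MTU mismatch is a common source of the connection problems the surrounding `verb` comments talk about.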

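--- a/vars/defaults.yml
+++ b/vars/defaults.yml
@@ -81,6 +81,8 @@
 tarsnap_version: 1.0.35
 
 # vpn
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
+# Check privacy: http://witch.valdikss.org.ru/
 # openvpn_key_country: (required)
 # openvpn_key_province: (required)
 # openvpn_key_city: (required)
@@ -89,8 +91,8 @@
 openvpn_days_valid: "1825"
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
 openvpn_key_size: "2048"
-openvpn_cipher: "BF-CBC"
-openvpn_auth_digest: "SHA1"
+openvpn_cipher: "AES-256-CBC"
+openvpn_auth_digest: "SHA512"
 openvpn_path: "/etc/openvpn"
 openvpn_ca: "{{ openvpn_path }}/ca"
 openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
@@ -98,6 +100,11 @@
 openvpn_server: "{{ domain }}"
 openvpn_port: "1194"
 openvpn_protocol: "udp"
+openvpn_mtu: "1300"
+openvpn_verb: "3" # "0" for anonymity
+# uncomment for openvpn 2.3.3 and >2.3.4
+openvpn_tls_version_min: "" # "tls-version-min 1.2"
+openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
 # openvpn_clients: (required)
 
 # webmail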
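Review bot: Changing the `openvpn_cipher` and `openvpn_auth_digest` defaults at new lines 94-95 is the right direction, but it silently breaks any already-issued client configuration that still carries `BF-CBC`/`SHA1`, because OpenVPN of this era requires both ends to agree on cipher and auth; a comment above them, `# Changing these requires regenerating and redistributing client configs`, would warn operators (whether the client template embeds these values is not visible here — confirm). The comment `# uncomment for openvpn 2.3.3 and >2.3.4` at line 105 is misleading because nothing is commented out: the variables are set to empty strings and the intended directive sits in a trailing comment, so `# set to the quoted value to enable (openvpn 2.3.3 and >2.3.4 only)` describes what the operator actually has to do while keeping the author's version range. Line 104's `# "0" for anonymity` should also state the cost, e.g. `# "0" suppresses all but fatal errors, which also removes the connection log needed for troubleshooting or incident investigation`.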
