author | Micah Anderson <micah@riseup.net> | 2022-06-14 17:49:15 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2022-06-14 17:51:50 -0400 |
commit | e8fa914c52731dd284df23345c3c1e0e935e28ca (patch) | |
tree | 58df61688aea1d42214547ad2b3427125f7350fe | |
parent | 64ba42fe4376fe1be7f26a4e3b2a7452c5e91f57 (diff) |
openvpn: migrate deprecated 'cipher' and add fall-back to old cipher
-rw-r--r-- | config/roles/openvpn/templates/tcp.conf.j2 | 2 | ||||
-rw-r--r-- | config/roles/openvpn/templates/udp.conf.j2 | 2 | ||||
-rw-r--r-- | group_vars/all/openvpn_config.yml | 2 |
3 files changed, 4 insertions, 2 deletions
diff --git a/config/roles/openvpn/templates/tcp.conf.j2 b/config/roles/openvpn/templates/tcp.conf.j2
index 958c612..252f315 100644
--- a/config/roles/openvpn/templates/tcp.conf.j2
+++ b/config/roles/openvpn/templates/tcp.conf.j2
@@ -5,7 +5,7 @@ ca /etc/leap/ca/leap_ca_bundle.crt
 cert /etc/credentials/sspki/openvpn/cert.pem
 key /etc/credentials/sspki/openvpn/private.key
 dh /etc/leap/keys/dh.pem
-cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-CBC
 tls-version-min 1.2
 dev tun
 duplicate-cn
diff --git a/config/roles/openvpn/templates/udp.conf.j2 b/config/roles/openvpn/templates/udp.conf.j2
index 3da2231..640a450 100644
--- a/config/roles/openvpn/templates/udp.conf.j2
+++ b/config/roles/openvpn/templates/udp.conf.j2
@@ -5,7 +5,7 @@ ca /etc/leap/ca/leap_ca_bundle.crt
 cert /etc/credentials/sspki/openvpn/cert.pem
 key /etc/credentials/sspki/openvpn/private.key
 dh /etc/leap/keys/dh.pem
-cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-CBC
 tls-version-min 1.2
 dev tun
 duplicate-cn
diff --git a/group_vars/all/openvpn_config.yml b/group_vars/all/openvpn_config.yml
index fcc3bfe..9c04665 100644
--- a/group_vars/all/openvpn_config.yml
+++ b/group_vars/all/openvpn_config.yml
@@ -3,6 +3,7 @@ openvpn_config:
   'tls-version-min': '1.2'
   'auth': 'SHA512'
   'cipher': 'AES-256-GCM'
+  'data-ciphers': 'AES-256-GCM'
   'keepalive': '10 30'
   'tls-cipher': 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'
   'dev': 'tun'
@@ -12,6 +13,7 @@ openvpn_config:
   'persist-key': true
   'key-direction': '1'
   'verb': '3'
+  'float': ''
 # You can leave this rfc1918 ip block as it is
 openvpn_tcp_network: "10.41.0.0/21" |
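Review bot: The fallback in `data-ciphers AES-256-GCM:AES-128-CBC` is not the previously configured cipher — the removed line was `cipher AES-256-GCM` — so this hunk widens the negotiable set from AEAD-only to a CBC mode whose integrity then rests on the separate `auth` HMAC; udp.conf.j2 carries the identical change. `data-ciphers` is only consulted for clients that perform cipher negotiation, so if the goal is to keep older non-negotiating clients connecting, this list does not reach them and `data-ciphers-fallback` is the directive that would; with `cipher` removed and no fallback set, what such a client ends up with is decided by the server's OpenVPN version default rather than by this template. Either way the weaker entry deserves a comment beside it naming why it is there and when it goes, e.g. `# AES-128-CBC: legacy-client fallback only; drop once all clients are on GCM-capable versions`. The surrounding config continues outside the hunk on both sides.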
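Review bot: `'data-ciphers': 'AES-256-GCM'` is added while `'cipher': 'AES-256-GCM'` is kept directly above it, and this list differs from the `AES-256-GCM:AES-128-CBC` set the two server templates now negotiate; the variable is not consumed anywhere in the diff, but if this mapping is what a peer renders, the intersection with the server list is AES-256-GCM alone, so the CBC entry added to the templates would never be selected by such a peer. Retaining `cipher` here is also exactly what the j2 hunks remove as deprecated, so either drop it for consistency or say why it stays, e.g. `# 'cipher' is retained for peers without cipher negotiation; negotiating peers use 'data-ciphers'`. The `openvpn_config:` mapping starts before the hunk.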
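Review bot: `'float': ''` is added without any explanation, and the commit message covers only the cipher migration; `float` tells OpenVPN to keep a session with a peer whose source address or port changes (packets must still authenticate), so a one-line comment on why it is wanted here would help, e.g. `# float: allow an authenticated peer to change address/port (roaming clients)`. The value also mixes conventions with its neighbours — `'persist-key': true` expresses a bare flag as a boolean while this uses an empty string — so whichever form the template renders as a bare directive should be used for both. The mapping starts before the hunk, and its old side is declared as six lines while only five are visible, so a blank line was likely lost in rendering.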