summaryrefslogtreecommitdiff
path: root/main/openvpn/sample/sample-config-files
diff options
context:
space:
mode:
Diffstat (limited to 'main/openvpn/sample/sample-config-files')
-rw-r--r--main/openvpn/sample/sample-config-files/client.conf17
-rw-r--r--main/openvpn/sample/sample-config-files/loopback-client2
-rw-r--r--main/openvpn/sample/sample-config-files/loopback-server3
-rw-r--r--main/openvpn/sample/sample-config-files/server.conf6
-rw-r--r--main/openvpn/sample/sample-config-files/tls-office.conf2
5 files changed, 14 insertions, 16 deletions
diff --git a/main/openvpn/sample/sample-config-files/client.conf b/main/openvpn/sample/sample-config-files/client.conf
index 58b2038b..050ef600 100644
--- a/main/openvpn/sample/sample-config-files/client.conf
+++ b/main/openvpn/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
cert client.crt
key client.key
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server". This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server". The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
diff --git a/main/openvpn/sample/sample-config-files/loopback-client b/main/openvpn/sample/sample-config-files/loopback-client
index d7f59e69..ebbd1cf4 100644
--- a/main/openvpn/sample/sample-config-files/loopback-client
+++ b/main/openvpn/sample/sample-config-files/loopback-client
@@ -17,9 +17,9 @@ dev null
verb 3
reneg-sec 10
tls-client
+remote-cert-tls server
ca sample-keys/ca.crt
key sample-keys/client.key
cert sample-keys/client.crt
-cipher DES-EDE3-CBC
ping 1
inactive 120 10000000
diff --git a/main/openvpn/sample/sample-config-files/loopback-server b/main/openvpn/sample/sample-config-files/loopback-server
index 9d21bcec..8cb97be0 100644
--- a/main/openvpn/sample/sample-config-files/loopback-server
+++ b/main/openvpn/sample/sample-config-files/loopback-server
@@ -17,10 +17,9 @@ dev null
verb 3
reneg-sec 10
tls-server
-dh sample-keys/dh1024.pem
+dh sample-keys/dh2048.pem
ca sample-keys/ca.crt
key sample-keys/server.key
cert sample-keys/server.crt
-cipher DES-EDE3-CBC
ping 1
inactive 120 10000000
diff --git a/main/openvpn/sample/sample-config-files/server.conf b/main/openvpn/sample/sample-config-files/server.conf
index 467d5b8a..701be3cc 100644
--- a/main/openvpn/sample/sample-config-files/server.conf
+++ b/main/openvpn/sample/sample-config-files/server.conf
@@ -81,10 +81,8 @@ key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
-# openssl dhparam -out dh1024.pem 1024
-# Substitute 2048 for 1024 if you are using
-# 2048 bit keys.
-dh dh1024.pem
+# openssl dhparam -out dh2048.pem 2048
+dh dh2048.pem
# Network topology
# Should be subnet (addressing via IP)
diff --git a/main/openvpn/sample/sample-config-files/tls-office.conf b/main/openvpn/sample/sample-config-files/tls-office.conf
index f790f469..d1961444 100644
--- a/main/openvpn/sample/sample-config-files/tls-office.conf
+++ b/main/openvpn/sample/sample-config-files/tls-office.conf
@@ -26,7 +26,7 @@ up ./office.up
tls-server
# Diffie-Hellman Parameters (tls-server only)
-dh dh1024.pem
+dh dh2048.pem
# Certificate Authority file
ca my-ca.crt