From 48a9d99a218c6d83e3337c56b6cc7592e7ad12ae Mon Sep 17 00:00:00 2001
From: Magnus Kroken <mkroken@gmail.com>
Date: Mon, 27 Jul 2020 20:34:49 +0200
Subject: [PATCH] openvpn: revise sample configuration

Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
---
 .../services/openvpn/files/openvpn.config     | 83 +++++++++++++++++--
 1 file changed, 75 insertions(+), 8 deletions(-)

diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 1fd846f558..3de1881e35 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -77,10 +77,10 @@ config openvpn sample_server
 
 	# Diffie hellman parameters.
 	# Generate your own with:
-	#   openssl dhparam -out dh1024.pem 1024
+	#   openssl dhparam -out dh2048.pem 2048
 	# Substitute 2048 for 1024 if you are using
-	# 2048 bit keys.
-	option dh /etc/openvpn/dh1024.pem
+	# 1024 bit keys.
+	option dh /etc/openvpn/dh2048.pem
 
 	# Configure server mode and supply a VPN subnet
 	# for OpenVPN to draw client addresses from.
@@ -228,10 +228,52 @@ config openvpn sample_server
 	# This file is secret:
 #	option tls_auth "/etc/openvpn/ta.key 0"
 
+	# For additional privacy, a shared secret key
+	# can be used for both authentication (as in tls_auth)
+	# and encryption of the TLS control channel.
+	#
+	# Generate a shared secret with:
+	# openvpn --genkey --secret ta.key
+	#
+	# The server and each client must have
+	# a copy of this key.
+	#
+	# tls_auth and tls_crypt should NOT
+	# be combined, as tls_crypt implies tls_auth.
+	# Use EITHER tls_crypt, tls_auth, or neither option.
+#	option tls_crypt "/etc/openvpn/ta.key"
+
+	# Set the minimum required TLS protocol version
+	# for all connections.
+	#
+	# Require at least TLS 1.1
+#	option tls_version_min "1.1"
+	# Require at least TLS 1.2
+#	option tls_version_min "1.2"
+	# Require TLS 1.2, or the highest version supported
+	# on the system
+#	option tls_version_min "1.2 'or-highest'"
+
+	# OpenVPN versions 2.4 and later will attempt to
+	# automatically negotiate the most secure cipher
+	# between the client and server, regardless of a
+	# configured "option cipher" (see below).
+	# Automatic negotiation is recommended.
+	#
+	# Uncomment this option to disable this behavior,
+	# and force all OpenVPN peers to use the configured
+	# cipher option instead (not recommended).
+#	option ncp_disable
+
 	# Select a cryptographic cipher.
 	# This config item must be copied to
 	# the client config file as well.
-	# Blowfish (default):
+	#
+	# To see all supported ciphers, run:
+	# openvpn --show-ciphers
+	#
+	# Blowfish (default for backwards compatibility,
+	# but not recommended due to weaknesses):
 #	option cipher BF-CBC
 	# AES:
 #	option cipher AES-128-CBC
@@ -241,11 +283,16 @@ config openvpn sample_server
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
+	#
+	# Compression is not recommended, as compression and
+	# encryption in combination can weaken the security
+	# of the connection.
+	#
 	# LZ4 requires OpenVPN 2.4+ client and server
 #	option compress lz4
 	# LZO is compatible with most OpenVPN versions
 	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
-	option compress lzo
+#	option compress lzo
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
@@ -371,7 +418,7 @@ config openvpn sample_client
 	option key /etc/openvpn/client.key
 
 	# Verify server certificate by checking
-	# that the certicate has the nsCertType
+	# that the certicate has the key usage
 	# field set to "server".  This is an
 	# important precaution to protect against
 	# a potential attack discussed here:
@@ -381,12 +428,27 @@ config openvpn sample_client
 	# your server certificates with the nsCertType
 	# field set to "server".  The build_key_server
 	# script in the easy_rsa folder will do this.
-#	option ns_cert_type server
+#	option remote_cert_tls server
 
 	# If a tls_auth key is used on the server
 	# then every client must also have the key.
 #	option tls_auth "/etc/openvpn/ta.key 1"
 
+	# If a tls_crypt key is used on the server
+	# every client must also have the key.
+#	option tls_crypt "/etc/openvpn/ta.key"
+
+	# Set the minimum required TLS protocol version
+	# for all connections.
+	#
+	# Require at least TLS 1.1
+#	option tls_version_min "1.1"
+	# Require at least TLS 1.2
+#	option tls_version_min "1.2"
+	# Require TLS 1.2, or the highest version supported
+	# on the system
+#	option tls_version_min "1.2 'or-highest'"
+
 	# Select a cryptographic cipher.
 	# If the cipher option is used on the server
 	# then you must also specify it here.
@@ -395,10 +457,15 @@ config openvpn sample_client
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also
 	# enabled in the server config file.
+	#
+	# Compression is not recommended, as compression and
+	# encryption in combination can weaken the security
+	# of the connection.
+	#
 	# LZ4 requires OpenVPN 2.4+ on server and client
 #	option compress lz4
 	# LZO is compatible with most OpenVPN versions
-	option compress lzo
+#	option compress lzo
 
 	# Set log file verbosity.
 	option verb 3