From 0f117352c7f52b741c1e320046e72dd40e4f174e Mon Sep 17 00:00:00 2001
From: angristan
Date: Mon, 24 Sep 2018 14:33:08 +0200
Subject: [PATCH] Remove hardcoded ciphers from Fedora systemd service
---
 openvpn-install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index dd83dd6..99f8bad 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -799,10 +799,16 @@ verb 3" >> /etc/openvpn/server.conf
 if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
 # Don't modify package-provided service
 cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
+
 # Workaround to fix OpenVPN service on OpenVZ
 sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
 # Another workaround to keep using /etc/openvpn/
 sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
+ # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
+ if [[ "$OS" == "fedora" ]];then
+ sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
+ fi
+
 systemctl daemon-reload
 systemctl restart openvpn-server@server
 systemctl enable openvpn-server@server
@@ -814,10 +820,12 @@ verb 3" >> /etc/openvpn/server.conf
 else
 # Don't modify package-provided service
 cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
+
 # Workaround to fix OpenVPN service on OpenVZ
 sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
 # Another workaround to keep using /etc/openvpn/
 sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
+
 systemctl daemon-reload
 systemctl restart openvpn@server
 systemctl enable openvpn@server
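Review bot: The `sed` added in the Fedora branch of the first hunk matches one exact cipher string, so if the packaged unit ever ships a different list the substitution silently does nothing and the copied unit keeps its own `--cipher`/`--ncp-ciphers` flags, including the CBC and `BF-CBC` fallbacks this commit means to stop inheriting. Matching the options rather than their current values would survive a package update: `sed -i -E 's/ --(cipher|ncp-ciphers) [^ ]+//g' /etc/systemd/system/openvpn-server@.service`. It is also worth failing loudly when the flags are still present afterwards, e.g. `grep -qE -- '--(cipher|ncp-ciphers) ' /etc/systemd/system/openvpn-server@.service && echo "cipher flags still set in unit file" >&2`, since `sed -i` returns success whether or not anything was replaced. The enclosing `if`/`else` starts and closes outside these hunks, so how `$OS` is set and whether the script runs under `set -e` cannot be checked from here.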