From bbdabedbec5472404601568ccf94251df8d50a8c Mon Sep 17 00:00:00 2001 From: angristan Date: Sat, 22 Sep 2018 17:51:38 +0200 Subject: [PATCH] Add --auth choice (HMAC digest algorithm) --- openvpn-install.sh | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 25c4592..a33e90d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -288,6 +288,7 @@ function installOpenVPN () { CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" DH_TYPE="1" DH_CURVE="secp256r1" + HMAC_ALG="SHA256" else echo "" echo "Choose which cipher you want to use for the data channel:" @@ -456,6 +457,31 @@ function installOpenVPN () { esac ;; esac + echo "" + # The "auth" options behaves differently with AEAD ciphers + if [[ "$CIPHER" =~ CBC$ ]]; then + echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel." + elif [[ "$CIPHER" =~ GCM$ ]]; then + echo "The digest algorithm authenticates tls-auth packets from the control channel." + fi + echo "Which digest algorithm do you want to use for HMAC?" + echo " 1) SHA-256 (recommended)" + echo " 2) SHA-384" + echo " 3) SHA-512" + until [[ $HMAC_ALG_CHOICE =~ ^[1-3]$ ]]; do + read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE + done + case $HMAC_ALG_CHOICE in + 1) + HMAC_ALG="SHA256" + ;; + 2) + HMAC_ALG="SHA384" + ;; + 3) + HMAC_ALG="SHA512" + ;; + esac fi echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now." @@ -632,7 +658,7 @@ ca ca.crt cert $SERVER_NAME.crt key $SERVER_NAME.key tls-auth tls-auth.key 0 -auth SHA256 +auth $HMAC_ALG $CIPHER tls-server tls-version-min 1.2 @@ -759,7 +785,7 @@ persist-key persist-tun remote-cert-tls server verify-x509-name $SERVER_NAME name -auth SHA256 +auth $HMAC_ALG auth-nocache $CIPHER tls-client