From patchwork Mon Mar 4 13:01:48 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3629
From: "flichtenheld (Code Review)"
X-Gerrit-PatchSet: 1
Date: Mon, 4 Mar 2024 13:01:48 +0000
To: plaisthos
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
X-Gerrit-Change-Number: 532
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 685ffac0423207fe35dbd44a106a80394777b196
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Cc: openvpn-devel

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/532?usp=email

to review the following change.

Change subject: samples: Update sample configurations
......................................................................

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-cipher with sane defaults.
- Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.

Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 21 insertions(+), 43 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/1

diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page.
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 15cb1b3..1c20e1b 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ############################################## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # @@ -105,20 +105,7 @@ # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index d9345b6..927c465 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ ################################################# -# Sample OpenVPN 2.0 config file for # +# Sample OpenVPN 2.6 config file for # # multi-client server. # # # # This file is for the server side # 
@@ -47,15 +47,15 @@ # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint option. +# See openvpn-examples man page for a +# configuration example. ca ca.crt cert server.crt key server.key # This file should be kept secret @@ -89,7 +97,7 @@ # unless Windows clients v2.0.9 and lower have to # be supported (then net30, i.e. a /30 per client) # Defaults to net30 (not recommended) -;topology subnet +topology subnet # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. 
@@ -218,7 +226,7 @@ # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. +# UNCOMMENT THIS LINE. ;duplicate-cn # The keepalive directive causes ping-like @@ -241,26 +249,7 @@ # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. -tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the ncp-cipher option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link and push the -# option to the client (v2.4+ only, for earlier -# versions see below) -;compress lz4-v2 -;push "compress lz4-v2" - -# For compression compatible with older clients use comp-lzo -# If you enable it here, you must also -# enable it in the client config file. -;comp-lzo +;tls-auth ta.key 0 # This file is secret # The maximum number of concurrently connected # clients we want to allow.
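Review bot: in the README hunk, the unchanged context line `which is located at: http://openvpn.net/howto.html` still points at a plain http:// URL; since the file is being touched anyway, consider switching it to https:// so readers fetch the HOWTO over TLS.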
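Review bot: in the client.conf hunk at `@@ -105,20 +105,7 @@`, replacing `tls-auth ta.key 1` with `;tls-auth ta.key 1` disables tls-auth by default in the client sample, but the commit message only lists the compression and cipher removals; either add a bullet for this change or keep `tls-auth ta.key 1` active, since commenting it out drops the extra HMAC check on control-channel packets that the sample previously enabled. The comment kept just above ("If a tls-auth key is used on the server then every client must also have the key.") still reads as if the directive were in use.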
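Review bot: in the server.conf hunk at `@@ -75,6 +76,13 @@`, the new comment recommends self-signed certificates with the peer-fingerprint option but sits directly above the unchanged `ca ca.crt` line; one sentence saying which of `ca`, `cert` and `key` still apply in that mode would stop readers from combining both approaches in one config.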
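Review bot: in the server.conf hunk at `@@ -89,7 +97,7 @@`, turning `;topology subnet` into `topology subnet` changes the default behaviour of the sample server config (the comment above notes the built-in default is net30), yet the commit message does not mention it; add a bullet for it so the change is visible in the history.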
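Review bot: in the server.conf hunk at `@@ -241,26 +249,7 @@`, `;tls-auth ta.key 0 # This file is secret` keeps the server sample consistent with the client change, but the retained comment ("The second parameter should be '0' on the server and '1' on the clients.") now describes a directive that is disabled by default; if disabling it is intended, say so in the comment and the commit message, otherwise keep `tls-auth ta.key 0` enabled.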