My One Backward Compatible Client Config For Multiple OS's and Ciphers
Posted: Mon Jul 17, 2017 3:16 am
Hi,
With the latest versions of OpenVPN introducing so many great new features I wanted to put together a single client config that is backwards compatible with some of the older embedded versions (2.3.x) works for Windows, Linux, MacOS, iOS and Android via TCP or UDP and supports multiple ciphers. Here is what I put together. It works really well in my testing but I wanted to get some feedback into potential security issues (besides user/pass)
With the latest versions of OpenVPN introducing so many great new features I wanted to put together a single client config that is backwards compatible with some of the older embedded versions (2.3.x) works for Windows, Linux, MacOS, iOS and Android via TCP or UDP and supports multiple ciphers. Here is what I put together. It works really well in my testing but I wanted to get some feedback into potential security issues (besides user/pass)
Universal Client Conf
remote <FQDN> 443 udp
;Ciphers Supported AES-256-GCM:AES-256-CBC:AES-128-GCM
cipher AES-128-CBC
;Delete ncp-ciphers and replace AES-128-CBC with your desired cipher
setenv ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
;Android Requirement
setenv CLIENT_CERT 0
;MacOS Up/Down Script Requirement
setenv script-security 2
verify-x509-name california name
dev tun
resolv-retry 20
route-delay 2
comp-lzo no
setenv route-method exe
;UDP Flag
setenv explicit-exit-notify 5
;Clear Windows DNS Cache
setenv register-dns
ignore-unknown-option script-security 2 CLIENT_CERT 0 route-method exe register-dns explicit-exit-notify 5 ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
remote-cert-tls server
nobind
auth-user-pass
verb 4
#No tls-crypt yet...
tls-auth [inline] 1
;Ciphers Supported AES-256-GCM:AES-256-CBC:AES-128-GCM
cipher AES-128-CBC
;Delete ncp-ciphers and replace AES-128-CBC with your desired cipher
setenv ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
;Android Requirement
setenv CLIENT_CERT 0
;MacOS Up/Down Script Requirement
setenv script-security 2
verify-x509-name california name
dev tun
resolv-retry 20
route-delay 2
comp-lzo no
setenv route-method exe
;UDP Flag
setenv explicit-exit-notify 5
;Clear Windows DNS Cache
setenv register-dns
ignore-unknown-option script-security 2 CLIENT_CERT 0 route-method exe register-dns explicit-exit-notify 5 ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
remote-cert-tls server
nobind
auth-user-pass
verb 4
#No tls-crypt yet...
tls-auth [inline] 1