Add support for debian 12.
This commit is contained in:
@@ -223,10 +223,12 @@ else
|
||||
fi
|
||||
|
||||
|
||||
[[ "${SERVER_CIPHER,,}" = "none" ]] && SERVER_CIPHER="BF-CBC"
|
||||
[[ "${SERVER_CIPHER,,}" = "" ]] && SERVER_CIPHER="BF-CBC"
|
||||
[[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!"
|
||||
[[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!"
|
||||
|
||||
|
||||
if [[ -z "$LZO_COMPRESSION" ]]; then
|
||||
LZO_COMPRESSION=true
|
||||
LZO_COMPRESSION=false
|
||||
elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then
|
||||
LZO_COMPRESSION=true
|
||||
elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then
|
||||
@@ -239,6 +241,7 @@ elif $LZO_COMPRESSION ; then
|
||||
LZO_COMPRESSION=true
|
||||
fi
|
||||
|
||||
|
||||
EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"
|
||||
|
||||
if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then
|
||||
@@ -431,9 +434,17 @@ client
|
||||
;dev tap
|
||||
dev tun
|
||||
|
||||
# Windows needs the TAP-Win32 adapter name
|
||||
# from the Network Connections panel
|
||||
# if you have more than one. On XP SP2,
|
||||
# you may need to disable the firewall
|
||||
# for the TAP adapter.
|
||||
;dev-node MyTap
|
||||
|
||||
# Are we connecting to a TCP or
|
||||
# UDP server? Use the same setting as
|
||||
# on the server
|
||||
;proto tcp
|
||||
proto udp
|
||||
|
||||
# The hostname/IP and port of the server.
|
||||
@@ -443,6 +454,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4
|
||||
|
||||
topology subnet
|
||||
|
||||
# Choose a random host from the remote
|
||||
# list for load-balancing. Otherwise
|
||||
# try hosts in the order specified.
|
||||
;remote-random
|
||||
|
||||
# Keep trying indefinitely to resolve the
|
||||
# host name of the OpenVPN server. Very useful
|
||||
# on machines which are not permanently connected
|
||||
@@ -453,10 +469,39 @@ resolv-retry infinite
|
||||
# a specific local port number.
|
||||
nobind
|
||||
|
||||
# Downgrade privileges after initialization (non-Windows only)
|
||||
;user openvpn
|
||||
;group openvpn
|
||||
|
||||
# If you are connecting through an
|
||||
# HTTP proxy to reach the actual OpenVPN
|
||||
# server, put the proxy server/IP and
|
||||
# port number here. See the man page
|
||||
# if your proxy server requires
|
||||
# authentication.
|
||||
;http-proxy-retry # retry on connection failures
|
||||
;http-proxy [proxy server] [proxy port #]
|
||||
|
||||
# Wireless networks often produce a lot
|
||||
# of duplicate packets. Set this flag
|
||||
# to silence duplicate packet warnings.
|
||||
;mute-replay-warnings
|
||||
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# SSL/TLS parms.
|
||||
# See the server config file for more
|
||||
# description. It's best to use
|
||||
# a separate .crt/.key file pair
|
||||
# for each client. A single ca
|
||||
# file can be used for all clients.
|
||||
;ca ${_CA_CERT}
|
||||
;cert ${_CLIENT_CERT}
|
||||
;key ${_CLIENT_KEY}
|
||||
|
||||
# Server CA
|
||||
<ca>
|
||||
EOF
|
||||
@@ -520,34 +565,24 @@ done < $_file
|
||||
cat << EOF >> "$_client_conf_file" 2> $log_file
|
||||
</key>
|
||||
|
||||
# Verify server certificate by checking
|
||||
# that the certicate has the nsCertType
|
||||
# field set to "server". This is an
|
||||
# important precaution to protect against
|
||||
# Verify server certificate by checking that the
|
||||
# certificate has the correct key usage set.
|
||||
# This is an important precaution to protect against
|
||||
# a potential attack discussed here:
|
||||
# http://openvpn.net/howto.html#mitm
|
||||
#
|
||||
# To use this feature, you will need to generate
|
||||
# your server certificates with the nsCertType
|
||||
# field set to "server". The build-key-server
|
||||
# script in the easy-rsa folder will do this.
|
||||
#
|
||||
# Note!
|
||||
# The option "ns-cert-type" has been deprecated since
|
||||
# version 2.4 and will be removed from later distributions.
|
||||
#
|
||||
# Use the modern equivalent "remote-cert-tls"
|
||||
#
|
||||
;ns-cert-type server
|
||||
# your server certificates with the keyUsage set to
|
||||
# digitalSignature, keyEncipherment
|
||||
# and the extendedKeyUsage to
|
||||
# serverAuth
|
||||
# EasyRSA can do this for you.
|
||||
remote-cert-tls server
|
||||
|
||||
# If a tls-auth key is used on the server
|
||||
# then every client must also have the key.
|
||||
#
|
||||
# Don't forget to set the 'key-direction' Parameter if using
|
||||
# Inline Key. Usualy , sever has key direction '0', while client
|
||||
# has ke direction '1'.
|
||||
#
|
||||
;tls-auth ${_TA_KEY} 1
|
||||
|
||||
key-direction 1
|
||||
<tls-auth>
|
||||
EOF
|
||||
@@ -572,18 +607,14 @@ cat << EOF >> "$_client_conf_file" 2> $log_file
|
||||
# Select a cryptographic cipher.
|
||||
# If the cipher option is used on the server
|
||||
# then you must also specify it here.
|
||||
;cipher BF-CBC # Blowfish (default)
|
||||
;cipher AES-128-CBC # AES
|
||||
;cipher DES-EDE3-CBC # Triple-DES
|
||||
# Note that v2.4 client/server will automatically
|
||||
# negotiate AES-256-GCM in TLS mode.
|
||||
# See also the data-ciphers option in the manpage
|
||||
EOF
|
||||
|
||||
if [[ -n "$SERVER_CIPHER" ]]; then
|
||||
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
|
||||
cipher $SERVER_CIPHER
|
||||
EOF
|
||||
else
|
||||
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
|
||||
cipher BF-CBC
|
||||
if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
|
||||
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
|
||||
cipher ${SERVER_CIPHER}
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user