Update cipher to use the default openvpn ciphers (Fixes #196)

kyl191 · Dec 23, 2024 · cdaceb0 · cdaceb0
1 parent d9f1824
commit cdaceb0
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -113,7 +113,7 @@ These options change how OpenVPN itself works.
 |------------------------------------|---------|-------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | openvpn_auth_alg                   | string  |             | SHA256      | Set `auth` authentication algoritm.                                                                                                                             |
 | openvpn_ca_key                     | dict    |             | `unset`     | Contain "crt" and "key". If not set, CA cert and key will be automatically generated on the target system.                                                      |
-| openvpn_cipher                     | string  |             | AES-256-CBC | Set `cipher` option for server and client.                                                                                                                      |
+| openvpn_cipher                     | string  |             | `unset`     | Set `data-cipher` option for server and client.                                                                                                                      |
 | openvpn_crl_path                   | string  |             | `unset`     | Define a path to the CRL file for server revocation check.                                                                                                      |
 | openvpn_duplicate_cn               | boolean | true, false | false       | Add `duplicate-cn` option to server config - this allows clients to connect multiple times with the one key. NOTE: client ip addresses won't be static anymore! |
 | openvpn_rsa_bits                   | int     |             | 2048        | Number of bits used to protect generated certificates                                                                                                           |

diff --git a/defaults/main/openvpn.yml b/defaults/main/openvpn.yml
@@ -21,7 +21,7 @@ openvpn_lan_source_ip: "{{ ansible_default_ipv4.address }}"
 
 # Security
 openvpn_auth_alg: SHA256
-openvpn_cipher: AES-256-CBC
+openvpn_cipher: ~
 openvpn_duplicate_cn: false
 openvpn_rsa_bits: 2048
 openvpn_use_crl: false

diff --git a/templates/client.ovpn.j2 b/templates/client.ovpn.j2
@@ -2,7 +2,9 @@ client
 
 tls-client
 auth {{ openvpn_auth_alg }}
-cipher {{ openvpn_cipher }}
+{% if openvpn_cipher %}
+data-ciphers {{ openvpn_cipher }}
+{% endif %}
 remote-cert-tls server
 {% if openvpn_use_modern_tls %}
 tls-version-min 1.2

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
@@ -26,7 +26,9 @@ tls-auth {{ openvpn_key_dir }}/ta.key 0
 {% endif %}
 tls-server
 auth {{ openvpn_auth_alg | default('SHA256') }}
-cipher {{ openvpn_cipher }}
+{% if openvpn_cipher %}
+data-ciphers {{ openvpn_cipher }}
+{% endif %}
 {% if openvpn_tun_mtu %}
 tun-mtu {{ openvpn_tun_mtu }}
 {% endif %}