Stouts · mikysal78 · Oct 13, 2020 · Oct 13, 2020 · Oct 15, 2020 · Oct 24, 2020
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -141,7 +141,7 @@ openvpn_client_to_client: true
 # `openvpn_client_to_client`).
 openvpn_client_to_client_via_ip: false
 
-openvpn_ccd: /etc/openvpn/ccd/
+openvpn_ccd: /etc/openvpn/ccd
 # The ccd (clients configuration directory). This will contain files with
 # configuration directives that the server will apply per connecting client.
 
@@ -163,6 +163,8 @@ openvpn_ccd_configs: []
 openvpn_client_conf_template: client.conf.j2
 # }}}
 # Authentication {{{
+openvpn_auth_digest_algorithm: SHA1
+
 # Use PAM authentication
 openvpn_use_pam: true
 openvpn_use_pam_users: []
@@ -184,6 +186,11 @@ openvpn_simple_auth_password: ""
 # Enable HMAC signature to TLS handshakes
 openvpn_tls_auth: false
 openvpn_tls_key: "ta.key"
+openvpn_tls_version_min: "1.2"  #example: 1.2
+openvpn_tls_version_max: "1.3"  #example: 1.2 or 1.3
+
+# Silence the output of replay warnings, which are a common false alarm on WiFi networks
+openvpn_mute_replay_warnings: false
 # }}}
 # Scripting {{{
 # A list of directories that the role should create and that should be

diff --git a/tasks/authentication/simple.yml b/tasks/authentication/simple.yml
@@ -5,7 +5,8 @@
     src: authentication/auth-client.sh.j2
     dest: "{{ openvpn_etcdir }}/auth-client.sh"
     mode: 0o755
-  when:
-    - openvpn_simple_auth | bool
-    - openvpn_simple_auth_password | bool
+  #when:
+  #  - openvpn_simple_auth | bool
+  #  - openvpn_simple_auth_password | bool
+  when: openvpn_simple_auth and openvpn_simple_auth_password
   notify: openvpn restart
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
@@ -47,6 +47,7 @@ persist-tun
 <key>
 {{ openvpn_client_keys_output |default([{'item':client,'stdout':''}])|selectattr('item', 'match', client)|map(attribute='stdout')|list|first }}
 </key>
+
 {% if openvpn_tls_auth %}
 key-direction 1
 <tls-auth>
@@ -67,19 +68,25 @@ key {{client}}.key
 # To use this feature, you will need to generate your server certificates with
 # the nsCertType field set to "server".  The build-key-server script in the
 # easy-rsa folder will do this.
-ns-cert-type server
+remote-cert-tls server
 
 {% if openvpn_tls_auth and not openvpn_unified_client_profiles -%}
 # Use a static pre-shared key (PSK)
 tls-auth {{openvpn_tls_key}} 1
+{% if openvpn_tls_version_min is defined -%}
+tls-version-min {{ openvpn_tls_version_min }}
+{% endif %}
+{% if openvpn_tls_version_max is defined -%}
+tls-version-max {{ openvpn_tls_version_max }}
+{% endif %}
 {% endif %}
 
 # Enable compression on the VPN link. Don't enable this unless it is also
 # enabled in the server config file.
 {% if openvpn_comp_lzo -%}
-comp-lzo
+compress lzo
 {% else -%}
-;comp-lzo
+;compress lzo
 {% endif %}
 
 # Set log file verbosity.

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
@@ -18,6 +18,10 @@ proto {{ openvpn_proto }}
 # Port sharing
 port-share 127.0.0.1 {{ openvpn_portshare }}
 {% endif %}
+{% if openvpn_auth_digest_algorithm is defined -%}
+# Auth Digest
+auth {{ openvpn_auth_digest_algorithm }}
+{% endif %}
 
 # Encrypt packets with cipher algorithm
 cipher {{ openvpn_cipher }}
@@ -54,15 +58,21 @@ dh {{ openvpn_keydir }}/dh.pem
 # Use a static pre-shared key (PSK)
 tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0
 tls-server
+{% if openvpn_tls_version_min is defined -%}
+tls-version-min {{ openvpn_tls_version_min }}
+{% endif %}
+{% if openvpn_tls_version_max is defined -%}
+tls-version-max {{ openvpn_tls_version_max }}
+{% endif %}
 {% endif %}
 
-# Client configuration directory.
 {% if openvpn_ccd is defined -%}
+# Client configuration directory.
 client-config-dir {{ openvpn_ccd }}
 {% endif %}
 
-# Which VPN topology to use? (net30, subnet, p2p)
 {% if openvpn_topology is defined -%}
+# Which VPN topology to use? (net30, subnet, p2p)
 topology {{ openvpn_topology }}
 {% endif %}
 
@@ -100,20 +110,20 @@ script-security 2
 # the same virtual IP address from the pool that was previously assigned.
 ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
 
+{% if openvpn_keepalive != '' %}
 # The keepalive directive causes ping-like messages to be sent back and forth
 # over the link so that each side knows when the other side has gone down. Ping
 # every 10 seconds, assume that remote peer is down if no ping received during
 # a 120 second time period.
-{% if openvpn_keepalive != '' %}
 keepalive {{ openvpn_keepalive }}
 {% endif %}
 
 # Enable compression on the VPN link. If you enable it here, you must also
 # enable it in the client config file.
 {% if openvpn_comp_lzo -%}
-comp-lzo
+compress lzo
 {% else -%}
-;comp-lzo
+;compress lzo
 {% endif %}
 
 # The persist options will try to avoid accessing certain resources on restart
@@ -157,22 +167,26 @@ group {{openvpn_group}}
 group nogroup
 {% endif %}
 
+{% if openvpn_mute_replay_warnings %}
+# Silence the output of replay warnings, which are a common false alarm on WiFi networks
+mute-replay-warnings
+{% endif %}
+
+
 {% if openvpn_client_to_client %}
 client-to-client
 {% endif %}
-
 {% if openvpn_use_pam %}
-client-cert-not-required
+# client-cert-not-required ## Removed in openvpn 2.5
+verify-client-cert none
 plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
 {% endif %}
-
 {% if openvpn_use_ldap %}
 plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf"
 {% endif %}
-
 {% if openvpn_simple_auth and openvpn_simple_auth_password %}
 auth-user-pass-verify auth-client.sh via-env
-script-security 3 execve
+script-security 3
 {% endif %}
 
 {% for option in openvpn_server_options %}