From bbf967fe326a8570e50cb3678d5614dcc12bd432 Mon Sep 17 00:00:00 2001
From: Stefan Davis
Date: Tue, 29 Oct 2024 10:22:25 +1100
Subject: [PATCH] fix bad tls config

---
 conf.d/main | 3 +++
 overlay/usr/local/bin/openvpn-addclient | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/conf.d/main b/conf.d/main
index ec46eb6..3f1a58e 100755
--- a/conf.d/main
+++ b/conf.d/main
@@ -35,3 +35,6 @@ systemctl enable openvpn@server
 # enable openvpn-tun service (creates /dev/net/tun device in containers - closes #1011)
 systemctl enable openvpn-tun.service
+
+echo 'cipher AES-256-GCM' >> /etc/openvpn/server.conf
+echo 'auth SHA512' >> /etc/openvpn/server.conf
diff --git a/overlay/usr/local/bin/openvpn-addclient b/overlay/usr/local/bin/openvpn-addclient
index 8bb2ef1..c6e3d7d 100755
--- a/overlay/usr/local/bin/openvpn-addclient
+++ b/overlay/usr/local/bin/openvpn-addclient
@@ -107,8 +107,8 @@ proto udp
 remote-cert-tls server
 $auth_nocache
-cipher AES-256-CBC
-auth SHA256
+cipher AES-256-GCM
+auth SHA512
 tls-client
 dev tun
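Review bot: In conf.d/main the two `echo … >> /etc/openvpn/server.conf` lines append unconditionally, so any `cipher` or `auth` directive already present in server.conf stays in the file next to the new one; which of the two OpenVPN then honours cannot be seen from this hunk. Replacing the directive in place, or guarding the append with a check such as `grep -q '^cipher ' /etc/openvpn/server.conf`, would make the resulting configuration unambiguous. On OpenVPN 2.5 and later the negotiated data-channel cipher is governed by `data-ciphers`, so if the intent is to pin AES-256-GCM it is worth also adding `echo 'data-ciphers AES-256-GCM' >> /etc/openvpn/server.conf`; the OpenVPN version shipped is not shown here. A one-line comment above the two echoes saying why the suite is set here, and that openvpn-addclient must emit the same values, would help the next maintainer.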
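Review bot: In overlay/usr/local/bin/openvpn-addclient the template now emits `cipher AES-256-GCM` and `auth SHA512`, but client profiles already issued with `AES-256-CBC` and `SHA256` are not touched by this commit and may stop connecting once the server side changes, notably if a `tls-auth` key is in use, where `auth` has to match on both ends. The same two values are now hard-coded both here and in conf.d/main, so a comment in the template such as `# cipher/auth must match /etc/openvpn/server.conf (see conf.d/main)` would help keep them in sync. The client-config template this hunk edits (apparently a here-document) starts and ends outside the hunk, so whether `tls-auth` or `tls-crypt` is configured cannot be confirmed from here.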