openvpn: client configuration for RSA and ECC

Provide the correct client configuration based on whether the server is using RSA or ECC. Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 07:55:00 +00:00 · 2020-11-09 01:32:43 +05:30 · 2020-11-09 01:32:43 +05:30 · a3df0342b7
commit a3df0342b7
parent 030e6ce98d
1 changed files with 51 additions and 9 deletions
--- a/actions/openvpn
+++ b/actions/openvpn
@ -49,12 +49,11 @@ verb 3

 tls-server
 tls-version-min 1.2
-tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
-cipher AES-256-GCM
+cipher AES-256-CBC
 script-security 2
 '''

-CLIENT_CONFIGURATION = '''
+CLIENT_CONFIGURATION_RSA = '''
 client
 remote {remote} 1194
 proto udp
@ -62,7 +61,26 @@ proto udp6
 dev tun
 nobind
 remote-cert-tls server
-cipher AES-256-GCM
+cipher AES-256-CBC
+comp-lzo
+redirect-gateway
+verb 3
+<ca>
+{ca}</ca>
+<cert>
+{cert}</cert>
+<key>
+{key}</key>'''
+
+CLIENT_CONFIGURATION_ECC = '''
+client
+remote {remote} 1194
+proto udp
+proto udp6
+dev tun
+nobind
+remote-cert-tls server
+cipher AES-256-CBC
 redirect-gateway
 verb 3
 <ca>
@ -74,7 +92,6 @@ verb 3

 CERTIFICATE_CONFIGURATION = {
    'EASYRSA_BATCH': '1',
-    'EASYRSA_ALGO': 'ec',
    'EASYRSA_DIGEST': 'sha512',
    'KEY_CONFIG': '/usr/share/easy-rsa/openssl-easyrsa.cnf',
    'KEY_DIR': KEYS_DIRECTORY,
@ -90,7 +107,17 @@ CERTIFICATE_CONFIGURATION = {
    'EASYRSA_REQ_NAME': 'FreedomBox'
 }

-COMMON_ARGS = {'env': CERTIFICATE_CONFIGURATION, 'cwd': KEYS_DIRECTORY}
+CERTIFICATE_CONFIGURATION_RSA = {
+    'EASYRSA_KEY_SIZE': '4096',
+    **CERTIFICATE_CONFIGURATION
+}
+
+CERTIFICATE_CONFIGURATION_ECC = {
+    'EASYRSA_ALGO': 'ec',
+    **CERTIFICATE_CONFIGURATION
+}
+
+COMMON_ARGS = {'env': CERTIFICATE_CONFIGURATION_ECC, 'cwd': KEYS_DIRECTORY}


 def parse_arguments():
@ -111,9 +138,19 @@ def parse_arguments():
    return parser.parse_args()


+def _is_using_ecc():
+    """Return whether the service is using ECC."""
+    if os.path.exists(SERVER_CONFIGURATION_PATH):
+        with open(SERVER_CONFIGURATION_PATH, 'r') as file_handle:
+            for line in file_handle:
+                if line.strip() == 'dh none':
+                    return True
+    return False
+
+
 def _is_setup():
    """Return whether setup is complete."""
-    return any(os.path.exists(fil) for fil in [DH_PARAMS, EC_PARAMS_DIR])
+    return _is_non_empty_file(DH_PARAMS) or os.path.exists(EC_PARAMS_DIR)


 def subcommand_is_setup(_):
@ -215,13 +252,18 @@ def subcommand_get_profile(arguments):
        subprocess.check_call([
            '/usr/share/easy-rsa/easyrsa', 'build-client-full', username,
            'nopass'
-        ], **COMMON_ARGS)
+        ], env=CERTIFICATE_CONFIGURATION_ECC if _is_using_ecc() else
+                              CERTIFICATE_CONFIGURATION_RSA,
+                              cwd=KEYS_DIRECTORY)

    user_certificate_string = _read_file(user_certificate)
    user_key_string = _read_file(user_key)
    ca_string = _read_file(CA_CERTIFICATE_PATH)

-    profile = CLIENT_CONFIGURATION.format(ca=ca_string,
+    client_configuration = CLIENT_CONFIGURATION_ECC if _is_using_ecc(
+    ) else CLIENT_CONFIGURATION_RSA
+
+    profile = client_configuration.format(ca=ca_string,
                                          cert=user_certificate_string,
                                          key=user_key_string,
                                          remote=remote_server)