server authentication scripts
TinCanTech edited this page Jan 3, 2022 · 7 revisions
Once you have reached this stage, use the ./easytls script to configure the scripts for use by your server.
The defaults are the best starting point; raise or lower the security level afterwards to accommodate your clients.
OpenVPN allows a server to use either TLS-Auth or TLS-Crypt, and either of these can be combined with TLS-Crypt-V2.
Your server could therefore use either --tls-auth and --tls-crypt-v2 keys, OR --tls-crypt and --tls-crypt-v2 keys.
Easy-TLS accommodates this with the following security settings.
Note:
- Levels 0-2: allow all types of TLS key to connect.
- Levels 3-5: only allow TLS-Crypt-V2 keys to connect.
Security levels:
+----------------------------------------
| TLS-Auth/Crypt and TLS-Crypt-V2 Server
+----------------------------------------
| [0] Low - Allow all keys to connect, hwaddr verification is not enforced.
|
| [1] Default - Do not require clients to push a hwaddr.
| TLS-Crypt-V2 keys with a hwaddr mismatch will be disconnected.
| TLS-Crypt-V2 keys without a hwaddr can connect.
| TLS Auth and Crypt-v1 keys can connect.
|
| [2] Medium - Require all clients to push a hwaddr.
| TLS-Crypt-V2 keys with a hwaddr mismatch will be disconnected.
| TLS-Crypt-V2 keys without a hwaddr can connect but must push a hwaddr.
| TLS Auth and Crypt-v1 keys can connect but must push a hwaddr.
+----------------------------------------
| TLS-Crypt-V2 ONLY Server
+----------------------------------------
| [3] Medium-High - Do not require clients to push a hwaddr.
| TLS-Crypt-V2 keys without a hwaddr can connect.
|
| [4] High - Require all clients to push a hwaddr.
| TLS-Crypt-v2 keys without a hwaddr can connect but must push a hwaddr.
|
| [5] Very High - hwaddr verification is enforced on all clients.
| TLS-Crypt-V2 key must have a hwaddr and client must push a hwaddr.
Note: Levels 2, 4 and 5 require the client to push a hwaddr, so they may not work with some client apps (eg: Android).
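To make the decision table above concrete, here is an added worked example (written for this page; it is not Easy-TLS code and does not reproduce the logic of easytls-cryptv2-verify.sh, which reads its inputs from OpenVPN's environment). It models the six levels as a single POSIX sh function, `verdict LEVEL KEYTYPE KEY_HWADDR PUSHED_HWADDR`, whose argument interface is hypothetical. Two behaviours are not spelled out by the table and are assumed here: at levels 1 and 3 a TLS-Crypt-V2 key that carries a hwaddr is still allowed when the client pushes none (pushing is not required at those levels), and a hwaddr mismatch disconnects at every level above 0. The hwaddr comparison normalises case and separators, which is also an assumption. The sample cases are constructed, not real clients.

```shell
#!/bin/sh
# Added example: a model of the Easy-TLS security-level table.
# Not Easy-TLS code; argument interface and normalisation are assumptions.

# Canonical form for comparison: lower-case hex with ':' and '-' removed (assumption).
normalize() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[-:]//g'
}

# verdict LEVEL KEYTYPE KEY_HWADDR PUSHED_HWADDR
#   LEVEL          0..5, the Easy-TLS security level
#   KEYTYPE        tls-auth | tls-crypt | tls-crypt-v2
#   KEY_HWADDR     hwaddr embedded in the TLS-Crypt-V2 key, or "" for none
#   PUSHED_HWADDR  hwaddr pushed by the client, or "" for none
# Prints ALLOW or DENY:<reason>; returns 0 to allow, 1 to disconnect.
verdict() {
  level="$1"; keytype="$2"; key_hw="$3"; push_hw="$4"

  case "$level" in
    0|1|2|3|4|5) ;;
    *) printf 'DENY:unknown-level\n'; return 1 ;;
  esac

  # Level 0: every key connects and nothing about hwaddr is checked.
  if [ "$level" -eq 0 ]; then printf 'ALLOW\n'; return 0; fi

  # Levels 3-5 are TLS-Crypt-V2 only servers.
  if [ "$level" -ge 3 ] && [ "$keytype" != "tls-crypt-v2" ]; then
    printf 'DENY:not-tls-crypt-v2\n'; return 1
  fi

  # Levels 2, 4 and 5 require every client to push a hwaddr.
  case "$level" in
    2|4|5) if [ -z "$push_hw" ]; then printf 'DENY:no-hwaddr-pushed\n'; return 1; fi ;;
  esac

  # Level 5 additionally requires the key itself to carry a hwaddr.
  if [ "$level" -eq 5 ] && [ -z "$key_hw" ]; then
    printf 'DENY:key-has-no-hwaddr\n'; return 1
  fi

  # Levels 1-5: a TLS-Crypt-V2 key with a hwaddr must match what the client
  # pushed, whenever the client pushed one (mismatch at level 3 is assumed).
  if [ "$keytype" = "tls-crypt-v2" ] && [ -n "$key_hw" ] && [ -n "$push_hw" ]; then
    if [ "$(normalize "$key_hw")" != "$(normalize "$push_hw")" ]; then
      printf 'DENY:hwaddr-mismatch\n'; return 1
    fi
  fi

  printf 'ALLOW\n'; return 0
}

# Constructed sample cases: level keytype key_hwaddr pushed_hwaddr ("-" = none).
demo() {
  while read -r lvl kt kh ph; do
    [ "$kh" = "-" ] && kh=""
    [ "$ph" = "-" ] && ph=""
    printf 'level=%s %-12s key=%-17s pushed=%-17s -> %s\n' \
      "$lvl" "$kt" "${kh:--}" "${ph:--}" "$(verdict "$lvl" "$kt" "$kh" "$ph")"
  done <<EOF
0 tls-auth - -
1 tls-crypt-v2 00:11:22:33:44:55 00:11:22:33:44:66
1 tls-crypt-v2 00:11:22:33:44:55 -
2 tls-crypt - -
2 tls-crypt-v2 - 00:11:22:33:44:55
3 tls-auth - -
4 tls-crypt-v2 - 00:11:22:33:44:55
5 tls-crypt-v2 - 00:11:22:33:44:55
5 tls-crypt-v2 00:11:22:33:44:55 00-11-22-33-44-55
EOF
}

demo
```

Reading the output line by line against the table is the quickest way to see why levels 2, 4 and 5 are the ones that break on clients that cannot push a hwaddr: the `no-hwaddr-pushed` check fires before the key is even examined.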
Configure and use easytls-cryptv2-verify.sh