Improve VPN ciphers
- Improve security by removing support for modp1536 (DH group 5),
  which is less secure and rarely used by VPN clients. To do this,
  we specify modp2048 on the "ike=" line in ipsec.conf.
hwdsl2 committed Sep 30, 2022
1 parent d2c962a commit b1a600f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion run.sh
Expand Up @@ -314,7 +314,7 @@ case $VPN_IKEV2_ONLY in
disable_ipsec_xauth=yes
;;
esac
ike_algs="aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
ike_algs="aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048"
ike_algs_addl=",aes256-sha2;modp1024,aes128-sha1;modp1024"
case $VPN_ENABLE_MODP1024 in
[yY][eE][sS])
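Review bot: The new ike_algs value pins every proposal to ;modp2048, which does more than drop modp1536: it limits the default set to that one DH group, so any other group the unqualified proposals used to accept is excluded as well. If the intent is only to remove modp1536, consider listing the groups that should remain, or add a comment above ike_algs stating that modp2048 is meant to be the only default group, so a client that offers a different group fails for a documented reason. Also note that ike_algs_addl on the following line still offers modp1024 when VPN_ENABLE_MODP1024 is set, which is weaker than the group being removed here; a short comment marking it as a legacy opt-in would keep the two lines from looking inconsistent. The sha1 proposals are unchanged by this hunk, so a commit titled "Improve VPN ciphers" could say explicitly that only the DH group selection changes.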