Hi,

On Wed, Jan 07, 2026 at 01:24:30PM +0000, Stefan Grauvogl wrote:
> tls-version-min 1.2
> tls-ciphersuites
> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
> tls-cipher ECDHE+AESGCM:ECDHE+AESCCM:DHE+AESGCM:DHE+AESCCM:!AESCCM8
> tls-groups
> X25519:brainpoolP256r1:secp256r1:X448:brainpoolP384r1:secp384r1:brainpoolP512r1:secp521r1
>
> data-ciphers CHACHA20-POLY1305:AES-256-GCM
> data-ciphers-fallback AES-256-GCM
>
> auth sha512

Don't.

Unless you have a very specific need, and understand the full implications,
do not configure anything here. OpenVPN and OpenSSL defaults are likely
good enough, and worse, in 10 years from now on, your configs are likely
overtaken by time and creating compatibility problems.

> lport 2196

Don't, unless there is a very specific need.

(Having a restarting client on the same port as a previous client
connection is known to upset the server. Sometimes. Depending on
the current TLS state in the server... nobody has really had time to
dig into this, so the recommendation is to just use dynamic ports on
the client)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
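
The advice in the reply above can be turned into a quick config audit. The following is an added example, not part of the original message or of OpenVPN itself: it flags the crypto directives quoted in the thread and a fixed `lport` in a client config. The function names and the sample config are constructed for illustration, and it assumes a client config declares itself with `client` or `tls-client`.

```python
import shlex

# Directives from the quoted config that the reply says to leave at defaults.
PINNED_CRYPTO = {
    "tls-version-min", "tls-ciphersuites", "tls-cipher", "tls-groups",
    "data-ciphers", "data-ciphers-fallback", "auth",
}

def parse_directives(text):
    """Yield (line_number, directive, args) for each active config line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                # unbalanced quote: split naively
            tokens = line.split()
        if tokens:
            yield lineno, tokens[0].lstrip("-"), tokens[1:]

def audit(text):
    """Return (line_number, directive, reason) findings for a config."""
    directives = list(parse_directives(text))
    # Assumption: a client config declares itself with "client" or "tls-client".
    is_client = any(name in ("client", "tls-client") for _, name, _ in directives)
    findings = []
    for lineno, name, _args in directives:
        if name in PINNED_CRYPTO:
            findings.append((lineno, name, "pinned crypto setting, prefer defaults"))
        elif name == "lport" and is_client:
            findings.append((lineno, name, "fixed client port, prefer a dynamic port"))
    return findings

# Constructed sample: a client config using directives quoted in the thread.
SAMPLE_CLIENT_CONF = """\
client
tls-version-min 1.2
tls-cipher ECDHE+AESGCM:ECDHE+AESCCM:DHE+AESGCM:DHE+AESCCM:!AESCCM8
data-ciphers CHACHA20-POLY1305:AES-256-GCM
data-ciphers-fallback AES-256-GCM
auth sha512
lport 2196
;tls-groups X25519
"""

if __name__ == "__main__":
    for lineno, name, why in audit(SAMPLE_CLIENT_CONF):
        print(f"line {lineno}: {name}: {why}")
```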
