
I misread your question, my apologies. At a quick glance (and a very quick one at that), Streisand's OpenVPN setup is configured to work on both TCP and UDP ports, whereas the referenced project is being templated from [https://github.com/Stouts/Stouts.openvpn/tree/9c83736608e4cc...]. Looking at the linked project's setup, it seems it's using outdated configurations for OpenVPN (BF-CBC instead of AES-CBC, 1024-bit keys instead of 2048) [https://github.com/Stouts/Stouts.openvpn/blob/9c83736608e4cc...]. It's also configured to log info, whereas Streisand tries its best not to.
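
A config check for the three points raised in the comment above (BF-CBC, 1024-bit parameters, logging), added here as an example and not taken from the thread or from either project. The sample config and the finding names are constructed, and the DH size is inferred from the file name, which is an assumption about naming.

```python
import re

# Constructed sample resembling an older OpenVPN server config
# (not copied from Streisand or Stouts.openvpn).
SAMPLE_CONF = """\
port 1194
proto udp
cipher BF-CBC            # 64-bit block cipher
dh /etc/openvpn/keys/dh1024.pem
verb 3
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
"""

# 64-bit block ciphers that OpenVPN accepts by these names.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def audit(conf_text):
    """Return a sorted list of finding codes for one OpenVPN config."""
    findings = set()
    cipher_seen = False
    for raw in conf_text.splitlines():
        # OpenVPN treats both '#' and ';' as comment markers.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "cipher" and args:
            cipher_seen = True
            if args[0].upper() in WEAK_CIPHERS:
                findings.add("weak-cipher")
        elif key == "dh" and args:
            # Assumption: size appears in the file name, e.g. dh1024.pem.
            m = re.search(r"(\d{3,5})", args[0].rsplit("/", 1)[-1])
            if m and int(m.group(1)) < 2048:
                findings.add("small-dh")
        elif key in ("log", "log-append", "status"):
            findings.add("writes-logs")
        elif key == "verb" and args and args[0].isdigit() and int(args[0]) > 0:
            findings.add("verbose")
    if not cipher_seen:
        # Older OpenVPN releases fall back to BF-CBC when no cipher is set.
        findings.add("cipher-default")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A file-name match is only a hint; `openssl dhparam -in <file> -text -noout` reports the real parameter size.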


I may have to fork the Stouts.openvpn role.

I also am not pleased that their easy-rsa tarball is not easily auditable rather than pulling it as a subrepository directly from OpenVPN.

edit: I have audited the easy-rsa tarball. It's still not a totally appropriate way to manage things.


easy-rsa 3 has saner defaults, especially how it configures OpenSSL, so if you fork, that would be a good place to start.



