TinCanTech

Results 521 comments of TinCanTech

Just to add a little clarity. OpenVPN will select the best/highest (whatever term you use to describe the security level) between peers. For example:

- Server running Linux may...

Personally, if you decide to change the script, I would make it a user choice .. with a FAQ.

Your two links above relate directly to the data channel not the control channel.

> Maybe we can default to TLS_CHACHA20_POLY1305_SHA256 in the script instead of TLS_AES_256_GCM_SHA384 for performance?

This...

> When the OP/Developer will update this script to enable us to select 'TLS 1.3' on installation?

That will be when:

* OpenSSL makes this a suitable option
* OpenVPN...

Absolutely unique certificate names is down to EasyRSA. Since EasyRSA v3.0.6 this was changed to allow certificate renewal. So, with a new version of EasyRSA this would allow you to...

> So, if I understand correctly there are two issues:
>
> **A revoked client that is connected will stay connected until it disconnects/reconnects**
>
> That sounds plausible, maybe...

> > A certificate revocation list is only read during initial connection phase, so a client would have to reconnect if it has been revoked in the meantime.
>...

**Updated**:

-----

@randomshell - Unique CNs is a function of the SSL lib, see `index.txt.attr` in the EasyRSA PKI folder. Before EasyRSA v306 this was set to make all CNs...

> If I understood correctly it seems to be the issue OpenVPN/easy-rsa#105

It is related, however, it is not the same issue. For whatever reason the owner has not acknowledge...

> @randomshell - Unique CNs is a function of the SSL lib, see `index.txt.attr` in the EasyRSA PKI folder.
> Before EasyRSA v306 this was set to make all CNs...