OpenVPN-Admin/installation/server.conf

## GENERAL ##

# TCP or UDP, port 443, tunneling
mode server
proto tcp
port 443
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca ca.crt
# Public key
cert server.crt
# Private key
key server.key
# Symmetric encryption
dh dh.pem
# Improve security (DDOS, port flooding...)
# 0 for the server, 1 for the client
tls-auth ta.key 0
# Encryption protocol
cipher AES-256-CBC

# Network
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
server 10.8.0.0 255.255.255.0

# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
push "redirect-gateway def1"

# Alternatives DNS (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"

# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000

## SECURITY ##

# Downgrade privileges of the daemon
user nobody
group nogroup

# Persist keys (because we are nobody, so we couldn't read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo

## LOG ##

# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd

## PASS ##

# Allow running external scripts with password in ENV variables
script-security 3

# Use the authenticated username as the common name, rather than the common name from the client cert
username-as-common-name
# Client certificate is not required 
verify-client-cert none
# Use the connection script when a user wants to login
auth-user-pass-verify scripts/login.sh via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh
Big refresh 2015-07-09 14:26:07 +02:00			`## GENERAL ##`

Add UDP support 2017-07-26 16:14:56 +02:00			`# TCP or UDP, port 443, tunneling`
Big refresh 2015-07-09 14:26:07 +02:00			`mode server`
			`proto tcp`
			`port 443`
			`dev tun`

			`## KEY, CERTS AND NETWORK CONFIGURATION ##`
			`# Identity`
			`ca ca.crt`
			`# Public key`
			`cert server.crt`
			`# Private key`
			`key server.key`
			`# Symmetric encryption`
Remove useless sed at the installation step 2016-09-11 19:18:06 +02:00			`dh dh.pem`
Big refresh 2015-07-09 14:26:07 +02:00			`# Improve security (DDOS, port flooding...)`
			`# 0 for the server, 1 for the client`
			`tls-auth ta.key 0`
			`# Encryption protocol`
			`cipher AES-256-CBC`

			`# Network`
			`# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips`
			`server 10.8.0.0 255.255.255.0`

			`# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server`
			`push "redirect-gateway def1"`

			`# Alternatives DNS (FDN)`
Remove useless sed at the installation step 2016-09-11 19:18:06 +02:00			`push "dhcp-option DNS 80.67.169.12"`
Big refresh 2015-07-09 14:26:07 +02:00			`push "dhcp-option DNS 80.67.169.40"`

			`# (OpenDNS)`
Remove useless sed at the installation step 2016-09-11 19:18:06 +02:00			`# push "dhcp-option DNS 208.67.222.222"`
Big refresh 2015-07-09 14:26:07 +02:00			`# push "dhcp-option DNS 208.67.220.220"`

			`# (Google)`
Remove useless sed at the installation step 2016-09-11 19:18:06 +02:00			`# push "dhcp-option DNS 8.8.8.8"`
Big refresh 2015-07-09 14:26:07 +02:00			`# push "dhcp-option DNS 8.8.4.4"`

			`# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect`
			`keepalive 10 120`
			`# Regenerate key each 5 hours (disconnect the client)`
			`reneg-sec 18000`

			`## SECURITY ##`

			`# Downgrade privileges of the daemon`
			`user nobody`
			`group nogroup`

			`# Persist keys (because we are nobody, so we couldn't read them again)`
			`persist-key`
			`# Don't close and re open TUN/TAP device`
			`persist-tun`
			`# Enable compression`
			`comp-lzo`

			`## LOG ##`

			`# Verbosity`
			`# 3/4 for a normal utilisation`
			`verb 3`
			`# Max 20 messages of the same category`
			`mute 20`
			`# Log gile where we put the clients status`
			`status openvpn-status.log`
			`# Log file`
			`log-append /var/log/openvpn.log`
			`# Configuration directory of the clients`
			`client-config-dir ccd`

			`## PASS ##`

Fix configuration on openvpn > 2.4 2017-06-19 15:54:35 +02:00			`# Allow running external scripts with password in ENV variables`
			`script-security 3`
Big refresh 2015-07-09 14:26:07 +02:00
			`# Use the authenticated username as the common name, rather than the common name from the client cert`
			`username-as-common-name`
Fix deprecated option in server configuration 2017-08-03 13:56:26 +02:00			`# Client certificate is not required`
			`verify-client-cert none`
Big refresh 2015-07-09 14:26:07 +02:00			`# Use the connection script when a user wants to login`
			`auth-user-pass-verify scripts/login.sh via-env`
			`# Maximum of clients`
			`max-clients 50`
			`# Run this scripts when the client connects/disconnects`
			`client-connect scripts/connect.sh`
Remove useless sed at the installation step 2016-09-11 19:18:06 +02:00			`client-disconnect scripts/disconnect.sh`