## GENERAL ##
# Transport (TCP or UDP), port 443, tunnelling over a tun device
mode server
proto tcp
port 443
dev tun
## KEY, CERTS AND NETWORK CONFIGURATION ##
# CA certificate (the root used to verify peer identities)
ca ca.crt
# Server certificate (public key)
cert server.crt
# Server private key (must stay readable by root only)
key server.key
# Diffie-Hellman parameters for the TLS key exchange (not a symmetric key)
dh dh.pem
# Improve security: HMAC-authenticate control-channel packets so unauthenticated traffic is dropped (DDoS, port flooding...)
# Key direction: 0 for the server, 1 for the client
tls-auth ta.key 0
# Data-channel cipher
# NOTE(review): AES-256-CBC is not an AEAD mode; AES-256-GCM is preferable where the clients support it
cipher AES-256-CBC
# Network
# Subnet: the server takes 10.8.0.1 and clients are assigned the remaining IPs
server 10.8.0.0 255.255.255.0
# Redirect all IP traffic originating on client machines through the OpenVPN server
push "redirect-gateway def1"
# Alternative DNS servers (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"
# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"
# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"
# Ping every 10 seconds; if the client hasn't responded after 120 seconds it is disconnected
keepalive 10 120
# Renegotiate the key every 5 hours (18000 s) (disconnects the client)
reneg-sec 18000
## SECURITY ##
# Drop the daemon's privileges after startup
user nobody
group nogroup
# Persist keys across restarts (running as nobody, we could not read them again)
persist-key
# Don't close and re-open the TUN/TAP device on restart
persist-tun
# Enable compression
# NOTE(review): compressing data before encryption exposes the tunnel to compression side-channel attacks (VORACLE); consider removing this directive
comp-lzo
## LOG ##
# Verbosity
# 3 or 4 for normal use
verb 3
# At most 20 consecutive messages of the same category
mute 20
# Log file where the client status is written
status openvpn-status.log
# Log file (appended to, not truncated, on restart)
log-append /var/log/openvpn.log
# Per-client configuration directory
client-config-dir ccd
## PASS ##
# Allow running external scripts, with the password passed through environment variables
# NOTE(review): via-env places the password in the script's process environment; via-file is the less exposed alternative
script-security 3
# Use the authenticated username as the common name, rather than the common name from the client certificate
username-as-common-name
# No client certificate is required
# NOTE(review): with verify-client-cert none, client authentication rests entirely on the tls-auth key and the password check in scripts/login.sh
verify-client-cert none
# Run the login script to verify a user's credentials at login
auth-user-pass-verify scripts/login.sh via-env
# Maximum number of clients
max-clients 50
# Run these scripts when a client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh