## GENERAL ## # TCP, port 443, tunneling mode server proto tcp port 443 dev tun ## KEY, CERTS AND NETWORK CONFIGURATION ## # Identity ca ca.crt # Public key cert server.crt # Private key key server.key # Symmetric encryption dh dh1024.pem # Improve security (DDOS, port flooding...) # 0 for the server, 1 for the client tls-auth ta.key 0 # Encryption protocol cipher AES-256-CBC # Network # Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips server 10.8.0.0 255.255.255.0 # Redirect all IP network traffic originating on client machines to pass through the OpenVPN server push "redirect-gateway def1" # Alternatives DNS (FDN) push "dhcp-option DNS 80.67.169.12" push "dhcp-option DNS 80.67.169.40" # (OpenDNS) # push "dhcp-option DNS 208.67.222.222" # push "dhcp-option DNS 208.67.220.220" # (Google) # push "dhcp-option DNS 8.8.8.8" # push "dhcp-option DNS 8.8.4.4" # Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect keepalive 10 120 # Regenerate key each 5 hours (disconnect the client) reneg-sec 18000 ## SECURITY ## # Downgrade privileges of the daemon user nobody group nogroup # Persist keys (because we are nobody, so we couldn't read them again) persist-key # Don't close and re open TUN/TAP device persist-tun # Enable compression comp-lzo ## LOG ## # Verbosity # 3/4 for a normal utilisation verb 3 # Max 20 messages of the same category mute 20 # Log gile where we put the clients status status openvpn-status.log # Log file log-append /var/log/openvpn.log # Configuration directory of the clients client-config-dir ccd ## PASS ## # Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement script-security 3 system # Use the authenticated username as the common name, rather than the common name from the client cert username-as-common-name # Client certificate non requried client-cert-not-required # Use the connection script when a user wants to login auth-user-pass-verify scripts/login.sh via-env # Maximum of clients max-clients 50 # Run this scripts when the client connects/disconnects client-connect scripts/connect.sh client-disconnect scripts/disconnect.sh