90 lines
2.2 KiB
Plaintext
90 lines
2.2 KiB
Plaintext
## GENERAL ##
|
|
|
|
# TCP, port 443, tunneling
|
|
mode server
|
|
proto tcp
|
|
port 443
|
|
dev tun
|
|
|
|
## KEY, CERTS AND NETWORK CONFIGURATION ##
|
|
# Identity
|
|
ca ca.crt
|
|
# Public key
|
|
cert server.crt
|
|
# Private key
|
|
key server.key
|
|
# Symmetric encryption
|
|
dh dh1024.pem
|
|
# Improve security (DDOS, port flooding...)
|
|
# 0 for the server, 1 for the client
|
|
tls-auth ta.key 0
|
|
# Encryption protocol
|
|
cipher AES-256-CBC
|
|
|
|
# Network
|
|
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
|
|
server 10.8.0.0 255.255.255.0
|
|
|
|
# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
|
|
push "redirect-gateway def1"
|
|
|
|
# Alternatives DNS (FDN)
|
|
push "dhcp-option DNS 80.67.169.12"
|
|
push "dhcp-option DNS 80.67.169.40"
|
|
|
|
# (OpenDNS)
|
|
# push "dhcp-option DNS 208.67.222.222"
|
|
# push "dhcp-option DNS 208.67.220.220"
|
|
|
|
# (Google)
|
|
# push "dhcp-option DNS 8.8.8.8"
|
|
# push "dhcp-option DNS 8.8.4.4"
|
|
|
|
# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
|
|
keepalive 10 120
|
|
# Regenerate key each 5 hours (disconnect the client)
|
|
reneg-sec 18000
|
|
|
|
## SECURITY ##
|
|
|
|
# Downgrade privileges of the daemon
|
|
user nobody
|
|
group nogroup
|
|
|
|
# Persist keys (because we are nobody, so we couldn't read them again)
|
|
persist-key
|
|
# Don't close and re open TUN/TAP device
|
|
persist-tun
|
|
# Enable compression
|
|
comp-lzo
|
|
|
|
## LOG ##
|
|
|
|
# Verbosity
|
|
# 3/4 for a normal utilisation
|
|
verb 3
|
|
# Max 20 messages of the same category
|
|
mute 20
|
|
# Log gile where we put the clients status
|
|
status openvpn-status.log
|
|
# Log file
|
|
log-append /var/log/openvpn.log
|
|
# Configuration directory of the clients
|
|
client-config-dir ccd
|
|
|
|
## PASS ##
|
|
|
|
# Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement
|
|
script-security 3 system
|
|
|
|
# Use the authenticated username as the common name, rather than the common name from the client cert
|
|
username-as-common-name
|
|
# Client certificate non requried
|
|
client-cert-not-required
|
|
# Use the connection script when a user wants to login
|
|
auth-user-pass-verify scripts/login.sh via-env
|
|
# Maximum of clients
|
|
max-clients 50
|
|
# Run this scripts when the client connects/disconnects
|
|
client-connect scripts/connect.sh
|
|
client-disconnect scripts/disconnect.sh |