# ===== GENERAL =====

# Reduce the OpenVPN daemon's privileges after initialization
user nobody
group nogroup

# TCP or UDP server?
proto udp
proto udp6

# Subnet mode instead of p2p
topology subnet

# Which TCP/UDP port should OpenVPN listen on?
port {{ openvpn_server_port }}

# "dev tun" will create a routed IP tunnel, "dev tap" will create an
# ethernet tunnel
dev tun

# Enable compression on the VPN link.
# Note: compression is deprecated since OpenVPN 2.5 because it can leak
# information about the plaintext; keep it only if clients require it.
comp-lzo

# Maintain a record of client virtual IP address associations in this file.
ifconfig-pool-persist {{ openvpn_server_directory }}/ipp.txt

# Output a short status file showing current connections, truncated
# and rewritten every minute.
status {{ openvpn_server_directory }}/openvpn-status.log

# Configure server mode and supply a VPN subnet for OpenVPN to draw client
# addresses from. The server will take subnet ip .1 for itself, the rest will
# be made available to clients.
server {{ openvpn_server_ipv4_pool }} {{ openvpn_server_ipv4_subnet }}
server-ipv6 {{ openvpn_server_ipv6 }}
{% for route in openvpn_server_routes %}
route {{ route.network }} {{ route.subnet }}
{% endfor %}

# This directive allows different clients to "see" each other;
# comment it out to isolate clients from one another.
client-to-client

# Ping every 10 seconds, assume that remote peer is down if no ping received
# during a 120 second time period.
keepalive 10 120

# The persist options will try to avoid accessing certain resources on restart
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun

# Allow client specific configurations
client-config-dir {{ openvpn_server_directory }}/ccd

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# ===== SECURITY =====

# SSL/TLS root certificate (ca), certificate (cert), and private key (key)
ca {{ openvpn_server_ca }}
cert {{ openvpn_server_cert }}
key {{ openvpn_server_key }}

# Passphrase for the private key, read from a separate file
askpass {{ openvpn_server_passfile }}
auth-nocache

# Verify against revoked certificates
crl-verify {{ openvpn_server_crl }}

# Diffie-Hellman parameters
dh {{ openvpn_server_dhfile }}

# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# The server and each client must have a copy of this key.
# The second parameter should be '0' on the server and '1' on the clients.
tls-auth {{ openvpn_server_tlsauth }} 0

# Select a cryptographic cipher
cipher AES-256-CBC

# Improve message authentication
auth SHA256

# Enforce TLSv1.2
tls-version-min 1.2

# Limit the available ciphersuites to reasonably safe choices
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
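A check that a rendered copy of this template still carries the hardening directives it sets (privilege drop, tls-auth, TLS 1.2 minimum, cipher and digest choice, CRL checking, compression). This is an added example, not part of the template or its project; the sample config and its paths are constructed.

```python
"""Check a rendered OpenVPN server config for the hardening directives the
template above sets. Added example; not part of the original template."""
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

# Constructed sample: the template's security directives with placeholder paths.
SAMPLE_CONFIG = """\
user nobody
group nogroup
comp-lzo
crl-verify /etc/openvpn/server/crl.pem
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
"""

def parse_directives(text):
    """Map directive name -> list of argument lists, skipping comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit_openvpn_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if "user" not in d or "group" not in d:
        findings.append("no user/group: daemon keeps root privileges after init")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel has no HMAC firewall")
    tls_min = d.get("tls-version-min", [["1.0"]])[0][0]  # unset: TLS 1.0 accepted
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min}: require 1.2 or newer")
    cipher = d.get("cipher", [["BF-CBC"]])[0][0].upper()  # historical default
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: weak or unset")
    digest = d.get("auth", [["SHA1"]])[0][0].upper()  # OpenVPN default digest
    if digest in WEAK_DIGESTS:
        findings.append(f"auth {digest}: use SHA256 or stronger")
    if "crl-verify" not in d:
        findings.append("no crl-verify: revoked client certificates still accepted")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: deprecated since OpenVPN 2.5")
    return findings
```

Run against the rendered file on the server; the only finding for a config rendered from this template is the compression note, which disappears once comp-lzo is dropped.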