Nis Wechselberg
6e8d01203a
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
111 lines
3.7 KiB
Django/Jinja
111 lines
3.7 KiB
Django/Jinja
###### ######## ## ## ######## ######## ### ##
|
|
## ## ## ### ## ## ## ## ## ## ##
|
|
## ## #### ## ## ## ## ## ## ##
|
|
## #### ###### ## ## ## ###### ######## ## ## ##
|
|
## ## ## ## #### ## ## ## ######### ##
|
|
## ## ## ## ### ## ## ## ## ## ##
|
|
###### ######## ## ## ######## ## ## ## ## ########
|
|
|
|
# Reduce the OpenVPN daemon's privileges after initialization
|
|
user nobody
|
|
group nogroup
|
|
|
|
# TCP or UDP server?
|
|
proto udp
|
|
proto udp6
|
|
|
|
# Subnet mode instead of p2p
|
|
topology subnet
|
|
|
|
# Which TCP/UDP port should OpenVPN listen on?
|
|
port {{ openvpn_server_port }}
|
|
|
|
# "dev tun" will create a routed IP tunnel, "dev tap" will create an
|
|
# ethernet tunnel
|
|
dev tun
|
|
|
|
# Enable compression on the VPN link
|
|
comp-lzo
|
|
|
|
# Maintain a record of client virtual IP address associations in this file.
|
|
ifconfig-pool-persist {{ openvpn_server_directory }}/ipp.txt
|
|
|
|
# Output a short status file showing current connections, truncated
|
|
# and rewritten every minute.
|
|
status {{ openvpn_server_directory }}/openvpn-status.log
|
|
|
|
# Configure server mode and supply a VPN subnet for OpenVPN to draw client
|
|
# addresses from. The server will take subnet ip .1 for itself, the rest will
|
|
# be made available to clients.
|
|
server {{ openvpn_server_ipv4_pool }} {{ openvpn_server_ipv4_subnet }}
|
|
server-ipv6 {{ openvpn_server_ipv6 }}
|
|
|
|
{% for route in openvpn_server_routes %}
|
|
route {{route.network }} {{ route.subnet }}
|
|
{% endfor %}
|
|
|
|
# Uncomment this directive to allow different clients to be able
|
|
# to "see" each other.
|
|
client-to-client
|
|
|
|
# Ping every 10 seconds, assume that remote peer is down if no ping received
|
|
# during a 120 second time period.
|
|
keepalive 10 120
|
|
|
|
# The persist options will try to avoid accessing certain resources on restart
|
|
# that may no longer be accessible because of the privilege downgrade.
|
|
persist-key
|
|
persist-tun
|
|
|
|
# Allow client specific configurations
|
|
client-config-dir {{ openvpn_server_directory }}/ccd
|
|
|
|
# Set the appropriate level of log
|
|
# file verbosity.
|
|
#
|
|
# 0 is silent, except for fatal errors
|
|
# 4 is reasonable for general usage
|
|
# 5 and 6 can help to debug connection problems
|
|
# 9 is extremely verbose
|
|
verb 4
|
|
|
|
|
|
###### ######## ###### ## ## ######## #### ######## ## ##
|
|
## ## ## ## ## ## ## ## ## ## ## ## ##
|
|
## ## ## ## ## ## ## ## ## ####
|
|
###### ###### ## ## ## ######## ## ## ##
|
|
## ## ## ## ## ## ## ## ## ##
|
|
## ## ## ## ## ## ## ## ## ## ## ##
|
|
###### ######## ###### ####### ## ## #### ## ##
|
|
# SSL/TLS root certificate (ca), certificate (cert), and private key (key)
|
|
ca {{ openvpn_server_ca }}
|
|
cert {{ openvpn_server_cert }}
|
|
key {{ openvpn_server_key }}
|
|
|
|
# Password for certificate provided in separate file
|
|
askpass {{ openvpn_server_passfile }}
|
|
auth-nocache
|
|
|
|
# Verify against revoked certificates
|
|
crl-verify {{ openvpn_server_crl }}
|
|
|
|
# Diffie hellman parameters
|
|
dh {{ openvpn_server_dhfile }}
|
|
|
|
# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall"
|
|
# to help block DoS attacks and UDP port flooding.
|
|
# The server and each client must have a copy of this key.
|
|
# The second parameter should be '0' on the server and '1' on the clients.
|
|
tls-auth {{ openvpn_server_tlsauth }} 0
|
|
|
|
# Select a cryptographic cipher
|
|
cipher AES-256-CBC
|
|
|
|
# Improve message authentication
|
|
auth SHA256
|
|
|
|
# Enforce TLSv1.2
|
|
tls-version-min 1.2
|
|
|
|
# Limit the available cipersuites to reasonably safe choices
|
|
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
|