masterthesis/openvpn-config/server.conf

# Listen on 1194 for both IPv4 and IPv6
port 1194
proto udp
proto udp6

# Since we have more than one ip address, this makes openvpn respond
# with the right sender address
multihome

# We're using the virtual network interface on layer 3
dev tun

# Certificates to use. Paths are relative to config file location.
ca inform/ca.crt
cert inform/aither.inform.hs-hannover.de.crt
key inform/aither.inform.hs-hannover.de.key

# Assume server role in tls handshake
tls-server

# Diffie-Hellman parameter file
# (not needed for TLS cipher with ECDHE instead of DHE)
dh inform/dh.pem

# Certificate revocation list location
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
crl-verify inform/crl.pem

# Make sure the client presents a certificate with "client role"
remote-cert-tls client

# Allow multiple connections using the same certificate?
# There is no reason to not allow this, so it is allowed.
duplicate-cn

# We're using subnet topology for IPv4 tunnel connectivity
topology subnet

# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
server 10.2.0.0 255.255.0.0

# Use this IPv6 network for clients
server-ipv6 2001:638:614:1750::/64

# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
# This is needed because the IPv4 route for DMZ is pushed below,
# which overlaps the OpenVPN server IPv4 address.
push "route remote_host 255.255.255.255 net_gateway"

# Push routes for local IPv4 networks
#
# DMZ
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
# Inform
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
# Edu
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
# NAO
push "route 192.168.90.0 255.255.255.0 vpn_gateway"
# iDrac
push "route 192.168.70.0 255.255.255.0 vpn_gateway"
# Cluster
push "route 10.0.20.0 255.255.255.0 vpn_gateway"
# educloud
push "route 10.0.30.0 255.255.255.0 vpn_gateway"
# experimental ipv6 network
push "route 10.0.40.0 255.255.255.0 vpn_gateway"
# server network from H-IT for KMS
push "route 141.71.2.0 255.255.255.0 vpn_gateway"

# Push routes for local IPv6 networks
# (The vpn_gateway placeholder does not work here.)
# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will
# automatically trigger creating a direct route to the OpenVPN server on the client.
#
# DMZ
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
# Inform
push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"
# Edu
push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"
# NAO
push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
# Cluster
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
# experimental ipv6 network
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"

### START BLOCK CRYPTOGRAPHY
# Specific settings regarding TLS, chiphers and hash algorithms
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
# These settings need to be identical in client and server configuration!

# Protect data channel with this cipher
cipher AES-256-GCM

# Authenticate packets in data and control channel using HMAC with this
# message digest algorithm
auth SHA256

# Use this specific cipher to secure the control channel
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

# Only allow TLS version 1.2 and higher
tls-version-min "1.2"
### END BLOCK CRYPTOGRAPHY

# Disable cipher negotiation on server side
ncp-disable

# Send ping message every ten seconds, expect session loss after 60 seconds of no response
keepalive 10 30

# Notify clients when the server restarts or shuts down.
# Default behaviour: Tell clients to try to connect to the same server again.
explicit-exit-notify 1

# Enable these if you plan to enable running on reduced privileges
# These options allow to keep the private key and the virtual network device handle in memory
persist-key
persist-tun

# Reduce privileges after launch (uncomment and adapt on unix/linux system)
user nobody
group nogroup

# Logging settings
# - `verb 3` is enough for debugging most issues
# - `verb 0` is recommended for regular operation
verb 3
mute 5

# Print a list of active sessions into this file
# This might be helpful if you plan big maintenance
status inform/status.log
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`# Listen on 1194 for both IPv4 and IPv6`
			`port 1194`
			`proto udp`
			`proto udp6`

Autosave 2018-09-27 10:36:27 +02:00			`# Since we have more than one ip address, this makes openvpn respond`
			`# with the right sender address`
Minor fixups in config 2018-09-19 21:48:08 +02:00			`multihome`

Autosave 2018-09-27 10:36:27 +02:00			`# We're using the virtual network interface on layer 3`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`dev tun`

Autosave 2018-09-27 10:36:27 +02:00			`# Certificates to use. Paths are relative to config file location.`
Update OpenVPN config files 2018-09-20 15:04:54 +02:00			`ca inform/ca.crt`
			`cert inform/aither.inform.hs-hannover.de.crt`
			`key inform/aither.inform.hs-hannover.de.key`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00
Autosave 2018-09-27 10:36:27 +02:00			`# Assume server role in tls handshake`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`tls-server`

Autosave 2018-09-27 10:36:27 +02:00			`# Diffie-Hellman parameter file`
Update OpenVPN config 2018-10-08 11:27:33 +02:00			`# (not needed for TLS cipher with ECDHE instead of DHE)`
Revert to non-ECDHE-cipher due to openvpn issue #963 2018-10-08 14:04:20 +02:00			`dh inform/dh.pem`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Autosave 2018-09-27 10:36:27 +02:00			`# Certificate revocation list location`
			`# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!`
Update OpenVPN config files 2018-09-20 15:04:54 +02:00			`crl-verify inform/crl.pem`
Add note about how to refresh CRL 2018-09-19 13:12:41 +02:00
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`# Make sure the client presents a certificate with "client role"`
			`remote-cert-tls client`

			`# Allow multiple connections using the same certificate?`
Autosave 2018-09-27 10:36:27 +02:00			`# There is no reason to not allow this, so it is allowed.`
Minor fixups in config 2018-09-19 21:48:08 +02:00			`duplicate-cn`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Autosave 2018-09-27 10:36:27 +02:00			`# We're using subnet topology for IPv4 tunnel connectivity`
Update openvpn config 2018-09-19 12:23:33 +02:00			`topology subnet`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Autosave 2018-09-27 10:36:27 +02:00			`# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)`
Update openvpn config 2018-09-19 12:23:33 +02:00			`server 10.2.0.0 255.255.0.0`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Use this IPv6 network for clients`
			`server-ipv6 2001:638:614:1750::/64`

Autosave 2018-09-27 10:36:27 +02:00			`# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway`
			`# This is needed because the IPv4 route for DMZ is pushed below,`
			`# which overlaps the OpenVPN server IPv4 address.`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`push "route remote_host 255.255.255.255 net_gateway"`

Update openvpn config 2018-09-19 12:23:33 +02:00			`# Push routes for local IPv4 networks`
Autosave 2018-09-27 10:36:27 +02:00			`#`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# DMZ`
			`push "route 141.71.38.0 255.255.255.0 vpn_gateway"`
			`# Inform`
Update openvpn config 2018-09-19 12:23:33 +02:00			`push "route 141.71.30.0 255.255.254.0 vpn_gateway"`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# Edu`
Update openvpn config 2018-09-19 12:23:33 +02:00			`push "route 192.168.99.0 255.255.255.0 vpn_gateway"`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# NAO`
			`push "route 192.168.90.0 255.255.255.0 vpn_gateway"`
			`# iDrac`
			`push "route 192.168.70.0 255.255.255.0 vpn_gateway"`
			`# Cluster`
			`push "route 10.0.20.0 255.255.255.0 vpn_gateway"`
			`# educloud`
			`push "route 10.0.30.0 255.255.255.0 vpn_gateway"`
			`# experimental ipv6 network`
			`push "route 10.0.40.0 255.255.255.0 vpn_gateway"`
			`# server network from H-IT for KMS`
			`push "route 141.71.2.0 255.255.255.0 vpn_gateway"`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Only push routes that are really needed 2018-09-21 11:36:54 +02:00			`# Push routes for local IPv6 networks`
Minor fixups in config 2018-09-19 21:48:08 +02:00			`# (The vpn_gateway placeholder does not work here.)`
Autosave 2018-09-27 10:36:27 +02:00			`# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will`
			`# automatically trigger creating a direct route to the OpenVPN server on the client.`
			`#`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# DMZ`
			`push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"`
			`# Inform`
Only push routes that are really needed 2018-09-21 11:36:54 +02:00			`push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# Edu`
Only push routes that are really needed 2018-09-21 11:36:54 +02:00			`push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"`
Update openvpn server config 2018-09-21 19:59:27 +02:00			`# NAO`
			`push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"`
			`# Cluster`
			`push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"`
Add experimental IPv6 network to server config 2018-09-27 11:41:03 +02:00			`# experimental ipv6 network`
			`push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Update OpenVPN config 2018-10-08 11:27:33 +02:00			`### START BLOCK CRYPTOGRAPHY`
			`# Specific settings regarding TLS, chiphers and hash algorithms`
			`# DO NOT CHANGE THIS unless you receive explicit instructions to do so`
			`# These settings need to be identical in client and server configuration!`

			`# Protect data channel with this cipher`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`cipher AES-256-GCM`
Update OpenVPN config 2018-10-08 11:27:33 +02:00
			`# Authenticate packets in data and control channel using HMAC with this`
			`# message digest algorithm`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`auth SHA256`
Update OpenVPN config 2018-10-08 11:27:33 +02:00
			`# Use this specific cipher to secure the control channel`
Revert to non-ECDHE-cipher due to openvpn issue #963 2018-10-08 14:04:20 +02:00			`tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`
Update OpenVPN config 2018-10-08 11:27:33 +02:00
			`# Only allow TLS version 1.2 and higher`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`tls-version-min "1.2"`
Update OpenVPN config 2018-10-08 11:27:33 +02:00			`### END BLOCK CRYPTOGRAPHY`

Autosave 2018-09-27 10:36:27 +02:00			`# Disable cipher negotiation on server side`
			`ncp-disable`

			`# Send ping message every ten seconds, expect session loss after 60 seconds of no response`
Remove keepalive from client.conf, reduce keepalive timeout on server side 2018-10-10 17:03:11 +02:00			`keepalive 10 30`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Autosave 2018-09-27 10:36:27 +02:00			`# Notify clients when the server restarts or shuts down.`
			`# Default behaviour: Tell clients to try to connect to the same server again.`
			`explicit-exit-notify 1`

			`# Enable these if you plan to enable running on reduced privileges`
			`# These options allow to keep the private key and the virtual network device handle in memory`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`persist-key`
			`persist-tun`

Autosave 2018-09-27 10:36:27 +02:00			`# Reduce privileges after launch (uncomment and adapt on unix/linux system)`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`user nobody`
Fix a bad bug that i did not catch yet 2018-09-07 19:21:17 +02:00			`group nogroup`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Logging settings`
Add remark about server side log level 2018-11-01 11:14:18 +01:00			# - `verb 3` is enough for debugging most issues
			# - `verb 0` is recommended for regular operation
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`verb 3`
			`mute 5`

Autosave 2018-09-27 10:36:27 +02:00			`# Print a list of active sessions into this file`
			`# This might be helpful if you plan big maintenance`
Autosave 2018-09-27 10:58:53 +02:00			`status inform/status.log`