masterthesis/openvpn-config/vpnserver.conf

# Listen on 1194 for both IPv4 and IPv6
port 1194
multihome
proto udp
proto udp6

# We're using the layer 3 tunnel device
dev tun

# Certificates
ca /etc/openvpn/vpnserver/ca.crt
cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key

# Assume tls server role
tls-server

# Diffie-Hellman parameters
dh /etc/openvpn/vpnserver/dh.pem

# Certificate revocation list
crl-verify /etc/openvpn/vpnserver/crl.pem

# Make sure the client presents a certificate with "client role"
remote-cert-tls client

# Allow multiple connections using the same certificate?
#duplicate-cn

# We're using subnet topology
topology subnet

# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
server 10.2.0.0 255.255.0.0

# Use this IPv6 network for clients
server-ipv6 2001:638:614:1750::/64

# Do we need persistence here?
# No, not yet.
#ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt

# Make sure the client can still reach the OpenVPN server via its default gateway
push "route remote_host 255.255.255.255 net_gateway"

# Push routes for local IPv4 networks
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
push "route 10.3.1.0 255.255.255.0 vpn_gateway"
push "route 10.0.0.0 255.255.255.0 vpn_gateway"

# Push the whole /56 block for IPv6
push "route-ipv6 2003:638:614:1700::/56"

# Specific settings regarding TLS, chiphers and hash algorithms
cipher AES-256-GCM
auth SHA256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min "1.2"

# Make sure to detect broken sessions
keepalive 10 60

# These are needed for reduced privileges? Probably yes.
persist-key
persist-tun

# Reduced privileges
user nobody
group nogroup

# Logging settings
verb 3
mute 5

# Have a status log if needed.
# status /etc/openvpn/vpnserver/status.log
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`# Listen on 1194 for both IPv4 and IPv6`
			`port 1194`
Autosave 2018-09-19 18:11:07 +02:00			`multihome`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`proto udp`
			`proto udp6`

			`# We're using the layer 3 tunnel device`
			`dev tun`

			`# Certificates`
			`ca /etc/openvpn/vpnserver/ca.crt`
Update openvpn config 2018-09-19 12:23:33 +02:00			`cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt`
			`key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key`
Update openvpn config one more time 2018-09-19 14:09:30 +02:00
			`# Assume tls server role`
			`tls-server`

			`# Diffie-Hellman parameters`
Remove dh params from client configuration 2018-09-12 11:59:43 +02:00			`dh /etc/openvpn/vpnserver/dh.pem`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
Add note about how to refresh CRL 2018-09-19 13:12:41 +02:00			`# Certificate revocation list`
			`crl-verify /etc/openvpn/vpnserver/crl.pem`

Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`# Make sure the client presents a certificate with "client role"`
			`remote-cert-tls client`

			`# Allow multiple connections using the same certificate?`
			`#duplicate-cn`

Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`# We're using subnet topology`
Update openvpn config 2018-09-19 12:23:33 +02:00			`topology subnet`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Use this IPv4 range for clients (/16, so we can cope with all possible clients)`
Update openvpn config 2018-09-19 12:23:33 +02:00			`server 10.2.0.0 255.255.0.0`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Use this IPv6 network for clients`
			`server-ipv6 2001:638:614:1750::/64`

			`# Do we need persistence here?`
Update openvpn config 2018-09-19 12:23:33 +02:00			`# No, not yet.`
			`#ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Make sure the client can still reach the OpenVPN server via its default gateway`
			`push "route remote_host 255.255.255.255 net_gateway"`

Update openvpn config 2018-09-19 12:23:33 +02:00			`# Push routes for local IPv4 networks`
			`push "route 141.71.30.0 255.255.254.0 vpn_gateway"`
			`push "route 192.168.99.0 255.255.255.0 vpn_gateway"`
			`push "route 10.3.1.0 255.255.255.0 vpn_gateway"`
			`push "route 10.0.0.0 255.255.255.0 vpn_gateway"`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Push the whole /56 block for IPv6`
			`push "route-ipv6 2003:638:614:1700::/56"`

Update openvpn config one more time 2018-09-19 14:09:30 +02:00			`# Specific settings regarding TLS, chiphers and hash algorithms`
			`cipher AES-256-GCM`
			`auth SHA256`
			`tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`
			`tls-version-min "1.2"`

Include openvpn config skeletons 2018-09-03 10:21:39 +02:00			`# Make sure to detect broken sessions`
			`keepalive 10 60`

			`# These are needed for reduced privileges? Probably yes.`
			`persist-key`
			`persist-tun`

			`# Reduced privileges`
			`user nobody`
Fix a bad bug that i did not catch yet 2018-09-07 19:21:17 +02:00			`group nogroup`
Include openvpn config skeletons 2018-09-03 10:21:39 +02:00
			`# Logging settings`
			`verb 3`
			`mute 5`

Update openvpn config 2018-09-19 12:23:33 +02:00			`# Have a status log if needed.`
			`# status /etc/openvpn/vpnserver/status.log`