masterthesis/openvpn-config/server.conf

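# Listen on 1194 for both IPv4 and IPv6
port 1194
proto udp
proto udp6
# NOTE(review): --proto is single-valued, so of the two lines above only the last one (udp6)
# takes effect. On OpenVPN 2.4+ either form binds dual-stack; on 2.3 udp6 is IPv6-only —
# confirm the installed version if IPv4 clients must be served by this instance.
# Since we have more than one ip address, this makes openvpn reply from the address the client sent to
multihome
# We're using the layer 3 tunnel device
dev tun
# Certificates (relative paths work, too; they are resolved from the working directory OpenVPN
# is started in / --cd, not from the location of this file)
ca inform/ca.crt
cert inform/aither.inform.hs-hannover.de.crt
key inform/aither.inform.hs-hannover.de.key
# Assume tls server role
tls-server
# Diffie-Hellman parameters (only used when a DHE suite is negotiated; with the ECDHE-only
# tls-cipher below this is effectively unused, but harmless)
dh inform/dh.pem
# Certificate revocation list, checked for every connecting client. Keep it fresh: a CRL past
# its nextUpdate makes every connection fail, not only the revoked ones.
crl-verify inform/crl.pem
# Make sure the client presents a certificate with "client role" (EKU clientAuth), so a
# server certificate issued by the same CA cannot be used to connect as a client
remote-cert-tls client
# Allow multiple connections using the same certificate?
# Currently, we do.
# NOTE(review): this trades per-client accountability for convenience — one shared or leaked
# certificate can be used from many hosts at once, and revoking it cuts off everyone using it.
duplicate-cn
# We're using subnet topology
topology subnet
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
server 10.2.0.0 255.255.0.0
# Use this IPv6 network for clients (the server itself takes ::1 in this prefix)
server-ipv6 2001:638:614:1750::/64
# Do we need persistence here?
# No, not yet. Probably never.
#ifconfig-pool-persist inform/ipp.txt
# Make sure the client can still reach the OpenVPN server via its default gateway
# (a host route that wins over any pushed network that happens to contain the server's address)
push "route remote_host 255.255.255.255 net_gateway"
# Push routes for local IPv4 networks
# DMZ
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
# Inform
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
# Edu
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
# NAO
push "route 192.168.90.0 255.255.255.0 vpn_gateway"
# iDrac
push "route 192.168.70.0 255.255.255.0 vpn_gateway"
# Cluster
push "route 10.0.20.0 255.255.255.0 vpn_gateway"
# educloud
push "route 10.0.30.0 255.255.255.0 vpn_gateway"
# experimental ipv6 network
push "route 10.0.40.0 255.255.255.0 vpn_gateway"
# server network from H-IT for KMS
push "route 141.71.2.0 255.255.255.0 vpn_gateway"
# Push routes for local IPv6 networks
# (The vpn_gateway placeholder does not work here, so the server's own tunnel address from
# the server-ipv6 prefix is given explicitly as the next hop.)
# DMZ
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
# Inform
push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"
# Edu
push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"
# NAO
push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
# Cluster
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
# Specific settings regarding TLS, ciphers and hash algorithms
# Data channel: AES-256-GCM is an AEAD cipher, so `auth` is not used for it; `auth` still
# selects the control-channel HMAC if tls-auth/tls-crypt is enabled later.
cipher AES-256-GCM
auth SHA256
# Control channel: a single suite — ECDHE for forward secrecy, RSA to match the server key.
# Clients that do not support exactly this suite cannot connect.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min "1.2"
# NOTE(review): no tls-auth/tls-crypt is configured, so anyone who can reach UDP/1194 can start
# a TLS handshake with the server. `tls-crypt <path-to-shared-key>` (placeholder; the same key
# goes on every client) authenticates and encrypts control-channel packets before TLS runs,
# which drops unauthenticated traffic early and hides the handshake from on-path observers.
# Make sure to detect broken sessions
# (ping every 10 s; on the server side the timeout is doubled to 120 s and the stated
# values are pushed to the clients)
keepalive 10 60
# Needed together with the privilege drop below: once running as nobody/nogroup the process
# can no longer re-read the private key or re-open the tun device on a restart
# (SIGUSR1 / ping-restart), so both are kept across restarts.
persist-key
persist-tun
# Reduced privileges (nogroup is the Debian/Ubuntu name; other distributions use nobody)
user nobody
group nogroup
# Logging settings
verb 3
mute 5
# Have a status log (lists connected clients by CN and address; rewritten every 60 s by default)
status inform/status.log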