2018-09-03 10:21:39 +02:00
|
|
|
# This is the client configuration
|
|
|
|
|
client
|
|
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# No need to bind on specific interfaces, just send packets to the openvpn server
|
2018-09-03 10:21:39 +02:00
|
|
|
nobind
|
|
|
|
|
|
|
|
|
|
# Send udp packets to port 1194
|
|
|
|
|
port 1194
|
|
|
|
|
proto udp
|
|
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# We're using the virtual network interface on layer 3
|
2018-09-03 10:21:39 +02:00
|
|
|
dev tun
|
|
|
|
|
|
2018-09-19 12:23:33 +02:00
|
|
|
# Specify vpn server
|
|
|
|
|
remote vpn-test.inform.hs-hannover.de 1194
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# Certificates to use. EDIT THIS SECTION to reflect your situation
|
|
|
|
|
ca /etc/openvpn/vpnclient/ca.crt
|
|
|
|
|
cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
|
|
|
|
|
key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-27 10:54:57 +02:00
|
|
|
# Prevent OpenVPN from caching the password of your private key in memory.
|
|
|
|
|
# Depending on your use case for OpenVPN, enabling this option can provide more protection
|
|
|
|
|
# for your private key (and more password prompts during an OpenVPN session)
|
|
|
|
|
#auth-nocache
|
|
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# Assume client role in tls handshake
|
2018-09-19 14:09:30 +02:00
|
|
|
tls-client
|
|
|
|
|
|
2018-09-03 10:21:39 +02:00
|
|
|
# Make sure the server presents a certificate with "server role"
|
2018-09-27 10:36:27 +02:00
|
|
|
# This way people with proper client certificates are unable to impersonate the server
|
2018-09-03 10:21:39 +02:00
|
|
|
remote-cert-tls server
|
|
|
|
|
|
2018-10-08 11:27:33 +02:00
|
|
|
### START BLOCK CRYPTOGRAPHY
|
2018-09-19 14:09:30 +02:00
|
|
|
# Specific settings regarding TLS, chiphers and hash algorithms
|
2018-09-27 10:36:27 +02:00
|
|
|
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
2018-10-08 11:27:33 +02:00
|
|
|
# These settings need to be identical in client and server configuration!
|
|
|
|
|
|
|
|
|
|
# Protect data channel with this cipher
|
2018-09-19 14:09:30 +02:00
|
|
|
cipher AES-256-GCM
|
2018-10-08 11:27:33 +02:00
|
|
|
|
|
|
|
|
# Authenticate packets in data and control channel using HMAC with this
|
|
|
|
|
# message digest algorithm
|
2018-09-19 14:09:30 +02:00
|
|
|
auth SHA256
|
2018-10-08 11:27:33 +02:00
|
|
|
|
|
|
|
|
# Use this specific cipher to secure the control channel
|
2018-10-08 14:04:20 +02:00
|
|
|
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
|
2018-10-08 11:27:33 +02:00
|
|
|
|
|
|
|
|
# Only allow TLS version 1.2 and higher
|
2018-09-19 14:09:30 +02:00
|
|
|
tls-version-min "1.2"
|
2018-10-08 11:27:33 +02:00
|
|
|
### END BLOCK CRYPTOGRAPHY
|
|
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# Reduce connection timeout so connection problems are visible sooner
|
|
|
|
|
connect-timeout 20
|
|
|
|
|
|
|
|
|
|
# Notify server on client shutdown/restart events, so old sessions get terminated immediately
|
|
|
|
|
# Try to send notification 3 times (because we're using UDP)
|
|
|
|
|
explicit-exit-notify 3
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# Enable these if you plan to enable running on reduced privileges
|
|
|
|
|
# These options allow to keep the private key and the virtual network device handle in memory
|
|
|
|
|
#persist-key
|
|
|
|
|
#persist-tun
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-27 10:36:27 +02:00
|
|
|
# Reduce privileges after launch (uncomment and adapt on unix/linux system)
|
2018-09-27 10:57:05 +02:00
|
|
|
# Note: On some systems, the group is called "nobody" instead of "nogroup"
|
2018-09-20 16:20:16 +02:00
|
|
|
#user nobody
|
2018-09-27 10:57:05 +02:00
|
|
|
#group nogroup
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
|
# Logging settings
|
|
|
|
|
verb 3
|
|
|
|
|
mute 5
|
