masterthesis/openvpn-config/client.conf
# This is the client configuration
client
# No need to bind to a specific local address or port, just send packets to the openvpn server
nobind
# Send udp packets to port 1194
port 1194
proto udp
# Use a layer-3 (routed) virtual network interface
dev tun
# Specify vpn server
remote vpn-test.inform.hs-hannover.de 1194
# Certificates to use. EDIT THIS SECTION to reflect your situation
ca /etc/openvpn/vpnclient/ca.crt
cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key
# Prevent OpenVPN from caching the password of your private key in memory.
# Depending on your use case for OpenVPN, enabling this option can provide more protection
# for your private key (and more password prompts during an OpenVPN session)
#auth-nocache
# Assume client role in tls handshake
tls-client
# Make sure the server presents a certificate with "server role"
# This way holders of valid client certificates cannot impersonate the server
remote-cert-tls server
### START BLOCK CRYPTOGRAPHY
# Specific settings regarding TLS, ciphers and hash algorithms
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
# These settings need to be identical in client and server configuration!
# Protect data channel with this cipher
cipher AES-256-GCM
# Authenticate packets in data and control channel using HMAC with this
# message digest algorithm (note: with an AEAD cipher such as AES-256-GCM the data
# channel is authenticated by the cipher's own tag; this digest still covers the control channel)
auth SHA256
# Restrict the control channel to this specific TLS cipher suite
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Only allow TLS version 1.2 and higher
tls-version-min "1.2"
# Use this elliptic curve for ECDHE within chosen tls-cipher
ecdh-curve brainpoolP512r1
### END BLOCK CRYPTOGRAPHY
# Reduce connection timeout so connection problems are visible sooner
connect-timeout 20
# Notify server on client shutdown/restart events, so old sessions get terminated immediately
# Try to send notification 3 times (because we're using UDP)
explicit-exit-notify 3
# Send ping message every ten seconds, expect session loss after 30 seconds of no response
keepalive 10 30
# Enable these if you plan to run with reduced privileges (see user/group below)
# These options keep the private key and the virtual network device handle in memory
# across restarts, since they cannot be re-read or re-opened once privileges have been dropped
#persist-key
#persist-tun
# Reduce privileges after launch (uncomment and adapt on unix/linux system)
# Note: On some systems, the group is called "nobody" instead of "nogroup"
#user nobody
#group nogroup
# Logging settings
verb 3
mute 5