2018-09-03 10:21:39 +02:00
|
|
|
# Listen on 1194 for both IPv4 and IPv6
|
|
|
|
port 1194
|
|
|
|
proto udp
|
|
|
|
proto udp6
|
|
|
|
|
2018-09-19 21:48:08 +02:00
|
|
|
# Since we have more than one ip address, this makes openvpn respond with sender addresses
|
|
|
|
multihome
|
|
|
|
|
2018-09-03 10:21:39 +02:00
|
|
|
# We're using the layer 3 tunnel device
|
|
|
|
dev tun
|
|
|
|
|
2018-09-19 21:48:08 +02:00
|
|
|
# Certificates (relative paths work, too)
|
2018-09-20 15:04:54 +02:00
|
|
|
ca inform/ca.crt
|
|
|
|
cert inform/aither.inform.hs-hannover.de.crt
|
|
|
|
key inform/aither.inform.hs-hannover.de.key
|
2018-09-19 14:09:30 +02:00
|
|
|
|
|
|
|
# Assume tls server role
|
|
|
|
tls-server
|
|
|
|
|
|
|
|
# Diffie-Hellman parameters
|
2018-09-20 15:04:54 +02:00
|
|
|
dh inform/dh.pem
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-19 13:12:41 +02:00
|
|
|
# Certificate revocation list
|
2018-09-20 15:04:54 +02:00
|
|
|
crl-verify inform/crl.pem
|
2018-09-19 13:12:41 +02:00
|
|
|
|
2018-09-03 10:21:39 +02:00
|
|
|
# Make sure the client presents a certificate with "client role"
|
|
|
|
remote-cert-tls client
|
|
|
|
|
|
|
|
# Allow multiple connections using the same certificate?
|
2018-09-19 21:48:08 +02:00
|
|
|
# Currently, we do.
|
|
|
|
duplicate-cn
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-19 14:09:30 +02:00
|
|
|
# We're using subnet topology
|
2018-09-19 12:23:33 +02:00
|
|
|
topology subnet
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
|
2018-09-19 12:23:33 +02:00
|
|
|
server 10.2.0.0 255.255.0.0
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
# Use this IPv6 network for clients
|
|
|
|
server-ipv6 2001:638:614:1750::/64
|
|
|
|
|
|
|
|
# Do we need persistence here?
|
2018-09-19 21:48:08 +02:00
|
|
|
# No, not yet. Probably never.
|
2018-09-20 15:07:52 +02:00
|
|
|
#ifconfig-pool-persist inform/ipp.txt
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
# Make sure the client can still reach the OpenVPN server via its default gateway
|
|
|
|
push "route remote_host 255.255.255.255 net_gateway"
|
|
|
|
|
2018-09-19 12:23:33 +02:00
|
|
|
# Push routes for local IPv4 networks
|
|
|
|
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
|
|
|
|
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
|
|
|
|
push "route 10.3.1.0 255.255.255.0 vpn_gateway"
|
|
|
|
push "route 10.0.0.0 255.255.255.0 vpn_gateway"
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
# Push the whole /56 block for IPv6
|
2018-09-19 21:48:08 +02:00
|
|
|
# (The vpn_gateway placeholder does not work here.)
|
|
|
|
push "route-ipv6 2003:638:614:1700::/56 2001:638:614:1750::1"
|
2018-09-03 10:21:39 +02:00
|
|
|
|
2018-09-19 14:09:30 +02:00
|
|
|
# Specific settings regarding TLS, chiphers and hash algorithms
|
|
|
|
cipher AES-256-GCM
|
|
|
|
auth SHA256
|
|
|
|
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
|
|
|
tls-version-min "1.2"
|
|
|
|
|
2018-09-03 10:21:39 +02:00
|
|
|
# Make sure to detect broken sessions
|
|
|
|
keepalive 10 60
|
|
|
|
|
|
|
|
# These are needed for reduced privileges? Probably yes.
|
|
|
|
persist-key
|
|
|
|
persist-tun
|
|
|
|
|
|
|
|
# Reduced privileges
|
|
|
|
user nobody
|
2018-09-07 19:21:17 +02:00
|
|
|
group nogroup
|
2018-09-03 10:21:39 +02:00
|
|
|
|
|
|
|
# Logging settings
|
|
|
|
verb 3
|
|
|
|
mute 5
|
|
|
|
|
2018-09-19 12:23:33 +02:00
|
|
|
# Have a status log if needed.
|
2018-09-19 21:48:08 +02:00
|
|
|
# We do not need it.
|
2018-09-20 15:07:52 +02:00
|
|
|
# status inform/status.log
|