Minor fixups in config

2018-09-19 21:48:08 +02:00 · 2018-09-19 21:48:08 +02:00 · 7dbe58aeda
parent 0d62622f15
commit 7dbe58aeda
2 changed files with 12 additions and 6 deletions
--- a/openvpn-config/vpnclient.conf
+++ b/openvpn-config/vpnclient.conf
@ -14,7 +14,7 @@ dev tun
 # Specify vpn server
 remote vpn-test.inform.hs-hannover.de 1194

-# Certificates
+# Certificates (relative paths work, too)
 ca /etc/openvpn/vpnclient/ca.crt
 cert /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.crt
 key /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.key
@ -39,6 +39,7 @@ persist-key
 persist-tun

 # Reduced privileges if possible (uncomment and adapt on unix/linux system)
+# Note: On some systems, the group is "nobody" instead of "nogroup".
 user nobody
 group nogroup

--- a/openvpn-config/vpnserver.conf
+++ b/openvpn-config/vpnserver.conf
@ -1,13 +1,15 @@
 # Listen on 1194 for both IPv4 and IPv6
 port 1194
-multihome
 proto udp
 proto udp6

+# Since we have more than one ip address, this makes openvpn respond with sender addresses
+multihome
+
 # We're using the layer 3 tunnel device
 dev tun

-# Certificates
+# Certificates (relative paths work, too)
 ca /etc/openvpn/vpnserver/ca.crt
 cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
 key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key
@ -25,7 +27,8 @@ crl-verify /etc/openvpn/vpnserver/crl.pem
 remote-cert-tls client

 # Allow multiple connections using the same certificate?
-#duplicate-cn
+# Currently, we do.
+duplicate-cn

 # We're using subnet topology
 topology subnet
@ -37,7 +40,7 @@ server 10.2.0.0 255.255.0.0
 server-ipv6 2001:638:614:1750::/64

 # Do we need persistence here?
-# No, not yet.
+# No, not yet. Probably never.
 #ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt

 # Make sure the client can still reach the OpenVPN server via its default gateway
@ -50,7 +53,8 @@ push "route 10.3.1.0 255.255.255.0 vpn_gateway"
 push "route 10.0.0.0 255.255.255.0 vpn_gateway"

 # Push the whole /56 block for IPv6
-push "route-ipv6 2003:638:614:1700::/56"
+# (The vpn_gateway placeholder does not work here.)
+push "route-ipv6 2003:638:614:1700::/56 2001:638:614:1750::1"

 # Specific settings regarding TLS, chiphers and hash algorithms
 cipher AES-256-GCM
@ -74,4 +78,5 @@ verb 3
 mute 5

 # Have a status log if needed.
+# We do not need it.
 # status /etc/openvpn/vpnserver/status.log