# Listen on 1194 for both IPv4 and IPv6 port 1194 multihome proto udp proto udp6 # We're using the layer 3 tunnel device dev tun # Certificates ca /etc/openvpn/vpnserver/ca.crt cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key # Assume tls server role tls-server # Diffie-Hellman parameters dh /etc/openvpn/vpnserver/dh.pem # Certificate revocation list crl-verify /etc/openvpn/vpnserver/crl.pem # Make sure the client presents a certificate with "client role" remote-cert-tls client # Allow multiple connections using the same certificate? #duplicate-cn # We're using subnet topology topology subnet # Use this IPv4 range for clients (/16, so we can cope with all possible clients) server 10.2.0.0 255.255.0.0 # Use this IPv6 network for clients server-ipv6 2001:638:614:1750::/64 # Do we need persistence here? # No, not yet. #ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt # Make sure the client can still reach the OpenVPN server via its default gateway push "route remote_host 255.255.255.255 net_gateway" # Push routes for local IPv4 networks push "route 141.71.30.0 255.255.254.0 vpn_gateway" push "route 192.168.99.0 255.255.255.0 vpn_gateway" push "route 10.3.1.0 255.255.255.0 vpn_gateway" push "route 10.0.0.0 255.255.255.0 vpn_gateway" # Push the whole /56 block for IPv6 push "route-ipv6 2003:638:614:1700::/56" # Specific settings regarding TLS, chiphers and hash algorithms cipher AES-256-GCM auth SHA256 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 tls-version-min "1.2" # Make sure to detect broken sessions keepalive 10 60 # These are needed for reduced privileges? Probably yes. persist-key persist-tun # Reduced privileges user nobody group nogroup # Logging settings verb 3 mute 5 # Have a status log if needed. # status /etc/openvpn/vpnserver/status.log