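# OpenVPN server configuration: TLS server, routed (layer-3) tunnel, dual-stack.
# Relative paths resolve against the directory OpenVPN is started in (or --cd).

# Listen on 1194 for both IPv4 and IPv6
port 1194
proto udp
proto udp6

# The host has more than one address: answer from the address the client
# actually sent to, otherwise UDP replies may leave with a different source
# address and be dropped by the client.
multihome

# Layer-3 tunnel device
dev tun

# PKI: CA, server certificate and private key (relative paths work, too).
# The key is read once at startup, before the privilege drop below, and kept
# in memory (persist-key); it should not be readable by "nobody".
ca inform/ca.crt
cert inform/aither.inform.hs-hannover.de.crt
key inform/aither.inform.hs-hannover.de.key

# Assume the TLS server role
tls-server

# Diffie-Hellman parameters. The tls-cipher pinned below is ECDHE-based, so
# finite-field DH is not used for the key exchange, but the file still has to
# load. (On OpenVPN >= 2.4 "dh none" would be an alternative.)
dh inform/dh.pem

# Certificate revocation list. Revocation is the only way to lock out a client
# whose key leaked, so keep this file current. OpenVPN re-reads it while
# running, i.e. after the privilege drop, so it must stay readable by the
# unprivileged user; and once its nextUpdate date has passed, current OpenVPN
# releases reject every connection with "CRL has expired".
crl-verify inform/crl.pem

# Only accept peer certificates issued with the "client" role (key usage /
# extended key usage). A certificate issued to another server in the same PKI
# can then not be used to connect here as a client.
remote-cert-tls client

# Allow multiple concurrent connections using the same certificate.
# Currently we do. Trade-off: a leaked client key can be used in parallel with
# the legitimate client without either session being disconnected, so misuse
# is harder to notice, and per-CN address persistence (ifconfig-pool-persist)
# cannot work reliably. Prefer one certificate per device and drop this option
# when that is feasible.
duplicate-cn

# Control-channel hardening (not enabled: no shared key exists yet).
# tls-crypt authenticates and encrypts the TLS handshake itself, so packets
# without the key are dropped before any TLS state is allocated and the server
# certificate is not visible to passive observers. Generate the key with
# "openvpn --genkey tls-crypt inform/tc.key" and distribute it to all clients
# before enabling this line.
#tls-crypt inform/tc.key

# Subnet topology: one shared subnet for all clients instead of per-client /30s
topology subnet

# IPv4 client range (/16, so we can cope with all possible clients)
server 10.2.0.0 255.255.0.0

# IPv6 client prefix; the server itself takes ::1 of this prefix
server-ipv6 2001:638:614:1750::/64

# Do we need persistence here?
# No, not yet. Probably never. (It would not work well with duplicate-cn anyway.)
#ifconfig-pool-persist inform/ipp.txt

# Keep the client's path to the VPN server itself outside the tunnel.
# Presumably the server's public address lies inside one of the networks pushed
# below (e.g. the Inform /23); without this host route the client would try to
# reach the server through the tunnel and the session would collapse as soon as
# that route is installed.
push "route remote_host 255.255.255.255 net_gateway"

# Push routes for local IPv4 networks.
# Note: these routes are reachability, not access control. Every authenticated
# client gets all of them; restrict sensitive networks on the server's firewall
# (tun interface) or via per-client client-config-dir settings.
# DMZ
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
# Inform
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
# Edu
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
# NAO
push "route 192.168.90.0 255.255.255.0 vpn_gateway"
# iDrac (out-of-band management; a candidate for restricting to admin clients
# rather than pushing it to everyone)
push "route 192.168.70.0 255.255.255.0 vpn_gateway"
# Cluster
push "route 10.0.20.0 255.255.255.0 vpn_gateway"
# educloud
push "route 10.0.30.0 255.255.255.0 vpn_gateway"
# experimental ipv6 network
push "route 10.0.40.0 255.255.255.0 vpn_gateway"
# server network from H-IT for KMS
push "route 141.71.2.0 255.255.255.0 vpn_gateway"

# Push routes for local IPv6 networks.
# (The vpn_gateway placeholder does not work for route-ipv6. The gateway given
# here is the server's tunnel address, i.e. ::1 of the server-ipv6 prefix
# above; keep the two in sync if that prefix ever changes.)
# DMZ
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
# Inform
push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"
# Edu
push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"
# NAO
push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
# Cluster
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"

# Specific settings regarding TLS, ciphers and hash algorithms.
# cipher: data-channel cipher. On OpenVPN >= 2.4 the data cipher is negotiated
# with the client (NCP); on >= 2.5 "data-ciphers" is the authoritative list and
# "cipher" is only a legacy fallback, so add "data-ciphers AES-256-GCM" once
# the server runs 2.5 or later.
cipher AES-256-GCM
# auth: HMAC used for the control channel (and tls-auth/tls-crypt). An AEAD
# data cipher such as AES-256-GCM does not use it on the data channel.
auth SHA256
# tls-cipher only governs TLS 1.2 suites. If the build supports TLS 1.3
# (OpenVPN >= 2.5 with OpenSSL 1.1.1+), TLS 1.3 suites are selected through
# tls-ciphersuites instead, so this pin alone does not restrict 1.3.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2

# Detect broken sessions: ping every 10 s, restart after 60 s of silence
keepalive 10 60

# Required by the privilege drop below: after "user nobody" the daemon can no
# longer re-read the key file or re-open the tun device, so both have to
# survive restarts (SIGUSR1, ping-restart) in memory.
persist-key
persist-tun

# Reduced privileges after startup. (A chroot to an empty directory would be a
# further step; crl-verify would then need the CRL inside the chroot.)
user nobody
group nogroup

# Logging settings
verb 3
mute 5

# Status log: lists connected clients by common name together with their real
# source address and byte counters. Keep the file mode restrictive; it is
# personal data and an inventory of the VPN's users.
status inform/status.log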