# OpenVPN server configuration (aither.inform.hs-hannover.de)
# Reformatted: one directive per line; directives themselves are unchanged.

# Listen on 1194 for both IPv4 and IPv6
# Note: OpenVPN keeps only the last `proto` directive, so `udp6` is what gets
# bound. On 2.4+ an IPv6 UDP socket is dual-stack and also accepts IPv4
# clients unless `bind ipv6only` is set, which is why this still works.
port 1194
proto udp
proto udp6
# Since we have more than one ip address, this makes openvpn respond
# with the right sender address
multihome
# We're using the virtual network interface on layer 3
dev tun
# Certificates to use. Paths are relative to config file location.
# The private key is loaded at startup (before the privilege drop further
# below, thanks to persist-key) and should stay readable by root only.
ca inform/ca.crt
cert inform/aither.inform.hs-hannover.de.crt
key inform/aither.inform.hs-hannover.de.key
# Assume server role in tls handshake
tls-server
# Diffie-Hellman parameter file
# (not needed for TLS cipher with ECDHE instead of DHE)
# The tls-cipher pinned below is a DHE suite, so this file IS required here.
dh inform/dh.pem
# Certificate revocation list location
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
# The CRL is read again when clients connect, i.e. after privileges have been
# dropped to nobody/nogroup (see below), so it must stay readable for that user.
crl-verify inform/crl.pem
# Make sure the client presents a certificate with "client role"
remote-cert-tls client
# Allow multiple connections using the same certificate?
# There is no reason to not allow this, so it is allowed.
# Trade-off: concurrent sessions from one certificate are not rejected, so a
# copied client key is not noticed by OpenVPN itself. Revoking via the CRL
# above and watching the status file below are the handles for that case.
duplicate-cn
# We're using subnet topology for IPv4 tunnel connectivity
topology subnet
# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
server 10.2.0.0 255.255.0.0
# Use this IPv6 network for clients
server-ipv6 2001:638:614:1750::/64
# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
# This is needed because the IPv4 route for DMZ is pushed below,
# which overlaps the OpenVPN server IPv4 address.
push "route remote_host 255.255.255.255 net_gateway"
# Push routes for local IPv4 networks
#
# DMZ
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
# Inform
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
# Edu
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
# NAO
push "route 192.168.90.0 255.255.255.0 vpn_gateway"
# iDrac
push "route 192.168.70.0 255.255.255.0 vpn_gateway"
# Cluster
push "route 10.0.20.0 255.255.255.0 vpn_gateway"
# educloud
push "route 10.0.30.0 255.255.255.0 vpn_gateway"
# experimental ipv6 network
push "route 10.0.40.0 255.255.255.0 vpn_gateway"
# server network from H-IT for KMS
push "route 141.71.2.0 255.255.255.0 vpn_gateway"
# Push routes for local IPv6 networks
# (The vpn_gateway placeholder does not work here.)
# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will
# automatically trigger creating a direct route to the OpenVPN server on the client.
#
# DMZ
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
# Inform
push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"
# Edu
push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"
# NAO
push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
# Cluster
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
# experimental ipv6 network
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
### START BLOCK CRYPTOGRAPHY
# Specific settings regarding TLS, ciphers and hash algorithms
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
# These settings need to be identical in client and server configuration!
# Protect data channel with this cipher (AEAD: the cipher authenticates the
# data channel itself)
cipher AES-256-GCM
# Authenticate packets in data and control channel using HMAC with this
# message digest algorithm
# Note: with an AEAD data-channel cipher (GCM) this digest is ignored for the
# data channel; it is only used for control-channel packet authentication
# (tls-auth/tls-crypt). NOTE(review): neither tls-auth nor tls-crypt is
# configured, so any host can start a TLS handshake with this server; adding
# `tls-crypt` would require rolling the same key out to every client.
auth SHA256
# Use this specific cipher to secure the control channel
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# Only allow TLS version 1.2 and higher
tls-version-min "1.2"
### END BLOCK CRYPTOGRAPHY
# Disable cipher negotiation on server side
# Deprecated in OpenVPN 2.5 and removed in 2.6; on 2.5+ the equivalent is
# `data-ciphers AES-256-GCM`. Keep this line only while the server runs 2.4.
ncp-disable
# Send ping message every ten seconds, expect session loss after 60 seconds of no response
# Expands to `ping 10` / `ping-restart 60` on the server and pushes
# `ping 10` / `ping-restart 30` to clients (server timeout is doubled so the
# client gives up first and reconnects).
keepalive 10 30
# Notify clients when the server restarts or shuts down.
# Default behaviour: Tell clients to try to connect to the same server again.
# (Only effective over UDP, which is what both proto lines above use.)
explicit-exit-notify 1
# Needed because privileges are dropped below: keep the private key and the
# virtual network device handle in memory across restarts, since the
# unprivileged user could not re-open them.
persist-key
persist-tun
# Reduce privileges after launch (these lines are active; adapt the user and
# group to your unix/linux system)
user nobody
group nogroup
# Logging settings
# - `verb 3` is enough for debugging most issues
# - `verb 0` is recommended for regular operation
#   (`verb 0` logs nothing but fatal errors, so connection and authentication
#   events disappear from the log; keep `verb 3` if the log feeds monitoring)
verb 3
mute 5
# Print a list of active sessions into this file
# This might be helpful if you plan big maintenance
# (also the place to spot one common name connected from several addresses,
# see duplicate-cn above)
status inform/status.log