# Listen on 1194 for both IPv4 and IPv6 port 1194 proto udp proto udp6 # Since we have more than one ip address, this makes openvpn respond with sender addresses multihome # We're using the layer 3 tunnel device dev tun # Certificates (relative paths work, too) ca inform/ca.crt cert inform/aither.inform.hs-hannover.de.crt key inform/aither.inform.hs-hannover.de.key # Assume tls server role tls-server # Diffie-Hellman parameters dh inform/dh.pem # Certificate revocation list crl-verify inform/crl.pem # Make sure the client presents a certificate with "client role" remote-cert-tls client # Allow multiple connections using the same certificate? # Currently, we do. duplicate-cn # We're using subnet topology topology subnet # Use this IPv4 range for clients (/16, so we can cope with all possible clients) server 10.2.0.0 255.255.0.0 # Use this IPv6 network for clients server-ipv6 2001:638:614:1750::/64 # Do we need persistence here? # No, not yet. Probably never. #ifconfig-pool-persist inform/ipp.txt # Make sure the client can still reach the OpenVPN server via its default gateway push "route remote_host 255.255.255.255 net_gateway" # Push routes for local IPv4 networks push "route 141.71.30.0 255.255.254.0 vpn_gateway" push "route 192.168.99.0 255.255.255.0 vpn_gateway" push "route 10.3.1.0 255.255.255.0 vpn_gateway" push "route 10.0.0.0 255.255.255.0 vpn_gateway" # Push the whole /56 block for IPv6 # (The vpn_gateway placeholder does not work here.) push "route-ipv6 2003:638:614:1700::/56 2001:638:614:1750::1" # Specific settings regarding TLS, chiphers and hash algorithms cipher AES-256-GCM auth SHA256 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 tls-version-min "1.2" # Make sure to detect broken sessions keepalive 10 60 # These are needed for reduced privileges? Probably yes. persist-key persist-tun # Reduced privileges user nobody group nogroup # Logging settings verb 3 mute 5 # Have a status log if needed. # We do not need it. # status inform/status.log