# OpenVPN client profile.
# Read by openvpn(8); one directive per line, '#' starts a comment.

# Take the client role (this already implies pull and tls-client).
client

# No fixed local port: packets are simply sent towards the server.
nobind

# Transport: UDP, port 1194.
port 1194
proto udp

# Layer-3 (routed) virtual interface.
dev tun

# Server to connect to: host and port.
remote vpn-test.inform.hs-hannover.de 1194

# PKI material. ADAPT THESE PATHS to your own CA, certificate and private key.
ca /etc/openvpn/vpnclient/ca.crt
cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key

# Keep the private-key passphrase out of process memory between uses.
# Costs extra passphrase prompts during a session, but a memory dump of the
# running process no longer contains the passphrase.
#auth-nocache

# Client side of the TLS handshake (redundant with 'client' above, kept explicit).
tls-client

# Require the server certificate to carry the "server" role (key usage / EKU).
# Without this, any holder of a valid client certificate could pose as the server.
remote-cert-tls server

### START BLOCK CRYPTOGRAPHY
# TLS, cipher and digest settings. DO NOT CHANGE without explicit instruction;
# client and server must agree on every value in this block.
# NOTE(review): no tls-auth / tls-crypt key is configured, so the control channel
# relies on the TLS handshake alone; a key may only be added if the server side
# provides the matching one.

# Data-channel cipher (AEAD: encrypts and authenticates the payload).
# NOTE(review): OpenVPN releases with cipher negotiation may choose the data
# cipher via data-ciphers / ncp-ciphers rather than this value — verify against
# the version actually deployed.
cipher AES-256-GCM

# HMAC digest for packet authentication on the control and data channel
# (with an AEAD data cipher such as GCM it only matters for the control channel).
auth SHA256

# Control-channel cipher suite: ECDHE key exchange (forward secrecy), RSA-signed.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

# Refuse anything below TLS 1.2.
tls-version-min "1.2"

# Curve used for the ECDHE exchange of the suite above.
ecdh-curve brainpoolP512r1
### END BLOCK CRYPTOGRAPHY

# Abandon a connection attempt after 20 seconds so failures show up quickly.
connect-timeout 20

# Inform the server when this client exits or restarts so its session is torn
# down at once; sent 3 times because UDP offers no delivery guarantee.
explicit-exit-notify 3

# Ping every 10 s; treat the peer as gone after 30 s without a reply.
keepalive 10 30

# Companions to the privilege drop below: keep key material and the tun
# device handle across restarts once the process can no longer reopen them.
#persist-key
#persist-tun

# Drop root after start-up (Unix/Linux; uncomment and adapt).
# Some distributions name the group "nobody" rather than "nogroup".
#user nobody
#group nogroup

# Logging: verbosity level 3; at most 5 consecutive messages of one category.
verb 3
mute 5