masterthesis/openvpn-config/vpnserver.conf
2018-09-19 18:11:07 +02:00

78 lines
1.8 KiB
Plaintext

# Listen on 1194 for both IPv4 and IPv6
port 1194
multihome
proto udp
proto udp6
# We're using the layer 3 tunnel device
dev tun
# Certificates
ca /etc/openvpn/vpnserver/ca.crt
cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key
# Assume tls server role
tls-server
# Diffie-Hellman parameters
dh /etc/openvpn/vpnserver/dh.pem
# Certificate revocation list
crl-verify /etc/openvpn/vpnserver/crl.pem
# Make sure the client presents a certificate with "client role"
remote-cert-tls client
# Allow multiple connections using the same certificate?
#duplicate-cn
# We're using subnet topology
topology subnet
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
server 10.2.0.0 255.255.0.0
# Use this IPv6 network for clients
server-ipv6 2001:638:614:1750::/64
# Do we need persistence here?
# No, not yet.
#ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt
# Make sure the client can still reach the OpenVPN server via its default gateway
push "route remote_host 255.255.255.255 net_gateway"
# Push routes for local IPv4 networks
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
push "route 10.3.1.0 255.255.255.0 vpn_gateway"
push "route 10.0.0.0 255.255.255.0 vpn_gateway"
# Push the whole /56 block for IPv6
push "route-ipv6 2003:638:614:1700::/56"
# Specific settings regarding TLS, chiphers and hash algorithms
cipher AES-256-GCM
auth SHA256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min "1.2"
# Make sure to detect broken sessions
keepalive 10 60
# These are needed for reduced privileges? Probably yes.
persist-key
persist-tun
# Reduced privileges
user nobody
group nogroup
# Logging settings
verb 3
mute 5
# Have a status log if needed.
# status /etc/openvpn/vpnserver/status.log