60 lines
1.4 KiB
Plaintext
60 lines
1.4 KiB
Plaintext
# Listen on 1194 for both IPv4 and IPv6
|
|
port 1194
|
|
proto udp
|
|
proto udp6
|
|
|
|
# We're using the layer 3 tunnel device
|
|
dev tun
|
|
|
|
# Certificates
|
|
ca /etc/openvpn/vpnserver/ca.crt
|
|
cert /etc/openvpn/vpnserver/vpnserver.crt
|
|
key /etc/openvpn/vpnserver/vpnserver.key
|
|
dh /etc/openvpn/vpnserver/dh2048.pem
|
|
|
|
# Make sure the client presents a certificate with "client role"
|
|
remote-cert-tls client
|
|
|
|
# Allow multiple connections using the same certificate?
|
|
#duplicate-cn
|
|
|
|
# net30 is point-to-point, compatible with windows
|
|
# TODO: Topology subnet is supposed to work with windows just fine. CHECK THIS
|
|
topology net30
|
|
|
|
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
|
|
server 10.183.0.0 255.255.0.0
|
|
|
|
# Use this IPv6 network for clients
|
|
server-ipv6 2001:638:614:1750::/64
|
|
|
|
# Do we need persistence here?
|
|
ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt
|
|
|
|
# Make sure the client can still reach the OpenVPN server via its default gateway
|
|
push "route remote_host 255.255.255.255 net_gateway"
|
|
|
|
# Push routes for local networks
|
|
push "route 172.16.20.0 255.255.255.0 vpn_gateway"
|
|
|
|
# Push the whole /56 block for IPv6
|
|
push "route-ipv6 2003:638:614:1700::/56"
|
|
|
|
# Make sure to detect broken sessions
|
|
keepalive 10 60
|
|
|
|
# These are needed for reduced privileges? Probably yes.
|
|
persist-key
|
|
persist-tun
|
|
|
|
# Reduced privileges
|
|
user nobody
|
|
group nogroup
|
|
|
|
# Logging settings
|
|
verb 3
|
|
mute 5
|
|
|
|
# Have a status log
|
|
status /etc/openvpn/vpnserver/status.log
|