137 lines
4.1 KiB
Plaintext
137 lines
4.1 KiB
Plaintext
# Listen on 1194 for both IPv4 and IPv6
|
|
port 1194
|
|
proto udp
|
|
proto udp6
|
|
|
|
# Since we have more than one ip address, this makes openvpn respond
|
|
# with the right sender address
|
|
multihome
|
|
|
|
# We're using the virtual network interface on layer 3
|
|
dev tun
|
|
|
|
# Certificates to use. Paths are relative to config file location.
|
|
ca inform/ca.crt
|
|
cert inform/aither.inform.hs-hannover.de.crt
|
|
key inform/aither.inform.hs-hannover.de.key
|
|
|
|
# Assume server role in tls handshake
|
|
tls-server
|
|
|
|
# Diffie-Hellman parameter file
|
|
# (not needed for TLS cipher with ECDHE instead of DHE)
|
|
dh none
|
|
|
|
# Certificate revocation list location
|
|
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
|
|
crl-verify inform/crl.pem
|
|
|
|
# Make sure the client presents a certificate with "client role"
|
|
remote-cert-tls client
|
|
|
|
# Allow multiple connections using the same certificate?
|
|
# There is no reason to not allow this, so it is allowed.
|
|
duplicate-cn
|
|
|
|
# We're using subnet topology for IPv4 tunnel connectivity
|
|
topology subnet
|
|
|
|
# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
|
|
server 10.2.0.0 255.255.0.0
|
|
|
|
# Use this IPv6 network for clients
|
|
server-ipv6 2001:638:614:1750::/64
|
|
|
|
# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
|
|
# This is needed because the IPv4 route for DMZ is pushed below,
|
|
# which overlaps the OpenVPN server IPv4 address.
|
|
push "route remote_host 255.255.255.255 net_gateway"
|
|
|
|
# Push routes for local IPv4 networks
|
|
#
|
|
# DMZ
|
|
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
|
|
# Inform
|
|
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
|
|
# Edu
|
|
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
|
|
# NAO
|
|
push "route 192.168.90.0 255.255.255.0 vpn_gateway"
|
|
# iDrac
|
|
push "route 192.168.70.0 255.255.255.0 vpn_gateway"
|
|
# Cluster
|
|
push "route 10.0.20.0 255.255.255.0 vpn_gateway"
|
|
# educloud
|
|
push "route 10.0.30.0 255.255.255.0 vpn_gateway"
|
|
# experimental ipv6 network
|
|
push "route 10.0.40.0 255.255.255.0 vpn_gateway"
|
|
# server network from H-IT for KMS
|
|
push "route 141.71.2.0 255.255.255.0 vpn_gateway"
|
|
|
|
# Push routes for local IPv6 networks
|
|
# (The vpn_gateway placeholder does not work here.)
|
|
# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will
|
|
# automatically trigger creating a direct route to the OpenVPN server on the client.
|
|
#
|
|
# DMZ
|
|
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
|
|
# Inform
|
|
push "route-ipv6 2001:638:614:1720::/64 2001:638:614:1750::1"
|
|
# Edu
|
|
push "route-ipv6 2001:638:614:1721::/64 2001:638:614:1750::1"
|
|
# NAO
|
|
push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
|
|
# Cluster
|
|
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
|
|
# experimental ipv6 network
|
|
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
|
|
|
|
### START BLOCK CRYPTOGRAPHY
|
|
# Specific settings regarding TLS, chiphers and hash algorithms
|
|
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
|
# These settings need to be identical in client and server configuration!
|
|
|
|
# Protect data channel with this cipher
|
|
cipher AES-256-GCM
|
|
|
|
# Authenticate packets in data and control channel using HMAC with this
|
|
# message digest algorithm
|
|
auth SHA256
|
|
|
|
# Use this specific cipher to secure the control channel
|
|
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
|
|
|
# Only allow TLS version 1.2 and higher
|
|
tls-version-min "1.2"
|
|
|
|
# Use this elliptic curve for ECDHE within chosen tls-cipher
|
|
ecdh-curve brainpoolP512r1
|
|
### END BLOCK CRYPTOGRAPHY
|
|
|
|
# Disable cipher negotiation on server side
|
|
ncp-disable
|
|
|
|
# Send ping message every ten seconds, expect session loss after 60 seconds of no response
|
|
keepalive 10 60
|
|
|
|
# Notify clients when the server restarts or shuts down.
|
|
# Default behaviour: Tell clients to try to connect to the same server again.
|
|
explicit-exit-notify 1
|
|
|
|
# Enable these if you plan to enable running on reduced privileges
|
|
# These options allow to keep the private key and the virtual network device handle in memory
|
|
persist-key
|
|
persist-tun
|
|
|
|
# Reduce privileges after launch (uncomment and adapt on unix/linux system)
|
|
user nobody
|
|
group nogroup
|
|
|
|
# Logging settings
|
|
verb 3
|
|
mute 5
|
|
|
|
# Print a list of active sessions into this file
|
|
# This might be helpful if you plan big maintenance
|
|
status inform/status.log
|