trupsalms

Untitled

Oct 14th, 2019
  1. ## GENERAL ##
  2.  
  3. # TCP or UDP, port 443, tunneling
  4. mode server
  5. proto tcp4
  6. port 443
  7. port-share 127.0.0.1 4443
  8. dev tun
  9.  
  10. ## KEY, CERTS AND NETWORK CONFIGURATION ##
  11. # Identity
  12. ca /etc/openvpn/server/ca.crt
  13. # Public key
  14. cert /etc/openvpn/server/shawn-route.crt
  15. # Private key
  16. key /etc/openvpn/server/shawn-route.key
  17. # Symmetric encryption
  18. #DH and CRL key
  19. dh /etc/openvpn/server/dh.pem
  20. #crl-verify /etc/openvpn/server/crl.pem
  21. # Improve security (DDOS, port flooding...)
  22.  
  23.  
  24. # TLS Security
  25. cipher AES-256-CBC
  26. # 0 for the server, 1 for the client
  27. # tls-auth ta.key 0
  28. auth SHA512
  29. auth-nocache loop
  30.  
  31. #Enable multiple client to connect with same certificate key
  32. duplicate-cn
  33.  
  34. # Network
  35. # Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
  36. server 10.8.0.0 255.255.255.0
  37.  
  38. # Allows for local resources to still be reached while connected to OpenVPN server
  39. #push "route 192.168.0.1 255.255.255.0"
  40. #push "route 192.168.1.0 255.255.255.0"
  41. route "192.168.0.1 255.255.255.0 10.8.0.0"
  42.  
  43. # Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
  44. push "redirect-gateway def1"
  45.  
  46. # Alternatives DNS (FDN)
  47. #push "dhcp-option DNS 80.67.169.12"
  48. #push "dhcp-option DNS 80.67.169.40"
  49. push "dhcp-option DNS 10.8.0.1"
  50.  
  51. # (OpenDNS)
  52. # push "dhcp-option DNS 208.67.222.222"
  53. # push "dhcp-option DNS 208.67.220.220"
  54.  
  55. # (Google)
  56. # push "dhcp-option DNS 8.8.8.8"
  57. # push "dhcp-option DNS 8.8.4.4"
  58.  
  59. # Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
  60. keepalive 10 120
  61. # Regenerate key each 5 hours (disconnect the client)
  62. reneg-sec 18000
  63.  
  64. ## SECURITY ##
  65.  
  66. # Downgrade privileges of the daemon
  67. user nobody
  68. group nobody
  69.  
  70. # Persist keys (because we are nobody, so we couldn't read them again)
  71. persist-key
  72. # Don't close and re open TUN/TAP device
  73. persist-tun
  74. # Enable compression
  75. comp-lzo
  76.  
  77. ## LOG ##
  78.  
  79. # Verbosity
  80. # 3/4 for a normal utilisation
  81. verb 3
  82. # Max 20 messages of the same category
  83. mute 20
  84. # Log gile where we put the clients status
  85. status openvpn-status.log
  86. # Log file
  87. log-append /var/log/openvpn.log
  88. # Configuration directory of the clients
  89. client-config-dir ccd
  90.  
  91. ## PASS ##
  92.  
  93. # Allow running external scripts with password in ENV variables
  94. script-security 3
  95.  
  96. # Use the authenticated username as the common name, rather than the common name from the client cert
  97. username-as-common-name
  98. # Client certificate is not required
  99. verify-client-cert none
  100. # Use the connection script when a user wants to login
  101. auth-user-pass-verify scripts/login.sh via-env
  102. # Maximum of clients
  103. max-clients 50
  104. # Run this scripts when the client connects/disconnects
  105. client-connect scripts/connect.sh
  106. client-disconnect scripts/disconnect.sh