API tools faq
paste
Advertisement
Guest User

body007

a guest
Feb 11th, 2010
391
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.03 KB | None | 0 0
raw download clone embed print report
  1. #################################################
  2. # Sample OpenVPN 2.0 config file for #
  3. # multi-client server. #
  4. # #
  5. # This file is for the server side #
  6. # of a many-clients <-> one-server #
  7. # OpenVPN configuration. #
  8. # #
  9. # OpenVPN also supports #
  10. # single-machine <-> single-machine #
  11. # configurations (See the Examples page #
  12. # on the web site for more info). #
  13. # #
  14. # This config should work on Windows #
  15. # or Linux/BSD systems. Remember on #
  16. # Windows to quote pathnames and use #
  17. # double backslashes, e.g.: #
  18. # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
  19. # #
  20. # Comments are preceded with '#' or ';' #
  21. #################################################
  22.  
  23. # Which local IP address should OpenVPN
  24. # listen on? (optional)
  25. ;local a.b.c.d
  26.  
  27. # Which TCP/UDP port should OpenVPN listen on?
  28. # If you want to run multiple OpenVPN instances
  29. # on the same machine, use a different port
  30. # number for each one. You will need to
  31. # open up this port on your firewall.
  32. port 1194
  33.  
  34. # TCP or UDP server?
  35. proto tcp
  36. ;proto udp
  37.  
  38. # "dev tun" will create a routed IP tunnel,
  39. # "dev tap" will create an ethernet tunnel.
  40. # Use "dev tap0" if you are ethernet bridging
  41. # and have precreated a tap0 virtual interface
  42. # and bridged it with your ethernet interface.
  43. # If you want to control access policies
  44. # over the VPN, you must create firewall
  45. # rules for the the TUN/TAP interface.
  46. # On non-Windows systems, you can give
  47. # an explicit unit number, such as tun0.
  48. # On Windows, use "dev-node" for this.
  49. # On most systems, the VPN will not function
  50. # unless you partially or fully disable
  51. # the firewall for the TUN/TAP interface.
  52. ;dev tap
  53. dev tun
  54.  
  55. # Windows needs the TAP-Win32 adapter name
  56. # from the Network Connections panel if you
  57. # have more than one. On XP SP2 or higher,
  58. # you may need to selectively disable the
  59. # Windows firewall for the TAP adapter.
  60. # Non-Windows systems usually don't need this.
  61. ;dev-node MyTap
  62.  
  63. # SSL/TLS root certificate (ca), certificate
  64. # (cert), and private key (key). Each client
  65. # and the server must have their own cert and
  66. # key file. The server and all clients will
  67. # use the same ca file.
  68. #
  69. # See the "easy-rsa" directory for a series
  70. # of scripts for generating RSA certificates
  71. # and private keys. Remember to use
  72. # a unique Common Name for the server
  73. # and each of the client certificates.
  74. #
  75. # Any X509 key management system can be used.
  76. # OpenVPN can also use a PKCS #12 formatted key file
  77. # (see "pkcs12" directive in man page).
  78. ca ca.crt
  79. cert vpn-szerver.crt
  80. key vpn-szerver.key # This file should be kept secret
  81.  
  82. # Diffie hellman parameters.
  83. # Generate your own with:
  84. # openssl dhparam -out dh1024.pem 1024
  85. # Substitute 2048 for 1024 if you are using
  86. # 2048 bit keys.
  87. dh dh2048.pem
  88.  
  89. # Configure server mode and supply a VPN subnet
  90. # for OpenVPN to draw client addresses from.
  91. # The server will take 10.8.0.1 for itself,
  92. # the rest will be made available to clients.
  93. # Each client will be able to reach the server
  94. # on 10.8.0.1. Comment this line out if you are
  95. # ethernet bridging. See the man page for more info.
  96. server 10.8.0.0 255.255.255.0
  97.  
  98. # Maintain a record of client <-> virtual IP address
  99. # associations in this file. If OpenVPN goes down or
  100. # is restarted, reconnecting clients can be assigned
  101. # the same virtual IP address from the pool that was
  102. # previously assigned.
  103. ifconfig-pool-persist ipp.txt
  104.  
  105. # Configure server mode for ethernet bridging.
  106. # You must first use your OS's bridging capability
  107. # to bridge the TAP interface with the ethernet
  108. # NIC interface. Then you must manually set the
  109. # IP/netmask on the bridge interface, here we
  110. # assume 10.8.0.4/255.255.255.0. Finally we
  111. # must set aside an IP range in this subnet
  112. # (start=10.8.0.50 end=10.8.0.100) to allocate
  113. # to connecting clients. Leave this line commented
  114. # out unless you are ethernet bridging.
  115. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
  116.  
  117. # Push routes to the client to allow it
  118. # to reach other private subnets behind
  119. # the server. Remember that these
  120. # private subnets will also need
  121. # to know to route the OpenVPN client
  122. # address pool (10.8.0.0/255.255.255.0)
  123. # back to the OpenVPN server.
  124. ;push "route 192.168.10.0 255.255.255.0"
  125. ;push "route 192.168.20.0 255.255.255.0"
  126.  
  127. # To assign specific IP addresses to specific
  128. # clients or if a connecting client has a private
  129. # subnet behind it that should also have VPN access,
  130. # use the subdirectory "ccd" for client-specific
  131. # configuration files (see man page for more info).
  132.  
  133. # EXAMPLE: Suppose the client
  134. # having the certificate common name "Thelonious"
  135. # also has a small subnet behind his connecting
  136. # machine, such as 192.168.40.128/255.255.255.248.
  137. # First, uncomment out these lines:
  138. ;client-config-dir ccd
  139. ;route 192.168.40.128 255.255.255.248
  140. # Then create a file ccd/Thelonious with this line:
  141. # iroute 192.168.40.128 255.255.255.248
  142. # This will allow Thelonious' private subnet to
  143. # access the VPN. This example will only work
  144. # if you are routing, not bridging, i.e. you are
  145. # using "dev tun" and "server" directives.
  146.  
  147. # EXAMPLE: Suppose you want to give
  148. # Thelonious a fixed VPN IP address of 10.9.0.1.
  149. # First uncomment out these lines:
  150. ;client-config-dir ccd
  151. ;route 10.9.0.0 255.255.255.252
  152. # Then add this line to ccd/Thelonious:
  153. # ifconfig-push 10.9.0.1 10.9.0.2
  154.  
  155. # Suppose that you want to enable different
  156. # firewall access policies for different groups
  157. # of clients. There are two methods:
  158. # (1) Run multiple OpenVPN daemons, one for each
  159. # group, and firewall the TUN/TAP interface
  160. # for each group/daemon appropriately.
  161. # (2) (Advanced) Create a script to dynamically
  162. # modify the firewall in response to access
  163. # from different clients. See man
  164. # page for more info on learn-address script.
  165. ;learn-address ./script
  166.  
  167. # If enabled, this directive will configure
  168. # all clients to redirect their default
  169. # network gateway through the VPN, causing
  170. # all IP traffic such as web browsing and
  171. # and DNS lookups to go through the VPN
  172. # (The OpenVPN server machine may need to NAT
  173. # the TUN/TAP interface to the internet in
  174. # order for this to work properly).
  175. # CAVEAT: May break client's network config if
  176. # client's local DHCP server packets get routed
  177. # through the tunnel. Solution: make sure
  178. # client's local DHCP server is reachable via
  179. # a more specific route than the default route
  180. # of 0.0.0.0/0.0.0.0.
  181. ;push "redirect-gateway"
  182.  
  183. # Certain Windows-specific network settings
  184. # can be pushed to clients, such as DNS
  185. # or WINS server addresses. CAVEAT:
  186. # http://openvpn.net/faq.html#dhcpcaveats
  187. ;push "dhcp-option DNS 10.8.0.1"
  188. ;push "dhcp-option WINS 10.8.0.1"
  189.  
  190. # Uncomment this directive to allow different
  191. # clients to be able to "see" each other.
  192. # By default, clients will only see the server.
  193. # To force clients to only see the server, you
  194. # will also need to appropriately firewall the
  195. # server's TUN/TAP interface.
  196. client-to-client
  197.  
  198. # Uncomment this directive if multiple clients
  199. # might connect with the same certificate/key
  200. # files or common names. This is recommended
  201. # only for testing purposes. For production use,
  202. # each client should have its own certificate/key
  203. # pair.
  204. #
  205. # IF YOU HAVE NOT GENERATED INDIVIDUAL
  206. # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  207. # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  208. # UNCOMMENT THIS LINE OUT.
  209. ;duplicate-cn
  210.  
  211. # The keepalive directive causes ping-like
  212. # messages to be sent back and forth over
  213. # the link so that each side knows when
  214. # the other side has gone down.
  215. # Ping every 10 seconds, assume that remote
  216. # peer is down if no ping received during
  217. # a 120 second time period.
  218. keepalive 10 120
  219.  
  220. # For extra security beyond that provided
  221. # by SSL/TLS, create an "HMAC firewall"
  222. # to help block DoS attacks and UDP port flooding.
  223. #
  224. # Generate with:
  225. # openvpn --genkey --secret ta.key
  226. #
  227. # The server and each client must have
  228. # a copy of this key.
  229. # The second parameter should be '0'
  230. # on the server and '1' on the clients.
  231. ;tls-auth ta.key 0 # This file is secret
  232.  
  233. # Select a cryptographic cipher.
  234. # This config item must be copied to
  235. # the client config file as well.
  236. ;cipher BF-CBC # Blowfish (default)
  237. ;cipher AES-128-CBC # AES
  238. ;cipher DES-EDE3-CBC # Triple-DES
  239.  
  240. # Enable compression on the VPN link.
  241. # If you enable it here, you must also
  242. # enable it in the client config file.
  243. comp-lzo
  244.  
  245. # The maximum number of concurrently connected
  246. # clients we want to allow.
  247. ;max-clients 100
  248.  
  249. # It's a good idea to reduce the OpenVPN
  250. # daemon's privileges after initialization.
  251. #
  252. # You can uncomment this out on
  253. # non-Windows systems.
  254. ;user nobody
  255. ;group nobody
  256.  
  257. # The persist options will try to avoid
  258. # accessing certain resources on restart
  259. # that may no longer be accessible because
  260. # of the privilege downgrade.
  261. persist-key
  262. persist-tun
  263.  
  264. # Output a short status file showing
  265. # current connections, truncated
  266. # and rewritten every minute.
  267. status openvpn-status.log
  268.  
  269. # By default, log messages will go to the syslog (or
  270. # on Windows, if running as a service, they will go to
  271. # the "\Program Files\OpenVPN\log" directory).
  272. # Use log or log-append to override this default.
  273. # "log" will truncate the log file on OpenVPN startup,
  274. # while "log-append" will append to it. Use one
  275. # or the other (but not both).
  276. ;log openvpn.log
  277. ;log-append openvpn.log
  278.  
  279. # Set the appropriate level of log
  280. # file verbosity.
  281. #
  282. # 0 is silent, except for fatal errors
  283. # 4 is reasonable for general usage
  284. # 5 and 6 can help to debug connection problems
  285. # 9 is extremely verbose
  286. verb 3
  287.  
  288. # Silence repeating messages. At most 20
  289. # sequential messages of the same message
  290. # category will be output to the log.
  291. ;mute 20
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!