SHARE
TWEET

Untitled

trupsalms Oct 14th, 2019 88 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ## GENERAL ##
  2.  
  3. # TCP or UDP, port 443, tunneling
  4. mode server
  5. proto tcp4
  6. port 443
  7. port-share 127.0.0.1 4443
  8. dev tun
  9.  
  10. ## KEY, CERTS AND NETWORK CONFIGURATION ##
  11. # Identity
  12. ca /etc/openvpn/server/ca.crt
  13. # Public key
  14. cert /etc/openvpn/server/shawn-route.crt
  15. # Private key
  16. key /etc/openvpn/server/shawn-route.key
  17. # Symmetric encryption
  18. #DH and CRL key
  19. dh /etc/openvpn/server/dh.pem
  20. #crl-verify /etc/openvpn/server/crl.pem
  21. # Improve security (DDOS, port flooding...)
  22.  
  23.  
  24. # TLS Security
  25. cipher AES-256-CBC
  26. # 0 for the server, 1 for the client
  27. # tls-auth ta.key 0
  28. auth SHA512
  29. auth-nocache
  30.  
  31. # Uncomment this directive to allow different
  32. # clients to be able to "see" each other.
  33. # By default, clients will only see the server.
  34. # To force clients to only see the server, you
  35. # will also need to appropriately firewall the
  36. # server's TUN/TAP interface.
  37. ;client-to-client
  38.  
  39. # Uncomment this directive if multiple clients# might connect with the same certificate/key
  40. # files or common names. This is recommended
  41. # only for testing purposes. For production use,
  42. # each client should have its own certificate/key
  43. # pair.
  44. ## IF YOU HAVE NOT GENERATED INDIVIDUAL
  45. # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  46. # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  47. # UNCOMMENT THIS LINE OUT.
  48. duplicate-cn
  49.  
  50. # Network
  51. # Subnetwork, the server will be the 10.8.0.1 and clients #will take the other ips
  52. server 10.8.0.0 255.255.255.0
  53. # adittional settings for ipv6:
  54. server-ipv6 fd40:618e:307a:0::/64
  55. push "route-ipv6 ::/0"
  56. push "route-metric 2000"
  57.  
  58. # Maintain a record of client <-> virtual IP address
  59. # associations in this file. If OpenVPN goes down or
  60. # is restarted, reconnecting clients can be assigned
  61. # the same virtual IP address from the pool that was
  62. # previously assigned.
  63. ifconfig-pool-persist ipp.txt
  64.  
  65. # Allows for local resources to still be reached while #connected to OpenVPN server.
  66. #push "route 192.168.0.1 255.255.255.0"
  67. #push "route 192.168.1.0 255.255.255.0"
  68. #push "route 192.168.0.0 255.255.255.0 net_gateway"
  69. #push "route 192.168.1.0 255.255.255.0 net_gateway"
  70.  
  71. # Redirect all IP network traffic originating on client
  72. #machines to pass through the OpenVPN server.
  73. push "redirect-gateway def1"
  74.  
  75. # Alternatives DNS (FDN)
  76. #push "dhcp-option DNS 80.67.169.12"
  77. #push "dhcp-option DNS 80.67.169.40"
  78. push "dhcp-option DNS 10.8.0.1"
  79.  
  80. # (OpenDNS)
  81. # push "dhcp-option DNS 208.67.222.222"
  82. # push "dhcp-option DNS 208.67.220.220"
  83.  
  84. # (Google)
  85. # push "dhcp-option DNS 8.8.8.8"
  86. # push "dhcp-option DNS 8.8.4.4"
  87.  
  88. # Ping every 10 seconds and if after 120 seconds the #client doesn't respond we disconnect.
  89. keepalive 10 120
  90. # Regenerate key each 5 hours (disconnect the client)
  91. reneg-sec 18000
  92.  
  93. ## SECURITY ##
  94.  
  95. # Downgrade privileges of the daemon
  96. user nobody
  97. group nobody
  98.  
  99. # Persist keys (because we are nobody, so we couldn't #read them again)
  100. persist-key
  101. # Don't close and re open TUN/TAP device
  102. persist-tun
  103. # Enable compression
  104. comp-lzo
  105.  
  106. ## LOG ##
  107.  
  108. # Verbosity
  109. # 3/4 for a normal utilisation
  110. verb 3
  111. # Max 20 messages of the same category
  112. mute 20
  113. # Log gile where we put the clients status
  114. status openvpn-status.log
  115. # Log file
  116. log-append /var/log/openvpn.log
  117. # Configuration directory of the clients
  118. client-config-dir ccd
  119.  
  120. ## PASS ##
  121.  
  122. # Allow running external scripts with password in ENV variables
  123. script-security 3
  124.  
  125. # Use the authenticated username as the common #name, rather than the common name from the client #cert.
  126. username-as-common-name
  127. # Client certificate is not required
  128. verify-client-cert none
  129. # Use the connection script when a user wants to login
  130. auth-user-pass-verify scripts/login.sh via-env
  131. # Maximum of clients
  132. max-clients 50
  133. # Run this scripts when the client connects/disconnects
  134. client-connect scripts/connect.sh
  135. client-disconnect scripts/disconnect.sh
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top