Untitled

## GENERAL ##

# TCP or UDP, port 443, tunneling
mode server
proto tcp4
port 443
port-share 127.0.0.1 4443
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca /etc/openvpn/server/ca.crt
# Public key
cert /etc/openvpn/server/shawn-route.crt
# Private key
key /etc/openvpn/server/shawn-route.key
# Symmetric encryption
#DH and CRL key
dh /etc/openvpn/server/dh.pem
#crl-verify /etc/openvpn/server/crl.pem
# Improve security (DDOS, port flooding...)


# TLS Security
cipher AES-256-CBC
# 0 for the server, 1 for the client
# tls-auth ta.key 0
auth SHA512
auth-nocache

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
## IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

# Network
# Subnetwork, the server will be the 10.8.0.1 and clients #will take the other ips
server 10.8.0.0 255.255.255.0
# adittional settings for ipv6:
server-ipv6 fd40:618e:307a:0::/64
push "route-ipv6 ::/0"
push "route-metric 2000"

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Allows for local resources to still be reached while #connected to OpenVPN server.
#push "route 192.168.0.1 255.255.255.0"
#push "route 192.168.1.0 255.255.255.0"
#push "route 192.168.0.0 255.255.255.0 net_gateway"
#push "route 192.168.1.0 255.255.255.0 net_gateway"

# Redirect all IP network traffic originating on client
#machines to pass through the OpenVPN server.
push "redirect-gateway def1"

# Alternatives DNS (FDN)
#push "dhcp-option DNS 80.67.169.12"
#push "dhcp-option DNS 80.67.169.40"
push "dhcp-option DNS 10.8.0.1"

# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Ping every 10 seconds and if after 120 seconds the #client doesn't respond we disconnect.
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000

## SECURITY ##

# Downgrade privileges of the daemon
user nobody
group nobody

# Persist keys (because we are nobody, so we couldn't #read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo

## LOG ##

# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd

## PASS ##

# Allow running external scripts with password in ENV variables
script-security 3

# Use the authenticated username as the common #name, rather than the common name from the client #cert.
username-as-common-name
# Client certificate is not required
verify-client-cert none
# Use the connection script when a user wants to login
auth-user-pass-verify scripts/login.sh via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh