trupsalms

openvpn.conf

Oct 14th, 2019
# openvpn.conf — OpenVPN server configuration, read by the openvpn daemon.
# Both '#' and ';' start full-line comments in this format; a commented-out
# directive is a directive that is NOT in effect.

## GENERAL ##

# TCP (IPv4 only, because of tcp4) on port 443, tun (layer-3) tunneling.
# "server ..." below already implies mode server, so this line is redundant
# but harmless.
mode server
proto tcp4
port 443
# Anything arriving on 443 that is not OpenVPN is handed to 127.0.0.1:4443
# (e.g. a local HTTPS server), so the VPN can share the HTTPS port.
port-share 127.0.0.1 4443
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# CA certificate that signed the server (and any client) certificates
ca /etc/openvpn/server/ca.crt
# Server certificate (public half of the server identity)
cert /etc/openvpn/server/shawn-route.crt
# Server private key — keep it readable by root only; it is read once at
# startup before privileges are dropped (see persist-key below)
key /etc/openvpn/server/shawn-route.key
# Diffie-Hellman parameters for the TLS key exchange. These are not a
# symmetric-encryption key; the data-channel cipher is set under "TLS Security".
dh /etc/openvpn/server/dh.pem
# Certificate revocation list — disabled. NOTE(review): with
# "verify-client-cert none" below, client certificates are not checked at all,
# so a CRL only becomes relevant if client-certificate verification is turned
# back on.
#crl-verify /etc/openvpn/server/crl.pem
# Improve security (DDOS, port flooding...): nothing is enabled for this.
# The usual directive here is tls-auth or tls-crypt (a pre-shared HMAC key on
# the TLS control channel, so unauthenticated peers cannot even start a
# handshake); see the commented-out "tls-auth ta.key 0" under TLS Security.


# TLS Security
# Data-channel cipher. AES-256-CBC is a legacy, non-AEAD mode; OpenVPN 2.4+
# negotiates the data cipher with the client (NCP) and 2.5+ takes the allowed
# list from data-ciphers — TODO confirm the daemon version and whether an AEAD
# cipher (e.g. AES-256-GCM) can be preferred.
cipher AES-256-CBC
# HMAC firewall on the control channel: 0 for the server, 1 for the client.
# Currently DISABLED, so any host that can reach port 443 can open a TLS
# handshake with the daemon; enabling it needs the same ta.key on every client.
# tls-auth ta.key 0
# HMAC digest used to authenticate data-channel packets (with a non-AEAD cipher)
auth SHA512
# Do not cache --auth-user-pass / --askpass credentials in memory
auth-nocache

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
## IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# NOTE(review): it IS enabled here. Because username-as-common-name (under
# PASS) makes the login username the common name, this lets one account hold
# several simultaneous sessions; the per-client files in ccd/ are looked up by
# that same username.
duplicate-cn

# Network
# Subnetwork: the server takes 10.8.0.1 and clients are assigned the other
# addresses of the /24
server 10.8.0.0 255.255.255.0
# additional settings for IPv6: a ULA /64 for the tunnel, and clients are told
# to send all IPv6 traffic through it; route-metric is presumably meant as the
# default metric for the pushed routes — confirm.
server-ipv6 fd40:618e:307a:0::/64
push "route-ipv6 ::/0"
push "route-metric 2000"

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
# Relative path: resolved against the daemon's working directory (--cd),
# like ccd, scripts/ and openvpn-status.log below.
ifconfig-pool-persist ipp.txt

# Allows local resources to still be reached while
# connected to the OpenVPN server: the whole 192.168.0.0/16 range is routed
# via the client's own gateway (net_gateway) instead of the tunnel.
#push "route 192.168.0.1 255.255.255.0"
#push "route 192.168.1.0 255.255.255.0"
# NOTE(review): both active lines carry a /16 mask (255.255.0.0), so the second
# is already covered by the first, and 192.168.1.0 is not the network address
# of a /16 — presumably 192.168.0.0/16 alone was intended; confirm.
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 192.168.1.0 255.255.0.0 net_gateway"

# Redirect all IP network traffic originating on client
# machines to pass through the OpenVPN server
# (def1 adds 0.0.0.0/1 + 128.0.0.0/1 rather than replacing the default route).
push "redirect-gateway def1"

# Alternative DNS (FDN)
#push "dhcp-option DNS 80.67.169.12"
#push "dhcp-option DNS 80.67.169.40"
# Clients are told to use the server's tunnel address as their resolver.
# NOTE(review): assumes a resolver is listening on 10.8.0.1; otherwise clients
# have no working DNS once redirect-gateway takes effect — confirm.
push "dhcp-option DNS 10.8.0.1"

# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Ping every 10 seconds and if after 120 seconds the
# client doesn't respond we disconnect. In server mode this is also pushed to
# the clients, and the server-side restart timeout is doubled (240 s).
keepalive 10 120
# Renegotiate data-channel keys every 18000 s (5 hours). The original note says
# this disconnects the client: renegotiation re-runs authentication, so a client
# that cannot resupply its username/password (auth-nocache) would presumably be
# dropped at that point — confirm against the client configs.
reneg-sec 18000

## SECURITY ##

# Drop root privileges after startup. Everything that needs root (binding
# port 443, opening the tun device, reading the key) has happened by then.
# NOTE(review): Debian-family systems have no group "nobody" (it is "nogroup");
# confirm for this host, otherwise the daemon would refuse to start.
user nobody
group nobody

# Persist keys (because we are nobody, so we couldn't read them again):
# keep key material in memory across SIGUSR1 restarts instead of re-reading
# the root-only files.
persist-key
# Don't close and re-open the TUN/TAP device on restart (also impossible as nobody)
persist-tun
# Enable compression.
# NOTE(review): compressing data before encrypting it exposes the tunnel to
# compression-oracle attacks (VORACLE), and comp-lzo is deprecated in favour of
# "compress"/"allow-compression". Disabling it is the safer default, but server
# and clients must agree on compression framing, so client configs change too.
comp-lzo

## LOG ##

# Verbosity
# 3/4 for normal operation; higher levels log per-packet detail
verb 3
# Max 20 messages of the same category
mute 20
# Log file where we put the clients' status (relative to the working directory)
status openvpn-status.log
# Log file (appended to; rotate it externally)
log-append /var/log/openvpn.log
# Configuration directory of the clients: one optional file per client,
# named after the client's common name (= the username, see PASS)
client-config-dir ccd

## PASS ##

# Allow running external scripts with the password in ENV variables.
# Level 3 is required by "via-env" below; level 2 would run the scripts but
# not expose the password to them.
script-security 3

# Use the authenticated username as the common
# name, rather than the common name from the client
# cert.
username-as-common-name
# Client certificate is not required: the login script below is then the
# only check on who may connect, and the server is the only side whose
# identity is proven by TLS.
verify-client-cert none
# Use the connection script when a user wants to login. The credentials are
# passed to it as the environment variables username and password; it must
# not log or echo them. Exit status 0 accepts the login.
auth-user-pass-verify scripts/login.sh via-env
# Maximum of simultaneous clients
max-clients 50
# Run these scripts when a client connects/disconnects. They run as the
# unprivileged user/group set above (presumably — confirm), so they cannot
# touch root-only paths.
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh