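## GENERAL ##
# OpenVPN server configuration.
# Listen on TCP/443 (IPv4 only: proto tcp4) so the tunnel looks like HTTPS on
# restrictive networks.  TCP-over-TCP costs throughput; prefer udp where the
# network allows it.
mode server
proto tcp4
port 443
# Anything arriving on 443 that is not an OpenVPN handshake is proxied to the
# local HTTPS server on 127.0.0.1:4443 (TCP server mode only).
port-share 127.0.0.1 4443
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# CA that signed the server certificate (and any client certificates).
ca /etc/openvpn/server/ca.crt
# Server certificate
cert /etc/openvpn/server/shawn-route.crt
# Server private key -- keep it root-owned, mode 0600.
key /etc/openvpn/server/shawn-route.key
# Diffie-Hellman parameters for the TLS key exchange (not symmetric
# encryption; use >= 2048 bits).
dh /etc/openvpn/server/dh.pem
# Certificate revocation list.  Disabled here; it only matters once client
# certificates are actually verified (see verify-client-cert below).
#crl-verify /etc/openvpn/server/crl.pem

# TLS / control-channel hardening
# NOTE(review): tls-auth (or tls-crypt on OpenVPN 2.4+) is commented out, so
# the TLS handshake is reachable by anyone who can connect to port 443 -- no
# protection against handshake floods or TLS-stack probing.  Generate a key
# with `openvpn --genkey --secret ta.key`, distribute it to every client,
# then enable ONE of the following (0 on the server, 1 on clients for
# tls-auth):
#tls-crypt /etc/openvpn/server/ta.key
#tls-auth /etc/openvpn/server/ta.key 0
# NOTE(review): consider `tls-version-min 1.2` to refuse legacy TLS versions.

# Data channel
# NOTE(review): AES-256-CBC with a SHA512 HMAC is still acceptable, but an
# AEAD cipher (AES-256-GCM) avoids the separate MAC step; OpenVPN 2.4+
# negotiates one automatically via ncp-ciphers / data-ciphers (2.5+), with
# `cipher` kept as the fallback for old clients.  Confirm client versions
# before changing this.
cipher AES-256-CBC
auth SHA512
# auth-nocache is a client-side option (do not cache the typed password in
# memory); it most likely has no effect in a server config and is kept only
# so the file matches the client templates.
auth-nocache

# Uncomment to let clients reach each other through the tunnel.  By default
# clients only see the server; to really enforce that you must also firewall
# the server's TUN interface, otherwise the kernel may forward between them.
#client-to-client

# duplicate-cn lets several sessions share one identity.  Because
# username-as-common-name (below) makes the login username the "common
# name", this allows the same account to be logged in from many devices at
# once.  The upstream sample config recommends it for testing only; for
# production give every user their own credentials and remove this line.
duplicate-cn

# Network
# Tunnel subnet: the server takes 10.8.0.1, clients get the rest of the pool.
server 10.8.0.0 255.255.255.0
# IPv6 tunnel subnet (ULA) and a default IPv6 route through the tunnel.
server-ipv6 fd40:618e:307a:0::/64
push "route-ipv6 ::/0"
# NOTE(review): on OpenVPN 2.4+ the usual way to capture IPv6 default traffic
# is `push "redirect-gateway def1 ipv6"`; verify that this route-ipv6 ::/0
# push actually takes precedence on the client platforms you support.
push "route-metric 2000"
# Remember which client got which virtual IP so that reconnecting clients are
# handed the same address after a server restart.  Relative path: resolved
# from the daemon's working directory (--cd or the unit's WorkingDirectory).
ifconfig-pool-persist ipp.txt

# Keep the client's own 192.168.0.0/16 reachable via its physical gateway
# instead of the tunnel, so local LAN resources keep working while connected.
# The former second push `route 192.168.1.0 255.255.0.0 net_gateway` was
# removed: 192.168.1.0 has host bits set for a /16 mask (Linux rejects the
# prefix) and the network it meant is already covered by the route below.
push "route 192.168.0.0 255.255.0.0 net_gateway"
# Send all other IPv4 traffic originating on the clients through the VPN.
push "redirect-gateway def1"

# DNS pushed to clients.  The server itself (10.8.0.1) must run a resolver
# for this to work; public alternatives are kept commented out.
# FDN
#push "dhcp-option DNS 80.67.169.12"
#push "dhcp-option DNS 80.67.169.40"
push "dhcp-option DNS 10.8.0.1"
# OpenDNS
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
# Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

# Ping the peer every 10 s.  Clients are pushed "ping-restart 120"; on the
# server side keepalive doubles the timeout (240 s) so the server always
# outlives the client's own restart.
keepalive 10 120
# Renegotiate the data-channel key every 5 hours (18000 s).  This does not
# disconnect the session, but with password authentication and no
# auth-gen-token the client has to re-authenticate at each renegotiation.
reneg-sec 18000

## SECURITY ##
# Drop root privileges after initialisation.  Debian-based systems use
# `group nogroup`; `nobody` is the RHEL/Arch convention -- check with
# `getent group nobody`.
user nobody
group nobody
# Do not re-read the key files on restart (we can't, as nobody).
persist-key
# Do not close and re-open the TUN device on restart.
persist-tun
# Compression
# NOTE(review): compressing VPN traffic enables plaintext-recovery attacks
# (e.g. VORACLE) and is documented as deprecated upstream.  It is kept here
# because every client config currently carries comp-lzo and would fail to
# connect without it; remove it on both sides together (OpenVPN 2.5+:
# `allow-compression no` on the server).
comp-lzo

## LOG ##
# Verbosity: 3 for normal operation, 4 when troubleshooting.
verb 3
# Stop logging a message category after 20 consecutive occurrences.
mute 20
# Current client list and statistics (relative to the working directory).
status openvpn-status.log
# Main log file; it is opened while still root, before the privilege drop.
log-append /var/log/openvpn.log
# Per-client settings, one file per common name (here: per username).
client-config-dir ccd

## PASS ##
# script-security 3 allows external scripts AND passes the user's password to
# them in environment variables (required by `via-env` below).
# NOTE(review): `via-env` exposes the cleartext password in the script's
# environment, which the OpenVPN manual flags as potentially unsafe.
# `via-file` with script-security 2 hands the credentials over in a temporary
# file instead; login.sh would have to read that file rather than
# $username / $password.
script-security 3
# Use the authenticated username as the common name instead of the CN of a
# client certificate (there is no client certificate in this setup).
username-as-common-name
# Client certificates are not required.
# NOTE(review): combined with the disabled tls-auth/tls-crypt above, the only
# thing between the Internet and this VPN is login.sh's password check.
# Prefer requiring client certificates (`verify-client-cert require`) in
# addition to the password, or at minimum enable tls-crypt/tls-auth.
verify-client-cert none
# Username/password callback.  Relative path; it presumably runs as `nobody`
# after the privilege drop, so it must be executable by that user.
auth-user-pass-verify scripts/login.sh via-env
# Maximum number of concurrent clients.
max-clients 50
# Hooks run when a client connects / disconnects.
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh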