forked from Chocobozzz/OpenVPN-Admin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.conf
90 lines (74 loc) · 2.16 KB
/
server.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
## GENERAL ##
# TCP, port 443, tunneling
mode server
proto tcp
port 443
dev tun
## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca ca.crt
# Public key
cert server.crt
# Private key
key server.key
# Symmetric encryption
dh dh.pem
# Improve security (DDOS, port flooding...)
# 0 for the server, 1 for the client
tls-auth ta.key 0
# Encryption protocol
cipher AES-256-CBC
# Network
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
server 10.8.0.0 255.255.255.0
# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
push "redirect-gateway def1"
# Alternatives DNS (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"
# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"
# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"
# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000
## SECURITY ##
# Downgrade privileges of the daemon
user nobody
group nogroup
# Persist keys (because we are nobody, so we couldn't read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo
## LOG ##
# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd
## PASS ##
# Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement
script-security 3 system
# Use the authenticated username as the common name, rather than the common name from the client cert
username-as-common-name
# Client certificate non requried
client-cert-not-required
# Use the connection script when a user wants to login
auth-user-pass-verify scripts/login.sh via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh