-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtls-server-template.conf
93 lines (67 loc) · 2.9 KB
/
tls-server-template.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#what port we should listen on?
port 443
#TCP or UDP? and client or server config?
proto tcp-server
### Begin Crypto Section
ca ca.crt # CA certificate (public key)
key server.key # server private key - This file should be kept secret
cert server.crt # server certificate (public key) signed by the CA
tls-auth ta.key 0 # Shared Static TLS key should be 1 on clients and 0 on servers
dh dh.pem # hiffie Hellman Ephemeral key - needed on server only for Perfect Forward Secrecy
# Crypto to be used for the actual VPN connection once Authentication has been completed
# using AES with a 256bit key and CBC (chiper block chaining)
#MUST match on the client and server
cipher AES-256-CBC
#Cipher setup for the TLS authentication
# using TLS DHE (Dhiffie Hellman Ephemeral) with RSA public/private crypto and AES 256bit as the Symetric crypto
# and SHA1 as the hashing algorithm
# this does neee an update
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
### End Crpyto section
### VPN Server NETWORK CONFIG
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.1.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.1.1
server 10.8.1.0 255.255.255.0
### END VPN Server NETWORK CONFIG
##############################################
#
### Boring stuff below here that you shouldn't need to play with. But by all means read
#
##############################################
# man openvpn will tell you most of what these options are about
#Set the server to use tls and set it to a server role in the TLS negotiation
tls-server
# To ensure that hosts that connect in are clients.
#ties in with tls-server setting
remote-cert-tls client
#enable compression
comp-lzo
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 60 second time period.
keepalive 10 120
# Run the pingtimer only if we have a remote address.
# Normally recommended for servers as we don't want to start clocking timesouts
# until the remote peer has actually connected fully
ping-timer-rem
#these two options ensure that between openvpn restarts (required by server disconnect for example)
# that the key and tun device will stay available. This is important as it allows openvpn to drop its root rights
# once its setup the connetion the first time.
persist-key
persist-tun
#tun or tap is the choice.. I don't think anyone uses tap anymore, unless its a complex custom setup..
dev tun