Ticket #907: myserver.conf

File myserver.conf, 9.7 KB (added by darksky, 4 years ago)
Line 
1# harden settings recommended by https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server
2cipher AES-256-CBC
3auth SHA512
4tls-version-min 1.2
5tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
6
7
8# Which local IP address should OpenVPN
9# listen on? (optional)
10;local a.b.c.d
11
12# Which TCP/UDP port should OpenVPN listen on?
13# If you want to run multiple OpenVPN instances
14# on the same machine, use a different port
15# number for each one.  You will need to
16# open up this port on your firewall.
17port 443
18
19# TCP or UDP server?
20proto tcp
21;proto udp
22
23# "dev tun" will create a routed IP tunnel,
24# "dev tap" will create an ethernet tunnel.
25# Use "dev tap0" if you are ethernet bridging
26# and have precreated a tap0 virtual interface
27# and bridged it with your ethernet interface.
28# If you want to control access policies
29# over the VPN, you must create firewall
30# rules for the the TUN/TAP interface.
31# On non-Windows systems, you can give
32# an explicit unit number, such as tun0.
33# On Windows, use "dev-node" for this.
34# On most systems, the VPN will not function
35# unless you partially or fully disable
36# the firewall for the TUN/TAP interface.
37;dev tap
38dev tun
39
40# Windows needs the TAP-Win32 adapter name
41# from the Network Connections panel if you
42# have more than one.  On XP SP2 or higher,
43# you may need to selectively disable the
44# Windows firewall for the TAP adapter.
45# Non-Windows systems usually don't need this.
46;dev-node MyTap
47
48# SSL/TLS root certificate (ca), certificate
49# (cert), and private key (key).  Each client
50# and the server must have their own cert and
51# key file.  The server and all clients will
52# use the same ca file.
53#
54# See the "easy-rsa" directory for a series
55# of scripts for generating RSA certificates
56# and private keys.  Remember to use
57# a unique Common Name for the server
58# and each of the client certificates.
59#
60# Any X509 key management system can be used.
61# OpenVPN can also use a PKCS #12 formatted key file
62# (see "pkcs12" directive in man page).
63ca /etc/openvpn/server/ca.crt
64cert /etc/openvpn/server/myserver.crt
65key /etc/openvpn/server/myserver.key  # This file should be kept secret
66#crl-verify /etc/openvpn/server/crl.pem
67
68# Diffie hellman parameters.
69# Generate your own with:
70#   openssl dhparam -out dh2048.pem 2048
71dh /etc/openvpn/server/dh.pem
72
73# Network topology
74# Should be subnet (addressing via IP)
75# unless Windows clients v2.0.9 and lower have to
76# be supported (then net30, i.e. a /30 per client)
77# Defaults to net30 (not recommended)
78;topology subnet
79
80# Configure server mode and supply a VPN subnet
81# for OpenVPN to draw client addresses from.
82# The server will take 10.8.0.1 for itself,
83# the rest will be made available to clients.
84# Each client will be able to reach the server
85# on 10.8.0.1. Comment this line out if you are
86# ethernet bridging. See the man page for more info.
87server 10.8.0.0 255.255.255.0
88
89# Maintain a record of client <-> virtual IP address
90# associations in this file.  If OpenVPN goes down or
91# is restarted, reconnecting clients can be assigned
92# the same virtual IP address from the pool that was
93# previously assigned.
94ifconfig-pool-persist ipp.txt
95
96# Configure server mode for ethernet bridging.
97# You must first use your OS's bridging capability
98# to bridge the TAP interface with the ethernet
99# NIC interface.  Then you must manually set the
100# IP/netmask on the bridge interface, here we
101# assume 10.8.0.4/255.255.255.0.  Finally we
102# must set aside an IP range in this subnet
103# (start=10.8.0.50 end=10.8.0.100) to allocate
104# to connecting clients.  Leave this line commented
105# out unless you are ethernet bridging.
106;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
107
108# Configure server mode for ethernet bridging
109# using a DHCP-proxy, where clients talk
110# to the OpenVPN server-side DHCP server
111# to receive their IP address allocation
112# and DNS server addresses.  You must first use
113# your OS's bridging capability to bridge the TAP
114# interface with the ethernet NIC interface.
115# Note: this mode only works on clients (such as
116# Windows), where the client-side TAP adapter is
117# bound to a DHCP client.
118;server-bridge
119
120# Push routes to the client to allow it
121# to reach other private subnets behind
122# the server.  Remember that these
123# private subnets will also need
124# to know to route the OpenVPN client
125# address pool (10.8.0.0/255.255.255.0)
126# back to the OpenVPN server.
127;push "route 192.168.10.0 255.255.255.0"
128;push "route 192.168.20.0 255.255.255.0"
129
130# To assign specific IP addresses to specific
131# clients or if a connecting client has a private
132# subnet behind it that should also have VPN access,
133# use the subdirectory "ccd" for client-specific
134# configuration files (see man page for more info).
135
136# EXAMPLE: Suppose the client
137# having the certificate common name "Thelonious"
138# also has a small subnet behind his connecting
139# machine, such as 192.168.40.128/255.255.255.248.
140# First, uncomment out these lines:
141;client-config-dir ccd
142;route 192.168.40.128 255.255.255.248
143# Then create a file ccd/Thelonious with this line:
144#   iroute 192.168.40.128 255.255.255.248
145# This will allow Thelonious' private subnet to
146# access the VPN.  This example will only work
147# if you are routing, not bridging, i.e. you are
148# using "dev tun" and "server" directives.
149
150# EXAMPLE: Suppose you want to give
151# Thelonious a fixed VPN IP address of 10.9.0.1.
152# First uncomment out these lines:
153;client-config-dir ccd
154;route 10.9.0.0 255.255.255.252
155# Then add this line to ccd/Thelonious:
156#   ifconfig-push 10.9.0.1 10.9.0.2
157
158# Suppose that you want to enable different
159# firewall access policies for different groups
160# of clients.  There are two methods:
161# (1) Run multiple OpenVPN daemons, one for each
162#     group, and firewall the TUN/TAP interface
163#     for each group/daemon appropriately.
164# (2) (Advanced) Create a script to dynamically
165#     modify the firewall in response to access
166#     from different clients.  See man
167#     page for more info on learn-address script.
168;learn-address ./script
169
170# If enabled, this directive will configure
171# all clients to redirect their default
172# network gateway through the VPN, causing
173# all IP traffic such as web browsing and
174# and DNS lookups to go through the VPN
175# (The OpenVPN server machine may need to NAT
176# or bridge the TUN/TAP interface to the internet
177# in order for this to work properly).
178push "redirect-gateway def1 bypass-dhcp"
179
180# Certain Windows-specific network settings
181# can be pushed to clients, such as DNS
182# or WINS server addresses.  CAVEAT:
183# http://openvpn.net/faq.html#dhcpcaveats
184# The addresses below refer to the public
185# DNS servers provided by opendns.com.
186##push "dhcp-option DNS 8.8.8.8"
187##push "dhcp-option DNS 8.8.4.4"
188
189push "dhcp-option DNS 192.168.1.1"
190;push "dhcp-option DNS 208.67.220.220"
191
192# Uncomment this directive to allow different
193# clients to be able to "see" each other.
194# By default, clients will only see the server.
195# To force clients to only see the server, you
196# will also need to appropriately firewall the
197# server's TUN/TAP interface.
198;client-to-client
199
200# Uncomment this directive if multiple clients
201# might connect with the same certificate/key
202# files or common names.  This is recommended
203# only for testing purposes.  For production use,
204# each client should have its own certificate/key
205# pair.
206#
207# IF YOU HAVE NOT GENERATED INDIVIDUAL
208# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
209# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
210# UNCOMMENT THIS LINE OUT.
211;duplicate-cn
212
213# The keepalive directive causes ping-like
214# messages to be sent back and forth over
215# the link so that each side knows when
216# the other side has gone down.
217# Ping every 10 seconds, assume that remote
218# peer is down if no ping received during
219# a 120 second time period.
220keepalive 10 120
221
222# For extra security beyond that provided
223# by SSL/TLS, create an "HMAC firewall"
224# to help block DoS attacks and UDP port flooding.
225#
226# Generate with:
227#   openvpn --genkey --secret ta.key
228#
229# The server and each client must have
230# a copy of this key.
231# The second parameter should be '0'
232# on the server and '1' on the clients.
233tls-auth /etc/openvpn/server/ta.key 0 # This file is secret
234
235# Select a cryptographic cipher.
236# This config item must be copied to
237# the client config file as well.
238;cipher BF-CBC        # Blowfish (default)
239;cipher AES-128-CBC   # AES
240;cipher DES-EDE3-CBC  # Triple-DES
241
242# Enable compression on the VPN link.
243# If you enable it here, you must also
244# enable it in the client config file.
245comp-lzo
246
247# The maximum number of concurrently connected
248# clients we want to allow.
249max-clients 4
250
251# It's a good idea to reduce the OpenVPN
252# daemon's privileges after initialization.
253#
254# You can uncomment this out on
255# non-Windows systems.
256user nobody
257group nobody
258
259# The persist options will try to avoid
260# accessing certain resources on restart
261# that may no longer be accessible because
262# of the privilege downgrade.
263persist-key
264persist-tun
265
266# Output a short status file showing
267# current connections, truncated
268# and rewritten every minute.
269status openvpn-status.log
270
271# By default, log messages will go to the syslog (or
272# on Windows, if running as a service, they will go to
273# the "\Program Files\OpenVPN\log" directory).
274# Use log or log-append to override this default.
275# "log" will truncate the log file on OpenVPN startup,
276# while "log-append" will append to it.  Use one
277# or the other (but not both).
278;log         openvpn.log
279;log-append  openvpn.log
280
281# Set the appropriate level of log
282# file verbosity.
283#
284# 0 is silent, except for fatal errors
285# 4 is reasonable for general usage
286# 5 and 6 can help to debug connection problems
287# 9 is extremely verbose
288verb 3
289
290# Silence repeating messages.  At most 20
291# sequential messages of the same message
292# category will be output to the log.
293;mute 20