1 | # harden settings recommended by https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server |
---|
2 | cipher AES-256-CBC |
---|
3 | auth SHA512 |
---|
4 | tls-version-min 1.2 |
---|
5 | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
---|
6 | |
---|
7 | |
---|
8 | # Which local IP address should OpenVPN |
---|
9 | # listen on? (optional) |
---|
10 | ;local a.b.c.d |
---|
11 | |
---|
12 | # Which TCP/UDP port should OpenVPN listen on? |
---|
13 | # If you want to run multiple OpenVPN instances |
---|
14 | # on the same machine, use a different port |
---|
15 | # number for each one. You will need to |
---|
16 | # open up this port on your firewall. |
---|
17 | port 443 |
---|
18 | |
---|
19 | # TCP or UDP server? |
---|
20 | proto tcp |
---|
21 | ;proto udp |
---|
22 | |
---|
23 | # "dev tun" will create a routed IP tunnel, |
---|
24 | # "dev tap" will create an ethernet tunnel. |
---|
25 | # Use "dev tap0" if you are ethernet bridging |
---|
26 | # and have precreated a tap0 virtual interface |
---|
27 | # and bridged it with your ethernet interface. |
---|
28 | # If you want to control access policies |
---|
29 | # over the VPN, you must create firewall |
---|
30 | # rules for the the TUN/TAP interface. |
---|
31 | # On non-Windows systems, you can give |
---|
32 | # an explicit unit number, such as tun0. |
---|
33 | # On Windows, use "dev-node" for this. |
---|
34 | # On most systems, the VPN will not function |
---|
35 | # unless you partially or fully disable |
---|
36 | # the firewall for the TUN/TAP interface. |
---|
37 | ;dev tap |
---|
38 | dev tun |
---|
39 | |
---|
40 | # Windows needs the TAP-Win32 adapter name |
---|
41 | # from the Network Connections panel if you |
---|
42 | # have more than one. On XP SP2 or higher, |
---|
43 | # you may need to selectively disable the |
---|
44 | # Windows firewall for the TAP adapter. |
---|
45 | # Non-Windows systems usually don't need this. |
---|
46 | ;dev-node MyTap |
---|
47 | |
---|
48 | # SSL/TLS root certificate (ca), certificate |
---|
49 | # (cert), and private key (key). Each client |
---|
50 | # and the server must have their own cert and |
---|
51 | # key file. The server and all clients will |
---|
52 | # use the same ca file. |
---|
53 | # |
---|
54 | # See the "easy-rsa" directory for a series |
---|
55 | # of scripts for generating RSA certificates |
---|
56 | # and private keys. Remember to use |
---|
57 | # a unique Common Name for the server |
---|
58 | # and each of the client certificates. |
---|
59 | # |
---|
60 | # Any X509 key management system can be used. |
---|
61 | # OpenVPN can also use a PKCS #12 formatted key file |
---|
62 | # (see "pkcs12" directive in man page). |
---|
63 | ca /etc/openvpn/server/ca.crt |
---|
64 | cert /etc/openvpn/server/myserver.crt |
---|
65 | key /etc/openvpn/server/myserver.key # This file should be kept secret |
---|
66 | #crl-verify /etc/openvpn/server/crl.pem |
---|
67 | |
---|
68 | # Diffie hellman parameters. |
---|
69 | # Generate your own with: |
---|
70 | # openssl dhparam -out dh2048.pem 2048 |
---|
71 | dh /etc/openvpn/server/dh.pem |
---|
72 | |
---|
73 | # Network topology |
---|
74 | # Should be subnet (addressing via IP) |
---|
75 | # unless Windows clients v2.0.9 and lower have to |
---|
76 | # be supported (then net30, i.e. a /30 per client) |
---|
77 | # Defaults to net30 (not recommended) |
---|
78 | ;topology subnet |
---|
79 | |
---|
80 | # Configure server mode and supply a VPN subnet |
---|
81 | # for OpenVPN to draw client addresses from. |
---|
82 | # The server will take 10.8.0.1 for itself, |
---|
83 | # the rest will be made available to clients. |
---|
84 | # Each client will be able to reach the server |
---|
85 | # on 10.8.0.1. Comment this line out if you are |
---|
86 | # ethernet bridging. See the man page for more info. |
---|
87 | server 10.8.0.0 255.255.255.0 |
---|
88 | |
---|
89 | # Maintain a record of client <-> virtual IP address |
---|
90 | # associations in this file. If OpenVPN goes down or |
---|
91 | # is restarted, reconnecting clients can be assigned |
---|
92 | # the same virtual IP address from the pool that was |
---|
93 | # previously assigned. |
---|
94 | ifconfig-pool-persist ipp.txt |
---|
95 | |
---|
96 | # Configure server mode for ethernet bridging. |
---|
97 | # You must first use your OS's bridging capability |
---|
98 | # to bridge the TAP interface with the ethernet |
---|
99 | # NIC interface. Then you must manually set the |
---|
100 | # IP/netmask on the bridge interface, here we |
---|
101 | # assume 10.8.0.4/255.255.255.0. Finally we |
---|
102 | # must set aside an IP range in this subnet |
---|
103 | # (start=10.8.0.50 end=10.8.0.100) to allocate |
---|
104 | # to connecting clients. Leave this line commented |
---|
105 | # out unless you are ethernet bridging. |
---|
106 | ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 |
---|
107 | |
---|
108 | # Configure server mode for ethernet bridging |
---|
109 | # using a DHCP-proxy, where clients talk |
---|
110 | # to the OpenVPN server-side DHCP server |
---|
111 | # to receive their IP address allocation |
---|
112 | # and DNS server addresses. You must first use |
---|
113 | # your OS's bridging capability to bridge the TAP |
---|
114 | # interface with the ethernet NIC interface. |
---|
115 | # Note: this mode only works on clients (such as |
---|
116 | # Windows), where the client-side TAP adapter is |
---|
117 | # bound to a DHCP client. |
---|
118 | ;server-bridge |
---|
119 | |
---|
120 | # Push routes to the client to allow it |
---|
121 | # to reach other private subnets behind |
---|
122 | # the server. Remember that these |
---|
123 | # private subnets will also need |
---|
124 | # to know to route the OpenVPN client |
---|
125 | # address pool (10.8.0.0/255.255.255.0) |
---|
126 | # back to the OpenVPN server. |
---|
127 | ;push "route 192.168.10.0 255.255.255.0" |
---|
128 | ;push "route 192.168.20.0 255.255.255.0" |
---|
129 | |
---|
130 | # To assign specific IP addresses to specific |
---|
131 | # clients or if a connecting client has a private |
---|
132 | # subnet behind it that should also have VPN access, |
---|
133 | # use the subdirectory "ccd" for client-specific |
---|
134 | # configuration files (see man page for more info). |
---|
135 | |
---|
136 | # EXAMPLE: Suppose the client |
---|
137 | # having the certificate common name "Thelonious" |
---|
138 | # also has a small subnet behind his connecting |
---|
139 | # machine, such as 192.168.40.128/255.255.255.248. |
---|
140 | # First, uncomment out these lines: |
---|
141 | ;client-config-dir ccd |
---|
142 | ;route 192.168.40.128 255.255.255.248 |
---|
143 | # Then create a file ccd/Thelonious with this line: |
---|
144 | # iroute 192.168.40.128 255.255.255.248 |
---|
145 | # This will allow Thelonious' private subnet to |
---|
146 | # access the VPN. This example will only work |
---|
147 | # if you are routing, not bridging, i.e. you are |
---|
148 | # using "dev tun" and "server" directives. |
---|
149 | |
---|
150 | # EXAMPLE: Suppose you want to give |
---|
151 | # Thelonious a fixed VPN IP address of 10.9.0.1. |
---|
152 | # First uncomment out these lines: |
---|
153 | ;client-config-dir ccd |
---|
154 | ;route 10.9.0.0 255.255.255.252 |
---|
155 | # Then add this line to ccd/Thelonious: |
---|
156 | # ifconfig-push 10.9.0.1 10.9.0.2 |
---|
157 | |
---|
158 | # Suppose that you want to enable different |
---|
159 | # firewall access policies for different groups |
---|
160 | # of clients. There are two methods: |
---|
161 | # (1) Run multiple OpenVPN daemons, one for each |
---|
162 | # group, and firewall the TUN/TAP interface |
---|
163 | # for each group/daemon appropriately. |
---|
164 | # (2) (Advanced) Create a script to dynamically |
---|
165 | # modify the firewall in response to access |
---|
166 | # from different clients. See man |
---|
167 | # page for more info on learn-address script. |
---|
168 | ;learn-address ./script |
---|
169 | |
---|
170 | # If enabled, this directive will configure |
---|
171 | # all clients to redirect their default |
---|
172 | # network gateway through the VPN, causing |
---|
173 | # all IP traffic such as web browsing and |
---|
174 | # and DNS lookups to go through the VPN |
---|
175 | # (The OpenVPN server machine may need to NAT |
---|
176 | # or bridge the TUN/TAP interface to the internet |
---|
177 | # in order for this to work properly). |
---|
178 | push "redirect-gateway def1 bypass-dhcp" |
---|
179 | |
---|
180 | # Certain Windows-specific network settings |
---|
181 | # can be pushed to clients, such as DNS |
---|
182 | # or WINS server addresses. CAVEAT: |
---|
183 | # http://openvpn.net/faq.html#dhcpcaveats |
---|
184 | # The addresses below refer to the public |
---|
185 | # DNS servers provided by opendns.com. |
---|
186 | ##push "dhcp-option DNS 8.8.8.8" |
---|
187 | ##push "dhcp-option DNS 8.8.4.4" |
---|
188 | |
---|
189 | push "dhcp-option DNS 192.168.1.1" |
---|
190 | ;push "dhcp-option DNS 208.67.220.220" |
---|
191 | |
---|
192 | # Uncomment this directive to allow different |
---|
193 | # clients to be able to "see" each other. |
---|
194 | # By default, clients will only see the server. |
---|
195 | # To force clients to only see the server, you |
---|
196 | # will also need to appropriately firewall the |
---|
197 | # server's TUN/TAP interface. |
---|
198 | ;client-to-client |
---|
199 | |
---|
200 | # Uncomment this directive if multiple clients |
---|
201 | # might connect with the same certificate/key |
---|
202 | # files or common names. This is recommended |
---|
203 | # only for testing purposes. For production use, |
---|
204 | # each client should have its own certificate/key |
---|
205 | # pair. |
---|
206 | # |
---|
207 | # IF YOU HAVE NOT GENERATED INDIVIDUAL |
---|
208 | # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, |
---|
209 | # EACH HAVING ITS OWN UNIQUE "COMMON NAME", |
---|
210 | # UNCOMMENT THIS LINE OUT. |
---|
211 | ;duplicate-cn |
---|
212 | |
---|
213 | # The keepalive directive causes ping-like |
---|
214 | # messages to be sent back and forth over |
---|
215 | # the link so that each side knows when |
---|
216 | # the other side has gone down. |
---|
217 | # Ping every 10 seconds, assume that remote |
---|
218 | # peer is down if no ping received during |
---|
219 | # a 120 second time period. |
---|
220 | keepalive 10 120 |
---|
221 | |
---|
222 | # For extra security beyond that provided |
---|
223 | # by SSL/TLS, create an "HMAC firewall" |
---|
224 | # to help block DoS attacks and UDP port flooding. |
---|
225 | # |
---|
226 | # Generate with: |
---|
227 | # openvpn --genkey --secret ta.key |
---|
228 | # |
---|
229 | # The server and each client must have |
---|
230 | # a copy of this key. |
---|
231 | # The second parameter should be '0' |
---|
232 | # on the server and '1' on the clients. |
---|
233 | tls-auth /etc/openvpn/server/ta.key 0 # This file is secret |
---|
234 | |
---|
235 | # Select a cryptographic cipher. |
---|
236 | # This config item must be copied to |
---|
237 | # the client config file as well. |
---|
238 | ;cipher BF-CBC # Blowfish (default) |
---|
239 | ;cipher AES-128-CBC # AES |
---|
240 | ;cipher DES-EDE3-CBC # Triple-DES |
---|
241 | |
---|
242 | # Enable compression on the VPN link. |
---|
243 | # If you enable it here, you must also |
---|
244 | # enable it in the client config file. |
---|
245 | comp-lzo |
---|
246 | |
---|
247 | # The maximum number of concurrently connected |
---|
248 | # clients we want to allow. |
---|
249 | max-clients 4 |
---|
250 | |
---|
251 | # It's a good idea to reduce the OpenVPN |
---|
252 | # daemon's privileges after initialization. |
---|
253 | # |
---|
254 | # You can uncomment this out on |
---|
255 | # non-Windows systems. |
---|
256 | user nobody |
---|
257 | group nobody |
---|
258 | |
---|
259 | # The persist options will try to avoid |
---|
260 | # accessing certain resources on restart |
---|
261 | # that may no longer be accessible because |
---|
262 | # of the privilege downgrade. |
---|
263 | persist-key |
---|
264 | persist-tun |
---|
265 | |
---|
266 | # Output a short status file showing |
---|
267 | # current connections, truncated |
---|
268 | # and rewritten every minute. |
---|
269 | status openvpn-status.log |
---|
270 | |
---|
271 | # By default, log messages will go to the syslog (or |
---|
272 | # on Windows, if running as a service, they will go to |
---|
273 | # the "\Program Files\OpenVPN\log" directory). |
---|
274 | # Use log or log-append to override this default. |
---|
275 | # "log" will truncate the log file on OpenVPN startup, |
---|
276 | # while "log-append" will append to it. Use one |
---|
277 | # or the other (but not both). |
---|
278 | ;log openvpn.log |
---|
279 | ;log-append openvpn.log |
---|
280 | |
---|
281 | # Set the appropriate level of log |
---|
282 | # file verbosity. |
---|
283 | # |
---|
284 | # 0 is silent, except for fatal errors |
---|
285 | # 4 is reasonable for general usage |
---|
286 | # 5 and 6 can help to debug connection problems |
---|
287 | # 9 is extremely verbose |
---|
288 | verb 3 |
---|
289 | |
---|
290 | # Silence repeating messages. At most 20 |
---|
291 | # sequential messages of the same message |
---|
292 | # category will be output to the log. |
---|
293 | ;mute 20 |
---|