# Originally /usr/share/doc/packages/openvpn/sample-config-files/tls-home.conf
# Set up for Jacinth by jimc on 2009-09-24. This is openvpn-2.0beta5
# Revision history:
# 2015-07-16 jimc Upgrade tls-cipher and DH params for Logjam
# 2015-01-25 jimc New jfcarter.net addressing, use Startcom cert
# 2014-05-04 jimc Switch back to CouchNet host certificate
# 2014-02-01 jimc Made a new conf using 443/tcp for firewall traversal
# 2012-08-xx jimc Switch to using Startcom cert for jacinth.jfcarter.net
# 2011-05-15 jimc Reactivate on Jacinth, version 2.1.0, use own host key
#
# NOTE(review): the header still says 2.0beta5, but the history and the
# server-ipv6 remark below refer to 2.1.0 and 2.3.2. Confirm which release
# actually runs this file before trusting any version-specific comment here.

# General Parameters

# Verbosity. 0=fatal only, 1=startup + nonfatal errs, 2 = cert + crypto names,
# 3=TLS debug stuff, up to 11.
# NOTE(review): at verb 1 the log records very little per connection; if the
# log is meant to support incident review, 3 records per-client TLS/cert
# details at modest cost.
verb 1
mute 10

# Drop privileges and enter chroot jail. (Can't, no access to tunnel device)
# NOTE(review): persist-key and persist-tun below exist precisely so that the
# key file and the tun device are opened while still root and kept across
# restarts. Worth re-testing user/group nobody with those set instead of
# leaving the daemon as root - not verified here, confirm on the running version.
# user nobody
# group nobody
# chroot /etc/openvpn/jail

# Preserve root-only files and options across restarts (e.g. the
# ping-restart that keepalive below sets up).
persist-key
persist-local-ip
persist-remote-ip
persist-tun

# Lock key and buffers in memory, keeping them out of the swap file.
mlock

# Use a dynamic tun device. (Could also be tap, for ether bridging.)
dev tun
# NOTE(review): tun-ipv6 is reportedly ignored/deprecated in newer releases
# once server-ipv6 is in use; harmless to keep, watch for a startup warning.
tun-ipv6

# MTU for tunnel (outer) packets. Over-conservative default 1300, recommended
# is (link_mtu - 28) deducting the UDP header, i.e. 1472 for a standard link
# of MTU = 1500. The default seems to work OK in v2.0.
# link-mtu 1472

# Path MTU discovery, should DF (don't fragment) be set? no, maybe, yes.
# "maybe" uses per-route heuristics to decide.
mtu-disc maybe

# Empirically verify the MTU. Results logged after about 3 minutes.
# Requires equivalent support on the other end.
# (Only for UDP) mtu-test

# Send pings to keep conntracks alive and detect a dead peer, only if connected.
# On the server side this expands to: ping 15; ping-restart 2*31;
# push "ping 15"; push "ping-restart 31"
keepalive 15 31
# Only run the ping timers once a remote peer is actually known.
ping-timer-rem

# Don't complain about not knowing IP addresses.
ifconfig-nowarn

# Parameters of Server

# Multi-client server, uses dynamic addresses from 192.9.200.144/28,
# 16 addresses, 4 per client and the server takes 1 set.
mode server
server 192.9.200.144 255.255.255.240
# As of OpenVPN-2.3.2 server pools of 64..112 bits (128-b = 64..16) are allowed
server-ipv6 2001:470:1f05:844::3:0/112
# Hard cap on simultaneous clients. With duplicate-cn below this cap is the
# only thing bounding how many sessions a single certificate can open.
max-clients 3

# Connection freq, N connects per S seconds. Resist denial of service attacks.
# (Only for UDP)
# connect-freq 1 1

# Our OpenVPN peer: wait for something to connect to the server.
# remote its.host.name

# Allow reconnects with a different IP address (DHCP renew does that sometimes)
# NOTE(review): presumably moot with proto tcp-server below, since a TCP
# session cannot change its source address mid-stream; harmless to keep.
float

# This command allows one user to have more than one connection at a time,
# e.g. from multiple machines on his home net.
# NOTE(review): the cost is accountability - a copied or stolen client cert
# can be used alongside the legitimate one without either session being
# displaced, and per-client addressing via client-config-dir cannot be
# relied on. If that matters, issue one cert per device instead.
duplicate-cn

# Many hotel wi-fi services pass only very few ports such as 80 and 443.
# Similarly, VPN ports are blocked nationally by China, Dubai, UAE.
# I need to get through that kind of crap.

# Protocol (udp, tcp-server, tcp-client). udp is the default, and usually best.
proto tcp-server

# Port (default is 1194 per official IANA assignment; formerly 5000)
port 443

# If there are multiple clients, internally route between them.
# NOTE(review): with this set, client-to-client traffic is forwarded inside
# openvpn and never traverses the kernel, so host firewall rules on the tun
# device do not see it - confirm that is intended.
client-to-client

# The client should handle its own ifconfig and routes (default gateway).
# We don't push those out.

# https://wiki.debian.org/OpenVPN recommends to push a DNS server for Android.
push "dhcp-option DNS 192.9.200.193"

# Crypto Parameters (must match the peer, can't push them)

# HMAC algorithm (anti-tampering checksum) for the data channel and tls-auth.
auth SHA256

# Cryptographic cipher on main data channel.
# NOTE(review): the old remark "not used in tls-server/client mode" has it
# backwards - in TLS mode this is still the data channel cipher, only the
# key comes from the TLS handshake. Newer releases negotiate it instead via
# ncp-ciphers / data-ciphers; check what the running version actually picks.
cipher AES-256-CBC

# Use LZO compression (with adaptive shutoff)
# NOTE(review): compressing tunnel data is a known compression side channel
# (VORACLE, 2018) and the OpenVPN project has since recommended leaving
# compression off. It must match the peer, so turning it off means updating
# every client config (or pushing the setting) at the same time.
comp-lzo

# TLS Parameters

# Polarity of this host (tls-client or tls-server)
tls-server

# TLS encryption algo(s), colon separated. `openvpn --show-tls` for a list. 30
# ciphers in default list starting with DHE-RSA-AES256-SHA (most preferred)
# down to EXP-RC4-MD5 (40 bits). Copy from Apache to mitigate Logjam.
# NOTE(review): the trailing !AES256 drops every AES-256 TLS suite, leaving
# AES-128 on the control channel - presumably intentional, but it sits oddly
# next to AES-256-CBC on the data channel. The 2048-bit dh below is the main
# Logjam mitigation; this list does not exclude EXPORT suites explicitly and
# relies on DEFAULT doing so, which depends on the OpenSSL build.
tls-cipher DEFAULT:+aRSA:+SHA:!aNULL:!DES:!3DES:!RC4:!MD5:!PSK:!DSS:!CAMELLIA:!SEED:!SRP:!AES256

# Diffie-Hellman parameters (2048 bits). Only needed on the server, which
# sends it to the client.
# jimc/CouchNet hack: use our own, to mitigate Logjam (CVE-2015-4000)
dh /etc/ssl/hostcerts/dhparams.pem

# Certificate Authority file (symbolic links to the real locations).
# This is/are (concatenated) the CA that signed the client certs, could be
# several. An intermediate CA may appear here, and if so, the trust anchor
# should also appear. See also extra-certs. Use capath for a directory, but
# trusting client certs signed by commercial trust vendors is a bad idea.
ca /etc/ssl/ca/host.pth

# The server's host certificate and private key (unencrypted). The trust
# chain may be appended (and omit extra-certs).
# NOTE(review): unencrypted key - keep the file root-only (0600). mlock and
# persist-key above keep it out of swap and avoid re-reads; they do nothing
# for the file on disk.
cert /etc/ssl/hostcerts/hostw.cia
key /etc/ssl/private/hostw.key

# For a HMAC on all control channel packets, resists DoS better. 2048 bits.
# key-direction 0 here means every client must use key-direction 1.
# NOTE(review): the key is inline, so this whole config file is key material
# and needs the same 0600 handling as hostw.key. The value below is a
# placeholder, not a real key; the live file must carry the real one.
# tls-crypt (2.4+) would additionally encrypt the control channel - consider
# it once clients are upgraded.
key-direction 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
wouldntyouliketoknow....
-----END OpenVPN Static key V1-----
</tls-auth>
