Ticket #933: server443.conf

# Originally /usr/share/doc/packages/openvpn/sample-config-files/tls-home.conf
# Set up for Jacinth by jimc on 2009-09-24.  This is openvpn-2.0beta5
# Revision history:
#   2015-07-16  jimc    Upgrade tls-cipher and DH params for Logjam
#   2015-01-25  jimc    New jfcarter.net addressing, use Startcom cert
#   2014-05-04  jimc    Switch back to CouchNet host certificate
#   2014-02-01  jimc    Made a new conf using 443/tcp for firewall traversal
#   2012-08-xx  jimc    Switch to using Startcom cert for jacinth.jfcarter.net
#   2011-05-15  jimc    Reactivate on Jacinth, version 2.1.0, use own host key

# General Parameters

# Verbosity. 0=fatal only, 1=startup + nonfatal errs, 2 = cert + crypto names,
# 3=TLS debug stuff, up to 11.
verb 1
mute 10

# Drop privileges and enter chroot jail.  (Can't, no access to tunnel device)
# user nobody
# group nobody
# chroot /etc/openvpn/jail

# Preserve root-only files and options.
persist-key
persist-local-ip
persist-remote-ip
persist-tun

# Lock key and buffers in memory, keeping them out of the swap file.
mlock

# Use a dynamic tun device.  (Could also be tap, for ether bridging.)
dev tun
tun-ipv6

# MTU for tunnel (outer) packets.  Over-conservative default 1300, recommended
# is (link_mtu - 28) deducting the UDP header, i.e. 1472 for a standard link 
# of MTU = 1500.  The default seems to work OK in v2.0.
# link-mtu 1472

# Path MTU discovery, should DF (don't fragment) be set? no, maybe, yes.
# "maybe" uses per-route heuristics to decide.
mtu-disc maybe

# Empirically verify the MTU.  Results logged after about 3 minutes.
# Requires equivalent support on the other end.
# (Only for UDP) mtu-test

# Send pings to keep conntracks alive and detect a dead peer, only if connected.
# This expands to: ping 51; ping-restart 2*31; push "ping 15"; 
# push "ping-restart 31"
keepalive 15 31
ping-timer-rem

# Don't complain about not knowing IP addresses.
ifconfig-nowarn

# Parameters of Server

# Multi-client server, uses dynamic addresses from 192.9.200.144/28,
# 16 addresses, 4 per client and the server takes 1 set.  
mode server
server 192.9.200.144 255.255.255.240
# As of OpenVPN-2.3.2 server pools of 64..112 bits (128-b = 64..16) are allowed
server-ipv6 2001:470:1f05:844::3:0/112
max-clients 3

# Connection freq, N connects per S seconds.  Resist denial of service attacks.
# (Only for UDP)
# connect-freq 1 1

# Our OpenVPN peer: wait for something to connect to the server.
# remote its.host.name

# Allow reconnects with a different IP address (DHCP renew does that sometimes)
float

# This command allows one user to have more than one connection at a time,
# e.g. from multiple machines on his home net.  
duplicate-cn

# Many hotel wi-fi services pass only very few ports such as 80 and 443. 
# Similarly, VPN ports are blocked nationally by China, Dubai, UAE.  
# I need to get through that kind of crap.  

# Protocol (udp, tcp-server, tcp-client).  udp is the default, and usually best.
proto tcp-server

# Port (default is 1194 per official IANA assignment; formerly 5000)
port 443

# If there are multiple clients, internally route between them.
client-to-client

# The client should handle its own ifconfig and routes (default gateway).
# We don't push those out.

# https://wiki.debian.org/OpenVPN recommends to push a DNS server for Android.
push "dhcp-option DNS 192.9.200.193"

# Crypto Parameters (must match the peer, can't push them)

# HMAC algorithm (anti-tampering checksum)
auth SHA256

# Cryptographic cipher on main data channel (not used in tls-server/client mode)
cipher AES-256-CBC

# Use LZO compression (with adaptive shutoff)
comp-lzo

# TLS Parameters

# Polarity of this host (tls-client or tls-server)
tls-server

# TLS encryption algo(s), colon separated.  `openvpn --show-tls` for a list. 30
# ciphers in default list starting with DHE-RSA-AES256-SHA (most preferred)
# down to EXP-RC4-MD5 (40 bits).  Copy from Apache to mitigate Logjam.  
tls-cipher DEFAULT:+aRSA:+SHA:!aNULL:!DES:!3DES:!RC4:!MD5:!PSK:!DSS:!CAMELLIA:!SEED:!SRP:!AES256

# Diffie-Hellman parameters (2048 bits).  Only needed on the server, which 
# sends it to the client.  
# jimc/CouchNet hack: use our own, to mitigate Logjam (CVE-2015-4000)
dh /etc/ssl/hostcerts/dhparams.pem

# Certificate Authority file (symbolic links to the real locations).
# This is/are (concatenated) the CA that signed the client certs, could be
# several.  An intermediate CA may appear here, and if so, the trust anchor
# should also appear.  See also extra-certs.  Use capath for a directory, but
# trusting client certs signed by commercial trust vendors is a bad idea.
ca /etc/ssl/ca/host.pth

# The server's host certificate and private key (unencrypted).  The trust
# chain may be appended (and omit extra-certs).  
cert /etc/ssl/hostcerts/hostw.cia
key /etc/ssl/private/hostw.key

# For a HMAC on all control channel packets, resists DoS better.  2048 bits.
key-direction 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
wouldntyouliketoknow....
-----END OpenVPN Static key V1-----
</tls-auth>