# openvpn.conf.sample # # This is a sample configuration file for OpenVPN. # Not all options are listed here; you can find good documentation # about all of the options in OpenVPN's manual page - openvpn(8). # # You can make a P-t-P connection by creating a shared key, # copying this key to other hosts in your network, and changing # the IP addresses in this file. # # Commented options are provided for some typical configurations # Change the "search" path to /etc/openvpn # All files referenced in this configuration will be relative to # whatever directory is specified here - we default to /etc/openvpn cd /etc/openvpn # If running as a server, which local IP address should OpenVPN # listen on? Specify this as either a hostname or IP address. If # this is left blank, OpenVPN will default to listening on all # interfaces. #local a.b.c.d # This option defines the IP or DNS name of the other side of your VPN # connection. This option is needed if you are making client or P-t-P # connections. If you are the server, use "local" instead. This may # be specified as a domain name or IP address. #remote vpn.server.org # This option defins the protocol to use. Valid options are: # udp, tcp-server, or tcp-client. Default is udp, and generally # speaking, tcp is a bad idea. proto udp # This option defines the port on which your server will be listening # or trying to connect. The default is 1194 port 1194 # This option defines whether to use LZO compression. # If enabled, it must be enabled at both ends of the VPN connection. #comp-lzo # Debug level (default 1) #verb 3 # VPN logfile location # If you don't specify a location here, logging will be done through # syslogd and write to /var/log/messages log-append /var/log/openvpn.log # If you want to use OpenVPN as a daemon, uncomment this line. # Generally speaking, servers should run OpenVPN as a daemon # and clients should not. #daemon # Device type to use, you can choose between tun or tap. # TUN is the most common option. If you have multiple connections, # it is a good idea to bind each connection to a separate TUN/TAP # interface using tunX/tapX, where X is the number of each interface. dev tun # This option prevents OpenVPN from closing and re-opening the tun/tap # device every time it receives a SIGUSR1 signal #persist-tun # This is similar to the previous option, but it prevents OpenVPN from # re-reading the key files every time #persist-key # If you are using a client-server architecture, you need to specify the # role of your computer in your VPN network. To use one of these options, # you need to configure TLS options too. # # To use the "server" option, you must specify a network subnet such # as 172.16.1.0 255.255.255.0. The first number is the network, the # second is the netmask. OpenVPN will take the first available IP # for itself (in our example, 172.16.1.1) and the rest will be # given to connecting clients dynamically. # # Leave these commented out if you are using OpenVPN in bridging mode. # #server 10.1.2.0 255.255.255.0 #client # This option defines a file with IP address to client mapping. # This is useful in general, and necessary if clients use persist-tun. #ifconfig-pool-persist ips.txt # Enable this option if you want clients connected to this VPN to be # able to talk directly to each other #client-to-client # This option defines the directory in which configuration files for clients # will reside. With individual files you can make each client get different # options using "push" parameters #client-config-dir ccd # If you are using P-t-P, you need to specify the IP addresses at both ends # of your VPN connection. The IP addresses are reversed at the other side. # # You can use this to specify client IP addresses in ccd files (on server) # or directly in client configuration #ifconfig 10.1.2.1 10.1.2.2 # You can set routes to specific networks. In the sample below, "vpn_gateway" # is an internal OpenVPN alias to your VPN gateway - leave it as is. # This will enable you to talk with the networks behind your VPN server. # Multiple routes can be specified. # # +------------+ - - +------------+ # | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 | # +------------+ +------+ +------+ +------------+ # 192.168.0.0/24 192.168.2.0/24 # # The sample below shows how VPN1 server can reach Network2 #route 192.168.2.0 255.255.255.0 vpn_gateway # You can send clients many network configuration options using the # "push" directive and sending commands. # Multiple "push" directives can be used. You should only put global # "push" directives here. You can "push" different options to # different clients in per-client configuration files. See # "client-config-dir" above. # # Using the same network configuration that you see above, the route statment # here allows VPN2 to reach Network1 #push "route-delay 2 600" #push "route 192.168.2.0 255.255.255.0 vpn_gateway" #push "persist-key" # This option sets the encryption algorithm to use in the VPN connection. # Available options are: # DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC, # DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, # RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC cipher BF-CBC # Shared Key Connection # --------------------- # Secret is one shared key between the hosts that want to connect through VPNs. # Without secret or TLS options, your data will not be encrypted. # # To generate an encryption key do: # openvpn --genkey --secret /etc/openvpn/keys/shared.key # # Do the above on one host and copy it to the others secret keys/shared.key # TLS Connections # --------------- # TLS must be used if you use option "server" or "client" # The basic idea there is: You have one Certificate Authority, and all # machines in your VPN network need to have individual certificates and # keys signed by Certificate Authority. This means each client can # have its own key, making it easier to revoke a key without copying # a shared secret key to every client. # # Inside the /usr/doc/openvpn-$VERSION documentation directory, you can # find "easy-rsa" scripts to make certificate and key management easier. # Certificate Authority file # This file must be identical on all hosts that connect to your VPN #ca certs/ca.crt # If you are the server, you need to specify some Diffie Hellman parameters. # OpenVPN provides some sample .pem files in documentation directory #dh my-dh.pem # Certificate and Key signed by Certificate Authority # Each machine needs to have their own unique certificate #cert certs/machine.cert #key keys/machine.key # To prevent some DoS attacks we can add another authentication layer in the # TLS control channel. This needs to be enabled at both ends to work # client uses the value 1; server uses the value 0 #tls-auth keys/shared.key 0