LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23199 Commits
1 Branch
46 MiB
Tree: f4150da17a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f4150da17a'
${ noResults }
openwrt-packages-dist/net/openvpn/files/openvpn.config

493 lines
16 KiB
Raw Normal View History

openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: disable LZO support by default OpenVPN recommends disabling compression, as it may weaken the security of the connection. For users who need compression, we build with LZ4 support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB. OpenWrt users will no longer be able to connect to OpenVPN peers that require LZO compression, unless they build the OpenVPN package themselves. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
 
  1. package openvpn
  2. 

  3. #################################################
  4. # Sample to include a custom config file.       #
  5. #################################################
  6. 

  7. config openvpn custom_config
  8. 

  9. 	# Set to 1 to enable this instance:
  10. 	option enabled 0
  11. 

  12. 	# Include OpenVPN configuration
  13. 	option config /etc/openvpn/my-vpn.conf
  14. 

  15. 

  16. #################################################
  17. # Sample OpenVPN 2.0 uci config for             #
  18. # multi-client server.                          #
  19. #################################################
  20. 

  21. config openvpn sample_server
  22. 

  23. 	# Set to 1 to enable this instance:
  24. 	option enabled 0
  25. 

  26. 	# Which local IP address should OpenVPN
  27. 	# listen on? (optional)
  28. #	option local 0.0.0.0
  29. 

  30. 	# Which TCP/UDP port should OpenVPN listen on?
  31. 	# If you want to run multiple OpenVPN instances
  32. 	# on the same machine, use a different port
  33. 	# number for each one.  You will need to
  34. 	# open up this port on your firewall.
  35. 	option port 1194
  36. 

  37. 	# TCP or UDP server?
  38. #	option proto tcp
  39. 	option proto udp
  40. 

  41. 	# "dev tun" will create a routed IP tunnel,
  42. 	# "dev tap" will create an ethernet tunnel.
  43. 	# Use "dev tap0" if you are ethernet bridging
  44. 	# and have precreated a tap0 virtual interface
  45. 	# and bridged it with your ethernet interface.
  46. 	# If you want to control access policies
  47. 	# over the VPN, you must create firewall
  48. 	# rules for the the TUN/TAP interface.
  49. 	# On non-Windows systems, you can give
  50. 	# an explicit unit number, such as tun0.
  51. 	# On Windows, use "dev-node" for this.
  52. 	# On most systems, the VPN will not function
  53. 	# unless you partially or fully disable
  54. 	# the firewall for the TUN/TAP interface.
  55. #	option dev tap
  56. 	option dev tun
  57. 

  58. 	# SSL/TLS root certificate (ca), certificate
  59. 	# (cert), and private key (key).  Each client
  60. 	# and the server must have their own cert and
  61. 	# key file.  The server and all clients will
  62. 	# use the same ca file.
  63. 	#
  64. 	# See the "easy-rsa" directory for a series
  65. 	# of scripts for generating RSA certificates
  66. 	# and private keys.  Remember to use
  67. 	# a unique Common Name for the server
  68. 	# and each of the client certificates.
  69. 	#
  70. 	# Any X509 key management system can be used.
  71. 	# OpenVPN can also use a PKCS #12 formatted key file
  72. 	# (see "pkcs12" directive in man page).
  73. 	option ca /etc/openvpn/ca.crt
  74. 	option cert /etc/openvpn/server.crt
  75. 	# This file should be kept secret:
  76. 	option key /etc/openvpn/server.key
  77. 

  78. 	# Diffie hellman parameters.
  79. 	# Generate your own with:
  80. 	#   openssl dhparam -out dh2048.pem 2048
  81. 	# Substitute 2048 for 1024 if you are using
  82. 	# 1024 bit keys.
  83. 	option dh /etc/openvpn/dh2048.pem
  84. 

  85. 	# Configure server mode and supply a VPN subnet
  86. 	# for OpenVPN to draw client addresses from.
  87. 	# The server will take 10.8.0.1 for itself,
  88. 	# the rest will be made available to clients.
  89. 	# Each client will be able to reach the server
  90. 	# on 10.8.0.1. Comment this line out if you are
  91. 	# ethernet bridging. See the man page for more info.
  92. 	option server "10.8.0.0 255.255.255.0"
  93. 

  94. 	# Maintain a record of client <-> virtual IP address
  95. 	# associations in this file.  If OpenVPN goes down or
  96. 	# is restarted, reconnecting clients can be assigned
  97. 	# the same virtual IP address from the pool that was
  98. 	# previously assigned.
  99. 	option ifconfig_pool_persist /tmp/ipp.txt
  100. 

  101. 	# Configure server mode for ethernet bridging.
  102. 	# You must first use your OS's bridging capability
  103. 	# to bridge the TAP interface with the ethernet
  104. 	# NIC interface.  Then you must manually set the
  105. 	# IP/netmask on the bridge interface, here we
  106. 	# assume 10.8.0.4/255.255.255.0.  Finally we
  107. 	# must set aside an IP range in this subnet
  108. 	# (start=10.8.0.50 end=10.8.0.100) to allocate
  109. 	# to connecting clients.  Leave this line commented
  110. 	# out unless you are ethernet bridging.
  111. #	option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"
  112. 

  113. 	# Push routes to the client to allow it
  114. 	# to reach other private subnets behind
  115. 	# the server.  Remember that these
  116. 	# private subnets will also need
  117. 	# to know to route the OpenVPN client
  118. 	# address pool (10.8.0.0/255.255.255.0)
  119. 	# back to the OpenVPN server.
  120. #	list push "route 192.168.10.0 255.255.255.0"
  121. #	list push "route 192.168.20.0 255.255.255.0"
  122. 

  123. 	# To assign specific IP addresses to specific
  124. 	# clients or if a connecting client has a private
  125. 	# subnet behind it that should also have VPN access,
  126. 	# use the subdirectory "ccd" for client-specific
  127. 	# configuration files (see man page for more info).
  128. 

  129. 	# EXAMPLE: Suppose the client
  130. 	# having the certificate common name "Thelonious"
  131. 	# also has a small subnet behind his connecting
  132. 	# machine, such as 192.168.40.128/255.255.255.248.
  133. 	# First, uncomment out these lines:
  134. #	option client_config_dir /etc/openvpn/ccd
  135. #	list route "192.168.40.128 255.255.255.248"
  136. 	# Then create a file ccd/Thelonious with this line:
  137. 	#   iroute 192.168.40.128 255.255.255.248
  138. 	# This will allow Thelonious' private subnet to
  139. 	# access the VPN.  This example will only work
  140. 	# if you are routing, not bridging, i.e. you are
  141. 	# using "dev tun" and "server" directives.
  142. 

  143. 	# EXAMPLE: Suppose you want to give
  144. 	# Thelonious a fixed VPN IP address of 10.9.0.1.
  145. 	# First uncomment out these lines:
  146. #	option client_config_dir /etc/openvpn/ccd
  147. #	list route "10.9.0.0 255.255.255.252"
  148. #	list route "192.168.100.0 255.255.255.0"
  149. 	# Then add this line to ccd/Thelonious:
  150. 	#   ifconfig-push "10.9.0.1 10.9.0.2"
  151. 

  152. 	# Suppose that you want to enable different
  153. 	# firewall access policies for different groups
  154. 	# of clients.  There are two methods:
  155. 	# (1) Run multiple OpenVPN daemons, one for each
  156. 	#     group, and firewall the TUN/TAP interface
  157. 	#     for each group/daemon appropriately.
  158. 	# (2) (Advanced) Create a script to dynamically
  159. 	#     modify the firewall in response to access
  160. 	#     from different clients.  See man
  161. 	#     page for more info on learn-address script.
  162. #	option learn_address /etc/openvpn/script
  163. 

  164. 	# If enabled, this directive will configure
  165. 	# all clients to redirect their default
  166. 	# network gateway through the VPN, causing
  167. 	# all IP traffic such as web browsing and
  168. 	# and DNS lookups to go through the VPN
  169. 	# (The OpenVPN server machine may need to NAT
  170. 	# the TUN/TAP interface to the internet in
  171. 	# order for this to work properly).
  172. 	# CAVEAT: May break client's network config if
  173. 	# client's local DHCP server packets get routed
  174. 	# through the tunnel.  Solution: make sure
  175. 	# client's local DHCP server is reachable via
  176. 	# a more specific route than the default route
  177. 	# of 0.0.0.0/0.0.0.0.
  178. #	list push "redirect-gateway"
  179. 

  180. 	# Certain Windows-specific network settings
  181. 	# can be pushed to clients, such as DNS
  182. 	# or WINS server addresses.  CAVEAT:
  183. 	# http://openvpn.net/faq.html#dhcpcaveats
  184. #	list push "dhcp-option DNS 10.8.0.1"
  185. #	list push "dhcp-option WINS 10.8.0.1"
  186. 

  187. 	# Uncomment this directive to allow different
  188. 	# clients to be able to "see" each other.
  189. 	# By default, clients will only see the server.
  190. 	# To force clients to only see the server, you
  191. 	# will also need to appropriately firewall the
  192. 	# server's TUN/TAP interface.
  193. #	option client_to_client 1
  194. 

  195. 	# Uncomment this directive if multiple clients
  196. 	# might connect with the same certificate/key
  197. 	# files or common names.  This is recommended
  198. 	# only for testing purposes.  For production use,
  199. 	# each client should have its own certificate/key
  200. 	# pair.
  201. 	#
  202. 	# IF YOU HAVE NOT GENERATED INDIVIDUAL
  203. 	# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  204. 	# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  205. 	# UNCOMMENT THIS LINE OUT.
  206. #	option duplicate_cn 1
  207. 

  208. 	# The keepalive directive causes ping-like
  209. 	# messages to be sent back and forth over
  210. 	# the link so that each side knows when
  211. 	# the other side has gone down.
  212. 	# Ping every 10 seconds, assume that remote
  213. 	# peer is down if no ping received during
  214. 	# a 120 second time period.
  215. 	option keepalive "10 120"
  216. 

  217. 	# For extra security beyond that provided
  218. 	# by SSL/TLS, create an "HMAC firewall"
  219. 	# to help block DoS attacks and UDP port flooding.
  220. 	#
  221. 	# Generate with:
  222. 	#   openvpn --genkey --secret ta.key
  223. 	#
  224. 	# The server and each client must have
  225. 	# a copy of this key.
  226. 	# The second parameter should be '0'
  227. 	# on the server and '1' on the clients.
  228. 	# This file is secret:
  229. #	option tls_auth "/etc/openvpn/ta.key 0"
  230. 

  231. 	# For additional privacy, a shared secret key
  232. 	# can be used for both authentication (as in tls_auth)
  233. 	# and encryption of the TLS control channel.
  234. 	#
  235. 	# Generate a shared secret with:
  236. 	# openvpn --genkey --secret ta.key
  237. 	#
  238. 	# The server and each client must have
  239. 	# a copy of this key.
  240. 	#
  241. 	# tls_auth and tls_crypt should NOT
  242. 	# be combined, as tls_crypt implies tls_auth.
  243. 	# Use EITHER tls_crypt, tls_auth, or neither option.
  244. #	option tls_crypt "/etc/openvpn/ta.key"
  245. 

  246. 	# Set the minimum required TLS protocol version
  247. 	# for all connections.
  248. 	#
  249. 	# Require at least TLS 1.1
  250. #	option tls_version_min "1.1"
  251. 	# Require at least TLS 1.2
  252. #	option tls_version_min "1.2"
  253. 	# Require TLS 1.2, or the highest version supported
  254. 	# on the system
  255. #	option tls_version_min "1.2 'or-highest'"
  256. 

  257. 	# List the preferred ciphers to use for the data channel.
  258. 	# Run openvpn --show-ciphers to see all supported ciphers.
  259. #	list data_ciphers 'AES-256-GCM'
  260. #	list data_ciphers 'AES-128-GCM'
  261. #	list data_ciphers 'CHACHA20-POLY1305'
  262. 

  263. 	# Set a fallback cipher in order to be compatible with
  264. 	# peers that do not support cipher negotiation.
  265. 	#
  266. 	# Use AES-256-CBC as fallback
  267. #	option data_ciphers_fallback 'AES-128-CBC'
  268. 	# Use AES-128-CBC as fallback
  269. #	option data_ciphers_fallback 'AES-256-CBC'
  270. 	# Use Triple-DES as fallback
  271. #	option data_ciphers_fallback 'DES-EDE3-CBC'
  272. 	# Use BF-CBC as fallback
  273. #	option data_ciphers_fallback 'BF-CBC'
  274. 

  275. 	# OpenVPN versions 2.4 and later will attempt to
  276. 	# automatically negotiate the most secure cipher
  277. 	# between the client and server, regardless of a
  278. 	# configured "option cipher" (see below).
  279. 	# Automatic negotiation is recommended.
  280. 	#
  281. 	# Uncomment this option to disable this behavior,
  282. 	# and force all OpenVPN peers to use the configured
  283. 	# cipher option instead (not recommended).
  284. #	option ncp_disable
  285. 

  286. 	# Enable compression on the VPN link.
  287. 	# If you enable it here, you must also
  288. 	# enable it in the client config file.
  289. 	#
  290. 	# Compression is not recommended, as compression and
  291. 	# encryption in combination can weaken the security
  292. 	# of the connection.
  293. 	#
  294. 	# LZ4 requires OpenVPN 2.4+ client and server
  295. #	option compress lz4
  296. 	
  297. 	# Control how OpenVPN handles peers using compression
  298. 	#
  299. 	# Do not allow any connections using compression
  300. #	option allow_compression 'no'
  301. 	# Allow incoming compressed packets, but do not send compressed packets to other peers
  302. 	# This can be useful when migrating old configurations with compression activated
  303. #	option allow_compression 'asym'
  304. 	# Both incoming and outgoing packets may be compressed
  305. #	option allow_compression 'yes'
  306. 

  307. 	# The maximum number of concurrently connected
  308. 	# clients we want to allow.
  309. #	option max_clients 100
  310. 

  311. 	# The persist options will try to avoid
  312. 	# accessing certain resources on restart
  313. 	# that may no longer be accessible because
  314. 	# of the privilege downgrade.
  315. 	option persist_key 1
  316. 	option persist_tun 1
  317. 	option user nobody
  318. 

  319. 	# Output a short status file showing
  320. 	# current connections, truncated
  321. 	# and rewritten every minute.
  322. 	option status /tmp/openvpn-status.log
  323. 

  324. 	# By default, log messages will go to the syslog (or
  325. 	# on Windows, if running as a service, they will go to
  326. 	# the "\Program Files\OpenVPN\log" directory).
  327. 	# Use log or log-append to override this default.
  328. 	# "log" will truncate the log file on OpenVPN startup,
  329. 	# while "log-append" will append to it.  Use one
  330. 	# or the other (but not both).
  331. #	option log         /tmp/openvpn.log
  332. #	option log_append  /tmp/openvpn.log
  333. 

  334. 	# Set the appropriate level of log
  335. 	# file verbosity.
  336. 	#
  337. 	# 0 is silent, except for fatal errors
  338. 	# 4 is reasonable for general usage
  339. 	# 5 and 6 can help to debug connection problems
  340. 	# 9 is extremely verbose
  341. 	option verb 3
  342. 

  343. 	# Silence repeating messages.  At most 20
  344. 	# sequential messages of the same message
  345. 	# category will be output to the log.
  346. #	option mute 20
  347. 

  348. 

  349. ##############################################
  350. # Sample client-side OpenVPN 2.0 uci config  #
  351. # for connecting to multi-client server.     #
  352. ##############################################
  353. 

  354. config openvpn sample_client
  355. 

  356. 	# Set to 1 to enable this instance:
  357. 	option enabled 0
  358. 

  359. 	# Specify that we are a client and that we
  360. 	# will be pulling certain config file directives
  361. 	# from the server.
  362. 	option client 1
  363. 

  364. 	# Use the same setting as you are using on
  365. 	# the server.
  366. 	# On most systems, the VPN will not function
  367. 	# unless you partially or fully disable
  368. 	# the firewall for the TUN/TAP interface.
  369. #	option dev tap
  370. 	option dev tun
  371. 

  372. 	# Are we connecting to a TCP or
  373. 	# UDP server?  Use the same setting as
  374. 	# on the server.
  375. #	option proto tcp
  376. 	option proto udp
  377. 

  378. 	# The hostname/IP and port of the server.
  379. 	# You can have multiple remote entries
  380. 	# to load balance between the servers.
  381. 	list remote "my_server_1 1194"
  382. #	list remote "my_server_2 1194"
  383. 

  384. 	# Choose a random host from the remote
  385. 	# list for load_balancing.  Otherwise
  386. 	# try hosts in the order specified.
  387. #	option remote_random 1
  388. 

  389. 	# Keep trying indefinitely to resolve the
  390. 	# host name of the OpenVPN server.  Very useful
  391. 	# on machines which are not permanently connected
  392. 	# to the internet such as laptops.
  393. 	option resolv_retry infinite
  394. 

  395. 	# Most clients don't need to bind to
  396. 	# a specific local port number.
  397. 	option nobind 1
  398. 

  399. 	# Try to preserve some state across restarts.
  400. 	option persist_key 1
  401. 	option persist_tun 1
  402. 	option user nobody
  403. 

  404. 	# If you are connecting through an
  405. 	# HTTP proxy to reach the actual OpenVPN
  406. 	# server, put the proxy server/IP and
  407. 	# port number here.  See the man page
  408. 	# if your proxy server requires
  409. 	# authentication.
  410. 	# retry on connection failures:
  411. #	option http_proxy_retry 1
  412. 	# specify http proxy address and port:
  413. #	option http_proxy "192.168.1.100 8080"
  414. 

  415. 	# Wireless networks often produce a lot
  416. 	# of duplicate packets.  Set this flag
  417. 	# to silence duplicate packet warnings.
  418. #	option mute_replay_warnings 1
  419. 

  420. 	# SSL/TLS parms.
  421. 	# See the server config file for more
  422. 	# description.  It's best to use
  423. 	# a separate .crt/.key file pair
  424. 	# for each client.  A single ca
  425. 	# file can be used for all clients.
  426. 	option ca /etc/openvpn/ca.crt
  427. 	option cert /etc/openvpn/client.crt
  428. 	option key /etc/openvpn/client.key
  429. 

  430. 	# Verify server certificate by checking
  431. 	# that the certicate has the key usage
  432. 	# field set to "server".  This is an
  433. 	# important precaution to protect against
  434. 	# a potential attack discussed here:
  435. 	#  http://openvpn.net/howto.html#mitm
  436. 	#
  437. 	# To use this feature, you will need to generate
  438. 	# your server certificates with the nsCertType
  439. 	# field set to "server".  The build_key_server
  440. 	# script in the easy_rsa folder will do this.
  441. #	option remote_cert_tls server
  442. 

  443. 	# If a tls_auth key is used on the server
  444. 	# then every client must also have the key.
  445. #	option tls_auth "/etc/openvpn/ta.key 1"
  446. 

  447. 	# If a tls_crypt key is used on the server
  448. 	# every client must also have the key.
  449. #	option tls_crypt "/etc/openvpn/ta.key"
  450. 

  451. 	# Set the minimum required TLS protocol version
  452. 	# for all connections.
  453. 	#
  454. 	# Require at least TLS 1.1
  455. #	option tls_version_min "1.1"
  456. 	# Require at least TLS 1.2
  457. #	option tls_version_min "1.2"
  458. 	# Require TLS 1.2, or the highest version supported
  459. 	# on the system
  460. #	option tls_version_min "1.2 'or-highest'"
  461. 

  462. 	# List the preferred ciphers for the data channel.
  463. #	list data_ciphers 'AES-256-GCM'
  464. #	list data_ciphers 'AES-128-GCM'
  465. #	list data_ciphers 'CHACHA20-POLY1305'
  466. 

  467. 	# Set a fallback cipher if you connect to a peer that does
  468. 	# not support cipher negotiation.
  469. 	# Use AES-256-CBC as fallback
  470. #	option data_ciphers_fallback 'AES-128-CBC'
  471. 	# Use AES-128-CBC as fallback
  472. #	option data_ciphers_fallback 'AES-256-CBC'
  473. 	# Use Triple-DES as fallback
  474. #	option data_ciphers_fallback 'DES-EDE3-CBC'
  475. 	# Use BF-CBC as fallback
  476. #	option data_ciphers_fallback 'BF-CBC'
  477. 

  478. 	# Enable compression on the VPN link.
  479. 	# Don't enable this unless it is also
  480. 	# enabled in the server config file.
  481. 	#
  482. 	# Compression is not recommended, as compression and
  483. 	# encryption in combination can weaken the security
  484. 	# of the connection.
  485. 	#
  486. 	# LZ4 requires OpenVPN 2.4+ on server and client
  487. #	option compress lz4
  488. 

  489. 	# Set log file verbosity.
  490. 	option verb 3
  491. 

  492. 	# Silence repeating messages
  493. #	option mute 20