package openvpn ################################################# # Sample to include a custom config file. # ################################################# config openvpn custom_config # Set to 1 to enable this instance: option enabled 0 # Credentials to login #option username 'login' #option password 'password' # Password for client certificate #option cert_password 'cert_password' # Include OpenVPN configuration option config /etc/openvpn/my-vpn.conf ################################################# # Sample OpenVPN 2.0 uci config for # # multi-client server. # ################################################# config openvpn sample_server # Set to 1 to enable this instance: option enabled 0 # Which local IP address should OpenVPN # listen on? (optional) # option local 0.0.0.0 # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. option port 1194 # TCP or UDP server? # option proto tcp option proto udp # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap0" if you are ethernet bridging # and have precreated a tap0 virtual interface # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. # option dev tap option dev tun # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). option ca /etc/openvpn/ca.crt option cert /etc/openvpn/server.crt # This file should be kept secret: option key /etc/openvpn/server.key # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh2048.pem 2048 # Substitute 2048 for 1024 if you are using # 1024 bit keys. option dh /etc/openvpn/dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. option server "10.8.0.0 255.255.255.0" # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. option ifconfig_pool_persist /tmp/ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. # option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100" # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. # list push "route 192.168.10.0 255.255.255.0" # list push "route 192.168.20.0 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: # option client_config_dir /etc/openvpn/ccd # list route "192.168.40.128 255.255.255.248" # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: # option client_config_dir /etc/openvpn/ccd # list route "10.9.0.0 255.255.255.252" # list route "192.168.100.0 255.255.255.0" # Then add this line to ccd/Thelonious: # ifconfig-push "10.9.0.1 10.9.0.2" # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. # option learn_address /etc/openvpn/script # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly). # CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. # list push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats # list push "dhcp-option DNS 10.8.0.1" # list push "dhcp-option WINS 10.8.0.1" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. # option client_to_client 1 # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. # option duplicate_cn 1 # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. option keepalive "10 120" # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. # This file is secret: # option tls_auth "/etc/openvpn/ta.key 0" # For additional privacy, a shared secret key # can be used for both authentication (as in tls_auth) # and encryption of the TLS control channel. # # Generate a shared secret with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # # tls_auth and tls_crypt should NOT # be combined, as tls_crypt implies tls_auth. # Use EITHER tls_crypt, tls_auth, or neither option. # option tls_crypt "/etc/openvpn/ta.key" # Set the minimum required TLS protocol version # for all connections. # # Require at least TLS 1.1 # option tls_version_min "1.1" # Require at least TLS 1.2 # option tls_version_min "1.2" # Require TLS 1.2, or the highest version supported # on the system # option tls_version_min "1.2 'or-highest'" # List the preferred ciphers to use for the data channel. # Run openvpn --show-ciphers to see all supported ciphers. # list data_ciphers 'AES-256-GCM' # list data_ciphers 'AES-128-GCM' # list data_ciphers 'CHACHA20-POLY1305' # Set a fallback cipher in order to be compatible with # peers that do not support cipher negotiation. # # Use AES-256-CBC as fallback # option data_ciphers_fallback 'AES-128-CBC' # Use AES-128-CBC as fallback # option data_ciphers_fallback 'AES-256-CBC' # Use Triple-DES as fallback # option data_ciphers_fallback 'DES-EDE3-CBC' # Use BF-CBC as fallback # option data_ciphers_fallback 'BF-CBC' # OpenVPN versions 2.4 and later will attempt to # automatically negotiate the most secure cipher # between the client and server, regardless of a # configured "option cipher" (see below). # Automatic negotiation is recommended. # # Uncomment this option to disable this behavior, # and force all OpenVPN peers to use the configured # cipher option instead (not recommended). # option ncp_disable # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. # # Compression is not recommended, as compression and # encryption in combination can weaken the security # of the connection. # # LZ4 requires OpenVPN 2.4+ client and server # option compress lz4 # Control how OpenVPN handles peers using compression # # Do not allow any connections using compression # option allow_compression 'no' # Allow incoming compressed packets, but do not send compressed packets to other peers # This can be useful when migrating old configurations with compression activated # option allow_compression 'asym' # Both incoming and outgoing packets may be compressed # option allow_compression 'yes' # The maximum number of concurrently connected # clients we want to allow. # option max_clients 100 # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. option persist_key 1 option persist_tun 1 option user nobody # Output a short status file showing # current connections, truncated # and rewritten every minute. option status /tmp/openvpn-status.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). # option log /tmp/openvpn.log # option log_append /tmp/openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose option verb 3 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. # option mute 20 ############################################## # Sample client-side OpenVPN 2.0 uci config # # for connecting to multi-client server. # ############################################## config openvpn sample_client # Set to 1 to enable this instance: option enabled 0 # Specify that we are a client and that we # will be pulling certain config file directives # from the server. option client 1 # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. # option dev tap option dev tun # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. # option proto tcp option proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. list remote "my_server_1 1194" # list remote "my_server_2 1194" # Choose a random host from the remote # list for load_balancing. Otherwise # try hosts in the order specified. # option remote_random 1 # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. option resolv_retry infinite # Most clients don't need to bind to # a specific local port number. option nobind 1 # Try to preserve some state across restarts. option persist_key 1 option persist_tun 1 option user nobody # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. # retry on connection failures: # option http_proxy_retry 1 # specify http proxy address and port: # option http_proxy "192.168.1.100 8080" # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. # option mute_replay_warnings 1 # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. option ca /etc/openvpn/ca.crt option cert /etc/openvpn/client.crt option key /etc/openvpn/client.key # Verify server certificate by checking # that the certicate has the key usage # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build_key_server # script in the easy_rsa folder will do this. # option remote_cert_tls server # If a tls_auth key is used on the server # then every client must also have the key. # option tls_auth "/etc/openvpn/ta.key 1" # If a tls_crypt key is used on the server # every client must also have the key. # option tls_crypt "/etc/openvpn/ta.key" # Set the minimum required TLS protocol version # for all connections. # # Require at least TLS 1.1 # option tls_version_min "1.1" # Require at least TLS 1.2 # option tls_version_min "1.2" # Require TLS 1.2, or the highest version supported # on the system # option tls_version_min "1.2 'or-highest'" # List the preferred ciphers for the data channel. # list data_ciphers 'AES-256-GCM' # list data_ciphers 'AES-128-GCM' # list data_ciphers 'CHACHA20-POLY1305' # Set a fallback cipher if you connect to a peer that does # not support cipher negotiation. # Use AES-256-CBC as fallback # option data_ciphers_fallback 'AES-128-CBC' # Use AES-128-CBC as fallback # option data_ciphers_fallback 'AES-256-CBC' # Use Triple-DES as fallback # option data_ciphers_fallback 'DES-EDE3-CBC' # Use BF-CBC as fallback # option data_ciphers_fallback 'BF-CBC' # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. # # Compression is not recommended, as compression and # encryption in combination can weaken the security # of the connection. # # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 # Set log file verbosity. option verb 3 # Silence repeating messages # option mute 20