mirror of
git://slackware.nl/current.git
synced 2025-01-12 08:03:03 +01:00
179 lines
6.8 KiB
Text
179 lines
6.8 KiB
Text
|
# openvpn.conf.sample
|
||
|
#
|
||
|
# This is a sample configuration file for OpenVPN.
|
||
|
# Not all options are listed here; you can find good documentation
|
||
|
# about all of the options in OpenVPN's manual page - openvpn(8).
|
||
|
#
|
||
|
# You can make a P-t-P connection by creating a shared key,
|
||
|
# copying this key to other hosts in your network, and changing
|
||
|
# the IP addresses in this file.
|
||
|
#
|
||
|
# Commented options are provided for some typical configurations
|
||
|
|
||
|
# Change the "search" path to /etc/openvpn
|
||
|
# All files referenced in this configuration will be relative to
|
||
|
# whatever directory is specified here - we default to /etc/openvpn
|
||
|
cd /etc/openvpn
|
||
|
|
||
|
# If running as a server, which local IP address should OpenVPN
|
||
|
# listen on? Specify this as either a hostname or IP address. If
|
||
|
# this is left blank, OpenVPN will default to listening on all
|
||
|
# interfaces.
|
||
|
#local a.b.c.d
|
||
|
|
||
|
# This option defines the IP or DNS name of the other side of your VPN
|
||
|
# connection. This option is needed if you are making client or P-t-P
|
||
|
# connections. If you are the server, use "local" instead. This may
|
||
|
# be specified as a domain name or IP address.
|
||
|
#remote vpn.server.org
|
||
|
|
||
|
# This option defins the protocol to use. Valid options are:
|
||
|
# udp, tcp-server, or tcp-client. Default is udp, and generally
|
||
|
# speaking, tcp is a bad idea.
|
||
|
proto udp
|
||
|
|
||
|
# This option defines the port on which your server will be listening
|
||
|
# or trying to connect. The default is 1194
|
||
|
port 1194
|
||
|
|
||
|
# This option defines whether to use LZO compression.
|
||
|
# If enabled, it must be enabled at both ends of the VPN connection.
|
||
|
#comp-lzo
|
||
|
|
||
|
# Debug level (default 1)
|
||
|
#verb 3
|
||
|
|
||
|
# VPN logfile location
|
||
|
# If you don't specify a location here, logging will be done through
|
||
|
# syslogd and write to /var/log/messages
|
||
|
log-append /var/log/openvpn.log
|
||
|
|
||
|
# If you want to use OpenVPN as a daemon, uncomment this line.
|
||
|
# Generally speaking, servers should run OpenVPN as a daemon
|
||
|
# and clients should not.
|
||
|
#daemon
|
||
|
|
||
|
# Device type to use, you can choose between tun or tap.
|
||
|
# TUN is the most common option. If you have multiple connections,
|
||
|
# it is a good idea to bind each connection to a separate TUN/TAP
|
||
|
# interface using tunX/tapX, where X is the number of each interface.
|
||
|
dev tun
|
||
|
|
||
|
# This option prevents OpenVPN from closing and re-opening the tun/tap
|
||
|
# device every time it receives a SIGUSR1 signal
|
||
|
#persist-tun
|
||
|
|
||
|
# This is similar to the previous option, but it prevents OpenVPN from
|
||
|
# re-reading the key files every time
|
||
|
#persist-key
|
||
|
|
||
|
# If you are using a client-server architecture, you need to specify the
|
||
|
# role of your computer in your VPN network. To use one of these options,
|
||
|
# you need to configure TLS options too.
|
||
|
#
|
||
|
# To use the "server" option, you must specify a network subnet such
|
||
|
# as 172.16.1.0 255.255.255.0. The first number is the network, the
|
||
|
# second is the netmask. OpenVPN will take the first available IP
|
||
|
# for itself (in our example, 172.16.1.1) and the rest will be
|
||
|
# given to connecting clients dynamically.
|
||
|
#
|
||
|
# Leave these commented out if you are using OpenVPN in bridging mode.
|
||
|
#
|
||
|
#server 10.1.2.0 255.255.255.0
|
||
|
#client
|
||
|
|
||
|
# This option defines a file with IP address to client mapping.
|
||
|
# This is useful in general, and necessary if clients use persist-tun.
|
||
|
#ifconfig-pool-persist ips.txt
|
||
|
|
||
|
# Enable this option if you want clients connected to this VPN to be
|
||
|
# able to talk directly to each other
|
||
|
#client-to-client
|
||
|
|
||
|
# This option defines the directory in which configuration files for clients
|
||
|
# will reside. With individual files you can make each client get different
|
||
|
# options using "push" parameters
|
||
|
#client-config-dir ccd
|
||
|
|
||
|
# If you are using P-t-P, you need to specify the IP addresses at both ends
|
||
|
# of your VPN connection. The IP addresses are reversed at the other side.
|
||
|
#
|
||
|
# You can use this to specify client IP addresses in ccd files (on server)
|
||
|
# or directly in client configuration
|
||
|
#ifconfig 10.1.2.1 10.1.2.2
|
||
|
|
||
|
# You can set routes to specific networks. In the sample below, "vpn_gateway"
|
||
|
# is an internal OpenVPN alias to your VPN gateway - leave it as is.
|
||
|
# This will enable you to talk with the networks behind your VPN server.
|
||
|
# Multiple routes can be specified.
|
||
|
#
|
||
|
# +------------+ <eth>-<tun> <tun>-<eth> +------------+
|
||
|
# | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 |
|
||
|
# +------------+ +------+ +------+ +------------+
|
||
|
# 192.168.0.0/24 192.168.2.0/24
|
||
|
#
|
||
|
# The sample below shows how VPN1 server can reach Network2
|
||
|
#route 192.168.2.0 255.255.255.0 vpn_gateway
|
||
|
|
||
|
# You can send clients many network configuration options using the
|
||
|
# "push" directive and sending commands.
|
||
|
# Multiple "push" directives can be used. You should only put global
|
||
|
# "push" directives here. You can "push" different options to
|
||
|
# different clients in per-client configuration files. See
|
||
|
# "client-config-dir" above.
|
||
|
#
|
||
|
# Using the same network configuration that you see above, the route statment
|
||
|
# here allows VPN2 to reach Network1
|
||
|
#push "route-delay 2 600"
|
||
|
#push "route 192.168.2.0 255.255.255.0 vpn_gateway"
|
||
|
#push "persist-key"
|
||
|
|
||
|
# This option sets the encryption algorithm to use in the VPN connection.
|
||
|
# Available options are:
|
||
|
# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC,
|
||
|
# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC,
|
||
|
# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC
|
||
|
cipher BF-CBC
|
||
|
|
||
|
# Shared Key Connection
|
||
|
# ---------------------
|
||
|
# Secret is one shared key between the hosts that want to connect through VPNs.
|
||
|
# Without secret or TLS options, your data will not be encrypted.
|
||
|
#
|
||
|
# To generate an encryption key do:
|
||
|
# openvpn --genkey --secret /etc/openvpn/keys/shared.key
|
||
|
#
|
||
|
# Do the above on one host and copy it to the others
|
||
|
secret keys/shared.key
|
||
|
|
||
|
# TLS Connections
|
||
|
# ---------------
|
||
|
# TLS must be used if you use option "server" or "client"
|
||
|
# The basic idea there is: You have one Certificate Authority, and all
|
||
|
# machines in your VPN network need to have individual certificates and
|
||
|
# keys signed by Certificate Authority. This means each client can
|
||
|
# have its own key, making it easier to revoke a key without copying
|
||
|
# a shared secret key to every client.
|
||
|
#
|
||
|
# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
|
||
|
# find "easy-rsa" scripts to make certificate and key management easier.
|
||
|
|
||
|
# Certificate Authority file
|
||
|
# This file must be identical on all hosts that connect to your VPN
|
||
|
#ca certs/ca.crt
|
||
|
|
||
|
# If you are the server, you need to specify some Diffie Hellman parameters.
|
||
|
# OpenVPN provides some sample .pem files in documentation directory
|
||
|
#dh my-dh.pem
|
||
|
|
||
|
# Certificate and Key signed by Certificate Authority
|
||
|
# Each machine needs to have their own unique certificate
|
||
|
#cert certs/machine.cert
|
||
|
#key keys/machine.key
|
||
|
|
||
|
# To prevent some DoS attacks we can add another authentication layer in the
|
||
|
# TLS control channel. This needs to be enabled at both ends to work
|
||
|
# client uses the value 1; server uses the value 0
|
||
|
#tls-auth keys/shared.key 0
|
||
|
|