mirror of
git://slackware.nl/current.git
synced 2024-12-28 09:59:53 +01:00
5a12e7c134
Wed Aug 26 10:00:38 CDT 2009 Slackware 13.0 x86_64 is released as stable! Thanks to everyone who helped make this release possible -- see the RELEASE_NOTES for the credits. The ISOs are off to the replicator. This time it will be a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. We're taking pre-orders now at store.slackware.com. Please consider picking up a copy to help support the project. Once again, thanks to the entire Slackware community for all the help testing and fixing things and offering suggestions during this development cycle. As always, have fun and enjoy! -P.
178 lines
6.8 KiB
Text
# openvpn.conf.sample
#
# This is a sample configuration file for OpenVPN.
# Not all options are listed here; you can find good documentation
# about all of the options in OpenVPN's manual page - openvpn(8).
#
# You can make a P-t-P connection by creating a shared key,
# copying this key to other hosts in your network, and changing
# the IP addresses in this file.
#
# Commented options are provided for some typical configurations

# Change the "search" path to /etc/openvpn
# All files referenced in this configuration will be relative to
# whatever directory is specified here - we default to /etc/openvpn
cd /etc/openvpn

# If running as a server, which local IP address should OpenVPN
# listen on? Specify this as either a hostname or IP address. If
# this is left blank, OpenVPN will default to listening on all
# interfaces.
#local a.b.c.d

# This option defines the IP or DNS name of the other side of your VPN
# connection. This option is needed if you are making client or P-t-P
# connections. If you are the server, use "local" instead. This may
# be specified as a domain name or IP address.
#remote vpn.server.org

# This option defines the protocol to use. Valid options are:
# udp, tcp-server, or tcp-client. Default is udp, and generally
# speaking, tcp is a bad idea: carrying TCP sessions inside a TCP
# tunnel stacks two sets of retransmission timers on top of each
# other, so a little packet loss degrades into a stall. Only use
# tcp where UDP is blocked.
proto udp

# This option defines the port on which your server will be listening
# or trying to connect. The default is 1194
port 1194

# This option defines whether to use LZO compression.
# If enabled, it must be enabled at both ends of the VPN connection.
# Leave it off unless you need it: compressing attacker-influenced
# data together with secrets in the same tunnel lets an observer
# recover the secrets from the compressed size (the VORACLE attack
# on OpenVPN is one example).
#comp-lzo

# Debug level (default 1)
#verb 3

# VPN logfile location
# If you don't specify a location here, logging will be done through
# syslogd and write to /var/log/messages
log-append /var/log/openvpn.log

# If you want to use OpenVPN as a daemon, uncomment this line.
# Generally speaking, servers should run OpenVPN as a daemon
# and clients should not.
#daemon

# Device type to use, you can choose between tun or tap.
# TUN is the most common option. If you have multiple connections,
# it is a good idea to bind each connection to a separate TUN/TAP
# interface using tunX/tapX, where X is the number of each interface.
dev tun

# This option prevents OpenVPN from closing and re-opening the tun/tap
# device every time it receives a SIGUSR1 signal (or restarts after a
# ping timeout). It is needed if you run OpenVPN as an unprivileged
# user with the "user" and "group" options (not shown in this sample):
# an unprivileged OpenVPN cannot re-open the device.
#persist-tun

# This is similar to the previous option, but it prevents OpenVPN from
# re-reading the key files every time. Also needed when you drop
# privileges, since the key files are readable by root only.
#persist-key

# If you are using a client-server architecture, you need to specify the
# role of your computer in your VPN network. To use one of these options,
# you need to configure TLS options too.
#
# To use the "server" option, you must specify a network subnet such
# as 172.16.1.0 255.255.255.0. The first number is the network, the
# second is the netmask. OpenVPN will take the first available IP
# for itself (in our example, 172.16.1.1) and the rest will be
# given to connecting clients dynamically.
#
# Leave these commented out if you are using OpenVPN in bridging mode
# (bridged servers use "server-bridge" instead).
#
#server 10.1.2.0 255.255.255.0
#client

# This option defines a file with IP address to client mapping, so a
# client gets the same address back when it reconnects.
# This is useful in general, and necessary if clients use persist-tun.
#ifconfig-pool-persist ips.txt

# Enable this option if you want clients connected to this VPN to be
# able to talk directly to each other. OpenVPN then forwards such
# traffic internally, so the server's packet filter never sees it;
# leave it off if you rely on the firewall to isolate clients.
#client-to-client

# This option defines the directory in which configuration files for clients
# will reside. With individual files you can make each client get different
# options using "push" parameters. Files are looked up by the Common Name
# of the client's certificate, so this only works when every client has
# its own certificate.
#client-config-dir ccd

# If you are using P-t-P, you need to specify the IP addresses at both ends
# of your VPN connection. The IP addresses are reversed at the other side.
#
# You can use this to specify client IP addresses in ccd files (on server)
# or directly in client configuration
#ifconfig 10.1.2.1 10.1.2.2

# You can set routes to specific networks. In the sample below, "vpn_gateway"
# is an internal OpenVPN alias to your VPN gateway - leave it as is.
# This will enable you to talk with the networks behind your VPN server.
# Multiple routes can be specified.
#
#  +------------+   <eth>-<tun>                      <tun>-<eth>    +------------+
#  |  Network1  |---|   VPN1   |----[10.1.2.0/24]----|   VPN2   |---|  Network2  |
#  +------------+   +----------+                     +----------+   +------------+
#  192.168.0.0/24                                                   192.168.2.0/24
#
# The sample below shows how VPN1 server can reach Network2
#route 192.168.2.0 255.255.255.0 vpn_gateway

# You can send clients many network configuration options using the
# "push" directive and sending commands.
# Multiple "push" directives can be used. You should only put global
# "push" directives here. You can "push" different options to
# different clients in per-client configuration files. See
# "client-config-dir" above. Clients accept pushed options only when
# they use "client" (or "pull").
#
# Using the same network configuration that you see above, the route
# statement here allows VPN2 to reach Network1 (192.168.0.0/24, the
# network behind VPN1).
#push "route-delay 2 600"
#push "route 192.168.0.0 255.255.255.0 vpn_gateway"
#push "persist-key"

# This option sets the encryption algorithm to use in the VPN connection.
# It must be the same at both ends. Available options are:
# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC,
# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC,
# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC
#
# BF-CBC (Blowfish) was OpenVPN's historical default, but Blowfish, DES,
# RC2 and CAST5 all use a 64-bit block. On a long-lived tunnel that
# allows an attacker who captures enough traffic to find colliding
# blocks and recover plaintext (the SWEET32 attack), so use one of the
# AES ciphers instead. Newer OpenVPN releases also offer AES-GCM modes
# (see "openvpn --show-ciphers").
cipher AES-256-CBC

# Shared Key Connection
# ---------------------
# Secret is one shared key between the hosts that want to connect through VPNs.
# Without secret or TLS options, your data will not be encrypted.
#
# To generate an encryption key do:
# openvpn --genkey --secret /etc/openvpn/keys/shared.key
#
# Do the above on one host and copy it to the others over a secure
# channel (scp, not e-mail); keep the file readable by root only
# (chmod 600). Anyone holding this file can join or decrypt the VPN.
# A shared key cannot be revoked for one host alone: if one copy leaks,
# generate a new key and redistribute it everywhere.
secret keys/shared.key

# TLS Connections
# ---------------
# TLS must be used if you use option "server" or "client"
# The basic idea there is: You have one Certificate Authority, and all
# machines in your VPN network need to have individual certificates and
# keys signed by Certificate Authority. This means each client can
# have its own key, making it easier to revoke a key without copying
# a shared secret key to every client.
#
# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
# find "easy-rsa" scripts to make certificate and key management easier.

# Certificate Authority file
# This file must be identical on all hosts that connect to your VPN.
# Only the CA certificate is distributed; the CA's private key should
# stay off the VPN hosts, ideally on a machine that is not online.
#ca certs/ca.crt

# If you are the server, you need to specify some Diffie Hellman parameters.
# OpenVPN provides some sample .pem files in documentation directory.
# The parameters are not secret, but generate your own of at least
# 2048 bits (openssl dhparam -out dh2048.pem 2048) rather than relying
# on a sample file.
#dh my-dh.pem

# Certificate and Key signed by Certificate Authority
# Each machine needs to have its own unique certificate. Keep the
# private key readable by root only (chmod 600); it is the only file
# of the two that must stay secret.
#cert certs/machine.cert
#key keys/machine.key

# To prevent some DoS attacks we can add another authentication layer in the
# TLS control channel: every control packet carries an HMAC computed with
# a pre-shared key, and packets without a valid HMAC are dropped before
# any TLS processing happens. This needs to be enabled at both ends to
# work; client uses the value 1; server uses the value 0.
#
# Use a key made for this purpose, not the static "secret" above:
# openvpn --genkey --secret /etc/openvpn/keys/ta.key
# and copy it to every client along with ca.crt.
#tls-auth keys/ta.key 0
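The following is an added example, not part of the Slackware sample above or of the OpenVPN project: a POSIX shell script that audits a configuration of the shape above for the weak settings this file warns about (a 64-bit block cipher, compression, TLS mode without tls-auth or tls-crypt, and no privilege drop) and runs it on two constructed configurations, the sample's own defaults as a TLS server and a hardened version of the same server. The two configurations, the keys/ta.key path and running as nobody/nobody are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the Slackware sample or of OpenVPN:
# audit an OpenVPN config (read from stdin) for the weak settings
# discussed in openvpn.conf.sample. Prints one line per finding and
# returns the number of findings as its exit status (0 = clean).
audit_openvpn_conf() {
    # Drop comments and blank lines once; every check below sees directives only.
    _conf=$(sed -e 's/[;#].*$//' -e '/^[[:space:]]*$/d')
    _n=0
    # _has REGEX: true if any directive line matches (case-insensitive ERE)
    _has() { printf '%s\n' "$_conf" | grep -Eiq "$1"; }

    # Blowfish, DES/3DES, RC2 and CAST5 have 64-bit blocks; on a long-lived
    # tunnel, colliding blocks leak plaintext (SWEET32). Prefer AES.
    if _has '^[[:space:]]*cipher[[:space:]]+(BF|DES|DESX|RC2|CAST5)-'; then
        echo "weak cipher: 64-bit block cipher; use AES-256-CBC (or AES-GCM)"
        _n=$((_n + 1))
    fi

    # Compression of attacker-influenced data next to secrets leaks the
    # secrets through the compressed size (VORACLE). "comp-lzo no" is fine.
    if _has '^[[:space:]]*(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2))[[:space:]]*$'; then
        echo "compression enabled: disable comp-lzo/compress"
        _n=$((_n + 1))
    fi

    # TLS mode without an HMAC on the control channel lets any host on the
    # internet start a TLS handshake with the daemon.
    if _has '^[[:space:]]*(server|server-bridge|client|tls-server|tls-client)([[:space:]]|$)' &&
       ! _has '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]'; then
        echo "no tls-auth/tls-crypt: control channel accepts unauthenticated peers"
        _n=$((_n + 1))
    fi

    # Without user/group the daemon keeps root after the tunnel is up
    # (and persist-key/persist-tun are needed once you drop privileges).
    if ! _has '^[[:space:]]*user[[:space:]]' || ! _has '^[[:space:]]*group[[:space:]]'; then
        echo "no user/group: OpenVPN keeps root privileges after initialisation"
        _n=$((_n + 1))
    fi
    return $_n
}

# count_findings CONFIG_TEXT: number of findings, for use in scripts/tests.
count_findings() {
    printf '%s\n' "$1" | audit_openvpn_conf | awk 'END { print NR }'
}

# Constructed input 1: the sample's own defaults as a TLS server
# (server/ca/cert/key/dh uncommented, comp-lzo on, BF-CBC, no tls-auth).
WEAK_CONF='
proto udp
port 1194
dev tun
server 10.1.2.0 255.255.255.0
ca certs/ca.crt
cert certs/machine.cert
key keys/machine.key
dh my-dh.pem
comp-lzo
cipher BF-CBC
'

# Constructed input 2: the same server hardened. The ta.key name and
# nobody/nobody are assumptions for the example.
HARDENED_CONF='
proto udp
port 1194
dev tun
server 10.1.2.0 255.255.255.0
ca certs/ca.crt
cert certs/machine.cert
key keys/machine.key
dh my-dh.pem
tls-auth keys/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
persist-key
persist-tun
'

# Stand-alone run: report on both configurations.
echo "== sample defaults =="; printf '%s\n' "$WEAK_CONF" | audit_openvpn_conf || true
echo "== hardened =="; printf '%s\n' "$HARDENED_CONF" | audit_openvpn_conf || true
```

Run it as a script, or feed a real file with `audit_openvpn_conf < /etc/openvpn/openvpn.conf`; the exit status is the number of findings, so it can gate a deployment. Directives the sample does not use (tls-crypt, compress, server-bridge) are recognised so the checks do not silently pass on newer configurations.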