# Server
#
# Drop privileges after start-up. OpenVPN starts as root (it needs root to open
# the tun device and bind the port) and then switches to this user/group.
#
user openvpn
group openvpn
#
# dev: type of virtual interface to use (tun/tap).
# Only use tap if you want to transparently tunnel ethernet segments.
#
dev tun
#
# Keep the key material and the tun interface open across SIGUSR1/ping-restart
# restarts. Re-initializing them needs root, and the daemon has already dropped
# to the openvpn user by then.
#
persist-key
persist-tun
#
# Topology of the network: either subnet, or point to point.
#
topology subnet
#
# Listening port.
# Some public wifi blocks non-web ports; workaround: use udp/53 or tcp/443.
#
port 1194
#
# Protocol (tcp/udp).
# If the connection between the sites is poor, performance drops sharply over tcp.
# explicit-exit-notify lets clients know when the server restarts.
#
proto udp
explicit-exit-notify 1 # only valid for udp
#
# Connection keep-alive times: if no traffic for 10s send a ping, restart after
# 120s of silence.
#
keepalive 10 120
#
# Cipher and protocol hardening.
# cipher is the legacy/fallback data-channel cipher; ncp-ciphers lets 2.4+ peers
# negotiate AES-256-GCM instead. TLS 1.2 is the floor for the control channel and
# only DHE/AES-256 suites are offered (dh.pem below supplies the DH parameters).
#
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
#
# TLS server options.
# Connecting clients must present a cert carrying the "TLS Web Client Authentication"
# EKU, so a certificate issued for a server (lacking that EKU) cannot be used to
# connect as a client. crl.pem is consulted when clients connect, after the
# privilege drop, so it must stay readable by the openvpn user.
#
tls-server
remote-cert-eku "TLS Web Client Authentication"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem
#
# TLS authentication (HMAC): a pre-shared key every control-channel packet must
# be signed with, so packets from anyone without the key are dropped before the
# TLS handshake. Generated with "openvpn --genkey --secret ta.key"; the server
# uses direction 0, clients use direction 1.
#
tls-auth ta.key 0
auth SHA512
#
# Logging
#
status openvpn-status.log
log /var/log/openvpn.log
verb 3
#
# Client configuration directories: per-client overrides in ccd/, and a persisted
# client-to-address map so clients keep the same address across restarts.
#
client-config-dir ccd
ifconfig-pool-persist ipp.txt
#
# Client connection script, run on connect and on disconnect.
# script-security 2 is the minimum level that allows external scripts; the script
# runs as the downgraded user.
#
client-connect /etc/openvpn/statuschange.sh
client-disconnect /etc/openvpn/statuschange.sh
script-security 2
#
# Address for the virtual subnet.
# You can generate a random one with $(ipcalc --random-private=24 -n | cut -d= -f2)
#
server 172.16.32.0 255.255.255.0
#
# Internally handle client-to-client connections.
# By default, client-to-client traffic is routed by the server OS and requires
# iptables FORWARD rules. With this option the daemon forwards it itself, so that
# traffic never passes through the host firewall.
#
client-to-client
#
# Options to 'push' to clients: commands the client runs after connect.
# Here we add a route to the network behind the server and make the VPN the
# default gateway, so all client traffic goes through the tunnel (the server
# host must forward/NAT it).
#
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
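# Client
#
# Counterpart of the server config above: same transport (tun/udp), same
# data-channel cipher, HMAC digest and keepalive values.
#
client
remote example.com 1194
#
# Act as the TLS client and require the server cert to carry the
# "TLS Web Server Authentication" EKU; a client certificate from the same CA
# cannot then be used to impersonate the server.
# tls-version-min mirrors the server-side floor so this client never negotiates
# below TLS 1.2 with any endpoint.
#
tls-client
remote-cert-eku "TLS Web Server Authentication"
tls-version-min 1.2

ca ca.crt
cert client.crt
key client.key

# HMAC key for the control channel: paste the contents of ta.key (generated on
# the server with "openvpn --genkey --secret ta.key") between the tags. The
# inline form cannot carry the direction argument, so it is given with
# key-direction (1 = client).
<tls-auth>
# paste ta.key here
</tls-auth>
key-direction 1

# Data channel. AES-256-CBC is the legacy/fallback cipher; a 2.4+ client
# negotiates AES-256-GCM against the server's ncp-ciphers list.
cipher AES-256-CBC
dev tun
proto udp
# Do not bind a fixed local port; let the OS pick an ephemeral source port.
nobind
# Level 2 is enough to run external up/down scripts (e.g. for DNS). Level 3
# would additionally expose passwords to scripts through the environment,
# which nothing in this config needs.
script-security 2
# Keep key material and the tun device across restarts, since the daemon drops
# privileges below and cannot re-open them.
persist-key
persist-tun
auth sha512
keepalive 10 120
# Drop privileges after start-up. The group is called nogroup on some
# distributions (Debian/Ubuntu); use whatever exists locally.
user nobody
group nobody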