forked from antonputra/tutorials
-
Notifications
You must be signed in to change notification settings - Fork 1
/
server.conf
52 lines (52 loc) · 1.83 KB
/
server.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Port for OpenVPN
port 1194
# Protocol, can be tcp or udp
proto udp
# It will create a routed IP tunnel
dev tun
# Location of the Certificate Authority
ca /etc/openvpn/easy-rsa/pki/ca.crt
# Location of the OpenVPN certificate
cert /etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt
# Location of the OpenVPN private key
key /etc/openvpn/easy-rsa/pki/private/openvpn-server.key
# Disable Diffie Hellman since we are using elliptic curves
dh none
# Location of the ta secret that used it is used as an additional HMAC signature
# to all SSL/TLS handshake packets for integrity verification.
tls-crypt /etc/openvpn/easy-rsa/ta.key 0
# Cipher to use
cipher AES-256-GCM
# Auth used to authenticate received packets
auth SHA256
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
server 10.8.0.0 255.255.255.0
# Location to save records of client <-> virtual IP address
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# ping-like messages to be sent back and forth to check the status
keepalive 10 120
# Used reduce the OpenVPN daemon's privileges after initialization
user nobody
group nogroup
# Persist certain options that may no longer be available because of the privilege downgrade
persist-key
persist-tun
# Shows current connections
status /var/log/openvpn/openvpn-status.log
# Log verbosity
verb 3
# Notify the client when the server restarts so it can automatically reconnect
explicit-exit-notify 1
# Network topology
topology subnet
# Push route from AWS, 10.0.0.0/22
push "route 10.0.0.0 255.255.252.0"
# Push route from AWS, 10.0.16.0/20
push "route 10.0.16.0 255.255.240.0"
# Push route from AWS, 10.0.32.0/24
push "route 10.0.32.0 255.255.255.0"
# Push AWS name server since we want to use private hosted zones
push "dhcp-option DNS 10.0.0.2"
# Location of the Revoked Certificates
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem