-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtls-client-template.conf
75 lines (49 loc) · 2.26 KB
/
tls-client-template.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#host and port of our VPN server
remote hostname.domain.com 443
#send all traffic into the VPN
redirect-gateway
#TCP or UDP? and client or server config?
proto tcp-client
### Begin Crypto Section
#client certificates all located in keys subfolder
ca keys/ca.crt # CA certificate (public key)
key keys/client1-lappy.key # client private key - This file should be kept secret
cert keys/client1-lappy.crt # client certificate (public key) signed by the CA
tls-auth keys/ta.key 1 # Shared Static TLS key should be 1 on clients and 0 on servers
# Crypto to be used for the actual VPN connection once Authentication has been completed
# using AES with a 256bit key and CBC (chiper block chaining)
#MUST match on the client and server
cipher AES-256-CBC
#Cipher setup for the TLS authentication
# using TLS DHE (Dhiffie Hellman Ephemeral) with RSA public/private crypto and AES 256bit as the Symetric crypto
# and SHA1 as the hashing algorithm
# this does neee an update
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
### End Crpyto section
### Handy little configs that maybe useful (all commented out)
# force the client to use a specific DNS server when on the VPN connection
# dhcp-option DNS 8.8.8.8
#manually give a client a specific route into the server
# only used when you are NOT using redirect-gateway
#route 10.3.0.0 255.255.255.0
### End handy little things
##############################################
#
### Boring stuff below here that you shouldn't need to play with. But by all means read
#
##############################################
# man openvpn will tell you most of what these options are about
#Set the client to use tls and set it to a client role in the TLS negotiation
tls-client
#This is a useful security option for clients, to ensure that the host they connect to is a designated server.
#ties in with tls-client
remote-cert-tls server
#enable compression
comp-lzo
#these two options ensure that between openvpn restarts (required by server disconnect for example)
# that the key and tun device will stay available. This is important as it allows openvpn to drop its root rights
# once its setup the connetion the first time.
persist-key
persist-tun
#tun or tap is the choice.. I don't think anyone uses tap anymore, unless its a complex custom setup..
dev tun