Corrections to the openvpn templates.

2019-03-13 13:18:45 +01:00 · 2019-03-13 13:18:45 +01:00 · bc8e0736cc
parent 6106c46bfa
commit bc8e0736cc
2 changed files with 5 additions and 149 deletions
--- a/openvpn/templates/client.conf.j2
+++ b/openvpn/templates/client.conf.j2
@ -1,117 +1,31 @@
 ##############################################
 # Sample client-side OpenVPN 2.0 config file #
 # for connecting to multi-client server.     #
 #                                            #
 # This configuration can be used by multiple #
 # clients, however each client should have   #
 # its own cert and key files.                #
 #                                            #
 # On Windows, you might want to rename this  #
 # file so it has a .ovpn extension           #
 ##############################################
 # Specify that we are a client and that we
 # will be pulling certain config file directives
 # from the server.
 client
 # Use the same setting as you are using on
 # the server.
 # On most systems, the VPN will not function
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
 # Are we connecting to a TCP or
 # UDP server?  Use the same setting as
 # on the server.
 proto {{ openvpn_protocol }}
 # The hostname/IP and port of the server.
 # You can have multiple remote entries
 # to load balance between the servers.
 {% for srv in openvpn_remote_servers %}
 remote {{ srv.host }} {{ srv.port }}
 {% endfor %}
 # Choose a random host from the remote
 # list for load-balancing.  Otherwise
 # try hosts in the order specified.
 remote-random
 # Keep trying indefinitely to resolve the
 # host name of the OpenVPN server.  Very useful
 # on machines which are not permanently connected
 # to the internet such as laptops.
 resolv-retry infinite
 # Most clients don't need to bind to
 # a specific local port number.
 nobind
 {% if openvpn_run_unprivileged %}
 # Downgrade privileges after initialization (non-Windows only)
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
 # Try to preserve some state across restarts.
 persist-key
 persist-tun
 # If you are connecting through an
 # HTTP proxy to reach the actual OpenVPN
 # server, put the proxy server/IP and
 # port number here.  See the man page
 # if your proxy server requires
 # authentication.
 ;http-proxy-retry # retry on connection failures
 ;http-proxy [proxy server] [proxy port #]
 # Wireless networks often produce a lot
 # of duplicate packets.  Set this flag
 # to silence duplicate packet warnings.
 ;mute-replay-warnings
 # SSL/TLS parms.
 # See the server config file for more
 # description.  It's best to use
 # a separate .crt/.key file pair
 # for each client.  A single ca
 # file can be used for all clients.
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
 # Verify server certificate by checking that the
 # certificate has the correct key usage set.
 # This is an important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
 # your server certificates with the keyUsage set to
 #   digitalSignature, keyEncipherment
 # and the extendedKeyUsage to
 #   serverAuth
 # EasyRSA can do this for you.
 {% if openvpn_cert_auth_enabled %}
 tls-client
 remote-cert-tls server
 {% endif %}
 # If a tls-auth key is used on the server
 # then every client must also have the key.
 tls-auth {{ openvpn_tls_auth }} 1
-
+key-direction 1
 # Select a cryptographic cipher.
 # If the cipher option is used on the server
 # then you must also specify it here.
 # Note that v2.4 client/server will automatically
 # negotiate AES-256-GCM in TLS mode.
 # See also the ncp-cipher option in the manpage
 cipher AES-256-CBC
-
+keepalive {{ openvpn_keepalive }}
 # Set log file verbosity.
 verb {{ openvpn_verbosity_log }}
 # Silence repeating messages
--- a/openvpn/templates/server.conf.j2
+++ b/openvpn/templates/server.conf.j2
@ -1,127 +1,69 @@
 mode {{ openvpn_mode }}
 dev {{ openvpn_dev }}
 port {{ openvpn_port }}
 proto {{ openvpn_protocol }}
 topology subnet
 server {{ openvpn_server_net }}
 ifconfig-pool-persist ipp/ipp.txt
 client-config-dir ccd
 # EXAMPLE: Suppose the client
 # having the certificate common name "Thelonious"
 # also has a small subnet behind his connecting
 # machine, such as 192.168.40.128/255.255.255.248.
 # First, uncomment out these lines:
 ;route 192.168.40.128 255.255.255.248
 # Then create a file ccd/Thelonious with this line:
 #   iroute 192.168.40.128 255.255.255.248
 # This will allow Thelonious' private subnet to
 # access the VPN.  This example will only work
 # if you are routing, not bridging, i.e. you are
 # using "dev tun" and "server" directives.
 # EXAMPLE: Suppose you want to give
 # Thelonious a fixed VPN IP address of 10.9.0.1.
 # First uncomment out these lines:
 ;client-config-dir ccd
 ;route 10.9.0.0 255.255.255.252
 # Then add this line to ccd/Thelonious:
 #   ifconfig-push 10.9.0.1 10.9.0.2
 # Suppose that you want to enable different
 # firewall access policies for different groups
 # of clients.  There are two methods:
 # (1) Run multiple OpenVPN daemons, one for each
 #     group, and firewall the TUN/TAP interface
 #     for each group/daemon appropriately.
 # (2) (Advanced) Create a script to dynamically
 #     modify the firewall in response to access
 #     from different clients.  See man
 #     page for more info on learn-address script.
 ;learn-address ./script
 {% if openvpn_client_routes is defined %}
 {% for route in openvpn_client_routes %}
 route {{ route }}
 {% endfor %}
 {% endif %}
 {% if openvpn_push_routes is defined %}
 {% for route in openvpn_push_routes %}
 push "route {{ route }}"
 {% endfor %}
 {% endif %}
 {% if openvpn_push_settings is defined %}
 {% for dhcp_opt in openvpn_push_settings %}
 push "{{ dhcp_opt }}"
 {% endfor %}
 {% endif %}
 # Select a cryptographic cipher.
 # This config item must be copied to
 # the client config file as well.
 # Note that v2.4 client/server will automatically
 # negotiate AES-256-GCM in TLS mode.
 # See also the ncp-cipher option in the manpage
 cipher AES-256-CBC
 {% if openvpn_compression_enabled %}
 compress lz4-v2
 push "compress lz4-v2"
 {% endif %}
 keepalive {{ openvpn_keepalive }}
 {% if openvpn_cert_auth_enabled %}
 tls-server
 {% endif %}
 tls-auth {{ openvpn_tls_auth }} 0
 key-direction 0
 dh {{ openvpn_dh }}
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
 {% if not openvpn_cert_auth_enabled %}
 # Disable cert-auth
 client-cert-not-required
 {% endif %}
 {% if openvpn_username_pam_auth %}
 username-as-common-name
 # PAM login
 plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
 {% endif %}
 {% if openvpn_ldap_auth %}
 plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
 {% endif %}
 {% if openvpn_ldap_perl_auth %}
 auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
 script-security 3 execve
 {% endif %}
 max-clients {{ openvpn_max_clients }}
 persist-tun
 persist-key
 status status/openvpn-status.log
 {% if openvpn_run_unprivileged %}
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
 verb {{ openvpn_verbosity_log }}
 mute {{ openvpn_mute_after }}
-
+{% if openvpn_protocol == 'udp' %}
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
 explicit-exit-notify 1
 {% endif %}