############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. dev {{ openvpn_dev }} # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. proto {{ openvpn_protocol }} # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. {% for srv in openvpn_remote_servers %} remote {{ srv.host }} {{ srv.port }} {% endfor %} # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind {% if openvpn_run_unprivileged %} # Downgrade privileges after initialization (non-Windows only) user {{ openvpn_unprivileged_user }} group {{ openvpn_unprivileged_group }} {% endif %} # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca {{ openvpn_ca }} cert {{ openvpn_cert }} key {{ openvpn_key }} # Verify server certificate by checking that the # certificate has the correct key usage set. # This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the keyUsage set to # digitalSignature, keyEncipherment # and the extendedKeyUsage to # serverAuth # EasyRSA can do this for you. {% if openvpn_cert_auth_enabled %} tls-client remote-cert-tls server {% endif %} # If a tls-auth key is used on the server # then every client must also have the key. tls-auth {{ openvpn_tls_auth }} 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. # Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC # Set log file verbosity. verb {{ openvpn_verbosity_log }} # Silence repeating messages mute {{ openvpn_mute_after }}