Corrections to the openvpn templates.

2019-03-13 13:18:45 +01:00 · 2019-03-13 13:18:45 +01:00 · bc8e0736cc
parent 6106c46bfa
commit bc8e0736cc
2 changed files with 5 additions and 149 deletions
--- a/openvpn/templates/client.conf.j2
+++ b/openvpn/templates/client.conf.j2
@ -1,117 +1,31 @@
-##############################################
-# Sample client-side OpenVPN 2.0 config file #
-# for connecting to multi-client server.     #
-#                                            #
-# This configuration can be used by multiple #
-# clients, however each client should have   #
-# its own cert and key files.                #
-#                                            #
-# On Windows, you might want to rename this  #
-# file so it has a .ovpn extension           #
-##############################################
-
-# Specify that we are a client and that we
-# will be pulling certain config file directives
-# from the server.
 client
-
-# Use the same setting as you are using on
-# the server.
-# On most systems, the VPN will not function
-# unless you partially or fully disable
-# the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
-
-# Are we connecting to a TCP or
-# UDP server?  Use the same setting as
-# on the server.
 proto {{ openvpn_protocol }}
-
-# The hostname/IP and port of the server.
-# You can have multiple remote entries
-# to load balance between the servers.
 {% for srv in openvpn_remote_servers %}
 remote {{ srv.host }} {{ srv.port }}
 {% endfor %}
-
-# Choose a random host from the remote
-# list for load-balancing.  Otherwise
-# try hosts in the order specified.
 remote-random
-
-# Keep trying indefinitely to resolve the
-# host name of the OpenVPN server.  Very useful
-# on machines which are not permanently connected
-# to the internet such as laptops.
 resolv-retry infinite
-
-# Most clients don't need to bind to
-# a specific local port number.
 nobind
-
 {% if openvpn_run_unprivileged %}
 # Downgrade privileges after initialization (non-Windows only)
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
-
 # Try to preserve some state across restarts.
 persist-key
 persist-tun
-
-# If you are connecting through an
-# HTTP proxy to reach the actual OpenVPN
-# server, put the proxy server/IP and
-# port number here.  See the man page
-# if your proxy server requires
-# authentication.
-;http-proxy-retry # retry on connection failures
-;http-proxy [proxy server] [proxy port #]
-
-# Wireless networks often produce a lot
-# of duplicate packets.  Set this flag
-# to silence duplicate packet warnings.
-;mute-replay-warnings
-
-# SSL/TLS parms.
-# See the server config file for more
-# description.  It's best to use
-# a separate .crt/.key file pair
-# for each client.  A single ca
-# file can be used for all clients.
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
-
-# Verify server certificate by checking that the
-# certificate has the correct key usage set.
-# This is an important precaution to protect against
-# a potential attack discussed here:
-#  http://openvpn.net/howto.html#mitm
-#
-# To use this feature, you will need to generate
-# your server certificates with the keyUsage set to
-#   digitalSignature, keyEncipherment
-# and the extendedKeyUsage to
-#   serverAuth
-# EasyRSA can do this for you.
 {% if openvpn_cert_auth_enabled %}
 tls-client
 remote-cert-tls server
 {% endif %}
-
-# If a tls-auth key is used on the server
-# then every client must also have the key.
 tls-auth {{ openvpn_tls_auth }} 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
+key-direction 1
 cipher AES-256-CBC
-
+keepalive {{ openvpn_keepalive }}
 # Set log file verbosity.
 verb {{ openvpn_verbosity_log }}
 # Silence repeating messages
--- a/openvpn/templates/server.conf.j2
+++ b/openvpn/templates/server.conf.j2
@ -1,127 +1,69 @@
 mode {{ openvpn_mode }}
 dev {{ openvpn_dev }}
-
 port {{ openvpn_port }}
 proto {{ openvpn_protocol }}
-
 topology subnet
-
 server {{ openvpn_server_net }}
-
 ifconfig-pool-persist ipp/ipp.txt
-
 client-config-dir ccd
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-#   iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN.  This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-#   ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients.  There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-#     group, and firewall the TUN/TAP interface
-#     for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-#     modify the firewall in response to access
-#     from different clients.  See man
-#     page for more info on learn-address script.
-;learn-address ./script
-
 {% if openvpn_client_routes is defined %}
 {% for route in openvpn_client_routes %}
 route {{ route }}
 {% endfor %}
 {% endif %}
-
 {% if openvpn_push_routes is defined %}
 {% for route in openvpn_push_routes %}
 push "route {{ route }}"
 {% endfor %}
 {% endif %}
-
 {% if openvpn_push_settings is defined %}
 {% for dhcp_opt in openvpn_push_settings %}
 push "{{ dhcp_opt }}"
 {% endfor %}
 {% endif %}
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
 cipher AES-256-CBC
-
 {% if openvpn_compression_enabled %}
 compress lz4-v2
 push "compress lz4-v2"
 {% endif %}
-
 keepalive {{ openvpn_keepalive }}
-
 {% if openvpn_cert_auth_enabled %}
 tls-server
 {% endif %}
-
 tls-auth {{ openvpn_tls_auth }} 0
+key-direction 0
 dh {{ openvpn_dh }}
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
-
 {% if not openvpn_cert_auth_enabled %}
 # Disable cert-auth
 client-cert-not-required
 {% endif %}
-
 {% if openvpn_username_pam_auth %}
 username-as-common-name
 # PAM login
 plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
 {% endif %}
-
 {% if openvpn_ldap_auth %}
 plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
 {% endif %}
-
 {% if openvpn_ldap_perl_auth %}
 auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
 script-security 3 execve
 {% endif %}
-
 max-clients {{ openvpn_max_clients }}
-
 persist-tun
 persist-key
-
 status status/openvpn-status.log
-
 {% if openvpn_run_unprivileged %}
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
-
 verb {{ openvpn_verbosity_log }}
 mute {{ openvpn_mute_after }}
-
+{% if openvpn_protocol == 'udp' %}
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
 explicit-exit-notify 1
+{% endif %}