forked from ISTI-ansible-roles/ansible-roles
Corrections to the openvpn templates.
This commit is contained in:
parent
6106c46bfa
commit
bc8e0736cc
|
@ -1,117 +1,31 @@
|
|||
##############################################
|
||||
# Sample client-side OpenVPN 2.0 config file #
|
||||
# for connecting to multi-client server. #
|
||||
# #
|
||||
# This configuration can be used by multiple #
|
||||
# clients, however each client should have #
|
||||
# its own cert and key files. #
|
||||
# #
|
||||
# On Windows, you might want to rename this #
|
||||
# file so it has a .ovpn extension #
|
||||
##############################################
|
||||
|
||||
# Specify that we are a client and that we
|
||||
# will be pulling certain config file directives
|
||||
# from the server.
|
||||
client
|
||||
|
||||
# Use the same setting as you are using on
|
||||
# the server.
|
||||
# On most systems, the VPN will not function
|
||||
# unless you partially or fully disable
|
||||
# the firewall for the TUN/TAP interface.
|
||||
dev {{ openvpn_dev }}
|
||||
|
||||
# Are we connecting to a TCP or
|
||||
# UDP server? Use the same setting as
|
||||
# on the server.
|
||||
proto {{ openvpn_protocol }}
|
||||
|
||||
# The hostname/IP and port of the server.
|
||||
# You can have multiple remote entries
|
||||
# to load balance between the servers.
|
||||
{% for srv in openvpn_remote_servers %}
|
||||
remote {{ srv.host }} {{ srv.port }}
|
||||
{% endfor %}
|
||||
|
||||
# Choose a random host from the remote
|
||||
# list for load-balancing. Otherwise
|
||||
# try hosts in the order specified.
|
||||
remote-random
|
||||
|
||||
# Keep trying indefinitely to resolve the
|
||||
# host name of the OpenVPN server. Very useful
|
||||
# on machines which are not permanently connected
|
||||
# to the internet such as laptops.
|
||||
resolv-retry infinite
|
||||
|
||||
# Most clients don't need to bind to
|
||||
# a specific local port number.
|
||||
nobind
|
||||
|
||||
{% if openvpn_run_unprivileged %}
|
||||
# Downgrade privileges after initialization (non-Windows only)
|
||||
user {{ openvpn_unprivileged_user }}
|
||||
group {{ openvpn_unprivileged_group }}
|
||||
{% endif %}
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# If you are connecting through an
|
||||
# HTTP proxy to reach the actual OpenVPN
|
||||
# server, put the proxy server/IP and
|
||||
# port number here. See the man page
|
||||
# if your proxy server requires
|
||||
# authentication.
|
||||
;http-proxy-retry # retry on connection failures
|
||||
;http-proxy [proxy server] [proxy port #]
|
||||
|
||||
# Wireless networks often produce a lot
|
||||
# of duplicate packets. Set this flag
|
||||
# to silence duplicate packet warnings.
|
||||
;mute-replay-warnings
|
||||
|
||||
# SSL/TLS parms.
|
||||
# See the server config file for more
|
||||
# description. It's best to use
|
||||
# a separate .crt/.key file pair
|
||||
# for each client. A single ca
|
||||
# file can be used for all clients.
|
||||
ca {{ openvpn_ca }}
|
||||
cert {{ openvpn_cert }}
|
||||
key {{ openvpn_key }}
|
||||
|
||||
# Verify server certificate by checking that the
|
||||
# certificate has the correct key usage set.
|
||||
# This is an important precaution to protect against
|
||||
# a potential attack discussed here:
|
||||
# http://openvpn.net/howto.html#mitm
|
||||
#
|
||||
# To use this feature, you will need to generate
|
||||
# your server certificates with the keyUsage set to
|
||||
# digitalSignature, keyEncipherment
|
||||
# and the extendedKeyUsage to
|
||||
# serverAuth
|
||||
# EasyRSA can do this for you.
|
||||
{% if openvpn_cert_auth_enabled %}
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
{% endif %}
|
||||
|
||||
# If a tls-auth key is used on the server
|
||||
# then every client must also have the key.
|
||||
tls-auth {{ openvpn_tls_auth }} 1
|
||||
|
||||
# Select a cryptographic cipher.
|
||||
# If the cipher option is used on the server
|
||||
# then you must also specify it here.
|
||||
# Note that v2.4 client/server will automatically
|
||||
# negotiate AES-256-GCM in TLS mode.
|
||||
# See also the ncp-cipher option in the manpage
|
||||
key-direction 1
|
||||
cipher AES-256-CBC
|
||||
|
||||
keepalive {{ openvpn_keepalive }}
|
||||
# Set log file verbosity.
|
||||
verb {{ openvpn_verbosity_log }}
|
||||
# Silence repeating messages
|
||||
|
|
|
@ -1,127 +1,69 @@
|
|||
mode {{ openvpn_mode }}
|
||||
dev {{ openvpn_dev }}
|
||||
|
||||
port {{ openvpn_port }}
|
||||
proto {{ openvpn_protocol }}
|
||||
|
||||
topology subnet
|
||||
|
||||
server {{ openvpn_server_net }}
|
||||
|
||||
ifconfig-pool-persist ipp/ipp.txt
|
||||
|
||||
client-config-dir ccd
|
||||
# EXAMPLE: Suppose the client
|
||||
# having the certificate common name "Thelonious"
|
||||
# also has a small subnet behind his connecting
|
||||
# machine, such as 192.168.40.128/255.255.255.248.
|
||||
# First, uncomment out these lines:
|
||||
;route 192.168.40.128 255.255.255.248
|
||||
# Then create a file ccd/Thelonious with this line:
|
||||
# iroute 192.168.40.128 255.255.255.248
|
||||
# This will allow Thelonious' private subnet to
|
||||
# access the VPN. This example will only work
|
||||
# if you are routing, not bridging, i.e. you are
|
||||
# using "dev tun" and "server" directives.
|
||||
|
||||
# EXAMPLE: Suppose you want to give
|
||||
# Thelonious a fixed VPN IP address of 10.9.0.1.
|
||||
# First uncomment out these lines:
|
||||
;client-config-dir ccd
|
||||
;route 10.9.0.0 255.255.255.252
|
||||
# Then add this line to ccd/Thelonious:
|
||||
# ifconfig-push 10.9.0.1 10.9.0.2
|
||||
|
||||
# Suppose that you want to enable different
|
||||
# firewall access policies for different groups
|
||||
# of clients. There are two methods:
|
||||
# (1) Run multiple OpenVPN daemons, one for each
|
||||
# group, and firewall the TUN/TAP interface
|
||||
# for each group/daemon appropriately.
|
||||
# (2) (Advanced) Create a script to dynamically
|
||||
# modify the firewall in response to access
|
||||
# from different clients. See man
|
||||
# page for more info on learn-address script.
|
||||
;learn-address ./script
|
||||
|
||||
{% if openvpn_client_routes is defined %}
|
||||
{% for route in openvpn_client_routes %}
|
||||
route {{ route }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_push_routes is defined %}
|
||||
{% for route in openvpn_push_routes %}
|
||||
push "route {{ route }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_push_settings is defined %}
|
||||
{% for dhcp_opt in openvpn_push_settings %}
|
||||
push "{{ dhcp_opt }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Select a cryptographic cipher.
|
||||
# This config item must be copied to
|
||||
# the client config file as well.
|
||||
# Note that v2.4 client/server will automatically
|
||||
# negotiate AES-256-GCM in TLS mode.
|
||||
# See also the ncp-cipher option in the manpage
|
||||
cipher AES-256-CBC
|
||||
|
||||
{% if openvpn_compression_enabled %}
|
||||
compress lz4-v2
|
||||
push "compress lz4-v2"
|
||||
{% endif %}
|
||||
|
||||
keepalive {{ openvpn_keepalive }}
|
||||
|
||||
{% if openvpn_cert_auth_enabled %}
|
||||
tls-server
|
||||
{% endif %}
|
||||
|
||||
tls-auth {{ openvpn_tls_auth }} 0
|
||||
key-direction 0
|
||||
dh {{ openvpn_dh }}
|
||||
ca {{ openvpn_ca }}
|
||||
cert {{ openvpn_cert }}
|
||||
key {{ openvpn_key }}
|
||||
|
||||
{% if not openvpn_cert_auth_enabled %}
|
||||
# Disable cert-auth
|
||||
client-cert-not-required
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_username_pam_auth %}
|
||||
username-as-common-name
|
||||
# PAM login
|
||||
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_ldap_auth %}
|
||||
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
|
||||
{% endif %}
|
||||
|
||||
{% if openvpn_ldap_perl_auth %}
|
||||
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
|
||||
script-security 3 execve
|
||||
{% endif %}
|
||||
|
||||
max-clients {{ openvpn_max_clients }}
|
||||
|
||||
persist-tun
|
||||
persist-key
|
||||
|
||||
status status/openvpn-status.log
|
||||
|
||||
{% if openvpn_run_unprivileged %}
|
||||
user {{ openvpn_unprivileged_user }}
|
||||
group {{ openvpn_unprivileged_group }}
|
||||
{% endif %}
|
||||
|
||||
verb {{ openvpn_verbosity_log }}
|
||||
mute {{ openvpn_mute_after }}
|
||||
|
||||
{% if openvpn_protocol == 'udp' %}
|
||||
# Notify the client that when the server restarts so it
|
||||
# can automatically reconnect.
|
||||
explicit-exit-notify 1
|
||||
{% endif %}
|
||||
|
|
Loading…
Reference in New Issue