ansible-roles/library/roles/openvpn/templates/server.conf.j2

70 lines
1.8 KiB
Django/Jinja

mode {{ openvpn_mode }}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
topology subnet
server {{ openvpn_server_net }}
ifconfig-pool-persist ipp/ipp.txt
client-config-dir ccd
{% if openvpn_client_routes is defined %}
{% for route in openvpn_client_routes %}
route {{ route }}
{% endfor %}
{% endif %}
{% if openvpn_push_routes is defined %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% endif %}
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}
cipher AES-256-CBC
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}
keepalive {{ openvpn_keepalive }}
{% if openvpn_cert_auth_enabled %}
tls-server
{% endif %}
tls-auth {{ openvpn_tls_auth }} 0
key-direction 0
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
client-cert-not-required
{% endif %}
{% if openvpn_username_pam_auth %}
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}
{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}
{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve
{% endif %}
max-clients {{ openvpn_max_clients }}
persist-tun
persist-key
status status/openvpn-status.log
{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
{% if openvpn_protocol == 'udp' %}
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
{% endif %}