From bc8e0736cc3a0a58c098987272c77e43df96b37a Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 13 Mar 2019 13:18:45 +0100
Subject: [PATCH] Corrections to the openvpn templates.

---
 openvpn/templates/client.conf.j2 | 90 +-------------------------------
 openvpn/templates/server.conf.j2 | 64 ++---------------------
 2 files changed, 5 insertions(+), 149 deletions(-)

diff --git a/openvpn/templates/client.conf.j2 b/openvpn/templates/client.conf.j2
index 81b82d41..efc12890 100644
--- a/openvpn/templates/client.conf.j2
+++ b/openvpn/templates/client.conf.j2
@@ -1,117 +1,31 @@
-##############################################
-# Sample client-side OpenVPN 2.0 config file #
-# for connecting to multi-client server. #
-# #
-# This configuration can be used by multiple #
-# clients, however each client should have #
-# its own cert and key files. #
-# #
-# On Windows, you might want to rename this #
-# file so it has a .ovpn extension #
-##############################################
-
-# Specify that we are a client and that we
-# will be pulling certain config file directives
-# from the server.
 client
-
-# Use the same setting as you are using on
-# the server.
-# On most systems, the VPN will not function
-# unless you partially or fully disable
-# the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
-
-# Are we connecting to a TCP or
-# UDP server? Use the same setting as
-# on the server.
 proto {{ openvpn_protocol }}
-
-# The hostname/IP and port of the server.
-# You can have multiple remote entries
-# to load balance between the servers.
 {% for srv in openvpn_remote_servers %}
 remote {{ srv.host }} {{ srv.port }}
 {% endfor %}
-
-# Choose a random host from the remote
-# list for load-balancing. Otherwise
-# try hosts in the order specified.
 remote-random
-
-# Keep trying indefinitely to resolve the
-# host name of the OpenVPN server. Very useful
-# on machines which are not permanently connected
-# to the internet such as laptops.
 resolv-retry infinite
-
-# Most clients don't need to bind to
-# a specific local port number.
 nobind
-
 {% if openvpn_run_unprivileged %}
 # Downgrade privileges after initialization (non-Windows only)
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
-
 # Try to preserve some state across restarts.
 persist-key
 persist-tun
-
-# If you are connecting through an
-# HTTP proxy to reach the actual OpenVPN
-# server, put the proxy server/IP and
-# port number here. See the man page
-# if your proxy server requires
-# authentication.
-;http-proxy-retry # retry on connection failures
-;http-proxy [proxy server] [proxy port #]
-
-# Wireless networks often produce a lot
-# of duplicate packets. Set this flag
-# to silence duplicate packet warnings.
-;mute-replay-warnings
-
-# SSL/TLS parms.
-# See the server config file for more
-# description. It's best to use
-# a separate .crt/.key file pair
-# for each client. A single ca
-# file can be used for all clients.
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
-
-# Verify server certificate by checking that the
-# certificate has the correct key usage set.
-# This is an important precaution to protect against
-# a potential attack discussed here:
-# http://openvpn.net/howto.html#mitm
-#
-# To use this feature, you will need to generate
-# your server certificates with the keyUsage set to
-# digitalSignature, keyEncipherment
-# and the extendedKeyUsage to
-# serverAuth
-# EasyRSA can do this for you.
 {% if openvpn_cert_auth_enabled %}
 tls-client
 remote-cert-tls server
 {% endif %}
-
-# If a tls-auth key is used on the server
-# then every client must also have the key.
 tls-auth {{ openvpn_tls_auth }} 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
+key-direction 1
 cipher AES-256-CBC
-
+keepalive {{ openvpn_keepalive }}
 # Set log file verbosity.
 verb {{ openvpn_verbosity_log }}
 # Silence repeating messages
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2
index 6ce58212..2cf43661 100644
--- a/openvpn/templates/server.conf.j2
+++ b/openvpn/templates/server.conf.j2
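Review bot: The added `key-direction 1` states the HMAC key direction a second time, because the trailing argument of `tls-auth {{ openvpn_tls_auth }} 1` on the line above already fixes it; server.conf.j2 has the same duplication with `key-direction 0` next to `tls-auth {{ openvpn_tls_auth }} 0`. OpenVPN accepts both forms when they agree, but two places naming the direction is a maintenance trap: a later edit to one of them leaves a mismatched direction that surfaces only as failing TLS handshakes between this role's clients and server. Keep a single form per file, e.g. `tls-auth {{ openvpn_tls_auth }}` together with `key-direction 1`, and add `# key-direction must be the opposite of the server's (server 0, client 1)`. This hunk also deletes the comment that explained why `remote-cert-tls server` is present; since that directive is now inside `{% if openvpn_cert_auth_enabled %}`, a one-line comment above the block such as `# remote-cert-tls server rejects a peer certificate lacking the serverAuth EKU, so a client cert cannot impersonate the server` would keep the rationale and the certificate-issuance requirement visible.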
@@ -1,127 +1,69 @@
 mode {{ openvpn_mode }}
 dev {{ openvpn_dev }}
-
 port {{ openvpn_port }}
 proto {{ openvpn_protocol }}
-
 topology subnet
-
 server {{ openvpn_server_net }}
-
 ifconfig-pool-persist ipp/ipp.txt
-
 client-config-dir ccd
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-# iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN. This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-# ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients. There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-# group, and firewall the TUN/TAP interface
-# for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-# modify the firewall in response to access
-# from different clients. See man
-# page for more info on learn-address script.
-;learn-address ./script
-
 {% if openvpn_client_routes is defined %}
 {% for route in openvpn_client_routes %}
 route {{ route }}
 {% endfor %}
 {% endif %}
-
 {% if openvpn_push_routes is defined %}
 {% for route in openvpn_push_routes %}
 push "route {{ route }}"
 {% endfor %}
 {% endif %}
-
 {% if openvpn_push_settings is defined %}
 {% for dhcp_opt in openvpn_push_settings %}
 push "{{ dhcp_opt }}"
 {% endfor %}
 {% endif %}
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
 cipher AES-256-CBC
-
 {% if openvpn_compression_enabled %}
 compress lz4-v2
 push "compress lz4-v2"
 {% endif %}
-
 keepalive {{ openvpn_keepalive }}
-
 {% if openvpn_cert_auth_enabled %}
 tls-server
 {% endif %}
-
 tls-auth {{ openvpn_tls_auth }} 0
+key-direction 0
 dh {{ openvpn_dh }}
 ca {{ openvpn_ca }}
 cert {{ openvpn_cert }}
 key {{ openvpn_key }}
-
 {% if not openvpn_cert_auth_enabled %}
 # Disable cert-auth
 client-cert-not-required
 {% endif %}
-
 {% if openvpn_username_pam_auth %}
 username-as-common-name
 # PAM login
 plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
 {% endif %}
-
 {% if openvpn_ldap_auth %}
 plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
 {% endif %}
-
 {% if openvpn_ldap_perl_auth %}
 auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
 script-security 3 execve
 {% endif %}
-
 max-clients {{ openvpn_max_clients }}
-
 persist-tun
 persist-key
-
 status status/openvpn-status.log
-
 {% if openvpn_run_unprivileged %}
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}
 {% endif %}
-
 verb {{ openvpn_verbosity_log }}
 mute {{ openvpn_mute_after }}
-
+{% if openvpn_protocol == 'udp' %}
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
 explicit-exit-notify 1
+{% endif %}
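Review bot: The new `{% if openvpn_protocol == 'udp' %}` guard around `explicit-exit-notify 1` matches only the literal value `udp`, so a host configured with `proto udp4` or `proto udp6` (both valid OpenVPN spellings, and rendered unchanged by the `proto {{ openvpn_protocol }}` line at the top of this hunk) silently loses the exit notification even though it is still UDP. The guard itself is right for TCP, where OpenVPN refuses to start with `explicit-exit-notify`, so the fix is only to widen the test: `{% if openvpn_protocol in ['udp', 'udp4', 'udp6'] %}` or `{% if openvpn_protocol.startswith('udp') %}`, with a comment `# explicit-exit-notify is UDP-only; OpenVPN rejects it under proto tcp`. I cannot see how the role's defaults constrain `openvpn_protocol`; if it is validated to exactly `udp`/`tcp` the narrower comparison is acceptable, but the comment is still worth keeping.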