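# OpenVPN server configuration, rendered from a Jinja2 template.
# Directives whose value comes from a variable are filled in at render time;
# the `;` lines are the upstream sample's commented-out examples and are inert.

# --- Transport and addressing ---
mode {{ openvpn_mode }}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
topology subnet
server {{ openvpn_server_net }}
# Remember client -> VPN address assignments across daemon restarts.
ifconfig-pool-persist ipp/ipp.txt
# Per-client overrides (iroute, ifconfig-push, ...) are read from this directory.
client-config-dir ccd

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# --- Routing ---
# Routes the server itself installs (one per entry, "network netmask" form).
{% if openvpn_client_routes is defined %}
{% for route in openvpn_client_routes %}
route {{ route }}
{% endfor %}
{% endif %}
# Routes pushed to every connecting client.
{% if openvpn_push_routes is defined %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% endif %}
# Arbitrary additional push options (e.g. dhcp-option entries); rendered verbatim.
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}

# --- Data-channel crypto ---
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# AES-256-CBC is the non-AEAD fallback for peers that cannot negotiate; no
# `auth` directive is set here, so the control/data-channel HMAC is OpenVPN's
# default (SHA1).  Change both sides together if a stronger MAC is wanted.
cipher AES-256-CBC
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}
keepalive {{ openvpn_keepalive }}

# --- TLS material and client authentication ---
{% if openvpn_cert_auth_enabled %}
tls-server
{% endif %}
# Key direction 0 on the server; clients must use direction 1 with the same key.
tls-auth {{ openvpn_tls_auth }} 0
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
# With this rendered, clients are NOT authenticated by certificate: one of the
# username/PAM or LDAP branches below must be enabled, otherwise anyone holding
# the CA chain and tls-auth key can connect.  OpenVPN 2.4+ spells this
# directive `verify-client-cert none`.
client-cert-not-required
{% endif %}
{% if openvpn_username_pam_auth %}
# Use the supplied username (not the cert CN) as the client identity for
# ccd lookups, status output and `duplicate-cn` handling.
username-as-common-name
# PAM login plugin
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}
{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}
{% if openvpn_ldap_perl_auth %}
# `via-env` hands the client's username/password to the script through its
# environment, which needs script-security 3; on platforms where a process's
# environment is readable by other local users, `via-file` is the safer method.
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve
{% endif %}

# --- Runtime behaviour ---
max-clients {{ openvpn_max_clients }}
# Keep the tun device and key material open across SIGUSR1 restarts so the
# daemon can still restart after dropping privileges below.
persist-tun
persist-key
status status/openvpn-status.log
{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
# Notify the client that when the server restarts so it
# can automatically reconnect.
# OpenVPN refuses to start with explicit-exit-notify on a TCP transport, so the
# directive is only rendered for udp/udp4/udp6.
{% if 'udp' in openvpn_protocol | lower %}
explicit-exit-notify 1
{% endif %}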