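{# OpenVPN server configuration rendered by the openvpn role.
   Every "{{ ... }}" value comes from the role's variables; blocks wrapped in
   "{% if ... %}" are emitted only when the matching flag or list is set.
   Lines starting with ';' are inactive examples kept from the upstream
   sample server.conf. Comments marked NOTE(review) are open questions for
   the role maintainer, not statements about the current deployment. #}
mode {{ openvpn_mode }}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
topology subnet
server {{ openvpn_server_net }}
# Persist client address assignments across daemon restarts.
# NOTE(review): relative path, resolved against the daemon's working
# directory (service unit / --cd); confirm it points inside /etc/openvpn.
ifconfig-pool-persist ipp/ipp.txt
# Per-client overrides (iroute, ifconfig-push, ...) live in ccd/<common-name>.
client-config-dir ccd
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

{# Routes the server itself installs towards client-side networks. #}
{% if openvpn_client_routes is defined %}
{% for route in openvpn_client_routes %}
route {{ route }}
{% endfor %}
{% endif %}

{# Routes pushed to every connecting client. #}
{% if openvpn_push_routes is defined %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% endif %}

{# Arbitrary extra push options (typically dhcp-option lines); each entry is
   emitted verbatim inside the quotes, so the variable must hold complete
   option strings. #}
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
{# NOTE(review): AES-256-CBC is only the fallback for clients that cannot
   negotiate; on 2.4+ the negotiated list (ncp-ciphers / data-ciphers on 2.5+)
   decides what is actually used. Consider pinning that list explicitly once
   the minimum supported client version is known. #}
cipher AES-256-CBC

{# Compression of encrypted traffic enables compression-oracle attacks on
   data the VPN carries (VORACLE-class). Leave openvpn_compression_enabled
   unset unless there is a measured need; newer releases deprecate it. #}
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}

keepalive {{ openvpn_keepalive }}

{% if openvpn_cert_auth_enabled %}
tls-server
{% endif %}

# Control-channel HMAC key; "0" is the server-side key direction and the
# client must use "1".
{# NOTE(review): on 2.4+ tls-crypt additionally encrypts the control channel
   and needs no key-direction argument; a candidate hardening if all clients
   are 2.4 or newer. #}
tls-auth {{ openvpn_tls_auth }} 0
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}

{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
{# With client certificates disabled, a connection is accepted on the basis of
   the tls-auth key plus whichever password backend is enabled below; make sure
   at least one of openvpn_username_pam_auth / openvpn_ldap_auth /
   openvpn_ldap_perl_auth is set, otherwise any holder of the tls-auth key can
   connect. client-cert-not-required is deprecated since 2.4 in favour of
   "verify-client-cert none" and is gone in 2.5 (confirm against the target
   release before switching, the old form does not exist on older servers). #}
client-cert-not-required
{% endif %}

{% if openvpn_username_pam_auth %}
# Use the PAM login name, not the certificate CN, as the client identity
# (affects ccd lookups, status output and duplicate-cn checks).
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}

{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}

{% if openvpn_ldap_perl_auth %}
{# "via-env" hands the user's password to the verify script through its
   environment, which the OpenVPN manual flags as less safe than "via-file"
   (and via-file only needs script-security 2). Kept because the auth-ldap
   script's interface is outside this template; revisit with its owner. #}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
# Level 3 is what via-env requires. The legacy "execve" method argument was
# the default and is dropped here so the line stays valid on releases that no
# longer accept a second argument.
script-security 3
{% endif %}

max-clients {{ openvpn_max_clients }}

# Keep the tun device and key material across SIGUSR1 restarts; required for
# the optional privilege drop below, since an unprivileged daemon could not
# re-open them.
persist-tun
persist-key

# NOTE(review): relative path, same working-directory caveat as ipp/ipp.txt.
status status/openvpn-status.log

{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}

verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}

{# explicit-exit-notify is UDP-only; with "proto tcp*" recent releases refuse
   to start rather than ignore it (confirm against the target release), so it
   is emitted only for udp/udp4/udp6. #}
{% if (openvpn_protocol | string | lower).startswith('udp') %}
# Notify the client when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
{% endif %}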