#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# NOTE(review): the CA certificate, server certificate, server
# private key, DH parameters and tls-auth key are all embedded
# inline further down in this file, and their subject fields are
# placeholders (CA CN "CommonName", "YourProvince",
# "YourOrganisation", mail@example.ru; server CN "Keenetic-1").
# Whoever holds a copy of this file holds the server's private
# key and the HMAC key, so none of this material can be reused:
# generate a fresh CA, server cert/key, DH parameters and
# tls-auth key before deploying, and treat the resulting file as
# a secret (restrictive file mode, never committed to a shared
# repository). OpenVPN only reads inline PEM inside the
# ca / cert / key / dh / tls-auth inline tag pairs; the
# angle-bracket tag lines appear to have been lost from this copy
# and must be restored (or the equivalent file directives used),
# otherwise the daemon will not parse the blocks below. Nothing
# here configures crl-verify, so revoking a client certificate
# has no effect until a CRL is added; consider also
# remote-cert-tls client so only certificates issued as client
# certificates are accepted.

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).
Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). -----BEGIN CERTIFICATE----- MIIHDDCCBPSgAwIBAgIJAKM1kPiIBfkvMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD VQQGEwJSVTEVMBMGA1UECBMMWW91clByb3ZpbmNlMREwDwYDVQQHEwhZb3VyQ2l0 eTEZMBcGA1UEChMQWW91ck9yZ2FuaXNhdGlvbjEZMBcGA1UECxMQT3JnYW5pc2F0 aW9uVW5pdDETMBEGA1UEAxMKQ29tbW9uTmFtZTEQMA4GA1UEKRMHS2V5TmFtZTEe MBwGCSqGSIb3DQEJARYPbWFpbEBleGFtcGxlLnJ1MB4XDTE3MTIwNTIxNTQyOVoX DTI3MTIwMzIxNTQyOVowgbQxCzAJBgNVBAYTAlJVMRUwEwYDVQQIEwxZb3VyUHJv dmluY2UxETAPBgNVBAcTCFlvdXJDaXR5MRkwFwYDVQQKExBZb3VyT3JnYW5pc2F0 aW9uMRkwFwYDVQQLExBPcmdhbmlzYXRpb25Vbml0MRMwEQYDVQQDEwpDb21tb25O YW1lMRAwDgYDVQQpEwdLZXlOYW1lMR4wHAYJKoZIhvcNAQkBFg9tYWlsQGV4YW1w bGUucnUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8ohkMMxVlRE3k dmDGun9Q+bRAlHpIgp4eCZ3D4aNo2+COXJ76/xp623UWlAORefN8Hw/1moGkgI/e HDmsjKnyeUjsxjZ9SnjLxx0jjL3mL4FPVqQ161ppCKmlB/LH9VxU4fM1JAXnoEzl w07f0vEi8znIoFCvljlBPpumX3OL+LZ1s+IflFFTA4sERf8RHKbw2bKKcwBtXgMP jlQyGp9ocxZrMiG4cbehuJa7ftWUwoWOBIUPR8adjl9zoueDLLapEN9heyblzjPs jWss6OOqVwPaSlc38NAppqLBL1uJj0a8+55+C3+MR5fA1XYUhlonJTFgcTrt+QI8 EXs86/JFvtQsWJ2XgfGdufn2EZcBbNjUZ33Qx0M6J1Xd08P04RoITt5OQfDg6rAq GvqVWopfc/i9vuwPCjYMuSeclaLTiBn16AWI7JNdWr+RduudmqQGzFnQrXn2RPVT wqyYigZte0cKmVzRtLOyK5emou/8w2BEOnvjwzYK4pulkdwSOmTPrPdWewXsR5/b dKOSkloc75eTJQNiajV1TjyG6FcrDF0qmwATopV+h0Acr+vOgMtvzVS/xam9wHug sXHyZ7Fz7MK61YBh+Wf1yEqxzVAQvoV1Z6uD2720HYyyUWDdW5MFeLcXluvk0L+d XGOystsfSV18AlSs3Qk5hamf6vbpvwIDAQABo4IBHTCCARkwHQYDVR0OBBYEFP/j 1de1UQgDyTN5vTqsicz0RQpwMIHpBgNVHSMEgeEwgd6AFP/j1de1UQgDyTN5vTqs icz0RQpwoYG6pIG3MIG0MQswCQYDVQQGEwJSVTEVMBMGA1UECBMMWW91clByb3Zp 
bmNlMREwDwYDVQQHEwhZb3VyQ2l0eTEZMBcGA1UEChMQWW91ck9yZ2FuaXNhdGlv bjEZMBcGA1UECxMQT3JnYW5pc2F0aW9uVW5pdDETMBEGA1UEAxMKQ29tbW9uTmFt ZTEQMA4GA1UEKRMHS2V5TmFtZTEeMBwGCSqGSIb3DQEJARYPbWFpbEBleGFtcGxl LnJ1ggkAozWQ+IgF+S8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEA XsT7xefDPsEJox/pe3VAvMa5Y7iPyWHuLU8yWETbI2ap+V6mFSRTlEs9BbUukuKT 0dUHBPAC4JYgmvpr2DqxIeZ3hQxwQ/jljUIaiz1ieXm/A3mSAKDlmFuG1IT1XU77 5aD1sRasKl0GMKw6W0fZuu11XaNGJwZNNbrKSehhKoxUO47N9JUgAq8fYZGyu/Cf rq5KVc3pXpoyPGT/CCjR5yOQ5lUHmEtN7+BWh4Xyh1k68VHhnYY4PLEU5oGoRLd1 l+xmz3MBQ+Plh8MpjZ8zmmdNo1Bp3fQ8C2dzDrK5jNdhRd2HnuSYXvnuUDaLxZ2f WSnunaOjvJomAIzNe59z+XEFzTvRfFfFc6ItMhlvDVjSkPD/zYCpG7lwvQmXybj4 7vVtRlOs9CTzaylTtwIqR/K5LJmTzj+/a/9WiqlUtUsKXKSMvWta510NrErECA+Y uP6PMc1JVGsZ8AZ0hz9kiUW4OmpRhN3W6XsaIKepKd9qeQlgf3UWl4+ii6cdKJ6E D2yZdu7x9VbIyKwueBQ0V+A3aJ/5+1fxRGH3VsuLH55LLGevIwOcX811BlXl7cME BqOWCm9qxsh8+lhiNc/7odD/sIkm0Egn1ByZFP/9E3uM1vBeQknP2Uz23ZwVSQQc TzjRhI0+s/McKXR1xaFZCua+aUPU7C8Ufn4HbjcuqUs= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIHbzCCBVegAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCUlUx FTATBgNVBAgTDFlvdXJQcm92aW5jZTERMA8GA1UEBxMIWW91ckNpdHkxGTAXBgNV BAoTEFlvdXJPcmdhbmlzYXRpb24xGTAXBgNVBAsTEE9yZ2FuaXNhdGlvblVuaXQx EzARBgNVBAMTCkNvbW1vbk5hbWUxEDAOBgNVBCkTB0tleU5hbWUxHjAcBgkqhkiG 9w0BCQEWD21haWxAZXhhbXBsZS5ydTAeFw0xNzEyMDUyMTU5MzZaFw0yNzEyMDMy MTU5MzZaMIG3MQswCQYDVQQGEwJSVTEVMBMGA1UECBMMWW91clByb3ZpbmNlMREw DwYDVQQHEwhZb3VyQ2l0eTEZMBcGA1UEChMQWW91ck9yZ2FuaXNhdGlvbjEZMBcG A1UECxMQT3JnYW5pc2F0aW9uVW5pdDETMBEGA1UEAxMKS2VlbmV0aWMtMTETMBEG A1UEKRMKS2VlbmV0aWMtMTEeMBwGCSqGSIb3DQEJARYPbWFpbEBleGFtcGxlLnJ1 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BCLa/24U/wtIS6wQHFp Y0NfYV9izsSfkP1YXjzTl4N92YfXW3PCfZ2a0Zzdybc166cMePTaCsbnhJsoDCjY MylUPfNcI8kLVCVgT87qQEQjk+P/WXVtYldZJL2WGo5lMWuoMd/2M3cVQnx2sxo1 uhGVSYlvTobjGDm4N9EFQ+O/Rio5N2QM6DBG7IvXA96B9EyNMxNY3Z8EOp+ZReB3 QLm3gIEJ/0GFFvePwzxt6eEeoDpU2U2nCsAIHx3FB6D0Hb8L1s7w71lfZd+BV3AH HcBPV2zvQQ0pWn8mfyzvRYFojpBbCLULyrS2S68gbzNFO5Yv+XZ+8NHj0XXUdmcR 
kPGY2T9Veqhr285En7DXcTfn7zp5JxPr1YS7RmvcztkBf24HlB0B2H5j8W+5LaGX mabCtYkJvzCNPUcIlUh4GVysLuf6RQm8rdVscstjbKeMptIoPguQYmE9kIjOSVLu kyP1HP/s84OJoxgW+FJE+DvBeaJW/guP0F+Do/jNU5/Yy9CS08VFDKGNdQAX7dX8 1+nE5G0QJ+qk95PqAE+htgqAAUy1Mg7qVUuks4msd+EXtBsY6SRPxbW1WEEF9Y5j gwRdpXceV5BKBp1xsSNexgyc9C0DAxYQuFtdvHG1kIuIKhGSmoyJKe3/JPPzymf3 8rX/L9eTDAn1YaDPf8wMuRsCAwEAAaOCAYUwggGBMAkGA1UdEwQCMAAwEQYJYIZI AYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVFYXN5LVJTQSBHZW5lcmF0ZWQg U2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBSMe25RKnzE+Cm5uQUV6VEn9Q27 qDCB6QYDVR0jBIHhMIHegBT/49XXtVEIA8kzeb06rInM9EUKcKGBuqSBtzCBtDEL MAkGA1UEBhMCUlUxFTATBgNVBAgTDFlvdXJQcm92aW5jZTERMA8GA1UEBxMIWW91 ckNpdHkxGTAXBgNVBAoTEFlvdXJPcmdhbmlzYXRpb24xGTAXBgNVBAsTEE9yZ2Fu aXNhdGlvblVuaXQxEzARBgNVBAMTCkNvbW1vbk5hbWUxEDAOBgNVBCkTB0tleU5h bWUxHjAcBgkqhkiG9w0BCQEWD21haWxAZXhhbXBsZS5ydYIJAKM1kPiIBfkvMBMG A1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOC AgEAExGrKg24jD7PLRNrZKwhHuLkq7QbNCHV8VrCr8AaKgyOB9/Q8H6AHpJS0FZV 6ZIZP8/iSeI4Rz1vMY+7yH8hZohrO9Cnd4z4EYbdTU8bXG5Z3bq46N8kfGVckFbU /zvOL2oko60bru7V+vW1LXPqM3HzK+rX+cdBJ5vnib8QTMflv58Yt1XJCTmvst4P WHDxkRQ4Lt+gLI4DUC2D23Kw9pGltqlktw94bfo70uKZtjp/pWkg5ftRjC70JF9P RAgkL4xIKQIxMB1bBa9W6IALREgrmFt/CLndzJT3ugqqxXsl6j9ZYaynz12P34QO aha22xM+n8CiudkzVaYR8tnrmeIJIs1lm2SuC7PyTzvMYYVk05ZSJKR+1kqdu+Ph DQdNxyNl9ncpj3UdWVUrRNxKKlrf9VAiMTfBOIVxX1Gh1g2P0yXEOLQe0vOfD/uC AD3QQcMrnApPPN5FEVi0SXJ+22FZFfyA6yFn6TP3t8OPEGjIXrcJVL/S+TmB2duy IMwb3nRYod1CQKOg1ppaDo3P7ZcqJr8J2Jy4CaKpSr16yCQ0ADCB2fmL7Iz72iVC vB03vCmtdBdHZFTUrtAAATvvqGOQfJfYIeZ4vFbGhrpw+6DewHx4QJUz2u5ZXbsv vTwh4HrjWKUosx37bdCUGUZOifsNkXbWBXmdC32ZSfaDBJQ= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDgEItr/bhT/C0h LrBAcWljQ19hX2LOxJ+Q/VhePNOXg33Zh9dbc8J9nZrRnN3JtzXrpwx49NoKxueE mygMKNgzKVQ981wjyQtUJWBPzupARCOT4/9ZdW1iV1kkvZYajmUxa6gx3/YzdxVC fHazGjW6EZVJiW9OhuMYObg30QVD479GKjk3ZAzoMEbsi9cD3oH0TI0zE1jdnwQ6 n5lF4HdAubeAgQn/QYUW94/DPG3p4R6gOlTZTacKwAgfHcUHoPQdvwvWzvDvWV9l 
34FXcAcdwE9XbO9BDSlafyZ/LO9FgWiOkFsItQvKtLZLryBvM0U7li/5dn7w0ePR ddR2ZxGQ8ZjZP1V6qGvbzkSfsNdxN+fvOnknE+vVhLtGa9zO2QF/bgeUHQHYfmPx b7ktoZeZpsK1iQm/MI09RwiVSHgZXKwu5/pFCbyt1Wxyy2Nsp4ym0ig+C5BiYT2Q iM5JUu6TI/Uc/+zzg4mjGBb4UkT4O8F5olb+C4/QX4Oj+M1Tn9jL0JLTxUUMoY11 ABft1fzX6cTkbRAn6qT3k+oAT6G2CoABTLUyDupVS6Sziax34Re0GxjpJE/FtbVY QQX1jmODBF2ldx5XkEoGnXGxI17GDJz0LQMDFhC4W128cbWQi4gqEZKajIkp7f8k 8/PKZ/fytf8v15MMCfVhoM9/zAy5GwIDAQABAoICACU9Gq7cACKVKrr1E33iW22P 6O45+CX9L7fdIy6mVVQ9GlFo7jXYy14tL2ne9E1uEZwUq1H+/64C2L+FOearcyMt nz6cj5ey9hsKCzO4Y95CdNdDcVDg30kU00/z4lqPh+nqxo1jd3ueMv5VyTSDCqLe AT2zhbg7WsrP7Pn51zItS8DRi6jVDAAa5e6yXw3ZkSeVAXKXqJFMuFs14zdl0uwC 8ah9ybeOoBvtEQuVo37XV0ux5iAnc7epqq/hNrnJ2kiHU+RjiE9/PwejWc+6YrRj Hcyd4jWhhlnv/+nrAek/VK08+KQ90rPhzNpPRMi2cK8yis6fDwHfIEnTl3gGMTjh 9Tt5nWF+XTwi06aZSCHhUT7KBUk6k7q4/sqFP6ZgGDM7IEfOjnQ6n/TtIfxGsFiA V5f4gv7Xl7F1SnbbRzrl8o06k2utGCkmfKqRk1BNJs8R9x4tod7HiApZ4irK6dip 6hFx6XOmdKxaQqnPETm20RxsA0IIlA4Gq8rDLvwANKXJc2pbZId6RyoiB0pVBHWO 0FHDnO56ifhxpZAm6EwA3FenOyVO8D+AwvDAfx79JwIybvQqWTkKRF+ZFBRZMj0K Qa2jsoqfSHQ5fN3IRMseLr2gGi6gqD7l8wpN4IUwSyIlBl2N6x7uQnepVtLQElrM vgc5w1ggI6dl7UXJwzQBAoIBAQD8pCJ0bgQeWSZYqXLjEZ7TxGDW8C8Z4Q+fnFHt F2taNKOcUG4NPmJfIQ59T1+YJRLVJrCQQseIR0kZRtMJGb6wwmGP5QxKDSLEMJUZ nGpEgVJOzut/lX7PEHX/NrDxmfbsveSYHk4m6GGH+2QRabaK/kLs8JIzWITnu1NF XeudGFrg2YqY+4SRdDL+/o7rzAL2N4Vnxfehf2V8DjMGXZd8Fc2uUqI/lYmZre+s jC+hBCoXxoQ0jsOT75mTmMTi41U+0rLc7LWLtLoDoaaPJk4TI+/QvqsVK+3DK1YC rek+qQ7lFfzxl0AlqDOqPFhbQMMSVanRBwzbPj642OXkegSbAoIBAQDjCyZR+2o6 wVP3KZKZV8BOcTWQGIutBaptB46VSIwFdjGTZUmgTcjUO9iUbMe43OAdqh05k763 0ep44DdBAwP2hrsUMIbcvWeP0/Ss2Ct1xiFx/7lJUrA02RreSVwXg7idEAgVMeNR t3iuHw5WOGf0ApjVLy/eFvyewWsklkDTcoz/TUSwNwmMUrDRlq7RxokZZU7CAaea FQxSAY2gsELRiF43j90iZyo/3hkNu/s/FthK7vXgHXA7+BesrpcdepRUSTv+sMd8 kRSF2ybxzEXjnig0+UGny4MXol1jBhPF9DO1K8wKniB3XFml4shJU77wE3pfbHUu oGVWOdPvEiWBAoIBAQCYWOHuE+mn41qcXJJLG3ULfoBnHK9Ki81AEqPUtSqnWtbO jDHRCq2HcAesyRB8Tt7sakhOtfZc15/c/jiEZGH5dT4f559hiEpOxH0k1I3AgbuA 
ioa4iQ3PD74YCILrLk0YteoDUUMPc1JdDdtqJLVPW8Q/3VJMZDTBCNVOHzTVprom nQhW+FUY4VlfK2JEDuI6V4C680ZAvPIVvPpH/Gg9C2jcljgA38v6QEknY+HU1w4L CErw5qZJr1KNDrKrnyrol2YEkzlm5bTGO9SUviSWpjUXS+MfAT5/UsKrGvRsNMYm nvvJM8wa6TM+lOUzIfqAM+gThIzcKMzp6uG2xV3BAoIBAD4FurckljVswLJBQhHv vdHv7TDq86UVaiQUr2eqhM2tJwfb4IwRE66elqCdQsYGWJbh9M/Yw33Vs1bH8XAq EbgTwCFYzE6a0yKgRTO+bcjjkhlhQU19cDNPp55XrfeifRky2vJnSXD2TNpME4+M IyGuX+/Ezy+9Wc9IiStafGUG4uuPQRdeQZZ6tGDc5+7YbHVqjmRDLXTTESWJ1RWz cN1qgkptW3xdcFY4JuHwm0b1x6pYswRBJnrLYDRFEXT1GnYX93Kw+h3WSCP05SOi qOjwOI2YFc5vsuUO7rHxZA9skX+JcljoL3hL2xWM6SfW388XkxNkPnK5UFWIwJOL goECggEAVceHsBJSzSnTNenVULgvwEOoQRm3Kngbf1gH8Rkffpj8cePsCA2cGZYS B5R6nua0FP3qki3KOWd3j4hXWW1dCg9wLMImRJI/9cwFZ1LEp8KwzHultcWtzULQ hNg3hF2ZbP9l8Ebs7wB6qteJ1Pq8FDasx41m9wsem5HiykX3w36Vp9vHfaybnGY5 PFJtAKP/Lj1lBoyvpHG0xONOcBnQyDsgrzNxrBxqwBgfHrSMrBxBx3IAMztNObFy EcHlROAGL24bzYHY+bXJ+gnlRiAHK02Qq9eoXj7fPnhfgQ1A+terQ2dqVnN81QuJ HhIopF0dy1KZjyxJaOE5u8tPZlvDZA== -----END PRIVATE KEY----- # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh2048.pem 2048 -----BEGIN DH PARAMETERS----- MIICCAKCAgEA3DNrMyk3h8Q/tTrhFDxsDq6TpVk3HWlDJIFGs3j1NulmwV2QFC2h eudCewPH49pM5yvnmvDf73Vo1x0AEifl0JIXQ+REjAoAj66mH3MBXQ0aastS4MMq n1OCC87V5ub9kNCFKqGL9wMVJA7YZVumpamgf5xp2MYK3PMjwejTR8EzmAgVB+OB yKv2Far7jpAkxSB9jXF3hDDAHfQ7LK50joUqsgjpGLG+VleVe4p6O/g9o2NsNyGY X5JvdUHYpuuojyEqLyLi4lUnuwNCGkqOPZQV+XsmIhdDkAvhQ1cEZfXIWuoWxOVn C/DgctEnFbWSV6P4USBUq0EhirLh+H6fsFPnnIeeIMgzoxrTKBs57TEklEqRkhEA MCEDUwBCXi4Ki5uk8gz5Cr+nzXwvjElH3yIErBSR+jDsrpU0OacDVQebbLNxkqyF DJCtCpGkDhPGjSu6/eUr2UOeWHs52ekELUyW1VH4rCvtyHWUnoxEOIIzSO9IhOHW jeHSJfzpxT2cjHe2WiB1YXKSQe9gMvgmTfsCYdVUclCcHzrTgh0ps4HlTC/ASz9j mqYJOpffd8E39HT/hfXGNn5nSg2MyZ/ZnZgWwzZHqKCgQydOcTNy0cyKq05190Ox T/eXHwYyruS968F1MjO7pwmgL/Pi25FccJU0mvR68rWOUbYk1H82PDMCAQI= -----END DH PARAMETERS----- # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be supported (then net30, i.e. 
a /30 per client) # Defaults to net30 (not recommended) topology subnet # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ;ifconfig-pool-persist ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Configure server mode for ethernet bridging # using a DHCP-proxy, where clients talk # to the OpenVPN server-side DHCP server # to receive their IP address allocation # and DNS server addresses. You must first use # your OS's bridging capability to bridge the TAP # interface with the ethernet NIC interface. # Note: this mode only works on clients (such as # Windows), where the client-side TAP adapter is # bound to a DHCP client. ;server-bridge # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. 
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# The ccd file is looked up by the client's certificate
# common name, so this only works when every client has
# its own certificate with a unique CN (see duplicate-cn
# below).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
#     The script runs with the daemon's privileges
#     and is handed client-supplied values, so keep
#     it minimal and validate its arguments.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair: a shared certificate cannot be revoked for
# one user without cutting off all of them, and
# per-client ccd files and log entries become
# unattributable.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# When the key is given as a file, the second
# parameter of tls-auth should be '0' on the
# server and '1' on the clients.  When the key is
# embedded inline, as it is below, the direction is
# set with the separate key-direction directive
# instead.  The key embedded below has been
# published with this sample and offers no
# protection; generate your own.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
a317a208623442cba18216af43b0ee31
8bc2187f5e9acac32545a57328c7f262
ec3dea67a6cbc097bdf61f71f91f3aec
ba79406792b0dbe45202c81069ced5bd
fa2f69252af9bb84284a513df40339d2
dc5e94b1a2ccabc2dc5f254eff88f491
7e150f87fdc247ed9a1eb3d9fa53f4a9
9efc282d399879b0b1139a23b0071ba1
66b5a0975a086bfb85d677dcb6b58180
0823825c3a7fd66fcbb412d1bd414152
b16d67bc3124f5407307e5d4e1db61b3
cec5a775b4107ad892cb358e8e2deeac
f67918e6a63e57a96efd53803d6ff86d
f66014211e61f8e460b76a7cf821dd54
76d74e23ce313b659d8edaadc204770e
a5b825f84b531f8974ea8cebd646ea44
-----END OpenVPN Static key V1-----
key-direction 0

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below).
# Compressing traffic before encrypting it is
# discouraged: when an attacker can influence part
# of the plaintext, the compressed size leaks
# information about the rest (VORACLE-style
# attacks), and newer OpenVPN releases deprecate
# compression for this reason.  Leave it off
# unless you have a specific need.
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
# The same caveat as above applies.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# Uncomment both lines on non-Windows systems;
# the persist-key / persist-tun directives below
# are already set so the key and the tun device
# remain usable after the drop.  Some distributions
# name the group "nogroup" rather than "nobody" --
# check your system before enabling.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
;status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify connected clients when the server is
# stopped or restarted so they can reconnect
# automatically.  This only works with UDP
# (proto udp is set above); it has no effect
# if you switch to proto tcp.
explicit-exit-notify 1