# OpenVPN client configuration template. The {{...}} placeholders are filled in
# by the deployment tooling before the file is installed on the client.
# Lines marked NOTE(review) call out settings that affect security posture or
# that must be kept in step with the server configuration.

# Specify that we are a client and that we will be pulling certain config file
# directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully
# disable the firewall for the TUN/TAP interface.
dev {{vpn_interface_type}}

# Are we connecting to a TCP or UDP server?
# Use the same setting as on the server.
proto {{vpn_protocol}}
# NOTE(review): with nobind set further down, this mostly duplicates the port
# already given on the remote line; harmless, but two places to keep in sync.
port {{vpn_server_port}}

# The hostname/IP and port of the server.
# You can have multiple remote entries to load balance between the servers.
remote {{vpn_server_host}} {{vpn_server_port}}

# Choose a random host from the remote list for load-balancing.
# Otherwise try hosts in the order specified.
# (Only one remote line is present in this template, so this has no effect
# until more are added.)
remote-random

# Keep trying indefinitely to resolve the host name of the OpenVPN server.
# Very useful on machines which are not permanently connected to the internet
# such as laptops.
resolv-retry infinite
route-delay 2

# Use the VPN as the default network connection
redirect-gateway def1 bypass-dhcp # IPv4
route-ipv6 2000::/3 # IPv6

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization.
# NOTE(review): the privilege drop is disabled, so the client keeps running as
# whichever user started it (often root). persist-key/persist-tun below are
# the directives that make dropping to an unprivileged user workable across
# restarts, so enabling these two lines is the usual hardening step; confirm
# the "openvpn" user/group exists on the target hosts first.
;user openvpn
;group openvpn

# Try to preserve some state across restarts.
persist-key
persist-tun

# Try and avoid fragmentation issues.
fragment 1300
mssfix 1300

# If you are connecting through an HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and port number here.
# See the man page if your proxy server requires authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot of duplicate packets.
# Set this flag to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more description.
# It's best to use a separate .crt/.key file pair for each client.
# A single ca file can be used for all clients.
# NOTE(review): no client cert/key is configured; together with auth-user-pass
# below the client authenticates by username/password only, which requires the
# server to accept certificate-less clients. Confirm that is intended, since it
# makes password strength and the server's rate limiting the whole of the
# client-side authentication story.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the certificate has the correct
# key usage set.
# This is an important precaution to protect against a potential attack
# discussed here: http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate your server certificates with
# the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server then every client must also have the
# key.
# Key direction 1 here pairs with direction 0 in the server config. The key
# file is a shared secret and must be distributed as carefully as a private key.
tls-auth {{vpn_name}}-ta.key 1
auth-user-pass

# Select a cryptographic cipher.
# If the cipher option is used on the server then you must also specify it
# here.
# Note that v2.4 client/server will automatically negotiate AES-256-GCM in TLS
# mode.
# See also the data-ciphers option in the manpage
# NOTE(review): AES-256-CBC is the fallback for peers that cannot negotiate; a
# v2.4+ pair will use AES-256-GCM as the comment above says. On newer releases
# the cipher directive is deprecated in favour of data-ciphers -- confirm
# against the OpenVPN version actually deployed.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also enabled in the server config file.
# NOTE(review): compressing traffic inside a TLS tunnel exposes it to
# compression-oracle attacks (the VORACLE class); upstream guidance is to leave
# compression off on both client and server. Left in place only because the
# server side must change at the same time -- plan the change as a pair.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# NOTE(review): presumably expands to an inline <ca> ... </ca> block or a ca
# directive naming the CA file -- confirm in the template variable, since this
# is what the server certificate chain is validated against.
{{vpn_ca_certificate}}