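# OpenVPN client configuration, rendered from a Django/Jinja template.
# Template variables used: vpn_interface_type, vpn_protocol, vpn_server_host,
# vpn_server_port, vpn_name, vpn_ca_certificate.
# OpenVPN treats "#" and ";" as comment starters at the beginning of a line or
# of a whitespace-separated token; ";" marks directives shipped disabled.

# Specify that we are a client and that we will be pulling certain config file
# directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully
# disable the firewall for the TUN/TAP interface.
dev {{vpn_interface_type}}

# Are we connecting to a TCP or UDP server?
# Use the same setting as on the server.
proto {{vpn_protocol}}
port {{vpn_server_port}}

# The hostname/IP and port of the server.
# You can have multiple remote entries to load balance between the servers.
remote {{vpn_server_host}} {{vpn_server_port}}

# Choose a random host from the remote list for load-balancing.
# Otherwise try hosts in the order specified.
remote-random

# Keep trying indefinitely to resolve the host name of the OpenVPN server.
# Very useful on machines which are not permanently connected to the internet
# such as laptops.
resolv-retry infinite
route-delay 2

# Use the VPN as the default network connection
redirect-gateway def1 bypass-dhcp # IPv4
route-ipv6 2000::/3 # IPv6

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization.
# Shipped disabled because the account must exist on the client. When enabled,
# persist-key/persist-tun below let OpenVPN restart (SIGUSR1, ping-restart)
# without needing the privileges it dropped.
;user openvpn
;group openvpn

# Try to preserve some state across restarts.
persist-key
persist-tun

# Try and avoid fragmentation issues.
# --fragment is UDP-only: OpenVPN refuses to start with
# "--fragment can only be used with --proto udp", so it is emitted only when
# the templated transport is UDP (value compared case-insensitively).
# mssfix is kept for all transports.
{% if 'udp' in vpn_protocol|lower %}
fragment 1300
{% endif %}
mssfix 1300

# If you are connecting through an HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and port number here.
# See the man page if your proxy server requires authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot of duplicate packets.
# Set this flag to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more description.
# It's best to use a separate .crt/.key file pair for each client.
# A single ca file can be used for all clients.
# Here the CA is supplied inline in the <ca> block at the end of this file and
# no client certificate/key is configured, so the client is identified by
# auth-user-pass (plus the shared tls-auth key) below.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the certificate has the correct
# key usage set.
# This is an important precaution to protect against a potential attack
# discussed here: http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate your server certificates with
# the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
# remote-cert-tls only checks the certificate's purpose. To additionally pin
# the expected server identity, add a line such as
#   verify-x509-name <server-cn> name
remote-cert-tls server

# If a tls-auth key is used on the server then every client must also have the
# key.
# {{vpn_name}}-ta.key is a static shared secret: keep it readable only by the
# user running OpenVPN. The trailing 1 is the key direction (the server uses 0).
tls-auth {{vpn_name}}-ta.key 1
# Username/password are prompted at connect time (no credentials file given).
# They are cached in memory for renegotiations unless auth-nocache is set.
auth-user-pass

# Select a cryptographic cipher.
# If the cipher option is used on the server then you must also specify it
# here.
# Note that v2.4 client/server will automatically negotiate AES-256-GCM in TLS
# mode.
# See also the data-ciphers option in the manpage
# AES-256-CBC is the fallback when negotiation is unavailable; OpenVPN 2.5+
# deprecates "cipher" in favour of data-ciphers / data-ciphers-fallback.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also enabled in the server config file.
# Compressing plaintext before encryption exposes a compression-oracle risk
# (VORACLE); upstream recommends leaving compression off. Kept here only
# because it must match the server setting.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Inline CA certificate (PEM) used to validate the server certificate.
<ca>
{{vpn_ca_certificate}}
</ca>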