# Originally /usr/share/doc/packages/openvpn/sample-config-files/tls-home.conf
# Set up for Harlech by jimc on 2004-06-15.  This is openvpn-2.0beta5
#
# NOTE(review): OpenVPN server configuration in the 2.0 option syntax:
# one "option [args]" directive per line, "#" full-line comments, no sections.
# The crypto choices below (SHA1 HMAC, AES-128-CBC, 1024-bit DH, default TLS
# cipher list) are 2004-era; see the per-option notes before reusing this file
# on a current OpenVPN.

# General Parameters

# Verbosity. 0=fatal only, 1=startup + nonfatal errs, 2 = cert + crypto names,
# 3=TLS debug stuff, up to 11.
verb 1
mute 10

# Drop privileges and enter chroot jail.  (Can't, no access to tunnel device)
# NOTE(review): with these three commented out the daemon keeps root for its
# whole lifetime, so any bug in the packet path runs as root.  persist-tun is
# set further down, which is the usual way to keep the tun device usable after
# dropping privileges -- TODO confirm whether user/group can be enabled now.
# user nobody
# group nobody
# chroot /etc/openvpn/jail

# Preserve root-only files and options.
persist-key
persist-local-ip
persist-remote-ip
persist-tun

# Lock key and buffers in memory, keeping them out of the swap file.
mlock

# Use a dynamic tun device.  (Could also be tap, for ether bridging.)
dev tun
# tun-ipv6 (not allowed with mode server)

# MTU for tunnel (outer) packets.  Over-conservative default 1300, recommended
# is (link_mtu - 28) deducting the UDP header, i.e. 1472 for a standard link
# of MTU = 1500.  The default seems to work OK in v2.0.
# link-mtu 1472

# Path MTU discovery, should DF (don't fragment) be set?  no, maybe, yes.
# "maybe" uses per-route heuristics to decide.
mtu-disc maybe

# Empirically verify the MTU.  Results logged after about 3 minutes.
# Requires equivalent support on the other end.
mtu-test

# Send pings to keep conntracks alive and detect a dead peer, only if connected.
# ping: interval in seconds; ping-exit: exit after this many seconds without
# a ping from the peer.
ping 60
ping-exit 180
ping-timer-rem

# Parameters of Server

# Multi-client server mode
# NOTE(review): bare "server" with no network/netmask; the 2.0 release
# spells this either "mode server" or "server <net> <mask>" -- confirm this
# form is what beta5 accepts.
server

# Address range for clients.  Each one takes 4 addresses (a.b.c.d/30).
# Server will inform client if the client does "pull".  Server needs to send
# packets destined to the pool via tun0.
ifconfig-pool 192.168.250.4 192.168.250.248
route 192.168.250.0 255.255.255.0

# Address of server (the 2nd address is arbitrary).  Tell this to client.
# The client ends up with its tun0 pointopoint between two pool addresses,
# and a host-oid route to the real server endpoint via the pool address.
# Creepy but it works.
ifconfig 192.168.250.254 192.168.250.253
push "route 192.168.250.254 255.255.255.255"

# Don't complain about not knowing IP addresses.
ifconfig-nowarn

# Connection freq, N connects per S seconds.  Resist denial of service attacks.
# (1 new connection per second overall; legitimate reconnect storms after an
# outage will be throttled by this too.)
connect-freq 1 1

# Our OpenVPN peer: wait for something to connect to the server.
# remote its.host.name

# Allow reconnects with a different IP address (DHCP renew does that sometimes)
# NOTE(review): float means the peer's source address is not part of the
# session identity; the session is bound by the TLS/HMAC state only.
float

# Protocol (udp, tcp-server, tcp-client).  udp is the default, and usually best.
proto udp

# Port (default is 5000)
# port 5000

# The client should handle its own ifconfig and routes (default gateway).
# We don't push those out.

# Crypto Parameters (must match the peer, can't push them)
# NOTE(review): there is no tls-auth here, so the server will start a TLS
# handshake with any source that sends one; a control-channel HMAC key is the
# 2.0-era way to make unauthenticated handshakes cheap to drop -- consider it.

# HMAC algorithm (anti-tampering checksum)
# NOTE(review): HMAC-SHA1 on the data channel.  Acceptable in 2004; on a newer
# OpenVPN a SHA-2 value (e.g. auth SHA256) is preferred.  Must be changed on
# both ends at once, as the section header says.
auth SHA1

# Cryptographic cipher on main data channel
# NOTE(review): CBC mode with a separate HMAC; newer releases offer AEAD
# ciphers (e.g. AES-256-GCM) which remove the separate auth step.  Same
# both-ends constraint applies.
cipher AES-128-CBC

# TLS encryption algo(s), colon separated.  `openvpn --show-tls` for a list.  30
# ciphers in default list starting with DHE-RSA-AES256-SHA (most preferred)
# down to EXP-RC4-MD5 (40 bits).  Use default.
# NOTE(review): "use default" leaves 40-bit export suites (EXP-RC4-MD5) in the
# negotiable list; the tls-cipher option exists to pin this list -- TODO
# confirm the library defaults on the build actually deployed.

# Use LZO compression (with adaptive shutoff)
# NOTE(review): compressing before encrypting can leak information about the
# plaintext (compression side channels); reconsider on current versions.
comp-lzo

# TLS Parameters

# Polarity of this host (tls-client or tls-server)
tls-server

# Certificate Authority file (symbolic links to the real locations)
ca ucla-math.crt

# Our certificate/public key
cert host.crt

# Our private key
# NOTE(review): this file is the server identity; it should be readable by the
# daemon's user only (persist-key above keeps it in memory across restarts).
key host.key

# Diffie-Hellman parameters (1024 bits) (only needed on server)
# NOTE(review): 1024-bit DH is below current recommendations (2048+); the
# parameters are server-side only, so regenerating does not require client
# changes.
dh dh1024.pem

# This command allows one user to have more than one connection at a time,
# e.g. from multiple machines on his home net.
# NOTE(review): with duplicate-cn a second session using the same cert does
# not displace the first, so a copied key can connect alongside the legitimate
# client without that client noticing a disconnect.  If per-certificate
# uniqueness is wanted, drop this and issue one cert per machine.
duplicate-cn