From 646a5c1cbfd95873950a87b5f75d52073a967023 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 28 May 2018 19:12:29 +0000 Subject: Mon May 28 19:12:29 UTC 2018 a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded. --- source/n/openvpn/doinst.sh | 25 +++++ source/n/openvpn/openvpn.SlackBuild | 58 ++++++++---- source/n/openvpn/openvpn.conf.sample | 178 ----------------------------------- source/n/openvpn/openvpn.url | 3 +- source/n/openvpn/rc.openvpn | 111 ++++++++++++++++++++++ source/n/openvpn/slack-desc | 8 +- source/n/openvpn/slackware.conf | 178 +++++++++++++++++++++++++++++++++++ 7 files changed, 360 insertions(+), 201 deletions(-) create mode 100644 source/n/openvpn/doinst.sh delete mode 100644 source/n/openvpn/openvpn.conf.sample create mode 100644 source/n/openvpn/rc.openvpn create mode 100644 source/n/openvpn/slackware.conf (limited to 'source/n/openvpn') diff --git a/source/n/openvpn/doinst.sh b/source/n/openvpn/doinst.sh new file mode 100644 index 000000000..4b9b133a9 --- /dev/null +++ b/source/n/openvpn/doinst.sh 
@@ -0,0 +1,25 @@ +#!/bin/sh +config() { + NEW="$1" + OLD="`dirname $NEW`/`basename $NEW .new`" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} +preserve_perms() { + NEW="$1" + OLD="$(dirname ${NEW})/$(basename ${NEW} .new)" + if [ -e ${OLD} ]; then + cp -a ${OLD} ${NEW}.incoming + cat ${NEW} > ${NEW}.incoming + mv ${NEW}.incoming ${NEW} + fi + config ${NEW} +} + +preserve_perms etc/rc.d/rc.openvpn.new + diff --git a/source/n/openvpn/openvpn.SlackBuild b/source/n/openvpn/openvpn.SlackBuild index cb9efc4f0..c8457f9d3 100755 --- a/source/n/openvpn/openvpn.SlackBuild +++ b/source/n/openvpn/openvpn.SlackBuild @@ -1,7 +1,7 @@ -#!/bin/sh +#!/bin/bash # Copyright 2006, Alan Hicks, Lizella, GA -# Copyright 2008, 2009, 2010, 2011, 2013 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2008, 2009, 2010, 2011, 2013, 2016, 2018 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -21,10 +21,11 @@ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +cd $(dirname $0) ; CWD=$(pwd) PKGNAM=openvpn VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -36,6 +37,14 @@ if [ -z "$ARCH" ]; then esac fi +# If the variable PRINT_PACKAGE_NAME is set, then this script will report what +# the name of the created package would be, and then exit. This information +# could be useful to other scripts. +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz" + exit 0 +fi + NUMJOBS=${NUMJOBS:-" -j7 "} if [ "$ARCH" = "i586" ]; then 
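Review bot: The redundancy check in `config()` runs each file through `cat | md5sum` and compares digests, where a byte-wise compare does the same job with no hash and no extra pipelines: `elif cmp -s "$OLD" "$NEW"; then # toss the redundant copy`. The two functions also differ in style (backticks and bare `$OLD`/`$NEW` in `config()`, `$(...)` and `${NEW}` in `preserve_perms()`), and the path expansions in `[ ! -r $OLD ]`, `mv $NEW $OLD`, `rm $NEW` and the `cp -a`/`mv` lines are unquoted; the fixed relative path `etc/rc.d/rc.openvpn.new` keeps that harmless today, but quoting them costs nothing. `preserve_perms()` deliberately carries the mode and ownership of an existing `/etc/rc.d/rc.openvpn` onto the incoming file, so an admin who has made the script executable keeps it enabled across the upgrade; a one-line comment stating that intent would help the next reader, e.g. `# Keep the admin's mode/owner on rc.openvpn (an executable script stays enabled across upgrades).`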
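Review bot: `cd $(dirname $0) ; CWD=$(pwd)` never checks that the `cd` succeeded, yet everything downstream depends on `CWD` being the script's directory (`cp -a $CWD/rc.openvpn`, `cp -a $CWD/slackware.conf`, `zcat $CWD/doinst.sh.gz`, `cat $CWD/slack-desc` in the later hunks), as does the `VERSION` glob on the very next line; `cd $(dirname $0) || exit 1 ; CWD=$(pwd)` stops a wrong working directory from propagating silently into the rest of the build. In the following `PRINT_PACKAGE_NAME` hunk, `[ ! -z "${PRINT_PACKAGE_NAME}" ]` reads more directly as `[ -n "${PRINT_PACKAGE_NAME}" ]`.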
@@ -52,7 +61,6 @@ else LIBDIRSUFFIX="" fi -CWD=$(pwd) TMP=${TMP:-/tmp} PKG=$TMP/package-$PKGNAM @@ -84,9 +92,8 @@ CXXFLAGS="$SLKCFLAGS" \ --docdir=/usr/doc/openvpn-${VERSION} \ --enable-lzo \ --enable-iproute2 \ - --enable-password-save \ --disable-plugin-auth-pam \ - --build=$ARCH-slackware-linux + --build=$ARCH-slackware-linux || exit 1 make $NUMJOBS || make || exit 1 make install-strip DESTDIR=$PKG || exit 1 
@@ -97,26 +104,33 @@ mkdir -p $PKG/etc/openvpn/{certs,keys} chown root:nobody $PKG/etc/openvpn/{certs,keys} chmod 750 $PKG/etc/openvpn/{certs,keys} -# Install a reasonably generic sample config file: -cp -a $CWD/openvpn.conf.sample $PKG/etc/openvpn/openvpn.conf.sample -chmod 644 $PKG/etc/openvpn/openvpn.conf.sample +# Install a startup script: +mkdir -p $PKG/etc/rc.d +cp -a $CWD/rc.openvpn $PKG/etc/rc.d/rc.openvpn.new +chmod 644 $PKG/etc/rc.d/rc.openvpn.new +chown root:root $PKG/etc/rc.d/rc.openvpn.new # Let folks know about the other configs, if they haven't found them. # They might even find the documentation there useful. ;-) cat << EOF > $PKG/etc/openvpn/README.TXT -Have a look in /usr/doc/$PKGNAM-$VERSION/sample-config-files -for some more examples of how to configure OpenVPN. You'll -need to add something to your /etc/rc.d/rc.local to start -OpenVPN, as well as to tell it where to find its config file. +One or more OpenVPN config files should be installed in this directory +as files ending in ".conf" (i.e. client.conf, server.conf, etc.). + +Have a look in sample-config-files for some more examples of how to +configure OpenVPN. + +To start OpenVPN, use this command as root: +sh /etc/rc.d/rc.openvpn start +To make OpenVPN start automatically at boot, change the script permissions: +chmod 755 /etc/rc.d/rc.openvpn See "man openvpn" and the other docs for more information. EOF # Add a link, too: -mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files -( cd $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files - ln -sf /etc/openvpn/openvpn.conf.sample . +( cd $PKG/etc/openvpn + ln -sf /usr/doc/$PKGNAM-$VERSION/sample-config-files . ) if [ -d $PKG/usr/man ]; then 
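Review bot: The README written by this hunk tells the admin to place `.conf` files in `/etc/openvpn` but not that `rc.openvpn` starts a separate daemon for every `*.conf` it finds there, each with `--user nobody --group nobody`, so a draft or half-edited config with that extension is started at boot once the script is made executable. A sentence such as `Every file ending in ".conf" in this directory is started by rc.openvpn, so keep drafts and samples under a different extension.` would close that gap. It is also worth noting in the README that the `sample-config-files` symlink created just below is a directory, so the samples inside it are not matched by the script's `/etc/openvpn/*.conf` glob.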
@@ -127,10 +141,17 @@ if [ -d $PKG/usr/man ]; then fi mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION -cp -a AUTHORS COPYING* COPYRIGHT.GPL INSTALL INSTALL-win32.txt \ - NEWS PORTS README* sample-config-files sample-keys sample-scripts easy-rsa \ +cp -a AUTHORS COPYING* COPYRIGHT* INSTALL* \ + NEWS PORTS README* sample/sample-config-files sample/sample-keys sample/sample-scripts \ $PKG/usr/doc/$PKGNAM-$VERSION +# Install a reasonably generic sample config file: +# (put this in with the other samples) +mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files +cp -a $CWD/slackware.conf $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files +chown root:root $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files/slackware.conf +chmod 644 $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files/slackware.conf + # If there's a ChangeLog, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r ChangeLog ]; then @@ -140,6 +161,7 @@ if [ -r ChangeLog ]; then fi mkdir -p $PKG/install +zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh cat $CWD/slack-desc > $PKG/install/slack-desc cd $PKG diff --git a/source/n/openvpn/openvpn.conf.sample b/source/n/openvpn/openvpn.conf.sample deleted file mode 100644 index 4314b5441..000000000 --- a/source/n/openvpn/openvpn.conf.sample +++ /dev/null 
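Review bot: `zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh` has no exit check, while the commit adds the script as plain `source/n/openvpn/doinst.sh` (see the diffstat); presumably the build tree carries it gzipped, but if `doinst.sh.gz` is ever absent the redirection still creates an empty `doinst.sh`, the package installs without its post-install step, and `/etc/rc.d/rc.openvpn.new` is never moved into place. The `cp -a`, `chown` and `chmod` calls in the previous hunk are equally unchecked, but this one silently drops the install hook rather than failing loudly, so `zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh || exit 1` is worth adding. Installing `slackware.conf` under `/usr/doc` rather than `/etc/openvpn` is the right call, since the rc script's `*.conf` glob would otherwise start it.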
@@ -1,178 +0,0 @@
-# openvpn.conf.sample
-#
-# This is a sample configuration file for OpenVPN.
-# Not all options are listed here; you can find good documentation
-# about all of the options in OpenVPN's manual page - openvpn(8).
-#
-# You can make a P-t-P connection by creating a shared key,
-# copying this key to other hosts in your network, and changing
-# the IP addresses in this file.
-#
-# Commented options are provided for some typical configurations
-
-# Change the "search" path to /etc/openvpn
-# All files referenced in this configuration will be relative to
-# whatever directory is specified here - we default to /etc/openvpn
-cd /etc/openvpn
-
-# If running as a server, which local IP address should OpenVPN
-# listen on? Specify this as either a hostname or IP address. If
-# this is left blank, OpenVPN will default to listening on all
-# interfaces.
-#local a.b.c.d
-
-# This option defines the IP or DNS name of the other side of your VPN
-# connection. This option is needed if you are making client or P-t-P
-# connections. If you are the server, use "local" instead. This may
-# be specified as a domain name or IP address.
-#remote vpn.server.org
-
-# This option defins the protocol to use. Valid options are:
-# udp, tcp-server, or tcp-client. Default is udp, and generally
-# speaking, tcp is a bad idea.
-proto udp
-
-# This option defines the port on which your server will be listening
-# or trying to connect. The default is 1194
-port 1194
-
-# This option defines whether to use LZO compression.
-# If enabled, it must be enabled at both ends of the VPN connection.
-#comp-lzo
-
-# Debug level (default 1)
-#verb 3
-
-# VPN logfile location
-# If you don't specify a location here, logging will be done through
-# syslogd and write to /var/log/messages
-log-append /var/log/openvpn.log
-
-# If you want to use OpenVPN as a daemon, uncomment this line.
-# Generally speaking, servers should run OpenVPN as a daemon
-# and clients should not.
-#daemon
-
-# Device type to use, you can choose between tun or tap.
-# TUN is the most common option. If you have multiple connections,
-# it is a good idea to bind each connection to a separate TUN/TAP
-# interface using tunX/tapX, where X is the number of each interface.
-dev tun
-
-# This option prevents OpenVPN from closing and re-opening the tun/tap
-# device every time it receives a SIGUSR1 signal
-#persist-tun
-
-# This is similar to the previous option, but it prevents OpenVPN from
-# re-reading the key files every time
-#persist-key
-
-# If you are using a client-server architecture, you need to specify the
-# role of your computer in your VPN network. To use one of these options,
-# you need to configure TLS options too.
-#
-# To use the "server" option, you must specify a network subnet such
-# as 172.16.1.0 255.255.255.0. The first number is the network, the
-# second is the netmask. OpenVPN will take the first available IP
-# for itself (in our example, 172.16.1.1) and the rest will be
-# given to connecting clients dynamically.
-#
-# Leave these commented out if you are using OpenVPN in bridging mode.
-#
-#server 10.1.2.0 255.255.255.0
-#client
-
-# This option defines a file with IP address to client mapping.
-# This is useful in general, and necessary if clients use persist-tun.
-#ifconfig-pool-persist ips.txt
-
-# Enable this option if you want clients connected to this VPN to be
-# able to talk directly to each other
-#client-to-client
-
-# This option defines the directory in which configuration files for clients
-# will reside. With individual files you can make each client get different
-# options using "push" parameters
-#client-config-dir ccd
-
-# If you are using P-t-P, you need to specify the IP addresses at both ends
-# of your VPN connection. The IP addresses are reversed at the other side.
-# -# You can use this to specify client IP addresses in ccd files (on server) -# or directly in client configuration -#ifconfig 10.1.2.1 10.1.2.2 - -# You can set routes to specific networks. In the sample below, "vpn_gateway" -# is an internal OpenVPN alias to your VPN gateway - leave it as is. -# This will enable you to talk with the networks behind your VPN server. -# Multiple routes can be specified. -# -# +------------+ - - +------------+ -# | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 | -# +------------+ +------+ +------+ +------------+ -# 192.168.0.0/24 192.168.2.0/24 -# -# The sample below shows how VPN1 server can reach Network2 -#route 192.168.2.0 255.255.255.0 vpn_gateway - -# You can send clients many network configuration options using the -# "push" directive and sending commands. -# Multiple "push" directives can be used. You should only put global -# "push" directives here. You can "push" different options to -# different clients in per-client configuration files. See -# "client-config-dir" above. -# -# Using the same network configuration that you see above, the route statment -# here allows VPN2 to reach Network1 -#push "route-delay 2 600" -#push "route 192.168.2.0 255.255.255.0 vpn_gateway" -#push "persist-key" - -# This option sets the encryption algorithm to use in the VPN connection. -# Available options are: -# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC, -# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, -# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC -cipher BF-CBC - -# Shared Key Connection -# --------------------- -# Secret is one shared key between the hosts that want to connect through VPNs. -# Without secret or TLS options, your data will not be encrypted. 
-#
-# To generate an encryption key do:
-# openvpn --genkey --secret /etc/openvpn/keys/shared.key
-#
-# Do the above on one host and copy it to the others
-secret keys/shared.key
-
-# TLS Connections
-# ---------------
-# TLS must be used if you use option "server" or "client"
-# The basic idea there is: You have one Certificate Authority, and all
-# machines in your VPN network need to have individual certificates and
-# keys signed by Certificate Authority. This means each client can
-# have its own key, making it easier to revoke a key without copying
-# a shared secret key to every client.
-#
-# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
-# find "easy-rsa" scripts to make certificate and key management easier.
-
-# Certificate Authority file
-# This file must be identical on all hosts that connect to your VPN
-#ca certs/ca.crt
-
-# If you are the server, you need to specify some Diffie Hellman parameters.
-# OpenVPN provides some sample .pem files in documentation directory
-#dh my-dh.pem
-
-# Certificate and Key signed by Certificate Authority
-# Each machine needs to have their own unique certificate
-#cert certs/machine.cert
-#key keys/machine.key
-
-# To prevent some DoS attacks we can add another authentication layer in the
-# TLS control channel. This needs to be enabled at both ends to work
-# client uses the value 1; server uses the value 0
-#tls-auth keys/shared.key 0
-
diff --git a/source/n/openvpn/openvpn.url b/source/n/openvpn/openvpn.url
index 0845c4112..4c476d874 100644
--- a/source/n/openvpn/openvpn.url
+++ b/source/n/openvpn/openvpn.url
@@ -1 +1,2 @@
-https://swupdate.openvpn.org/community/releases/
+https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.xz
+https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.xz.asc
diff --git a/source/n/openvpn/rc.openvpn b/source/n/openvpn/rc.openvpn
new file mode 100644
index 000000000..86f319225
--- /dev/null
+++ b/source/n/openvpn/rc.openvpn
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.openvpn
+#
+# Start/stop/restart the openvpn daemon.
+#
+# By default, this script will start/stop/restart a daemon for every *.conf
+# file found in /etc/openvpn.
+#
+# To work with a single connection, add the name of the config file:
+# /etc/rc.d/rc.openvpn start configfile.conf
+#
+# You may also use a config file not found in /etc/openvpn by providing a
+# complete path:
+# /etc/rc.d/rc.openvpn start /path/to/some/other/configfile.conf
+#
+# The name of a config file provided with a complete path should not match
+# the name of any config file present in the /etc/openvpn directory.
+
+ovpn_start() {
+ if [ -x /usr/sbin/openvpn ]; then
+ if [ -z "$1" ]; then # start OpenVPN for all config files:
+ if /bin/ls /etc/openvpn/*.conf 1> /dev/null 2> /dev/null ; then
+ for config in /etc/openvpn/*.conf ; do
+ echo "Starting OpenVPN: /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $config).pid --user nobody --group nobody --config $config"
+ /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $config).pid --user nobody --group nobody --config $config
+ done
+ else
+ echo "Unable to start OpenVPN - no .conf files found in /etc/openvpn/."
+ fi
+ else # start OpenVPN for one config file:
+ if [ -r "$1" ]; then
+ echo "Starting OpenVPN: /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $1).pid --user nobody --group nobody --config $1"
+ /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $1).pid --user nobody --group nobody --config $1
+ else # config file is missing:
+ echo "Error starting OpenVPN: config file $1 is missing."
+ fi
+ fi
+ fi
+}
+
+ovpn_stop() {
+ # Note: OpenVPN has a bad habit of leaving stale pid files around when exiting.
+ # Maybe it would be better to just use killall unless called for one config?
+ if [ -z "$1" ]; then # stop OpenVPN for all pid files:
+ if /bin/ls /run/openvpn/*.pid 1> /dev/null 2> /dev/null ; then
+ for pid in /run/openvpn/*.pid ; do
+ echo "Stopping OpenVPN for pid file $pid..."
+ kill $(cat $pid)
+ rm -f $pid
+ done
+ else
+ echo "Warning: no pid files found in /run/openvpn/. Using killall to stop any OpenVPN processes."
+ killall openvpn
+ fi
+ else # stop OpenVPN for one config file:
+ if [ -r /run/openvpn/$(basename ${1}).pid ]; then
+ echo "Stopping OpenVPN for config file ${1}..."
+ kill $(cat /run/openvpn/$(basename ${1}).pid)
+ rm -f /run/openvpn/$(basename ${1}).pid
+ else
+ echo "Error stopping OpenVPN: no such pid file /run/openvpn/$(basename ${1}).pid"
+ fi
+ fi
+}
+
+ovpn_restart() {
+ if [ ! -z "$1" ]; then # restart for all config files:
+ ovpn_stop
+ sleep 2
+ ovpn_start
+ else # restart for one config file only:
+ ovpn_stop $1
+ sleep 2
+ ovpn_start $1
+ fi
+}
+
+ovpn_status() {
+ if /bin/ls /run/openvpn/*.pid 1> /dev/null 2> /dev/null ; then
+ echo "Currently running OpenVPN processes according to .pid files in /run/openvpn:"
+ for pid in /run/openvpn/*.pid ; do
+ echo " $(basename $pid) ($(cat $pid))"
+ done
+ else
+ echo "No .pid files found in /run/openvpn."
+ fi
+}
+
+# Create PID directory if it doesn't exist:
+if [ ! -d /run/openvpn ]; then
+ mkdir -p /run/openvpn
+fi
+
+case "$1" in
+'start')
+ ovpn_start $2
+ ;;
+'stop')
+ ovpn_stop $2
+ ;;
+'restart')
+ ovpn_restart $2
+ ;;
+'status')
+ ovpn_status
+ ;;
+*)
+ echo "Usage: $0 {start|stop|restart}"
+esac
+
diff --git a/source/n/openvpn/slack-desc b/source/n/openvpn/slack-desc
index e73ab2fd2..7ffd6167d 100644
--- a/source/n/openvpn/slack-desc
+++ b/source/n/openvpn/slack-desc
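Review bot: `ovpn_restart` has its test inverted: `if [ ! -z "$1" ]` takes the "all config files" branch exactly when a single config name was given, so `rc.openvpn restart client.conf` stops every tunnel (falling through to `killall openvpn` if no pid files exist) and restarts them all, while a bare `restart` lands in the one-config branch with an empty argument; the fix is `if [ -z "$1" ]; then # restart for all config files:`. The stop path runs `kill $(cat $pid)` on whatever the file contains, and the comment above it already admits stale pid files are common; by the time `stop` runs, a stale pid may belong to an unrelated process, so verifying that the pid still names an openvpn process (for instance via `/proc/<pid>/exe`) and skipping empty or non-numeric files before signalling would make `stop` safer. Because each daemon is started with `--user nobody --group nobody`, a SIGUSR1 or `--ping-restart` reconnect cannot re-read `keys/` or reopen the tun device after the privilege drop unless the config sets `persist-key` and `persist-tun`, and the sample shipped by this commit leaves both commented out; the header comment should say so. The usage line also omits the `status` action it implements: `echo "Usage: $0 {start|stop|restart|status}"`.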
@@ -1,8 +1,8 @@ # HOW TO EDIT THIS FILE: -# The "handy ruler" below makes it easier to edit a package description. Line +# The "handy ruler" below makes it easier to edit a package description. Line # up the first '|' above the ':' following the base package name, and the '|' -# on the right side marks the last column you can put a character in. You must -# make exactly 11 lines for the formatting to be correct. It's also +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also # customary to leave one space after the ':'. |-----handy-ruler------------------------------------------------------| @@ -13,7 +13,7 @@ openvpn: of configurations, including remote access, site-to-site VPNs, WiFi openvpn: security, and enterprise-scale remote access with load balancing, openvpn: failover, and fine-grained access-controls. openvpn: -openvpn: OpenVPN's home on the net is: http://openvpn.net +openvpn: OpenVPN's home on the net is: http://openvpn.net openvpn: openvpn: openvpn: diff --git a/source/n/openvpn/slackware.conf b/source/n/openvpn/slackware.conf new file mode 100644 index 000000000..4314b5441 --- /dev/null +++ b/source/n/openvpn/slackware.conf 
@@ -0,0 +1,178 @@
+# openvpn.conf.sample
+#
+# This is a sample configuration file for OpenVPN.
+# Not all options are listed here; you can find good documentation
+# about all of the options in OpenVPN's manual page - openvpn(8).
+#
+# You can make a P-t-P connection by creating a shared key,
+# copying this key to other hosts in your network, and changing
+# the IP addresses in this file.
+#
+# Commented options are provided for some typical configurations
+
+# Change the "search" path to /etc/openvpn
+# All files referenced in this configuration will be relative to
+# whatever directory is specified here - we default to /etc/openvpn
+cd /etc/openvpn
+
+# If running as a server, which local IP address should OpenVPN
+# listen on? Specify this as either a hostname or IP address. If
+# this is left blank, OpenVPN will default to listening on all
+# interfaces.
+#local a.b.c.d
+
+# This option defines the IP or DNS name of the other side of your VPN
+# connection. This option is needed if you are making client or P-t-P
+# connections. If you are the server, use "local" instead. This may
+# be specified as a domain name or IP address.
+#remote vpn.server.org
+
+# This option defins the protocol to use. Valid options are:
+# udp, tcp-server, or tcp-client. Default is udp, and generally
+# speaking, tcp is a bad idea.
+proto udp
+
+# This option defines the port on which your server will be listening
+# or trying to connect. The default is 1194
+port 1194
+
+# This option defines whether to use LZO compression.
+# If enabled, it must be enabled at both ends of the VPN connection.
+#comp-lzo
+
+# Debug level (default 1)
+#verb 3
+
+# VPN logfile location
+# If you don't specify a location here, logging will be done through
+# syslogd and write to /var/log/messages
+log-append /var/log/openvpn.log
+
+# If you want to use OpenVPN as a daemon, uncomment this line.
+# Generally speaking, servers should run OpenVPN as a daemon
+# and clients should not.
+#daemon
+
+# Device type to use, you can choose between tun or tap.
+# TUN is the most common option. If you have multiple connections,
+# it is a good idea to bind each connection to a separate TUN/TAP
+# interface using tunX/tapX, where X is the number of each interface.
+dev tun
+
+# This option prevents OpenVPN from closing and re-opening the tun/tap
+# device every time it receives a SIGUSR1 signal
+#persist-tun
+
+# This is similar to the previous option, but it prevents OpenVPN from
+# re-reading the key files every time
+#persist-key
+
+# If you are using a client-server architecture, you need to specify the
+# role of your computer in your VPN network. To use one of these options,
+# you need to configure TLS options too.
+#
+# To use the "server" option, you must specify a network subnet such
+# as 172.16.1.0 255.255.255.0. The first number is the network, the
+# second is the netmask. OpenVPN will take the first available IP
+# for itself (in our example, 172.16.1.1) and the rest will be
+# given to connecting clients dynamically.
+#
+# Leave these commented out if you are using OpenVPN in bridging mode.
+#
+#server 10.1.2.0 255.255.255.0
+#client
+
+# This option defines a file with IP address to client mapping.
+# This is useful in general, and necessary if clients use persist-tun.
+#ifconfig-pool-persist ips.txt
+
+# Enable this option if you want clients connected to this VPN to be
+# able to talk directly to each other
+#client-to-client
+
+# This option defines the directory in which configuration files for clients
+# will reside. With individual files you can make each client get different
+# options using "push" parameters
+#client-config-dir ccd
+
+# If you are using P-t-P, you need to specify the IP addresses at both ends
+# of your VPN connection. The IP addresses are reversed at the other side.
+# +# You can use this to specify client IP addresses in ccd files (on server) +# or directly in client configuration +#ifconfig 10.1.2.1 10.1.2.2 + +# You can set routes to specific networks. In the sample below, "vpn_gateway" +# is an internal OpenVPN alias to your VPN gateway - leave it as is. +# This will enable you to talk with the networks behind your VPN server. +# Multiple routes can be specified. +# +# +------------+ - - +------------+ +# | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 | +# +------------+ +------+ +------+ +------------+ +# 192.168.0.0/24 192.168.2.0/24 +# +# The sample below shows how VPN1 server can reach Network2 +#route 192.168.2.0 255.255.255.0 vpn_gateway + +# You can send clients many network configuration options using the +# "push" directive and sending commands. +# Multiple "push" directives can be used. You should only put global +# "push" directives here. You can "push" different options to +# different clients in per-client configuration files. See +# "client-config-dir" above. +# +# Using the same network configuration that you see above, the route statment +# here allows VPN2 to reach Network1 +#push "route-delay 2 600" +#push "route 192.168.2.0 255.255.255.0 vpn_gateway" +#push "persist-key" + +# This option sets the encryption algorithm to use in the VPN connection. +# Available options are: +# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC, +# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, +# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC +cipher BF-CBC + +# Shared Key Connection +# --------------------- +# Secret is one shared key between the hosts that want to connect through VPNs. +# Without secret or TLS options, your data will not be encrypted. 
+#
+# To generate an encryption key do:
+# openvpn --genkey --secret /etc/openvpn/keys/shared.key
+#
+# Do the above on one host and copy it to the others
+secret keys/shared.key
+
+# TLS Connections
+# ---------------
+# TLS must be used if you use option "server" or "client"
+# The basic idea there is: You have one Certificate Authority, and all
+# machines in your VPN network need to have individual certificates and
+# keys signed by Certificate Authority. This means each client can
+# have its own key, making it easier to revoke a key without copying
+# a shared secret key to every client.
+#
+# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
+# find "easy-rsa" scripts to make certificate and key management easier.
+
+# Certificate Authority file
+# This file must be identical on all hosts that connect to your VPN
+#ca certs/ca.crt
+
+# If you are the server, you need to specify some Diffie Hellman parameters.
+# OpenVPN provides some sample .pem files in documentation directory
+#dh my-dh.pem
+
+# Certificate and Key signed by Certificate Authority
+# Each machine needs to have their own unique certificate
+#cert certs/machine.cert
+#key keys/machine.key
+
+# To prevent some DoS attacks we can add another authentication layer in the
+# TLS control channel. This needs to be enabled at both ends to work
+# client uses the value 1; server uses the value 0
+#tls-auth keys/shared.key 0
+
-- cgit v1.2.3
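Review bot: `cipher BF-CBC` selects a 64-bit-block cipher; OpenVPN 2.4 (the release this commit packages, per `openvpn.url`) warns about it at startup because of the SWEET32 birthday attack, and the option list in the comment above it predates the AES-GCM modes 2.4 supports, so the sample should default to `cipher AES-256-CBC` (or `AES-256-GCM` for TLS setups) and the comment should list those. The TLS section suggests `#tls-auth keys/shared.key 0`, the same file used as the static `secret` above; `secret` and TLS mode are mutually exclusive, and the tls-auth key is distributed to every client, so it should not be the material that also protects a static-key tunnel — point it at a dedicated file such as `keys/ta.key` created with the same `openvpn --genkey --secret` command. Because `rc.openvpn` starts each daemon with `--user nobody --group nobody`, `persist-key` and `persist-tun` need to be enabled for restarts to survive the privilege drop; the comments on those two options should mention that instead of leaving them as optional niceties. The first line still reads `# openvpn.conf.sample` although the file is now `slackware.conf`, and `defins` in the `proto` comment is a typo.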