path: root/patches/source/openvpn/slackware.conf
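# openvpn.conf.sample
#
# This is a sample configuration file for OpenVPN.
# Not all options are listed here; you can find good documentation 
# about all of the options in OpenVPN's manual page - openvpn(8).
#
# You can make a P-t-P connection by creating a shared key, 
# copying this key to other hosts in your network, and changing
# the IP addresses in this file.
#
# Commented options are provided for some typical configurations.
#
# Note on modes: the static-key mode ("secret") and the TLS mode
# ("server"/"client" with ca/cert/key) are mutually exclusive - enable
# one or the other, never both in the same configuration.

# Change the "search" path to /etc/openvpn
# All files referenced in this configuration will be relative to 
# whatever directory is specified here - we default to /etc/openvpn 
cd /etc/openvpn

# If running as a server, which local IP address should OpenVPN
# listen on? Specify this as either a hostname or IP address. If
# this is left blank, OpenVPN will default to listening on all
# interfaces.
#local a.b.c.d

# This option defines the IP or DNS name of the other side of your VPN
# connection.  This option is needed if you are making client or P-t-P 
# connections.  If you are the server, use "local" instead.  This may
# be specified as a domain name or IP address.
#remote vpn.server.org

# This option defines the protocol to use.  Valid options are:
# udp, tcp-server, or tcp-client.  Default is udp, and generally
# speaking, tcp is a bad idea.
proto udp

# This option defines the port on which your server will be listening 
# or trying to connect. The default is 1194
port 1194

# This option defines whether to use LZO compression. 
# If enabled, it must be enabled at both ends of the VPN connection. 
# Compressing data before it is encrypted lets an attacker who can
# inject chosen plaintext learn secrets from the ciphertext length
# (the VORACLE class of attacks), so leave this off unless you have
# a specific need for it and understand the trade-off.
#comp-lzo

# Debug level (default 1)
#verb 3

# VPN logfile location
# If you don't specify a location here, logging will be done through
# syslogd and write to /var/log/messages
log-append /var/log/openvpn.log

# If you want to use OpenVPN as a daemon, uncomment this line.
# Generally speaking, servers should run OpenVPN as a daemon
# and clients should not.
#daemon

# Device type to use, you can choose between tun or tap. 
# TUN is the most common option. If you have multiple connections, 
# it is a good idea to bind each connection to a separate TUN/TAP 
# interface using tunX/tapX, where X is the number of each interface.
dev tun

# This option prevents OpenVPN from closing and re-opening the tun/tap 
# device every time it receives a SIGUSR1 signal
#persist-tun

# This is similar to the previous option, but it prevents OpenVPN from
# re-reading the key files every time
#persist-key

# Drop root privileges once the tunnel and key files are opened, so a
# compromise of the running process does not hand over root.  When you
# enable these you also need "persist-tun" and "persist-key" above,
# because the unprivileged process can no longer re-open the device
# or re-read the keys after a restart signal.
#user nobody
#group nobody

# If you are using a client-server architecture, you need to specify the 
# role of your computer in your VPN network.  To use one of these options,
# you need to configure TLS options too.
#
# To use the "server" option, you must specify a network subnet such
# as 172.16.1.0 255.255.255.0.  The first number is the network, the
# second is the netmask.  OpenVPN will take the first available IP
# for itself (in our example, 172.16.1.1) and the rest will be
# given to connecting clients dynamically.
#
# Leave these commented out if you are using OpenVPN in bridging mode.
#
#server 10.1.2.0 255.255.255.0
#client

# This option defines a file with IP address to client mapping. 
# This is useful in general, and necessary if clients use persist-tun.
#ifconfig-pool-persist ips.txt

# Enable this option if you want clients connected to this VPN to be
# able to talk directly to each other
#client-to-client

# This option defines the directory in which configuration files for clients 
# will reside.  With individual files you can make each client get different 
# options using "push" parameters
#client-config-dir ccd

# If you are using P-t-P, you need to specify the IP addresses at both ends 
# of your VPN connection.  The IP addresses are reversed at the other side.
#
# You can use this to specify client IP addresses in ccd files (on server) 
# or directly in client configuration
#ifconfig 10.1.2.1 10.1.2.2

# You can set routes to specific networks. In the sample below, "vpn_gateway"
# is an internal OpenVPN alias to your VPN gateway - leave it as is.
# This will enable you to talk with the networks behind your VPN server. 
# Multiple routes can be specified.
#
# +------------+ <eth>-<tun>               <tun>-<eth> +------------+
# |  Network1  |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---|  Network2  |
# +------------+   +------+                 +------+   +------------+
# 192.168.0.0/24                                       192.168.2.0/24
#
# The sample below shows how VPN1 server can reach Network2
#route 192.168.2.0 255.255.255.0 vpn_gateway

# You can send clients many network configuration options using the 
# "push" directive and sending commands.
# Multiple "push" directives can be used.  You should only put global
# "push" directives here.  You can "push" different options to
# different clients in per-client configuration files.  See
# "client-config-dir" above.
#
# Using the same network configuration that you see above, the route statement 
# here allows VPN2 to reach Network1 
#push "route-delay 2 600"
#push "route 192.168.2.0 255.255.255.0 vpn_gateway"
#push "persist-key"

# This option sets the encryption algorithm to use in the VPN connection.
# It must be set to the same value at both ends of the connection.
# Available options are:
# DES-CBC, RC2-CBC, DES-EDE-CBC,  DES-EDE3-CBC, 
# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, 
# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC
#
# Prefer one of the AES ciphers.  DES, RC2, CAST5 and Blowfish (BF-CBC)
# all have a 64-bit block size, which makes them vulnerable to
# birthday-bound attacks on long-lived tunnels (SWEET32) and is why
# BF-CBC is no longer an acceptable default.
cipher AES-256-CBC

# Shared Key Connection
# ---------------------
# Secret is one shared key between the hosts that want to connect through VPNs.
# Without secret or TLS options, your data will not be encrypted.
# 
# To generate an encryption key do:
#   openvpn --genkey --secret /etc/openvpn/keys/shared.key
#
# Do the above on one host and copy it to the others over a trusted
# channel, and keep the file readable only by root - anyone who can
# read it can decrypt and inject traffic on the VPN.
#
# Comment this line out if you switch to the TLS options below.
secret keys/shared.key

# TLS Connections
# ---------------
# TLS must be used if you use option "server" or "client"
# The basic idea there is: You have one Certificate Authority, and all 
# machines in your VPN network need to have individual certificates and 
# keys signed by Certificate Authority.  This means each client can
# have its own key, making it easier to revoke a key without copying
# a shared secret key to every client.
#
# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
# find "easy-rsa" scripts to make certificate and key management easier.

# Certificate Authority file 
# This file must be identical on all hosts that connect to your VPN
#ca certs/ca.crt

# If you are the server, you need to specify some Diffie-Hellman parameters. 
# OpenVPN provides some sample .pem files in documentation directory.
# Those samples are public; generate your own parameters for anything
# beyond a test setup (e.g. with openssl dhparam).
#dh my-dh.pem

# Certificate and Key signed by Certificate Authority
# Each machine needs to have their own unique certificate
#cert certs/machine.cert
#key keys/machine.key

# To prevent some DoS attacks we can add another authentication layer in the
# TLS control channel.  This needs to be enabled at both ends to work
# client uses the value 1; server uses the value 0
#
# The tls-auth key is a separate static key from the "secret" key above:
# generate it with the same "openvpn --genkey --secret" command into its
# own file, and never reuse the file named in "secret" here.
#tls-auth keys/ta.key 0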