Radix cross Linux

The main Radix cross Linux repository contains the build scripts for the packages that provide the most complete and common functionality for desktop machines.

# openvpn.conf.sample
#
# This is a sample configuration file for OpenVPN.
# Not all options are listed here; you can find good documentation
# about all of the options in OpenVPN's manual page - openvpn(8).
#
# You can make a P-t-P connection by creating a shared key,
# copying this key to other hosts in your network, and changing
# the IP addresses in this file.
#
# Commented options are provided for some typical configurations.

# Change the "search" path to /etc/openvpn
# All files referenced in this configuration will be relative to
# whatever directory is specified here - we default to /etc/openvpn
cd /etc/openvpn

# If running as a server, which local IP address should OpenVPN
# listen on? Specify this as either a hostname or IP address. If
# this is left blank, OpenVPN will default to listening on all
# interfaces.
#local a.b.c.d

# This option defines the IP or DNS name of the other side of your VPN
# connection.  This option is needed if you are making client or P-t-P
# connections.  If you are the server, use "local" instead.  This may
# be specified as a domain name or IP address.
#remote vpn.server.org

# This option defines the protocol to use.  Valid options are:
# udp, tcp-server, or tcp-client.  Default is udp, and generally
# speaking, tcp is a bad idea.
proto udp

# This option defines the port on which your server will be listening
# or trying to connect. The default is 1194.
port 1194

# This option defines whether to use LZO compression.
# If enabled, it must be enabled at both ends of the VPN connection.
#comp-lzo

# Debug level (default 1)
#verb 3

# VPN logfile location
# If you don't specify a location here, logging will be done through
# syslogd and written to /var/log/messages
log-append /var/log/openvpn.log

# If you want to use OpenVPN as a daemon, uncomment this line.
# Generally speaking, servers should run OpenVPN as a daemon
# and clients should not.
#daemon

# Device type to use; you can choose between tun or tap.
# TUN is the most common option. If you have multiple connections,
# it is a good idea to bind each connection to a separate TUN/TAP
# interface using tunX/tapX, where X is the number of each interface.
dev tun

# This option prevents OpenVPN from closing and re-opening the tun/tap
# device every time it receives a SIGUSR1 signal.
#persist-tun

# This is similar to the previous option, but it prevents OpenVPN from
# re-reading the key files every time.
#persist-key

# If you are using a client-server architecture, you need to specify the
# role of your computer in your VPN network.  To use one of these options,
# you need to configure TLS options too.
#
# To use the "server" option, you must specify a network subnet such
# as 172.16.1.0 255.255.255.0.  The first number is the network, the
# second is the netmask.  OpenVPN will take the first available IP
# for itself (in our example, 172.16.1.1) and the rest will be
# given to connecting clients dynamically.
#
# Leave these commented out if you are using OpenVPN in bridging mode.
#
#server 10.1.2.0 255.255.255.0
#client

# This option defines a file with the IP address to client mapping.
# This is useful in general, and necessary if clients use persist-tun.
#ifconfig-pool-persist ips.txt

# Enable this option if you want clients connected to this VPN to be
# able to talk directly to each other.
#client-to-client

# This option defines the directory in which configuration files for clients
# will reside.  With individual files you can make each client get different
# options using "push" parameters.
#client-config-dir ccd

# If you are using P-t-P, you need to specify the IP addresses at both ends
# of your VPN connection.  The IP addresses are reversed at the other side.
#
# You can use this to specify client IP addresses in ccd files (on server)
# or directly in client configuration.
#ifconfig 10.1.2.1 10.1.2.2

# You can set routes to specific networks. In the sample below, "vpn_gateway"
# is an internal OpenVPN alias to your VPN gateway - leave it as is.
# This will enable you to talk with the networks behind your VPN server.
# Multiple routes can be specified.
#
# +------------+ <eth>-<tun>               <tun>-<eth> +------------+
# |  Network1  |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---|  Network2  |
# +------------+   +------+                 +------+   +------------+
# 192.168.0.0/24                                       192.168.2.0/24
#
# The sample below shows how the VPN1 server can reach Network2.
#route 192.168.2.0 255.255.255.0 vpn_gateway

# You can send clients many network configuration options using the
# "push" directive and sending commands.
# Multiple "push" directives can be used.  You should only put global
# "push" directives here.  You can "push" different options to
# different clients in per-client configuration files.  See
# "client-config-dir" above.
#
# Using the same network configuration that you see above, the route statement
# here allows VPN2 to reach Network1.
#push "route-delay 2 600"
#push "route 192.168.2.0 255.255.255.0 vpn_gateway"
#push "persist-key"

# This option sets the encryption algorithm to use in the VPN connection.
# Available options are:
# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC,
# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC,
# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC
cipher BF-CBC

# Shared Key Connection
# ---------------------
# Secret is one shared key between the hosts that want to connect through VPNs.
# Without secret or TLS options, your data will not be encrypted.
#
# To generate an encryption key do:
#   openvpn --genkey --secret /etc/openvpn/keys/shared.key
#
# Do the above on one host and copy it to the others.
secret keys/shared.key

# TLS Connections
# ---------------
# TLS must be used if you use option "server" or "client".
# The basic idea there is: you have one Certificate Authority, and all
# machines in your VPN network need to have individual certificates and
# keys signed by the Certificate Authority.  This means each client can
# have its own key, making it easier to revoke a key without copying
# a shared secret key to every client.
#
# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
# find "easy-rsa" scripts to make certificate and key management easier.

# Certificate Authority file
# This file must be identical on all hosts that connect to your VPN.
#ca certs/ca.crt

# If you are the server, you need to specify some Diffie-Hellman parameters.
# OpenVPN provides some sample .pem files in the documentation directory.
#dh my-dh.pem

# Certificate and Key signed by the Certificate Authority
# Each machine needs to have its own unique certificate.
#cert certs/machine.cert
#key keys/machine.key

# To prevent some DoS attacks we can add another authentication layer in the
# TLS control channel.  This needs to be enabled at both ends to work:
# the client uses the value 1; the server uses the value 0.
#tls-auth keys/shared.key 0

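The checks the comments in this sample describe (static key versus TLS mode, the case where neither is configured and traffic is sent unencrypted, the tls-auth key direction per role, and the 64-bit block size of most ciphers in the cipher list) can be applied to a config with a small audit script. This is an added example, not code from the Radix cross Linux repository or from OpenVPN; the two configs embedded in it are constructed, and the parser only handles whole-line comments.

```python
import shlex

# Ciphers from the sample's list with a 64-bit block size; flag them as weak.
WEAK_CIPHERS = {"DES-CBC", "RC2-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "DESX-CBC",
                "BF-CBC", "RC2-40-CBC", "CAST5-CBC", "RC2-64-CBC"}

def parse_openvpn_conf(text):
    """Return [(directive, [args])] for active lines; '#' and ';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)            # honours the quotes in push "..."
        entries.append((parts[0], parts[1:]))
    return entries

def audit_openvpn_conf(text):
    """Return finding strings for the misconfigurations the sample's comments warn about."""
    entries = parse_openvpn_conf(text)
    present = {d for d, _ in entries}
    tls_mode = present & {"server", "client"}   # empty set when in P-t-P / static-key mode
    findings = []
    if "secret" in present and tls_mode:
        findings.append("secret conflicts with %s: static-key and TLS modes are exclusive"
                        % ", ".join(sorted(tls_mode)))
    if "secret" not in present and not {"ca", "cert", "key"} <= present:
        findings.append("no secret and no ca/cert/key: tunnel traffic will not be encrypted")
    for directive, args in entries:
        if directive == "cipher" and args and args[0] in WEAK_CIPHERS:
            findings.append("cipher %s is a 64-bit block cipher; use AES-256-GCM" % args[0])
        if directive == "tls-auth" and len(args) == 2 and tls_mode:
            role = "server" if "server" in tls_mode else "client"
            expected = "0" if role == "server" else "1"   # direction per the sample's comment
            if args[1] != expected:
                findings.append("tls-auth direction %s but %s role expects %s"
                                % (args[1], role, expected))
    return findings

# Constructed sample 1: the directives the shipped file leaves active.
SHARED_KEY_CONF = "proto udp\nport 1194\nlog-append /var/log/openvpn.log\ndev tun\n" \
                  "cipher BF-CBC\nsecret keys/shared.key\n"

# Constructed sample 2: a server that kept "secret" and reversed the tls-auth direction.
SERVER_CONF = """server 10.1.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0 vpn_gateway"
ca certs/ca.crt
cert certs/machine.cert
key keys/machine.key
dh my-dh.pem
cipher AES-256-GCM
secret keys/shared.key
tls-auth keys/shared.key 1
"""

if __name__ == "__main__":
    for name, conf in (("shared-key", SHARED_KEY_CONF), ("server", SERVER_CONF)):
        print(name, audit_openvpn_conf(conf) or ["ok"])
```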