pivpn/files/etc/openvpn/server_config.txt

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 149.112.112.112"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`dev tun`
			`proto udp`
			`port 1194`
Phase 2 (of 3?): server.conf modifications for easy-rsa3 2016-12-05 04:34:08 +00:00			`ca /etc/openvpn/easy-rsa/pki/ca.crt`
			`cert /etc/openvpn/easy-rsa/pki/issued/server.crt`
			`key /etc/openvpn/easy-rsa/pki/private/server.key`
Changed the default length of the Diffie-Hellman parameters to 2048 bits. This is the default everywhere else, both in documentation as well as menu selections and other scripts in this project. This change has no real impact aside from setting the right example. 2017-09-21 03:42:29 +00:00			`dh /etc/openvpn/easy-rsa/pki/dh2048.pem`
Phase 2 (of 3?): server.conf modifications for easy-rsa3 2016-12-05 04:34:08 +00:00			`topology subnet`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`server 10.8.0.0 255.255.255.0`
Allow user to set DNS server clients will use 2016-04-20 16:10:06 +00:00			`# Set your primary domain name server address for clients`
Remove Google DNS Remove Google DNS for privacy purposes, replace with Quad9 2019-12-24 09:23:21 +00:00			`push "dhcp-option DNS 9.9.9.9"`
			`push "dhcp-option DNS 149.112.112.112"`
DNS leak fix in server_config.txt Added fix to prevent DNS leak on Windows 10 2018-03-16 23:45:15 +00:00			`# Prevent DNS leaks on Windows`
			`push "block-outside-dns"`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`# Override the Client default gateway by using 0.0.0.0/1 and`
			`# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of`
			`# overriding but not wiping out the original default gateway.`
			`push "redirect-gateway def1"`
			`client-to-client`
Set static IPs when using OpenVPN - Preparation for feature request from issue #942 2020-02-09 17:51:30 +00:00			`client-config-dir /etc/openvpn/ccd`
Minor unattended fixes, adjusted openvpn settings 2019-11-14 16:42:56 +00:00			`keepalive 15 120`
The client config contains the remote-cert-tls option to check for appropriate key usage, let's do this for the server config too. 2017-09-22 08:30:14 +00:00			`remote-cert-tls client`
Set control channel to TLS 1.2 Debate with myself on adding cipher list. 2016-04-26 14:39:18 +00:00			`tls-version-min 1.2`
Phase 2 (of 3?): server.conf modifications for easy-rsa3 2016-12-05 04:34:08 +00:00			`tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0`
Increase default levels of security 2016-04-23 19:08:14 +00:00			`cipher AES-256-CBC`
			`auth SHA256`
Revert some minor changes 2019-12-10 15:06:28 +00:00			`user openvpn`
			`group openvpn`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`persist-key`
			`persist-tun`
Implemented that a Certificate Revocation List is generated during installation after generation of other Public Key Infrastructure. Enabled this CRL in the server config. The added benefit of this is that whenever the user now revokes a client, the change is instant. Whereas before, the first time a client was revoked, the OpenVPN server had to be restarted to enabled the then-newly-generated CRL. This change also makes the file /etc/pivpn/REVOKE_STATUS obsolete. Documentation: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke 2017-09-22 07:46:52 +00:00			`crl-verify /etc/openvpn/crl.pem`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`status /var/log/openvpn-status.log 20`
Add 'pivpn clients' command to show list of connected clients 2016-12-08 16:43:30 +00:00			`status-version 3`
2.4 2018-02-15 09:14:03 +00:00			`syslog`
			`verb 3`
Added OPTIONAL support for duplicate certificates Previous commits removed the duplicate cn option all together, this adds a comment to inform users of their options/choice. 2018-03-09 18:18:34 +00:00			`#DuplicateCNs allow access control on a less-granular, per user basis.`
			`#Remove # if you will manage access by user instead of device.`
			`#duplicate-cn`
Phase 2 (of 3?): server.conf modifications for easy-rsa3 2016-12-05 04:34:08 +00:00			`# Generated for use by PiVPN.io`