openwrt_lede/package/network/services/openvpn/files/openvpn.config

package openvpn

#################################################
# Sample to include a custom config file.       #
#################################################

config openvpn custom_config

	# Set to 1 to enable this instance:
	option enabled 0

	# Include OpenVPN configuration
	option config /etc/openvpn/my-vpn.conf


#################################################
# Sample OpenVPN 2.0 uci config for             #
# multi-client server.                          #
#################################################

config openvpn sample_server

	# Set to 1 to enable this instance:
	option enabled 0

	# Which local IP address should OpenVPN
	# listen on? (optional)
#	option local 0.0.0.0

	# Which TCP/UDP port should OpenVPN listen on?
	# If you want to run multiple OpenVPN instances
	# on the same machine, use a different port
	# number for each one.  You will need to
	# open up this port on your firewall.
	option port 1194

	# TCP or UDP server?
#	option proto tcp
	option proto udp

	# "dev tun" will create a routed IP tunnel,
	# "dev tap" will create an ethernet tunnel.
	# Use "dev tap0" if you are ethernet bridging
	# and have precreated a tap0 virtual interface
	# and bridged it with your ethernet interface.
	# If you want to control access policies
	# over the VPN, you must create firewall
	# rules for the the TUN/TAP interface.
	# On non-Windows systems, you can give
	# an explicit unit number, such as tun0.
	# On Windows, use "dev-node" for this.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface.
#	option dev tap
	option dev tun

	# SSL/TLS root certificate (ca), certificate
	# (cert), and private key (key).  Each client
	# and the server must have their own cert and
	# key file.  The server and all clients will
	# use the same ca file.
	#
	# See the "easy-rsa" directory for a series
	# of scripts for generating RSA certificates
	# and private keys.  Remember to use
	# a unique Common Name for the server
	# and each of the client certificates.
	#
	# Any X509 key management system can be used.
	# OpenVPN can also use a PKCS #12 formatted key file
	# (see "pkcs12" directive in man page).
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/server.crt
	# This file should be kept secret:
	option key /etc/openvpn/server.key

	# Diffie hellman parameters.
	# Generate your own with:
	#   openssl dhparam -out dh1024.pem 1024
	# Substitute 2048 for 1024 if you are using
	# 2048 bit keys.
	option dh /etc/openvpn/dh1024.pem

	# Configure server mode and supply a VPN subnet
	# for OpenVPN to draw client addresses from.
	# The server will take 10.8.0.1 for itself,
	# the rest will be made available to clients.
	# Each client will be able to reach the server
	# on 10.8.0.1. Comment this line out if you are
	# ethernet bridging. See the man page for more info.
	option server "10.8.0.0 255.255.255.0"

	# Maintain a record of client <-> virtual IP address
	# associations in this file.  If OpenVPN goes down or
	# is restarted, reconnecting clients can be assigned
	# the same virtual IP address from the pool that was
	# previously assigned.
	option ifconfig_pool_persist /tmp/ipp.txt

	# Configure server mode for ethernet bridging.
	# You must first use your OS's bridging capability
	# to bridge the TAP interface with the ethernet
	# NIC interface.  Then you must manually set the
	# IP/netmask on the bridge interface, here we
	# assume 10.8.0.4/255.255.255.0.  Finally we
	# must set aside an IP range in this subnet
	# (start=10.8.0.50 end=10.8.0.100) to allocate
	# to connecting clients.  Leave this line commented
	# out unless you are ethernet bridging.
#	option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"

	# Push routes to the client to allow it
	# to reach other private subnets behind
	# the server.  Remember that these
	# private subnets will also need
	# to know to route the OpenVPN client
	# address pool (10.8.0.0/255.255.255.0)
	# back to the OpenVPN server.
#	list push "route 192.168.10.0 255.255.255.0"
#	list push "route 192.168.20.0 255.255.255.0"

	# To assign specific IP addresses to specific
	# clients or if a connecting client has a private
	# subnet behind it that should also have VPN access,
	# use the subdirectory "ccd" for client-specific
	# configuration files (see man page for more info).

	# EXAMPLE: Suppose the client
	# having the certificate common name "Thelonious"
	# also has a small subnet behind his connecting
	# machine, such as 192.168.40.128/255.255.255.248.
	# First, uncomment out these lines:
#	option client_config_dir /etc/openvpn/ccd
#	list route "192.168.40.128 255.255.255.248"
	# Then create a file ccd/Thelonious with this line:
	#   iroute 192.168.40.128 255.255.255.248
	# This will allow Thelonious' private subnet to
	# access the VPN.  This example will only work
	# if you are routing, not bridging, i.e. you are
	# using "dev tun" and "server" directives.

	# EXAMPLE: Suppose you want to give
	# Thelonious a fixed VPN IP address of 10.9.0.1.
	# First uncomment out these lines:
#	option client_config_dir /etc/openvpn/ccd
#	list route "10.9.0.0 255.255.255.252"
#	list route "192.168.100.0 255.255.255.0"
	# Then add this line to ccd/Thelonious:
	#   ifconfig-push "10.9.0.1 10.9.0.2"

	# Suppose that you want to enable different
	# firewall access policies for different groups
	# of clients.  There are two methods:
	# (1) Run multiple OpenVPN daemons, one for each
	#     group, and firewall the TUN/TAP interface
	#     for each group/daemon appropriately.
	# (2) (Advanced) Create a script to dynamically
	#     modify the firewall in response to access
	#     from different clients.  See man
	#     page for more info on learn-address script.
#	option learn_address /etc/openvpn/script

	# If enabled, this directive will configure
	# all clients to redirect their default
	# network gateway through the VPN, causing
	# all IP traffic such as web browsing and
	# and DNS lookups to go through the VPN
	# (The OpenVPN server machine may need to NAT
	# the TUN/TAP interface to the internet in
	# order for this to work properly).
	# CAVEAT: May break client's network config if
	# client's local DHCP server packets get routed
	# through the tunnel.  Solution: make sure
	# client's local DHCP server is reachable via
	# a more specific route than the default route
	# of 0.0.0.0/0.0.0.0.
#	list push "redirect-gateway"

	# Certain Windows-specific network settings
	# can be pushed to clients, such as DNS
	# or WINS server addresses.  CAVEAT:
	# http://openvpn.net/faq.html#dhcpcaveats
#	list push "dhcp-option DNS 10.8.0.1"
#	list push "dhcp-option WINS 10.8.0.1"

	# Uncomment this directive to allow different
	# clients to be able to "see" each other.
	# By default, clients will only see the server.
	# To force clients to only see the server, you
	# will also need to appropriately firewall the
	# server's TUN/TAP interface.
#	option client_to_client 1

	# Uncomment this directive if multiple clients
	# might connect with the same certificate/key
	# files or common names.  This is recommended
	# only for testing purposes.  For production use,
	# each client should have its own certificate/key
	# pair.
	#
	# IF YOU HAVE NOT GENERATED INDIVIDUAL
	# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
	# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
	# UNCOMMENT THIS LINE OUT.
#	option duplicate_cn 1

	# The keepalive directive causes ping-like
	# messages to be sent back and forth over
	# the link so that each side knows when
	# the other side has gone down.
	# Ping every 10 seconds, assume that remote
	# peer is down if no ping received during
	# a 120 second time period.
	option keepalive "10 120"

	# For extra security beyond that provided
	# by SSL/TLS, create an "HMAC firewall"
	# to help block DoS attacks and UDP port flooding.
	#
	# Generate with:
	#   openvpn --genkey --secret ta.key
	#
	# The server and each client must have
	# a copy of this key.
	# The second parameter should be '0'
	# on the server and '1' on the clients.
	# This file is secret:
#	option tls_auth "/etc/openvpn/ta.key 0"

	# Select a cryptographic cipher.
	# This config item must be copied to
	# the client config file as well.
	# Blowfish (default):
#	option cipher BF-CBC
	# AES:
#	option cipher AES-128-CBC
	# Triple-DES:
#	option cipher DES-EDE3-CBC

	# Enable compression on the VPN link.
	# If you enable it here, you must also
	# enable it in the client config file.
	# LZ4 requires OpenVPN 2.4+ client and server
#	option compress lz4
	# LZO is compatible with most OpenVPN versions
	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
	option compress lzo

	# The maximum number of concurrently connected
	# clients we want to allow.
#	option max_clients 100

	# The persist options will try to avoid
	# accessing certain resources on restart
	# that may no longer be accessible because
	# of the privilege downgrade.
	option persist_key 1
	option persist_tun 1
	option user nobody

	# Output a short status file showing
	# current connections, truncated
	# and rewritten every minute.
	option status /tmp/openvpn-status.log

	# By default, log messages will go to the syslog (or
	# on Windows, if running as a service, they will go to
	# the "\Program Files\OpenVPN\log" directory).
	# Use log or log-append to override this default.
	# "log" will truncate the log file on OpenVPN startup,
	# while "log-append" will append to it.  Use one
	# or the other (but not both).
#	option log         /tmp/openvpn.log
#	option log_append  /tmp/openvpn.log

	# Set the appropriate level of log
	# file verbosity.
	#
	# 0 is silent, except for fatal errors
	# 4 is reasonable for general usage
	# 5 and 6 can help to debug connection problems
	# 9 is extremely verbose
	option verb 3

	# Silence repeating messages.  At most 20
	# sequential messages of the same message
	# category will be output to the log.
#	option mute 20


##############################################
# Sample client-side OpenVPN 2.0 uci config  #
# for connecting to multi-client server.     #
##############################################

config openvpn sample_client

	# Set to 1 to enable this instance:
	option enabled 0

	# Specify that we are a client and that we
	# will be pulling certain config file directives
	# from the server.
	option client 1

	# Use the same setting as you are using on
	# the server.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface.
#	option dev tap
	option dev tun

	# Are we connecting to a TCP or
	# UDP server?  Use the same setting as
	# on the server.
#	option proto tcp
	option proto udp

	# The hostname/IP and port of the server.
	# You can have multiple remote entries
	# to load balance between the servers.
	list remote "my_server_1 1194"
#	list remote "my_server_2 1194"

	# Choose a random host from the remote
	# list for load_balancing.  Otherwise
	# try hosts in the order specified.
#	option remote_random 1

	# Keep trying indefinitely to resolve the
	# host name of the OpenVPN server.  Very useful
	# on machines which are not permanently connected
	# to the internet such as laptops.
	option resolv_retry infinite

	# Most clients don't need to bind to
	# a specific local port number.
	option nobind 1

	# Try to preserve some state across restarts.
	option persist_key 1
	option persist_tun 1
	option user nobody

	# If you are connecting through an
	# HTTP proxy to reach the actual OpenVPN
	# server, put the proxy server/IP and
	# port number here.  See the man page
	# if your proxy server requires
	# authentication.
	# retry on connection failures:
#	option http_proxy_retry 1
	# specify http proxy address and port:
#	option http_proxy "192.168.1.100 8080"

	# Wireless networks often produce a lot
	# of duplicate packets.  Set this flag
	# to silence duplicate packet warnings.
#	option mute_replay_warnings 1

	# SSL/TLS parms.
	# See the server config file for more
	# description.  It's best to use
	# a separate .crt/.key file pair
	# for each client.  A single ca
	# file can be used for all clients.
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/client.crt
	option key /etc/openvpn/client.key

	# Verify server certificate by checking
	# that the certicate has the nsCertType
	# field set to "server".  This is an
	# important precaution to protect against
	# a potential attack discussed here:
	#  http://openvpn.net/howto.html#mitm
	#
	# To use this feature, you will need to generate
	# your server certificates with the nsCertType
	# field set to "server".  The build_key_server
	# script in the easy_rsa folder will do this.
#	option ns_cert_type server

	# If a tls_auth key is used on the server
	# then every client must also have the key.
#	option tls_auth "/etc/openvpn/ta.key 1"

	# Select a cryptographic cipher.
	# If the cipher option is used on the server
	# then you must also specify it here.
#	option cipher x

	# Enable compression on the VPN link.
	# Don't enable this unless it is also
	# enabled in the server config file.
	# LZ4 requires OpenVPN 2.4+ on server and client
#	option compress lz4
	# LZO is compatible with most OpenVPN versions
	option compress lzo

	# Set log file verbosity.
	option verb 3

	# Silence repeating messages
#	option mute 20