@ -77,10 +77,10 @@ config openvpn sample_server
# Diffie hellman parameters.
# Diffie hellman parameters.
# Generate your own with:
# Generate your own with:
# openssl dhparam -out dh10 24.pem 10 24
# openssl dhparam -out dh20 48 .pem 20 48
# Substitute 2048 for 1024 if you are using
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# 1024 bit keys.
option dh /etc/openvpn/dh10 24.pem
option dh /etc/openvpn/dh20 48 .pem
# Configure server mode and supply a VPN subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# for OpenVPN to draw client addresses from.
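Review bot: The retained line `# Substitute 2048 for 1024 if you are using` no longer matches the line that follows it on what appears to be the new side, `# 1024 bit keys.`, so the comment now reads "substitute 2048 for 1024 if you are using 1024 bit keys", which is backwards. Assuming the `dh2048` path is the new default (the rendering shows it as `dh20 48 .pem`, with the tokens split by the page), the sentence should become `# Substitute 1024 for 2048 if you are using` / `# 1024 bit keys.`, and the example `openssl dhparam` line should be checked the same way. The sides are inferred from the hunk's direction rather than from surviving markers, so please confirm against the real patch.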
@ -228,10 +228,52 @@ config openvpn sample_server
# This file is secret:
# This file is secret:
# option tls_auth "/etc/openvpn/ta.key 0"
# option tls_auth "/etc/openvpn/ta.key 0"
# For additional privacy, a shared secret key
# can be used for both authentication (as in tls_auth)
# and encryption of the TLS control channel.
#
# Generate a shared secret with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
#
# tls_auth and tls_crypt should NOT
# be combined, as tls_crypt implies tls_auth.
# Use EITHER tls_crypt, tls_auth, or neither option.
# option tls_crypt "/etc/openvpn/ta.key"
# Set the minimum required TLS protocol version
# for all connections.
#
# Require at least TLS 1.1
# option tls_version_min "1.1"
# Require at least TLS 1.2
# option tls_version_min "1.2"
# Require TLS 1.2, or the highest version supported
# on the system
# option tls_version_min "1.2 'or-highest'"
# OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher
# between the client and server, regardless of a
# configured "option cipher" (see below).
# Automatic negotiation is recommended.
#
# Uncomment this option to disable this behavior,
# and force all OpenVPN peers to use the configured
# cipher option instead (not recommended).
# option ncp_disable
# Select a cryptographic cipher.
# Select a cryptographic cipher.
# This config item must be copied to
# This config item must be copied to
# the client config file as well.
# the client config file as well.
# Blowfish (default):
#
# To see all supported ciphers, run:
# openvpn --show-ciphers
#
# Blowfish (default for backwards compatibility,
# but not recommended due to weaknesses):
# option cipher BF-CBC
# option cipher BF-CBC
# AES:
# AES:
# option cipher AES-128-CBC
# option cipher AES-128-CBC
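Review bot: The new `tls_version_min` example block presents `"1.1"` as the first suggested floor, and the same block is repeated in the sample_client section later in this commit; since TLS 1.0 and 1.1 are no longer considered acceptable, the examples could lead with 1.2 so that a reader who copies the first line does not pick a weak floor. Suggest dropping the 1.1 example or adding a line above it such as `# 1.2 is the recommended minimum; 1.1 is only for old peers`. The rest of the block (tls_crypt, ncp_disable, the BF-CBC caveat) reads clearly.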
@ -241,11 +283,16 @@ config openvpn sample_server
# Enable compression on the VPN link.
# Enable compression on the VPN link.
# If you enable it here, you must also
# If you enable it here, you must also
# enable it in the client config file.
# enable it in the client config file.
#
# Compression is not recommended, as compression and
# encryption in combination can weaken the security
# of the connection.
#
# LZ4 requires OpenVPN 2.4+ client and server
# LZ4 requires OpenVPN 2.4+ client and server
# option compress lz4
# option compress lz4
# LZO is compatible with most OpenVPN versions
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
option compress lzo
# option compress lzo
# The maximum number of concurrently connected
# The maximum number of concurrently connected
# clients we want to allow.
# clients we want to allow.
@ -371,7 +418,7 @@ config openvpn sample_client
option key /etc/openvpn/client.key
option key /etc/openvpn/client.key
# Verify server certificate by checking
# Verify server certificate by checking
# that the certicate has the nsCertTyp e
# that the certicate has the key usag e
# field set to "server". This is an
# field set to "server". This is an
# important precaution to protect against
# important precaution to protect against
# a potential attack discussed here:
# a potential attack discussed here:
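Review bot: The rewritten comment now says the client checks the certificate's "key usage" field (matching the switch from `ns_cert_type` to `remote_cert_tls server` in the next hunk), but the retained context in that next hunk still tells the reader to generate server certificates "with the nsCertType field set to "server"" via the build_key_server script, so the two halves of the explanation describe different checks. Suggest updating that later paragraph to say the server certificate must carry the key-usage / extended-key-usage markings of a TLS server, which is what `remote_cert_tls server` verifies. The typo on the line above also survives on the new side; it should read `# that the certificate has the key usage`.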
@ -381,12 +428,27 @@ config openvpn sample_client
# your server certificates with the nsCertType
# your server certificates with the nsCertType
# field set to "server". The build_key_server
# field set to "server". The build_key_server
# script in the easy_rsa folder will do this.
# script in the easy_rsa folder will do this.
# option ns_cert_type server
# option remote_cert_tls server
# If a tls_auth key is used on the server
# If a tls_auth key is used on the server
# then every client must also have the key.
# then every client must also have the key.
# option tls_auth "/etc/openvpn/ta.key 1"
# option tls_auth "/etc/openvpn/ta.key 1"
# If a tls_crypt key is used on the server
# every client must also have the key.
# option tls_crypt "/etc/openvpn/ta.key"
# Set the minimum required TLS protocol version
# for all connections.
#
# Require at least TLS 1.1
# option tls_version_min "1.1"
# Require at least TLS 1.2
# option tls_version_min "1.2"
# Require TLS 1.2, or the highest version supported
# on the system
# option tls_version_min "1.2 'or-highest'"
# Select a cryptographic cipher.
# Select a cryptographic cipher.
# If the cipher option is used on the server
# If the cipher option is used on the server
# then you must also specify it here.
# then you must also specify it here.
@ -395,10 +457,15 @@ config openvpn sample_client
# Enable compression on the VPN link.
# Enable compression on the VPN link.
# Don't enable this unless it is also
# Don't enable this unless it is also
# enabled in the server config file.
# enabled in the server config file.
#
# Compression is not recommended, as compression and
# encryption in combination can weaken the security
# of the connection.
#
# LZ4 requires OpenVPN 2.4+ on server and client
# LZ4 requires OpenVPN 2.4+ on server and client
# option compress lz4
# option compress lz4
# LZO is compatible with most OpenVPN versions
# LZO is compatible with most OpenVPN versions
option compress lzo
# option compress lzo
# Set log file verbosity.
# Set log file verbosity.
option verb 3
option verb 3