I use my VPN to have remote access into my network, and sometimes also to route all traffic through it, in order to escape some forms of connection filtering. While my base configuration is hardened (strong encryption and secure settings), my route-all-traffic configuration is not. That requires some settings that are annoying to use and setting up a firewall to block mistakes.

## The config file

The server configuration:

```
# Drop privs
user nobody
group nobody
# Keys
tls-auth server/ta.key 0
cert server/cert.crt
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
comp-lzo no
keepalive 15 60
ping-timer-rem
ifconfig-pool-persist server/ipp
verb 3
persist-tun
persist-key
```

The client configuration, etc/openvpn/nf:

```
client
remote 1194 udp
dev tun
# Uncomment the next line to redirect all traffic through the VPN
# redirect-gateway def1
remote-cert-tls server
cipher AES-256-CBC
# Keys
key-direction 1
tls-auth client/ta.key
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
comp-lzo no
verb 3
persist-tun
persist-key
```

**server**

The server directive puts OpenVPN in server mode, and supplies it with a subnet of IPs to allocate by specifying an address and a netmask. Choose a subnet that's unlikely to create clashes with your other networks. The server will take 192.186.87.1 for itself, and allocate the rest of the subnet for clients.

**port**

This directive sets which port the server should listen on. However, if for some reason you can't use

**proto**

On the server I set it to udp6, which tells it to listen on both IPv4 and IPv6. On the client I set it to udp, because udp6 will force it to only try IPv6, and that made OpenVPN not work for me (I don't always have IPv6).

**dev**

Sets the name of the virtual network device to use. I set it to tun0, so I can more easily set firewall rules knowing it'll always be the same device. On the client I let it choose the exact device on its own. Since the device name starts with tun, OpenVPN automatically sets the device type. Otherwise I would have had to set dev-type explicitly.

**client-to-client**

Normally, OpenVPN would pass all packets to the tun device on the server. This means that all packets, even those between clients in the VPN network, will be handled by the server's firewall, so if you want client-to-client traffic, you need to explicitly enable it in the firewall and add all the rules to do it. Alternatively, you can set this directive, which automatically does all of that for you. Be advised that with this enabled, the server's firewall will never get the packets, so don't enable it if you want fine-grained control.

**cipher, auth, tls-cipher**

These statements harden the server with stronger crypto. However, some of them are only available from OpenVPN 2.3.3. The cipher directive controls which cipher is used for the data channel, that is, all the data transferred through the VPN. The auth directive controls the HMAC algorithm used for the control channel. The tls-cipher directive controls the cipher suite used by the VPN's control channel.

**comp-lzo**

Disable compression. Most, if not all, of my traffic is either encrypted (e.g. SSH and HTTPS) or already compressed (e.g. HTTP in most cases), so adding compression on top will not add any benefits. If you think you may want compression after all, set it to adaptive, which automatically decides whether to put compression on or not, though even when not compressing, this is not free.

**keepalive**

This is a helper directive that automatically sets the ping and ping-restart values on both the client and the server (when set on the server). With this setting, a ping will be sent every 15 seconds (if no other data has been sent). This is useful so that stateful firewalls will not drop our UDP connection after some time of inactivity. The second part of this directive will try to restart the connection after 60 seconds of inactivity (on the client) and 60 * 2 = 120 seconds (on the server). This ensures that the client will detect the timeout before the server does.
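As an added example (not code from the original post), here is a small Python auditor that checks a server or client config for the points discussed above: compression left on (a bare `comp-lzo` means adaptive), a missing `tls-auth`, a data-channel cipher outside an allowed set, no privilege drop on the server, `client-to-client` bypassing the host firewall, a client without `remote-cert-tls server`, a VPN subnet that overlaps a local network, and the ping/ping-restart values that `keepalive N M` expands to (M on the client, 2*M on the server). The sample configs, the hostname `vpn.example.invalid` and the allowed cipher set `STRONG_CIPHERS` are constructed for this demo; directive names and their semantics are OpenVPN's own.

```python
# Added example: audit OpenVPN configs for the hardening points in the post.
# The sample configs and STRONG_CIPHERS below are constructed for the demo.
import ipaddress
import shlex

# Ciphers this demo accepts for the data channel (an assumption, AES only).
STRONG_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "AES-128-GCM", "AES-128-CBC"}


def parse_config(text):
    """Turn OpenVPN config text into a list of (directive, args).

    '#' and ';' comments and blank lines are dropped. Inline key blocks
    (<tls-auth>...</tls-auth>) are not handled by this toy parser.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def keepalive_timeouts(entries):
    """Expand 'keepalive N M' the way OpenVPN does: ping N, ping-restart M on
    the client and 2*M on the server, so the client always times out first."""
    for directive, args in entries:
        if directive == "keepalive" and len(args) == 2:
            ping, restart = int(args[0]), int(args[1])
            return {"ping": ping, "client_restart": restart, "server_restart": 2 * restart}
    return None


def server_addresses(entries):
    """For 'server ADDR MASK' return (server_ip, pool_network): the server
    keeps the first host address and hands out the rest of the subnet."""
    for directive, args in entries:
        if directive == "server" and len(args) >= 2:
            net = ipaddress.IPv4Network((args[0], args[1]), strict=False)
            return next(net.hosts()), net
    return None


def audit(text, role, local_networks=()):
    """Return a list of human-readable findings for a 'server' or 'client' config."""
    entries = parse_config(text)
    opts = {}
    for directive, args in entries:
        opts.setdefault(directive, []).append(args)
    findings = []

    # Compression: 'comp-lzo' with no argument defaults to adaptive, i.e. enabled.
    for args in opts.get("comp-lzo", []):
        if not args or args[0] != "no":
            findings.append("compression enabled (comp-lzo %s)" % (args[0] if args else "adaptive"))
    if "tls-auth" not in opts:
        findings.append("no tls-auth: control-channel packets are not HMAC-protected")
    cipher = opts.get("cipher", [[]])[0]
    if not cipher or cipher[0] not in STRONG_CIPHERS:
        findings.append("data-channel cipher missing or not allowed: %s" % (cipher[0] if cipher else "none"))

    if role == "server":
        for d in ("user", "group"):
            if d not in opts:
                findings.append("no '%s' directive: daemon keeps root privileges" % d)
        if "client-to-client" in opts:
            findings.append("client-to-client set: inter-client traffic bypasses the host firewall")
        addrs = server_addresses(entries)
        if addrs:
            _, pool = addrs
            for local in local_networks:
                if pool.overlaps(ipaddress.IPv4Network(local)):
                    findings.append("VPN subnet %s clashes with local network %s" % (pool, local))
    elif role == "client":
        if ["server"] not in opts.get("remote-cert-tls", []):
            findings.append("no 'remote-cert-tls server': any client cert could pose as the server")
    return findings


# Constructed sample configs: a hardened server and a deliberately weak client.
SERVER_CONF = """\
server 192.186.87.0 255.255.255.0
proto udp6
dev tun0
user nobody
group nobody
tls-auth server/ta.key 0
cert server/cert.crt
cipher AES-256-CBC
comp-lzo no
keepalive 15 60
"""

WEAK_CLIENT_CONF = """\
client
remote vpn.example.invalid 1194 udp
dev tun
cipher BF-CBC
comp-lzo          # bare comp-lzo means adaptive, so compression is on
tls-auth client/ta.key
key-direction 1
"""

if __name__ == "__main__":
    print(keepalive_timeouts(parse_config(SERVER_CONF)))
    for f in audit(SERVER_CONF, "server", local_networks=["192.168.1.0/24"]):
        print("server:", f)
    for f in audit(WEAK_CLIENT_CONF, "client"):
        print("client:", f)
```

Run it against your own files by reading them into `audit()` with the matching role; the subnet-clash check only fires when you pass the networks you actually use at home or in the office, which is the clash the `server` directive explanation warns about.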