Hello everyone, I was hoping to get some feedback on my server configuration file. I have always run OpenVPN with DHCP assigned IP addresses. I now have a few connections for which I need to assign static IPs. I was hoping to get a second (third, fourth, nth) pair of eyes to look over my configuration? If I understand correctly, for the 'server' setting I'm using a private class C and for the static IPs I (in this case) will be using a different private class C. Thanks for your help!

--Jim

# Which local IP address should OpenVPN
# listen on? (optional)
local 2xx.x9.x3.x8

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1xxx

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun

#Certs
ca /etc/ssl/xxxxx.pem
cert /etc/ssl/xxxxxx.crt
key /etc/ssl/xxxxxx.key

# management interface
management localhost xx06

# Diffie Hellman parameters.
dh /etc/openvpn/xxxxxxx_dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 172.16.14.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route xxx.xx.xxx.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# STATIC IP ASSIGNMENTS
client-config-dir ccd
route 172.16.15.0 255.255.255.0
# Then add this line to ccd/CN_of_BOB1:
# ifconfig-push 172.16.15.1 172.16.15.2
# Next user would have a file ccd/CN_of_Jane2:
# ifconfig-push 172.16.15.5 172.16.15.6
# Next user would have a file ccd/CN_of_Joe3:
# ifconfig-push 172.16.15.9 172.16.15.10
# Next user would have a file ccd/CN_of_Billy4:
# ifconfig-push 172.16.15.13 172.16.15.14

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
keepalive 10 60

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret xxxxx.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/xxxxxxx_ta.txt 0 # This file is secret

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 128

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
persist-key
persist-tun

# verify certificate
crl-verify /etc/ssl/crl.pem

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status xxxxxxxx-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.
log-append /var/log/openvpn-xxxxxxxxxxxx.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
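As an added example (not part of Jim's post), a small Python checker for the ccd layout the config above describes: it reads the `server` and `route` subnets from a server config and checks every `ifconfig-push` pair for net30 validity ([4k+1, 4k+2] within a /30), membership in a routed subnet, and duplicate assignment across ccd files. The CNs and ccd contents below are constructed samples, including one deliberate hand-typing error (17.16.15.6).

```python
import ipaddress

# Constructed sample input: the poster's server directives and four
# hypothetical ccd files, one of which contains a typo'd second address.
SERVER_CONF = """
server 172.16.14.0 255.255.255.0
route 172.16.15.0 255.255.255.0
client-config-dir ccd
"""
CCD_FILES = {
    "CN_of_BOB1": "ifconfig-push 172.16.15.1 172.16.15.2",
    "CN_of_Jane2": "ifconfig-push 172.16.15.5 17.16.15.6",
    "CN_of_Joe3": "ifconfig-push 172.16.15.9 172.16.15.10",
    "CN_of_Billy4": "ifconfig-push 172.16.15.13 172.16.15.14",
}

def routed_networks(conf: str) -> list[ipaddress.IPv4Network]:
    """Collect the subnets the server pool owns or routes into the tunnel."""
    nets = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("server", "route"):
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}"))
    return nets

def check_ccd(conf: str, ccd: dict[str, str]) -> dict[str, list[str]]:
    """Return a list of problems per CN for net30-style ifconfig-push lines."""
    nets = routed_networks(conf)
    seen = {}       # local address -> CN that already claimed it
    problems = {}
    for cn, body in ccd.items():
        errs = []
        for line in body.splitlines():
            parts = line.split()
            if parts[:1] != ["ifconfig-push"] or len(parts) != 3:
                continue
            try:
                local, remote = (ipaddress.IPv4Address(p) for p in parts[1:])
            except ValueError as e:
                errs.append(f"unparsable address: {e}")
                continue
            # net30 topology: each client gets a /30, usable pair is [4k+1, 4k+2]
            if int(local) % 4 != 1 or int(remote) != int(local) + 1:
                errs.append(f"{local} {remote} is not a valid net30 pair")
            for a in (local, remote):
                if not any(a in n for n in nets):
                    errs.append(f"{a} is outside every server/route subnet")
            if local in seen:
                errs.append(f"{local} already assigned to {seen[local]}")
            seen[local] = cn
        problems[cn] = errs
    return problems
```

Run `check_ccd(SERVER_CONF, CCD_FILES)` and any CN whose list is non-empty needs a second look before the client connects.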