OpenVPN server configuration file description (transfer), openvpn configuration file
This article describes how to configure the configuration file on the OpenVPN server. In Windows, this configuration file is generally called server. ovpn. in Linux/BSD, this configuration file is generally called server. conf. Although the configuration file name is different, the configuration content is the same as the configuration method.
This article is based on the official server. ovpn sample file. Server configuration files for Windows, Linux, and BSD systems can all be referred to in this article. You can click to view the description of the OpenVPN client configuration file.
######################################## ######### Example of a server-side configuration file for OpenVPN 2.0 with multiple clients ## this file is used for multiple clients <-> single-server-side OpenVPN server-side configuration # # OpenVPN supports standalone configuration. For more information, see the sample page on the website) # This configuration supports Windows, Linux, and BSD. In addition, in Windows, remember to add the path with double quotation marks # And use two backslashes, for example, "C: \ Program Files \ OpenVPN \ config \ foo. key "##' # 'or '; 'starts with the comment content ################################## ################ what IP addresses should OpenVPN listen to on the local machine? # This command is optional. If it is not set, all IP addresses of the local machine are monitored by default .; Local a. B. c. d # Which TCP/UDP port should OpenVPN listen? # If you want to run multiple OpenVPN instances on the same computer, you can use different port numbers to differentiate them. # In addition, you need to open these ports on the firewall. Port 1194 # Does OpenVPN use TCP or UDP ?; Proto tcpproto udp # specify the communication tunnel type created by OpenVPN. # "Dev tun" creates a Route IP Tunnel and # "dev tap" creates an Ethernet tunnel. # If you use the Ethernet bridging mode and create a virtual interface named "tap0" to bridge the Ethernet interface in advance, you can use "dev tap0" ## to control the VPN access policy, you must create firewall rules for the TUN/TAP interface. # In a non-Windows system, you can specify the unit number, for example, "tun0 ". # In Windows, you can also use "dev-node ". # In most systems, VPN does not work unless you partially disable or completely disable the TUN/TAP interface firewall .; Dev tapdev tun # If you want to configure multiple tunnels, you need to use the name of the TAP-Win32 adapter in the network connection Panel (for example, "MyTap "). # In XP SP2 or a later version, you may need to disable the firewall for the TAP Adapter. # This command is not required for non-Windows systems .; Dev-node MyTap # Set SSL/TLS root certificate (ca), Certificate (cert), and private key (key ). # Each client and server must have their own certificates and private key files. # The server and all clients use the same CA certificate file. # Use a series of scripts in the easy-rsa directory to generate the required certificate and private key. # Remember, the server and each client certificate must use a unique Common Name. # You can also use any key management system that complies with the X509 standard to generate certificates and private keys. # OpenVPN also supports using a key file in PKCS #12 format (for details, see the "pkcs12" command on the site manual page) ca. crtcert server. crtkey server. key # This file should be kept confidential # specify the difi-Herman parameter. # Use the following command to generate your parameter: # openssl dhparam-out dh1024.pem 1024 # if you are using a 2048-bit key, replace 2048 with 1024. Dh dh1024.pem # sets the server-side mode and provides a VPN subnet to facilitate IP Address Allocation for the client. # In this example, the server itself occupies 10.8.0.1, and others will be used by the client. # If you are using the Ethernet bridging mode, comment out the line. For more information, see the official manual page. Server 10.8.0.0 255.255.255.0 # specifies the file used to record the association between the client and the virtual IP address. # When OpenVPN is restarted, the client connected again will be assigned the same virtual IP address as the previous one ifconfig-pool-persist ipp.txt # This command only applies to Ethernet bridging mode. # First, you must use the bridging capability of the operating system to bridge the Ethernet NIC interface and the TAP interface. # Then, you need to manually set the IP address and subnet mask of the bridge interface. # Here, we assume 10.8.0.4 and 255.255.255.0. # Finally, we must specify an IP address range of the subnet (for example, from 10.8.0.50 to 10.8.0.100) to facilitate allocation to the connected client. # If you are not using the Ethernet bridging mode, just comment out this line of commands .; Server-bridge 10.8.0.4 255.255.0 10.8.0.50 10.8.0.100 # This command only applies to the Ethernet bridging mode using the DHCP proxy. # at this time, the client requests the DHCP server from the server, to obtain the IP address assigned to it and the DNS server address. # Before that, you also need to bridge the Ethernet NIC interface and the TAP interface. # Note: This command is only used on the OpenVPN client. The TAP adapter of the client must be bound to a DHCP client .; Server-bridge # Push route information to the client to allow the client to connect to other private subnets behind the server. # (In short, it is to allow the client to access other local networks of the VPN Server itself) # Remember, these private subnets also need to set the address pool of the OpenVPN client (10.8.0.0/255.255.255.0) feedback back to OpenVPN server .; Push "route 192.168.10.0 255.255.255.0"; push "route 192.168.20.0 255.255.255.255.0" # assign a specified IP address to the specified client, or there is a private subnet on the client to access the VPN, # You can use the ccd subdirectory for the configuration file of the client. # (In short, allow the LAN members of the client to access the VPN) # For example: assume that a client with the Common Name "Thelonious" also has a small subnet to connect to the VPN. The subnet is 192.168.40.128/255.255.255.255.248. # First, you need to remove the following two line instructions:; client-config-dir ccd; route 192.168.40.128 255.255.255.255.248 # then create a file ccd/Thelonious with the following content: # iroute 192.168.40.128 255.255.255.255.248 # in this way, the local area network of the client can access the VPN. # Note: This command takes effect only when you are routing-based, not bridge-based. # For example, you use the "dev tun" and "server" commands. # Another example: Suppose you want to assign a fixed IP address 10.9.0.1 to Thelonious. # First, you need to remove the comments of the following two lines of commands:; client-config-dir ccd; route 10.9.0.0 255.255.255.252 # Then add the following command to the ccd/Thelonious file: # ifconfig-push 10.9.0.1 10.9.0.2 # If you want to enable different firewall access policies for clients in different groups, you can use either of the following methods: # (1) run multiple OpenVPN daemon processes. Each process corresponds to a group and enables appropriate firewall rules for each process (group. # (2) (advanced) create a script to dynamically modify the firewall rules that respond to different customers. # For more information about the learn-address script, see the official manual page .; Learn-address./script # If this command is enabled, the default gateways of all clients are redirected to the VPN, which causes all client traffic such as web browser and DNS query to pass through the VPN. # (To ensure normal operation, the computer on which the OpenVPN server is located may need to use NAT or bridging technology between the TUN/TAP interface and Ethernet ); push "redirect-gateway def1 bypass-dhcp" # Some specific Windows network settings can be pushed to the client, such as the DNS or WINS server address. # The following addresses are from the Public DNS server provided by opendns.com .; Push "dhcp-option DNS 208.67.222.222 "; push "dhcp-option DNS 208.67.220.220" # removing the note of this command will allow different clients to "be visible" (allow clients to access each other ). # By default, the client can only "View" the server. To ensure that the client can only see the server, you can also set appropriate firewall rules on the TUN/TAP interface of the server .; Client-to-client # If multiple clients may use the same certificate/private key file or Common Name for connection, you can cancel the annotation of this command. # We recommend that you use this command only for testing purposes. For production environments, each client should have its own certificate and private key. # If you do not generate a unique Certificate/private key for the Common Name for each client, you can cancel the comments for this line (but this is not recommended ).; The duplicate-cn # keepalive command will cause messages similar to the ping command to be sent back and forth, so that the server and client can know when the other side is disabled. # Ping every 10 seconds. If no reply is received within 120 seconds, the remote connection is closed. Keepalive 10 120 # for more security considerations beyond SSL/TLS, creating an "HMAC firewall" can help defend against DoS attacks and UDP port flood attacks. # You can use the following command to generate a copy of the key: # openvpn -- genkey -- secret ta. key # the server and each client must have a copy of the key. # The second parameter should be '0' on the server side and '1' on the client side '.; Tls-auth ta. key 0 # The file should be kept confidential # select a password encryption algorithm. # This configuration item must also be copied to each client configuration file .; Cipher BF-CBC # Blowfish (default); cipher AES-128-CBC # AES; cipher DES-EDE3-CBC # Triple-DES # enable compression on a VPN connection. # If you have enabled this command here, you should also enable it in each client configuration file. Comp-lzo # maximum number of clients that can be connected concurrently; max-clients 100 # It is a good idea to reduce the permissions of the OpenVPN daemon after initialization. # This command is only used in non-Windows systems .; User nobody; group nobody # The Persistence option can avoid accessing some resources that cannot be accessed after the restart due to reduced user permissions. Persist-keypersist-tun # outputs a brief State file to display the current connection status. This file is cleared and overwritten every minute. Status openvpn-status.log # by default, log messages are written to syslogs (in Windows, if running as a service, log messages are written to the log folder in the OpenVPN installation directory ). # You can use log or log-append to change this default situation. # The "log" method clears the previous log files each time it is started. # "Log-append" is appended after the previous log Content. # You can use either of the two methods (but do not use them at the same time ).; Log openvpn. log; log-append openvpn. log # set an appropriate redundancy level for the log file (0 ~ 9 ). The higher the redundancy level, the more detailed the output information. #0 indicates silent operation and only fatal errors are recorded. #4 indicates a reasonable Regular usage. #5 and 6 can help debug connection errors. #9 indicates extremely redundant logs and outputs very detailed log information. Verb 3 # Silence of duplicate information. # Only the first 20 pieces of information of the same category will be output to the log file .; Mute 20
Author: Software compass (http://www.softown.cn), reproduced please keep the source!