-
Notifications
You must be signed in to change notification settings - Fork 0
/
client.ovpn.j2
86 lines (69 loc) · 3.49 KB
/
client.ovpn.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Run in client mode (and pull relevant settings from the server)
client
# Use tunnel mode (rather than bridging) - this is required for iOS
# compatibility, and is fine for most home VPN use-cases
dev {{ openvpn.dev }}
# Use TCP protocol
proto {{ openvpn.proto }}
# Connect to the server at port 443 at yourdomainname.com (replace with your
# actual domain name, if you've setup dynamic (or static) DNS, or put your
# static external IP address if not)
remote {{ openvpn.remote }}
port {{ openvpn.port }}
# Keep trying to resolve the domain name for the server (useful when frequently
# switching networks, as is often the case for mobile clients)
resolv-retry infinite
# Don't bind to a specific local port when it's not necessary
nobind
# Try to persist the key and tunnel parameters across disconnects and restarts
# - this helps to improve the user experience if, for instance, your iPhone
# switches from wifi to cellular connection while connected to the VPN
persist-key
persist-tun
# This is an essential setting for preventing man-in-the-middle TLS attacks -
# it tells the client to make sure that the (authenticated and signed) remote
# certificate is a server certificate
# - i.e. it was created using ./build-key-server and not just ./build-key
# Commented: cfssl is unable to generate this old artifact of SSL
#ns-cert-type server
# Use this one instead to verify server cert
remote-cert-tls server
# We need to pass user credentials to the server (TOTP) before it will allow us
# to connect
# Commented: Disable this so we rely only on certificate authentication
# auth-user-pass
# We want to use strong, industry standard encryption which works well on iOS
# devices as well as other clients. (If you chose to use 128 bit encryption on
# the server earlier (AES-128-CBC), you need to specify the same here too.)
cipher {{ openvpn.cipher }}
# If your client is running a recent version of OpenVPN which supports NIST-
# style names for cipher suites, you might get an error in the log about the
# following name being deprecated.
# If that's the case, you can get rid of the error by using the new name for
# the same ciphersuite: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-cipher {{ openvpn.tls_cipher }}
# Turn on adaptive fast LZO compression for the link. (If you didn't specify
# this option on the server config, then don't include it here either.)
comp-lzo
# Use medium level verbosity for the logs. For debug purposes, increase this to
# a value between 6 - 11, where higher numbers give far more detail about what
# is happening
verb {{ openvpn.server_verbosity }}
# Don't renegotiate the connection. If this isn't set, your connection will
# drop after around 10 minutes (unless you re-enter your credentials).
reneg-sec 0
# the following line defines the direction of TLS authentication, when using
# inline format for the key, as we've done below
key-direction 1
# Regarding <ca/>
# Because iOS doesn't store the CA cert from the PKCS#12 file in its keychain,
# we need to include the CA public key here, otherwise the client won't be able
# to verify the signature
# Regarding <tls-auth/>
# The ta.key PSK file isn't included in the PKCS#12 either, so we need to
# include it here, otherwise our server will deny the client before it's even
# had chance to initialise the TLS handshake
# The following line instructs the OpenVPN iPhone app to disable the option
# to save the user auth password. (We're using one-time passwords anyway, so
# we'll only confuse ourselves if we try to save the password!)
#setenv ALLOW_PASSWORD_SAVE 0