mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
13b2313ace
I kept most of the certificate properties equal to the old certs, since some people's test scripts might rely on them (and it does not require any creativity from my part). Changes: * Add script to generate fresh test/sample keys (but keep sample keys in git for simple testing) * Switch from 1024 to 4096 bits RSA CA * Switch from 1024 to 2048 bits client/server RSA keys * Switch from 1024 to 2048 bits Diffie-Hellman parameters * Generate EC client and server cert, but sign with RSA CA (lets us test EC <-> RSA interoperability) * Remove 3DES cipher from 'sample' config * Add 'remote-cert-tls server' to client config * Update config files to deprecate nsCertType in favour of the keyUsage and extendedKeyUsage extensions. * Make naming more consistent Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Samuli Seppänen <samuli@openvpn.net> Message-Id: <CAA1AbxKZr_E6Wk9GBbB3xpLyJzyBxSa1k21UDXnC90d8refUzw@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9226 Signed-off-by: Gert Doering <gert@greenie.muc.de>
84 lines
1.9 KiB
Plaintext
84 lines
1.9 KiB
Plaintext
#
|
|
# Sample OpenVPN configuration file for
|
|
# office using SSL/TLS mode and RSA certificates/keys.
|
|
#
|
|
# '#' or ';' may be used to delimit comments.
|
|
|
|
# Use a dynamic tun device.
|
|
# For Linux 2.2 or non-Linux OSes,
|
|
# you may want to use an explicit
|
|
# unit number such as "tun1".
|
|
# OpenVPN also supports virtual
|
|
# ethernet "tap" devices.
|
|
dev tun
|
|
|
|
# 10.1.0.1 is our local VPN endpoint (office).
|
|
# 10.1.0.2 is our remote VPN endpoint (home).
|
|
ifconfig 10.1.0.1 10.1.0.2
|
|
|
|
# Our up script will establish routes
|
|
# once the VPN is alive.
|
|
up ./office.up
|
|
|
|
# In SSL/TLS key exchange, Office will
|
|
# assume server role and Home
|
|
# will assume client role.
|
|
tls-server
|
|
|
|
# Diffie-Hellman Parameters (tls-server only)
|
|
dh dh2048.pem
|
|
|
|
# Certificate Authority file
|
|
ca my-ca.crt
|
|
|
|
# Our certificate/public key
|
|
cert office.crt
|
|
|
|
# Our private key
|
|
key office.key
|
|
|
|
# OpenVPN 2.0 uses UDP port 1194 by default
|
|
# (official port assignment by iana.org 11/04).
|
|
# OpenVPN 1.x uses UDP port 5000 by default.
|
|
# Each OpenVPN tunnel must use
|
|
# a different port number.
|
|
# lport or rport can be used
|
|
# to denote different ports
|
|
# for local and remote.
|
|
; port 1194
|
|
|
|
# Downgrade UID and GID to
|
|
# "nobody" after initialization
|
|
# for extra security.
|
|
; user nobody
|
|
; group nobody
|
|
|
|
# If you built OpenVPN with
|
|
# LZO compression, uncomment
|
|
# out the following line.
|
|
; comp-lzo
|
|
|
|
# Send a UDP ping to remote once
|
|
# every 15 seconds to keep
|
|
# stateful firewall connection
|
|
# alive. Uncomment this
|
|
# out if you are using a stateful
|
|
# firewall.
|
|
; ping 15
|
|
|
|
# Uncomment this section for a more reliable detection when a system
|
|
# loses its connection. For example, dial-ups or laptops that
|
|
# travel to other locations.
|
|
; ping 15
|
|
; ping-restart 45
|
|
; ping-timer-rem
|
|
; persist-tun
|
|
; persist-key
|
|
|
|
# Verbosity level.
|
|
# 0 -- quiet except for fatal errors.
|
|
# 1 -- mostly quiet, but display non-fatal network errors.
|
|
# 3 -- medium output, good for normal operation.
|
|
# 9 -- verbose, good for troubleshooting
|
|
verb 3
|