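##############################################################
# Sample client-side OpenVPN 2.0 config file for connecting  #
# to a multi-client server, with ALT Linux specific comments.#
#                                                            #
# This configuration can be used by multiple clients;        #
# however, each client must have its own cert and key files. #
#                                                            #
# For more complex examples install the package openvpn-docs #
# and check the content of the sample-config-files/          #
# subdirectory.                                              #
##############################################################

##############################################################
# Quick start:                                               #
# 1. Copy this file to /etc/openvpn/.                        #
# 2. Obtain the CA root certificate (ca.cert) and the client #
#    certificate/key pair (client.cert, client.key) from the #
#    system administrator of the OpenVPN server.             #
# 3. Put them into /etc/openvpn/keys/ and check that the     #
#    file names match the ca/cert/key directives below.      #
# 4. Set the proper OpenVPN server hostname/IP in the        #
#    'remote' directive.                                     #
# 5. Make sure the firewall does not block OpenVPN traffic.  #
# 6. Start OpenVPN with 'service openvpn start'.             #
# 7. Check /var/log/messages for errors.                     #
##############################################################

# Specify that we are a client and that we will be
# pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you
# partially or fully disable the firewall for the TUN/TAP
# interface.
# You could specify a given interface name for this
# connection by using something like 'dev tun0'.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.
;dev-node MyTap

# Are we connecting to a TCP or UDP server?
# Use the same setting as on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only).
# The 'openvpn' user and group must exist on this system
# (presumably created by the openvpn package - verify).
user openvpn
group openvpn

# Try to preserve some state across restarts -
# necessary while running with downgraded privileges,
# because the key and the TUN/TAP device cannot be
# re-opened once root privileges have been dropped.
persist-key
persist-tun

# If you are connecting through an HTTP proxy to reach
# the actual OpenVPN server, put the proxy server/IP and
# port number here. See the man page if your proxy server
# requires authentication.
# The bracketed words are placeholders to be replaced.
# http-proxy-retry: retry on connection failures.
;http-proxy-retry
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parameters.
# See the server config file for more description.
# It's best to use a separate .crt/.key file pair for each
# client. A single ca file can be used for all clients.
#
# By default files should be located in /etc/openvpn/keys.
# The key file must not be world readable; it is read by root
# before privileges are dropped, so owner-only permissions
# (e.g. mode 0600, root-owned) are sufficient.
# OpenVPN reads these files at startup, so there is no need
# to place them inside a chroot environment.
ca /etc/openvpn/keys/ca.cert
cert /etc/openvpn/keys/client.cert
key /etc/openvpn/keys/client.key

# Verify the server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# Without this check the client accepts any certificate
# issued by the CA as the server's, so it is strongly
# recommended to enable it once the server certificate
# carries the field.
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# The second argument (direction) must be 1 on the client
# when the server uses 0. Keep the key alongside the other
# key material in /etc/openvpn/keys/.
;tls-auth /etc/openvpn/keys/ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Note: compression of the tunnelled data is deprecated in
# later OpenVPN releases because it can leak information
# about the encrypted traffic; prefer leaving it off on
# both sides unless the server requires it.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages.
;mute 20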