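# OpenVPN server configuration (comments translated to English).
# Directives are kept exactly as the original author set them; the
# chat-transcript fragments that had been pasted into the file were removed
# because OpenVPN would reject them as unknown options, and the duplicated
# "status" line was collapsed into one.

# Local interface OpenVPN listens on.
# By default OpenVPN listens on all interfaces.
#local xxx.xxx.xx.x

# Port the server runs on.
port 1194

# Protocol - TCP or UDP (udp6 = UDP over IPv6).
proto udp6

########################################
mode server
##################################

# Device type and unit number.
dev tap0

# Interfaces on which the management interface may be reached via telnet.
# Use the IP addresses of the server's interfaces.
# NOTE(review): if this is ever enabled, keep it bound to localhost only -
# the management interface gives control over the running daemon.
#management localhost 8329
#management 192.168.0.xx 8329
#management 86.86.xxx.xx 8329

# CA file.
ca /usr/local/etc/openvpn/keys/ca.crt

# Server certificate file.
cert /usr/local/etc/openvpn/keys/server.crt

# Server private key file.
key /usr/local/etc/openvpn/keys/server.key

# Diffie-Hellman parameters file.
dh /usr/local/etc/openvpn/keys/dh2048.pem

# Certificate revocation list.
# NOTE(review): while this stays commented out, a revoked client certificate
# is still accepted - enable it once a CRL is published.
#crl-verify /usr/local/etc/openvpn/crl.pem

# Server IP address and subnet mask (virtual network).
#server 10.10.100.0 255.255.255.0

# Internal DNS and WINS servers.
#push "dhcp-option DNS 192.168.0.1"
#push "dhcp-option DNS 192.168.0.10"
#push "dhcp-option WINS 192.168.0.1"

# Route pushed to the client, with its subnet mask, so that the client
# "sees" the network behind the OpenVPN server.
# Office
#push "route 192.168.0.0 255.255.255.0"
# Branch .1
#push "route 192.168.1.0 255.255.255.0"
# Branch .2
#push "route 192.168.2.0 255.255.255.0"
# Branch .3
#push "route 192.168.3.0 255.255.255.0"

# Directory holding the per-client IP address settings.
#client-config-dir ccd

# Server-to-client routes.
#route 10.10.100.0 255.255.255.252
# Branch .1
#route 192.168.1.0 255.255.255.0
# Branch .2
#route 192.168.2.0 255.255.255.0
# Branch .3
#route 192.168.3.0 255.255.255.0

# Makes the OpenVPN server the clients' default gateway.
#push "redirect-gateway"

# Allows clients to see each other (by virtual IP).
# By default clients only see the server.
#client-to-client

# Allows several connections with the same certificate/key.
#duplicate-cn

# Enable TLS authentication (server side).
tls-server

# For additional security with SSL/TLS, create an "HMAC firewall"
# to protect against DoS attacks and UDP port flooding.
#
# Generate it with:
# openvpn --genkey --secret ta.key
#
# The server and every client must have a copy of this key.
# The second parameter is '0' for the server and '1' for clients.
# NOTE(review): this path is relative, unlike the other key paths above; it
# resolves against the daemon's working directory (a "cd" directive would pin
# it). An absolute path such as /usr/local/etc/openvpn/keys/ta.key is safer.
tls-auth keys/ta.key 0

# TLS timeout; useful when internet access goes through mobile operators' GPRS.
tls-timeout 120

# HMAC digest for packet authentication; SHA1 is the default.
# Full list: openvpn --show-digests
auth SHA1

# Data-channel cipher.
# This setting must be copied into the client config exactly as set here.
# Full list: openvpn --show-ciphers
#cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
#cipher BF-CBC
###############################################33
# NOTE(review): "cipher none" disables data-channel encryption - tunnel
# traffic crosses the network in clear text and is only HMAC-authenticated
# via "auth SHA1" above. Kept as the author set it; for anything other than
# a lab test use an AEAD cipher such as AES-256-GCM on both server and client.
###############################################33
cipher none

########################################
daemon
ifconfig-pool 192.168.1.2 192.168.1.12
ifconfig 192.168.1.1 255.255.255.0
#####################################$$$$$$$$$$$$$$$$$$$$$$$$$$$$


# Checks that the connection is alive every 10 seconds;
# if there is no reply within 120 seconds the connection is closed.
keepalive 10 120

# LZO compression of the VPN tunnel traffic.
# If compression is enabled on the server it must also be enabled
# in the client config.
# NOTE(review): compressing traffic inside the tunnel is discouraged in
# current OpenVPN guidance; leave it off unless bandwidth really requires it.
comp-lzo

# Maximum number of simultaneously connected clients.
max-clients 10

# User and group OpenVPN runs as.
# NOTE(review): while these stay commented out the daemon keeps its startup
# privileges; persist-key/persist-tun below exist precisely to make dropping
# to nobody/nobody safe, so enabling them looks like the intended setup.
#user nobody
#group nobody

# Makes sense when using the udp protocol.
#mssfix 1450

# These options avoid having to re-access certain resources
# after a restart, which may be impossible because of
# the privilege reduction.
persist-key
persist-tun

# Path to the OpenVPN status log file.
status /var/log/openvpn/openvpn-status.log

# Path to the file recording events happening on the server.
# "log" - the log is overwritten when the daemon restarts.
# "log-append" - events are appended to the log.
log /var/log/openvpn/openvpn.log

# Set the required log level.
# 0 - nothing except fatal errors
# 4 - suitable for general information
# 5 and 6 are useful for debugging connection problems
# 9 - the maximum possible information
# NOTE(review): 6 is a debugging level that logs a lot per client;
# lower it (e.g. 3 or 4) once the setup works.
verb 6

# Maximum number of identical consecutive log entries.
#mute 20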