[auf-serveur.git] / auf-serveur-openvpn-nomades / auf-nomades.conf

#
# Configuration par defaut d'un *serveur* OpenVPN pour l'accès nomade au réseau
# privé virtuel de l'AUF.
#
# Pour toutes les options en detail : man openvpn
#

#
# NE PAS MODIFIER CE FICHIER ! Si vous pensez qu'une modification est
# indispensable, contactez d'abord thomas.noel@auf.org pour en parler.
#


# Configuration locale à cette implantation

# --config
#   Load additional config options from file where each line corresponds to one
#   command line option, but with the leading '--' removed.
# AUF RPV : fichier de configuration local (adresses IP du serveur et push vers
# le client) généré lors de l'installation de auf-rpv
config /etc/openvpn/auf-nomades.conf.local


# Configuration générale à tous les serveurs RPV2 de l'AUF
# NE PAS MODIFIER... Si vous détectez un soucis, signalez-le à
# thomas.noel@auf.org pour qu'il étudie le problème dans sa globalité.


# Debug et autres


# --verb n
#   Set output verbosity to n (default=1).  Each level shows all info from the
#   previous levels.  Level 3 is recommended if you want a good summary of what’s
#   happening without being swamped by output.
#   0 -- No output except fatal errors.
#   1 to 4 -- Normal usage range.
#   5 -- Output R and W characters to the console for each packet read and
#     write, uppercase is used for TCP/UDP packets and lowercase is used for
#     TUN/TAP packets.
#   6 to 11 -- Debug info range (see errlevel.h for additional information on
#     debug levels).
verb 1

# --syslog [progname]
#   Direct log output to system logger, but do not become a daemon. See
#   --daemon directive above for description of progname parameter.
syslog
# NB : "progname" est fourni par le lanceur /etc/init.d/openvpn


# Mode serveur sur udp/1194, sur un périphérique TUN

# --mode m
#   Set  OpenVPN  major mode.  By default, OpenVPN runs in point-to- point mode
#   ("p2p").  OpenVPN 2.0 introduces a new  mode  ("serv‐ er") which implements
#   a multi-client server capability.
mode server

# --dev-type device-type
#   Which  device  type  are  we using?  device-type should be tun or tap.  Use
#   this option only if the TUN/TAP device used with  --dev does not begin with
#   tun or tap.
# AUF RPV : l'interface sera une IPv4 virtuelle de type "tun"
dev-type tun

# --dev tunX | tapX | null
#   TUN/TAP virtual network device ( X can be omitted for a  dynamic device.)
#   tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
#   You must use either tun devices on both ends of  the  connection or  tap
#   devices on both ends.  You cannot mix them, as they represent different
#   underlying protocols.
# AUF RPV: Creation d'une interface IP virtuelle nommmee "nomades"
dev nomades

# --persist-tun
#   Don’t close and reopen TUN/TAP  device  or  run  up/down  scripts across
#   SIGUSR1 or --ping-restart restarts.
#   SIGUSR1  is  a restart signal similar to SIGHUP, but which offers
#   finer-grained control over reset options.
persist-tun

# --proto p
#   Use protocol p for communicating with remote host.  p can be udp,
#   tcp-client, or tcp-server.
# AUF RPV : tunnel sur UDP/IP
proto udp

# --port port
#   TCP/UDP  port  number for both local and remote.  The current default of
#   1194 represents the official IANA port number assignment for OpenVPN and
#   has been used since version 2.0-beta17.  Previous versions used port 5000
#   as the default.
# AUF RPV : par defaut se connecter sur le port 1194
port 1194

# --comp-lzo
# Use  fast LZO compression -- may add up to 1 byte per packet for
# incompressible data.
comp-lzo


# Delais pour coupure d'un tunnel


# --inactive n
#   (Experimental) Causes OpenVPN to exit after n seconds of inactivity on the
#   TUN/TAP device.  The time length of inactivity is measured since the last
#   incoming tunnel packet.
# AUF RPV : Fin du tunnel au bout d'une heure d'inactivite
inactive 3600
# AUF RPV : on force l'inactivité à une heure sur les clients qui se connectent
push "inactive 3600"

# --ping n
#   Ping remote over the TCP/UDP control channel if no  packets have been sent
#   for at least n seconds (specify --ping on both peers to cause ping packets
#   to be sent in both  directions since  OpenVPN ping  packets are not echoed
#   like IP ping packets).  When used in one of OpenVPN’s secure modes (where
#   --secret,  --tls-server,  or --tls-client is specified), the ping packet
#   will be cryptographically secure.
#   This option has two intended uses:
#   (1) Compatibility with stateful  firewalls.   The  periodic  ping will
#       ensure  that  a stateful firewall rule which allows OpenVPN UDP packets
#       to pass will not time out.
#   (2) To provide a basis for the remote to test  the  existence  of
#       its peer using the --ping-exit option.
# AUF RPV : Envoie d'un "ping" au correspondant toutes les 10 secondes
ping 10
# AUF RPV : on force sur le client
push "ping 10"

# --ping-exit n
#   Causes  OpenVPN to exit after n seconds pass without reception of a ping or
#   other packet from remote.  This option can be combined with  --inactive,
#   --ping, and --ping-exit to create a two-tiered inactivity disconnect.
#   For example,
#       openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
#   when used on both peers will cause OpenVPN to exit within 60 seconds  if
#   its peer disconnects, but will exit after one hour if no actual tunnel data
#   is exchanged.
# AUF RPV : Abandon du tunnel si pas de reponse au bout de deux minutes
ping-exit 120
# AUF RPV : on force sur le client à quitter au bout d'une seule minute
push "ping-exit 60"

# NOTE : les 4 ping/ping-exit ci-dessus peuvent aussi s'écrire : keepalive 10 120

# --ping-timer-rem
#   Run the --ping-exit / --ping-restart timer only if we have a remote
#   address.  Use this option if you are starting the daemon in listen  mode
#   (i.e.  without an explicit --remote peer), and you don’t want to start
#   clocking timeouts until a remote  peer  connects.
ping-timer-rem


# Securisation système


# --mlock
#    Disable paging by calling the POSIX mlockall function. Requires that
#    OpenVPN be initially run as root (though OpenVPN can subsequently
#    downgrade its UID using the --user option).
#    Using this option ensures that key material and tunnel data are never
#    written to disk due to virtual memory paging operations which occur under
#    most modern operating systems. It ensures that even if an attacker was
#    able to crack the box running OpenVPN, he would not be able to scan the
#    system swap file to recover previously used ephemeral keys, which are used
#    for a period of time governed by the --reneg options (see below), then are
#    discarded.
#    The downside of using --mlock is that it will reduce the amount of
#    physical memory available to other applications.
mlock

# TODO
# --chroot dir
#   Chroot to dir after initialization. --chroot essentially redefines dir as
#   being the top level directory tree (/). OpenVPN will therefore be unable to
#   access any files outside this tree. This can be desirable from a security
#   standpoint.
#   Since the chroot operation is delayed until after initialization, most
#   OpenVPN options that reference files will operate in a pre-chroot context.
#   In many cases, the dir parameter can point to an empty directory, however
#   complications can result when scripts or restarts are executed after the
#   chroot operation.
#chroot /var/lib/openvpn.nomades
# --up cmd
#   Shell  command  to run after successful TUN/TAP device open (pre --user UID
#   change).  The up  script  is  useful  for  specifying route  commands which
#   route IP traffic destined for private sub‐ nets which exist at the other
#   end of the VPN connection into the tunnel.
# AUF RPV : ce script contruit (construira) la prison chroot
#up /etc/openvpn/scripts/up-server
# AUF RPV : Variable d'environnement pour emplacement de la prison (utilisé par
# le script "up-server")
#setenv chroot_jail /var/lib/openvpn.nomades


# --user user
#   Change the user ID of the OpenVPN process to user after initial‐ ization,
#   dropping privileges in the  process.   This  option  is useful to protect
#   the system in the event that some hostile par‐ ty was able to gain control
#   of an OpenVPN session.  Though Open‐ VPN’s  security features make this
#   unlikely, it is provided as a second line of defense.
# AUF RPV : personne...
user nobody
# --group group
#   Similar  to  the --user option, this option changes the group ID of the
#   OpenVPN process to group after initialization.
# AUF RPV : personne...
group nogroup


# Adressage des clients

# --ifconfig-pool-persist file [seconds]
#   Persist/unpersist ifconfig-pool data to file, at seconds intervals
#   (default=600), as well as on program startup and shutdown.
#   The goal of this option is to provide a long-term association between
#   clients (denoted by their common name) and the virtual IP address assigned
#   to them from the ifconfig-pool. Maintaining a long-term association is good
#   for clients because it allows them to effectively use the --persist-tun
#   option.
#   file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
#   If seconds = 0, file will be treated as read-only. This is useful if you
#   would like to treat file as a configuration file.
#   Note that the entries in this file are treated by OpenVPN as suggestions
#   only, based on past associations between a common name and IP address. They
#   do not guarantee that the given common name will always receive the given
#   IP address. If you want guaranteed assignment, use --ifconfig-push
# AUF RPV : Tant que la prison n'est pas refaite à chaque reboot, c'est utile.
ifconfig-pool-persist /var/tmp/openvpn-nomades.leases 60


# Connexion d'un client : routage


# Config particulieres (pour les IPs fixées)
client-config-dir /etc/openvpn/auf-nomades.ccd/

# --tmp-dir dir
#   Specify a directory dir for temporary files. This directory will be used by
#   --client-connect scripts to dynamically generate client-specific
#   configuration files.
tmp-dir /var/tmp


# Authentification forte (TLS)

# --tls-server
#   Enable TLS and assume server role during TLS handshake.  Note that OpenVPN
#   is designed as a  peer-to-peer application.  The designation of client or
#   server is only for the purpose of negotiating the TLS control channel.
tls-server

# --ca file
#   Certificate authority (CA) file in .pem format, also referred to as the
#   root certificate.  This file can have  multiple  certifi‐ cates  in .pem
#   format, concatenated together.
# AUF RPV : concaténation des certif de toutes les CA, automatiquement et
# périodiquement généré par "get-capath"
ca /etc/openvpn/auf-nomades-ca.pem

# --cert file
#   Local peer’s signed certificate in .pem format -- must be signed by  a
#   certificate  authority whose certificate is in --ca file.
# AUF RPV: certificat fourni par le paquet de configuration local
cert /etc/openvpn/auf-nomades-cert.pem

# --key file
#   Local  peer’s  private  key in .pem format.  Use the private key which was
#   generated when you built your peer’s certificate  (see -cert file above).
# AUF RPV: clé fournie par le paquet de configuration local
key /etc/openvpn/auf-nomades-key.pem

# --persist-key
#   Don’t re-read key files across SIGUSR1 or --ping-restart.
#
#   This option can be combined with --user nobody to allow restarts triggered
#   by the SIGUSR1 signal.   Normally  if  you  drop  root privileges  in
#   OpenVPN, the daemon cannot be restarted since it will now be unable to
#   re-read protected key files.
#   This option solves the problem by persisting keys across SIGUSR1 resets, so
#   they don’t need to be re-read.
# AUF RPV: Pas de relecture des cles en cours d'execution (permet de ne pas mettre
# la clé dans le chroot, par exemple...)
persist-key

# --tls-verify cmd
#    Execute  shell  command cmd to verify the X509 name of a pending TLS
#    connection that has otherwise passed all other tests of cer‐ tification.
#    cmd  should return 0 to allow the TLS handshake to proceed, or 1 to fail.
#    cmd is executed as
#          cmd certificate_depth X509_NAME_oneline
# AUF RPV : ce script verifie le format du CN et la validité du certificat
# envoyé (notamment la révocation) via --tls-export-cert (cf ci-dessous)
#tls-verify /etc/openvpn/scripts/tls-verify-nomad

# --tls-export-cert : PATCH AUF RPV qui demande à OpenVPN de placer
# le certificat dans un fichier temporaire et indique le nom du fichier
# dans la variable d'environnement peercert
#tls-export-cert /tmp

# --dh file
#   File containing Diffie Hellman parameters in .pem format (required for
#   --tls-server only).
dh /etc/openvpn/dh1024.pem

# --reneg-sec n
#   Renegotiate data channel key after n seconds (default=3600).
# AUF RPV : Frequence de renegociation : toutes les 2 heures
reneg-sec 7200

# --hand-window n
#   Handshake Window -- the TLS-based key exchange must finalize within n
#   seconds of handshake initiation by any peer (default = 60 seconds). If the
#   handshake fails we will attempt to reset our connection with our peer and
#   try again. Even in the event of handshake failure we will still use our
#   expiring key for up to --tran-window seconds to maintain continuity of
#   transmission of tunnel data.
# AUF RPV : Delai de handshake a deux minutes pour liaisons degradees
hand-window 120


# --tls-auth file [direction]
#   Add an additional layer of HMAC authentication on top of the TLS
#   control channel to protect against DoS attacks.
#
#   In a nutshell, --tls-auth enables a kind of "HMAC  firewall"  on OpenVPN’s
#   TCP/UDP port, where TLS control channel packets bear‐ ing an incorrect HMAC
#   signature can be dropped immediately with‐ out response.
# FIXME : a ajouter !
# tls-auth /etc/openvpn/tls-auth.key
Commit	Line	Data
6249b630 TN	1	#
	2	# Configuration par defaut d'un serveur OpenVPN pour l'accès nomade au réseau
	3	# privé virtuel de l'AUF.
	4	#
	5	# Pour toutes les options en detail : man openvpn
	6	#
	7
	8	#
	9	# NE PAS MODIFIER CE FICHIER ! Si vous pensez qu'une modification est
	10	# indispensable, contactez d'abord thomas.noel@auf.org pour en parler.
	11	#
	12
	13
	14	# Configuration locale à cette implantation
	15
	16	# --config
	17	# Load additional config options from file where each line corresponds to one
	18	# command line option, but with the leading '--' removed.
	19	# AUF RPV : fichier de configuration local (adresses IP du serveur et push vers
	20	# le client) généré lors de l'installation de auf-rpv
	21	config /etc/openvpn/auf-nomades.conf.local
	22
	23
	24
	25	# Configuration générale à tous les serveurs RPV2 de l'AUF
	26	# NE PAS MODIFIER... Si vous détectez un soucis, signalez-le à
	27	# thomas.noel@auf.org pour qu'il étudie le problème dans sa globalité.
	28
	29
	30	# Debug et autres
	31
	32
	33	# --verb n
	34	# Set output verbosity to n (default=1). Each level shows all info from the
	35	# previous levels. Level 3 is recommended if you want a good summary of what’s
	36	# happening without being swamped by output.
	37	# 0 -- No output except fatal errors.
	38	# 1 to 4 -- Normal usage range.
	39	# 5 -- Output R and W characters to the console for each packet read and
	40	# write, uppercase is used for TCP/UDP packets and lowercase is used for
	41	# TUN/TAP packets.
	42	# 6 to 11 -- Debug info range (see errlevel.h for additional information on
	43	# debug levels).
	44	verb 1
	45
	46	# --syslog [progname]
	47	# Direct log output to system logger, but do not become a daemon. See
	48	# --daemon directive above for description of progname parameter.
a50446f7 TN	49	syslog
a50446f7 TN	50	# NB : "progname" est fourni par le lanceur /etc/init.d/openvpn
6249b630 TN	51
	52
	53
	54	# Mode serveur sur udp/1194, sur un périphérique TUN
	55
	56	# --mode m
	57	# Set OpenVPN major mode. By default, OpenVPN runs in point-to- point mode
	58	# ("p2p"). OpenVPN 2.0 introduces a new mode ("serv‐ er") which implements
	59	# a multi-client server capability.
	60	mode server
	61
	62	# --dev-type device-type
	63	# Which device type are we using? device-type should be tun or tap. Use
	64	# this option only if the TUN/TAP device used with --dev does not begin with
	65	# tun or tap.
	66	# AUF RPV : l'interface sera une IPv4 virtuelle de type "tun"
	67	dev-type tun
	68
	69	# --dev tunX \| tapX \| null
	70	# TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
	71	# tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
	72	# You must use either tun devices on both ends of the connection or tap
	73	# devices on both ends. You cannot mix them, as they represent different
	74	# underlying protocols.
	75	# AUF RPV: Creation d'une interface IP virtuelle nommmee "nomades"
	76	dev nomades
	77
	78	# --persist-tun
	79	# Don’t close and reopen TUN/TAP device or run up/down scripts across
	80	# SIGUSR1 or --ping-restart restarts.
	81	# SIGUSR1 is a restart signal similar to SIGHUP, but which offers
	82	# finer-grained control over reset options.
	83	persist-tun
	84
	85	# --proto p
	86	# Use protocol p for communicating with remote host. p can be udp,
	87	# tcp-client, or tcp-server.
	88	# AUF RPV : tunnel sur UDP/IP
	89	proto udp
	90
	91	# --port port
	92	# TCP/UDP port number for both local and remote. The current default of
	93	# 1194 represents the official IANA port number assignment for OpenVPN and
	94	# has been used since version 2.0-beta17. Previous versions used port 5000
	95	# as the default.
	96	# AUF RPV : par defaut se connecter sur le port 1194
	97	port 1194
	98
	99	# --comp-lzo
	100	# Use fast LZO compression -- may add up to 1 byte per packet for
	101	# incompressible data.
	102	comp-lzo
	103
	104
	105
	106	# Delais pour coupure d'un tunnel
	107
	108
	109	# --inactive n
	110	# (Experimental) Causes OpenVPN to exit after n seconds of inactivity on the
	111	# TUN/TAP device. The time length of inactivity is measured since the last
	112	# incoming tunnel packet.
	113	# AUF RPV : Fin du tunnel au bout d'une heure d'inactivite
	114	inactive 3600
115	# AUF RPV : on force l'inactivité à une heure sur les clients qui se connectent
116	push "inactive 3600"
117
118	# --ping n
119	# Ping remote over the TCP/UDP control channel if no packets have been sent
120	# for at least n seconds (specify --ping on both peers to cause ping packets
121	# to be sent in both directions since OpenVPN ping packets are not echoed
122	# like IP ping packets). When used in one of OpenVPN’s secure modes (where
123	# --secret, --tls-server, or --tls-client is specified), the ping packet
124	# will be cryptographically secure.
125	# This option has two intended uses:
126	# (1) Compatibility with stateful firewalls. The periodic ping will
127	# ensure that a stateful firewall rule which allows OpenVPN UDP packets
128	# to pass will not time out.
129	# (2) To provide a basis for the remote to test the existence of
130	# its peer using the --ping-exit option.
131	# AUF RPV : Envoie d'un "ping" au correspondant toutes les 10 secondes
132	ping 10
133	# AUF RPV : on force sur le client
134	push "ping 10"
135
136	# --ping-exit n
137	# Causes OpenVPN to exit after n seconds pass without reception of a ping or
138	# other packet from remote. This option can be combined with --inactive,
139	# --ping, and --ping-exit to create a two-tiered inactivity disconnect.
140	# For example,
141	# openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
142	# when used on both peers will cause OpenVPN to exit within 60 seconds if
143	# its peer disconnects, but will exit after one hour if no actual tunnel data
144	# is exchanged.
145	# AUF RPV : Abandon du tunnel si pas de reponse au bout de deux minutes
146	ping-exit 120
147	# AUF RPV : on force sur le client à quitter au bout d'une seule minute
148	push "ping-exit 60"
149
150	# NOTE : les 4 ping/ping-exit ci-dessus peuvent aussi s'écrire : keepalive 10 120
151
152	# --ping-timer-rem
153	# Run the --ping-exit / --ping-restart timer only if we have a remote
154	# address. Use this option if you are starting the daemon in listen mode
155	# (i.e. without an explicit --remote peer), and you don’t want to start
156	# clocking timeouts until a remote peer connects.
157	ping-timer-rem
158
159
160
161	# Securisation système
162
163
164	# --mlock
165	# Disable paging by calling the POSIX mlockall function. Requires that
166	# OpenVPN be initially run as root (though OpenVPN can subsequently
167	# downgrade its UID using the --user option).
168	# Using this option ensures that key material and tunnel data are never
169	# written to disk due to virtual memory paging operations which occur under
170	# most modern operating systems. It ensures that even if an attacker was
171	# able to crack the box running OpenVPN, he would not be able to scan the
172	# system swap file to recover previously used ephemeral keys, which are used
173	# for a period of time governed by the --reneg options (see below), then are
174	# discarded.
175	# The downside of using --mlock is that it will reduce the amount of
176	# physical memory available to other applications.
177	mlock
178
179	# TODO
180	# --chroot dir
181	# Chroot to dir after initialization. --chroot essentially redefines dir as
182	# being the top level directory tree (/). OpenVPN will therefore be unable to
183	# access any files outside this tree. This can be desirable from a security
184	# standpoint.
185	# Since the chroot operation is delayed until after initialization, most
186	# OpenVPN options that reference files will operate in a pre-chroot context.
187	# In many cases, the dir parameter can point to an empty directory, however
188	# complications can result when scripts or restarts are executed after the
189	# chroot operation.
190	#chroot /var/lib/openvpn.nomades
191	# --up cmd
192	# Shell command to run after successful TUN/TAP device open (pre --user UID
193	# change). The up script is useful for specifying route commands which
194	# route IP traffic destined for private sub‐ nets which exist at the other
195	# end of the VPN connection into the tunnel.
a50446f7	196	# AUF RPV : ce script contruit (construira) la prison chroot
6249b630 TN	197	#up /etc/openvpn/scripts/up-server
	198	# AUF RPV : Variable d'environnement pour emplacement de la prison (utilisé par
	199	# le script "up-server")
	200	#setenv chroot_jail /var/lib/openvpn.nomades
	201
	202
	203
	204	# --user user
	205	# Change the user ID of the OpenVPN process to user after initial‐ ization,
	206	# dropping privileges in the process. This option is useful to protect
	207	# the system in the event that some hostile par‐ ty was able to gain control
	208	# of an OpenVPN session. Though Open‐ VPN’s security features make this
	209	# unlikely, it is provided as a second line of defense.
	210	# AUF RPV : personne...
	211	user nobody
	212	# --group group
	213	# Similar to the --user option, this option changes the group ID of the
	214	# OpenVPN process to group after initialization.
	215	# AUF RPV : personne...
	216	group nogroup
	217
	218
	219
	220
	221	# Adressage des clients
	222
	223	# --ifconfig-pool-persist file [seconds]
	224	# Persist/unpersist ifconfig-pool data to file, at seconds intervals
	225	# (default=600), as well as on program startup and shutdown.
	226	# The goal of this option is to provide a long-term association between
	227	# clients (denoted by their common name) and the virtual IP address assigned
	228	# to them from the ifconfig-pool. Maintaining a long-term association is good
	229	# for clients because it allows them to effectively use the --persist-tun
	230	# option.
	231	# file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
	232	# If seconds = 0, file will be treated as read-only. This is useful if you
	233	# would like to treat file as a configuration file.
	234	# Note that the entries in this file are treated by OpenVPN as suggestions
	235	# only, based on past associations between a common name and IP address. They
	236	# do not guarantee that the given common name will always receive the given
	237	# IP address. If you want guaranteed assignment, use --ifconfig-push
	238	# AUF RPV : Tant que la prison n'est pas refaite à chaque reboot, c'est utile.
	239	ifconfig-pool-persist /var/tmp/openvpn-nomades.leases 60
	240
	241
	242
	243	# Connexion d'un client : routage
	244
	245
a50446f7 TN	246	# Config particulieres (pour les IPs fixées)
a50446f7 TN	247	client-config-dir /etc/openvpn/auf-nomades.ccd/
6249b630 TN	248
	249	# --tmp-dir dir
	250	# Specify a directory dir for temporary files. This directory will be used by
	251	# --client-connect scripts to dynamically generate client-specific
	252	# configuration files.
	253	tmp-dir /var/tmp
	254
	255
	256
	257	# Authentification forte (TLS)
	258
	259	# --tls-server
	260	# Enable TLS and assume server role during TLS handshake. Note that OpenVPN
	261	# is designed as a peer-to-peer application. The designation of client or
	262	# server is only for the purpose of negotiating the TLS control channel.
	263	tls-server
	264
	265	# --ca file
	266	# Certificate authority (CA) file in .pem format, also referred to as the
	267	# root certificate. This file can have multiple certifi‐ cates in .pem
	268	# format, concatenated together.
	269	# AUF RPV : concaténation des certif de toutes les CA, automatiquement et
	270	# périodiquement généré par "get-capath"
	271	ca /etc/openvpn/auf-nomades-ca.pem
	272
	273	# --cert file
	274	# Local peer’s signed certificate in .pem format -- must be signed by a
	275	# certificate authority whose certificate is in --ca file.
	276	# AUF RPV: certificat fourni par le paquet de configuration local
	277	cert /etc/openvpn/auf-nomades-cert.pem
	278
	279	# --key file
	280	# Local peer’s private key in .pem format. Use the private key which was
	281	# generated when you built your peer’s certificate (see -cert file above).
	282	# AUF RPV: clé fournie par le paquet de configuration local
	283	key /etc/openvpn/auf-nomades-key.pem
	284
	285	# --persist-key
	286	# Don’t re-read key files across SIGUSR1 or --ping-restart.
	287	#
	288	# This option can be combined with --user nobody to allow restarts triggered
	289	# by the SIGUSR1 signal. Normally if you drop root privileges in
	290	# OpenVPN, the daemon cannot be restarted since it will now be unable to
	291	# re-read protected key files.
	292	# This option solves the problem by persisting keys across SIGUSR1 resets, so
	293	# they don’t need to be re-read.
	294	# AUF RPV: Pas de relecture des cles en cours d'execution (permet de ne pas mettre
	295	# la clé dans le chroot, par exemple...)
	296	persist-key
	297
	298	# --tls-verify cmd
	299	# Execute shell command cmd to verify the X509 name of a pending TLS
	300	# connection that has otherwise passed all other tests of cer‐ tification.
	301	# cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail.
	302	# cmd is executed as
	303	# cmd certificate_depth X509_NAME_oneline
	304	# AUF RPV : ce script verifie le format du CN et la validité du certificat
	305	# envoyé (notamment la révocation) via --tls-export-cert (cf ci-dessous)
	306	#tls-verify /etc/openvpn/scripts/tls-verify-nomad
	307
	308	# --tls-export-cert : PATCH AUF RPV qui demande à OpenVPN de placer
	309	# le certificat dans un fichier temporaire et indique le nom du fichier
	310	# dans la variable d'environnement peercert
	311	#tls-export-cert /tmp
312
313	# --dh file
314	# File containing Diffie Hellman parameters in .pem format (required for
315	# --tls-server only).
316	dh /etc/openvpn/dh1024.pem
317
318	# --reneg-sec n
319	# Renegotiate data channel key after n seconds (default=3600).
320	# AUF RPV : Frequence de renegociation : toutes les 2 heures
321	reneg-sec 7200
322
323	# --hand-window n
324	# Handshake Window -- the TLS-based key exchange must finalize within n
325	# seconds of handshake initiation by any peer (default = 60 seconds). If the
326	# handshake fails we will attempt to reset our connection with our peer and
327	# try again. Even in the event of handshake failure we will still use our
328	# expiring key for up to --tran-window seconds to maintain continuity of
329	# transmission of tunnel data.
330	# AUF RPV : Delai de handshake a deux minutes pour liaisons degradees
331	hand-window 120
332
333
334	# --tls-auth file [direction]
335	# Add an additional layer of HMAC authentication on top of the TLS
336	# control channel to protect against DoS attacks.
337	#
338	# In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN’s
339	# TCP/UDP port, where TLS control channel packets bear‐ ing an incorrect HMAC
340	# signature can be dropped immediately with‐ out response.
341	# FIXME : a ajouter !
342	# tls-auth /etc/openvpn/tls-auth.key
343