openvpn-nomades: ameliorations
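#
# Default configuration of an OpenVPN *server* for roaming ("nomad") access to
# the AUF virtual private network.
#
# For every option in detail: man openvpn
#

#
# DO NOT EDIT THIS FILE! If you believe a change is essential, contact
# thomas.noel@auf.org first to discuss it.
#


# Configuration local to this site

# --config
# Load additional config options from file where each line corresponds to one
# command line option, but with the leading '--' removed.
# AUF RPV: local configuration file (server IP addresses and push directives
# sent to the client), generated when auf-rpv is installed.
# NOTE(review): OpenVPN reads options in order, so a single-valued option that
# is repeated further down in this file takes precedence over the value set in
# the local file; keep that in mind before adding a site-specific override.
config /etc/openvpn/auf-nomades.conf.local


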
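# Configuration common to all AUF RPV2 servers
# DO NOT EDIT... If you notice a problem, report it to thomas.noel@auf.org so
# that the issue can be studied as a whole.


# Debugging and miscellaneous


# --verb n
# Set output verbosity to n (default=1). Each level shows all info from the
# previous levels. Level 3 is recommended if you want a good summary of what's
# happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and
# write, uppercase is used for TCP/UDP packets and lowercase is used for
# TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on
# debug levels).
# NOTE(review): verb 1 is the quietest "normal usage" level; if client
# connection and certificate-verification events must be reviewable in syslog
# after an incident, consider verb 3 as the man page text above suggests.
verb 1

# --syslog [progname]
# Direct log output to system logger, but do not become a daemon. See
# --daemon directive above for description of progname parameter.
syslog
# NB: "progname" is supplied by the launcher /etc/init.d/openvpn


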
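# Server mode on udp/1194, over a TUN device

# --mode m
# Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode
# ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which implements
# a multi-client server capability.
mode server

# --dev-type device-type
# Which device type are we using? device-type should be tun or tap. Use
# this option only if the TUN/TAP device used with --dev does not begin with
# tun or tap.
# AUF RPV: the interface will be a virtual IPv4 interface of type "tun"
dev-type tun

# --dev tunX | tapX | null
# TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
# tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
# You must use either tun devices on both ends of the connection or tap
# devices on both ends. You cannot mix them, as they represent different
# underlying protocols.
# AUF RPV: creates a virtual IP interface named "nomades"
dev nomades

# --persist-tun
# Don't close and reopen TUN/TAP device or run up/down scripts across
# SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers
# finer-grained control over reset options.
persist-tun

# --proto p
# Use protocol p for communicating with remote host. p can be udp,
# tcp-client, or tcp-server.
# AUF RPV: tunnel over UDP/IP
proto udp

# --port port
# TCP/UDP port number for both local and remote. The current default of
# 1194 represents the official IANA port number assignment for OpenVPN and
# has been used since version 2.0-beta17. Previous versions used port 5000
# as the default.
# AUF RPV: listen on port 1194 by default
port 1194

# --comp-lzo
# Use fast LZO compression -- may add up to 1 byte per packet for
# incompressible data.
# NOTE(review): compressing tunnel data makes packet sizes depend on the
# plaintext, which is the basis of VORACLE-class attacks against VPN
# compression; the bandwidth gain is rarely worth that risk. Compression must
# match on both peers, so disable it on clients and server together rather
# than on one side only.
comp-lzo


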
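# Timeouts for tearing down a tunnel


# --inactive n
# (Experimental) Causes OpenVPN to exit after n seconds of inactivity on the
# TUN/TAP device. The time length of inactivity is measured since the last
# incoming tunnel packet.
# AUF RPV: end the tunnel after one hour of inactivity
inactive 3600
# AUF RPV: enforce the one-hour inactivity limit on connecting clients
push "inactive 3600"

# --ping n
# Ping remote over the TCP/UDP control channel if no packets have been sent
# for at least n seconds (specify --ping on both peers to cause ping packets
# to be sent in both directions since OpenVPN ping packets are not echoed
# like IP ping packets). When used in one of OpenVPN's secure modes (where
# --secret, --tls-server, or --tls-client is specified), the ping packet
# will be cryptographically secure.
# This option has two intended uses:
# (1) Compatibility with stateful firewalls. The periodic ping will
# ensure that a stateful firewall rule which allows OpenVPN UDP packets
# to pass will not time out.
# (2) To provide a basis for the remote to test the existence of
# its peer using the --ping-exit option.
# AUF RPV: send a "ping" to the peer every 10 seconds
ping 10
# AUF RPV: enforced on the client
push "ping 10"

# --ping-exit n
# Causes OpenVPN to exit after n seconds pass without reception of a ping or
# other packet from remote. This option can be combined with --inactive,
# --ping, and --ping-exit to create a two-tiered inactivity disconnect.
# For example,
# openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
# when used on both peers will cause OpenVPN to exit within 60 seconds if
# its peer disconnects, but will exit after one hour if no actual tunnel data
# is exchanged.
# AUF RPV: give up the tunnel if there is no reply after two minutes
ping-exit 120
# AUF RPV: force the client to exit after a single minute
push "ping-exit 60"

# NOTE: the four ping/ping-exit directives above are close to "keepalive 10 60",
# which in server mode expands to ping 10 / ping-restart 120 here and pushes
# ping 10 / ping-restart 60 to the clients -- but keepalive uses ping-restart
# (reconnect) rather than ping-exit (exit), so the two forms are not strictly
# equivalent.

# --ping-timer-rem
# Run the --ping-exit / --ping-restart timer only if we have a remote
# address. Use this option if you are starting the daemon in listen mode
# (i.e. without an explicit --remote peer), and you don't want to start
# clocking timeouts until a remote peer connects.
ping-timer-rem


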
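# System hardening


# --mlock
# Disable paging by calling the POSIX mlockall function. Requires that
# OpenVPN be initially run as root (though OpenVPN can subsequently
# downgrade its UID using the --user option).
# Using this option ensures that key material and tunnel data are never
# written to disk due to virtual memory paging operations which occur under
# most modern operating systems. It ensures that even if an attacker was
# able to crack the box running OpenVPN, he would not be able to scan the
# system swap file to recover previously used ephemeral keys, which are used
# for a period of time governed by the --reneg options (see below), then are
# discarded.
# The downside of using --mlock is that it will reduce the amount of
# physical memory available to other applications.
mlock

# TODO
# --chroot dir
# Chroot to dir after initialization. --chroot essentially redefines dir as
# being the top level directory tree (/). OpenVPN will therefore be unable to
# access any files outside this tree. This can be desirable from a security
# standpoint.
# Since the chroot operation is delayed until after initialization, most
# OpenVPN options that reference files will operate in a pre-chroot context.
# In many cases, the dir parameter can point to an empty directory, however
# complications can result when scripts or restarts are executed after the
# chroot operation.
# NOTE(review): until this is enabled, the daemon (as "nobody") still sees the
# whole filesystem after privilege drop; the lease file, tmp-dir and ccd
# directory configured below are the paths it keeps touching.
#chroot /var/lib/openvpn.nomades
# --up cmd
# Shell command to run after successful TUN/TAP device open (pre --user UID
# change). The up script is useful for specifying route commands which
# route IP traffic destined for private subnets which exist at the other
# end of the VPN connection into the tunnel.
# AUF RPV: this script builds (will build) the chroot jail
# NOTE(review): the up script runs as root (before the --user change), so the
# file and its directory must be owned by root and not writable by anyone
# else; OpenVPN 2.1 and later additionally require "script-security 2" for
# it to be executed at all.
#up /etc/openvpn/scripts/up-server
# AUF RPV: environment variable giving the location of the jail (used by the
# "up-server" script)
#setenv chroot_jail /var/lib/openvpn.nomades



# --user user
# Change the user ID of the OpenVPN process to user after initialization,
# dropping privileges in the process. This option is useful to protect
# the system in the event that some hostile party was able to gain control
# of an OpenVPN session. Though OpenVPN's security features make this
# unlikely, it is provided as a second line of defense.
# AUF RPV: nobody...
# NOTE(review): nobody/nogroup are shared with other unprivileged services on
# the host; a dedicated system account (e.g. "openvpn") would keep this
# daemon's writable state (leases, tmp-dir) isolated from them.
user nobody
# --group group
# Similar to the --user option, this option changes the group ID of the
# OpenVPN process to group after initialization.
# AUF RPV: nobody...
group nogroup



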
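# Client addressing

# --ifconfig-pool-persist file [seconds]
# Persist/unpersist ifconfig-pool data to file, at seconds intervals
# (default=600), as well as on program startup and shutdown.
# The goal of this option is to provide a long-term association between
# clients (denoted by their common name) and the virtual IP address assigned
# to them from the ifconfig-pool. Maintaining a long-term association is good
# for clients because it allows them to effectively use the --persist-tun
# option.
# file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
# If seconds = 0, file will be treated as read-only. This is useful if you
# would like to treat file as a configuration file.
# Note that the entries in this file are treated by OpenVPN as suggestions
# only, based on past associations between a common name and IP address. They
# do not guarantee that the given common name will always receive the given
# IP address. If you want guaranteed assignment, use --ifconfig-push
# AUF RPV: as long as the jail is not rebuilt at every reboot, this is useful.
# NOTE(review): /var/tmp is world-writable, so any local user can pre-create
# or replace this file before the daemon (running as "nobody") rewrites it
# every 60 s. The entries are only suggestions, but the file is the daemon's
# persistent state; prefer a directory owned by the run-as user and not
# writable by others.
ifconfig-pool-persist /var/tmp/openvpn-nomades.leases 60


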
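# Client connection: routing


# Per-client configuration (for fixed IP addresses)
# NOTE(review): the file applied to a client is looked up by its certificate
# common name, and its contents become server-side configuration for that
# client, so this directory must be writable by root only (never by the
# run-as user).
client-config-dir /etc/openvpn/auf-nomades.ccd/

# --tmp-dir dir
# Specify a directory dir for temporary files. This directory will be used by
# --client-connect scripts to dynamically generate client-specific
# configuration files.
# NOTE(review): /var/tmp is world-writable and shared with every local user;
# since configuration generated here is read back by the daemon, prefer a
# dedicated directory owned by the run-as user with no write access for
# others.
tmp-dir /var/tmp


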
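# Strong authentication (TLS)

# --tls-server
# Enable TLS and assume server role during TLS handshake. Note that OpenVPN
# is designed as a peer-to-peer application. The designation of client or
# server is only for the purpose of negotiating the TLS control channel.
# NOTE(review): no --cipher / --auth is set in this file, so the build's
# defaults apply (BF-CBC and SHA1 on OpenVPN 2.0-era builds); pin them
# explicitly, identically on server and clients, when upgrading.
tls-server

# --ca file
# Certificate authority (CA) file in .pem format, also referred to as the
# root certificate. This file can have multiple certificates in .pem
# format, concatenated together.
# AUF RPV: concatenation of the certificates of all CAs, generated
# automatically and periodically by "get-capath"
ca /etc/openvpn/auf-nomades-ca.pem

# --cert file
# Local peer's signed certificate in .pem format -- must be signed by a
# certificate authority whose certificate is in --ca file.
# AUF RPV: certificate supplied by the local configuration package
cert /etc/openvpn/auf-nomades-cert.pem

# --key file
# Local peer's private key in .pem format. Use the private key which was
# generated when you built your peer's certificate (see -cert file above).
# AUF RPV: key supplied by the local configuration package
# NOTE(review): this file must be readable by root only; it is read before the
# switch to "nobody" and, thanks to --persist-key below, never re-read.
key /etc/openvpn/auf-nomades-key.pem

# --persist-key
# Don't re-read key files across SIGUSR1 or --ping-restart.
#
# This option can be combined with --user nobody to allow restarts triggered
# by the SIGUSR1 signal. Normally if you drop root privileges in
# OpenVPN, the daemon cannot be restarted since it will now be unable to
# re-read protected key files.
# This option solves the problem by persisting keys across SIGUSR1 resets, so
# they don't need to be re-read.
# AUF RPV: do not re-read the keys while running (this also allows the key to
# be kept out of the chroot, for example...)
persist-key

# --tls-verify cmd
# Execute shell command cmd to verify the X509 name of a pending TLS
# connection that has otherwise passed all other tests of certification.
# cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail.
# cmd is executed as
# cmd certificate_depth X509_NAME_oneline
# AUF RPV: this script checks the CN format and the validity of the
# certificate presented (revocation in particular) via --tls-export-cert
# (see below)
# NOTE(review): while this line stays commented out, nothing in this file
# consults a revocation list, so a revoked but unexpired client certificate
# is still accepted. OpenVPN's built-in --crl-verify (a PEM CRL file) covers
# the revocation check without any script.
#tls-verify /etc/openvpn/scripts/tls-verify-nomad

# --tls-export-cert: AUF RPV PATCH asking OpenVPN to write the peer
# certificate to a temporary file and to pass the file name in the
# environment variable peercert
#tls-export-cert /tmp

# --dh file
# File containing Diffie Hellman parameters in .pem format (required for
# --tls-server only).
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate them at 2048 bits or more (and point this directive at the new
# file) the next time the local package is rebuilt.
dh /etc/openvpn/dh1024.pem

# --reneg-sec n
# Renegotiate data channel key after n seconds (default=3600).
# AUF RPV: renegotiation frequency: every 2 hours
reneg-sec 7200

# --hand-window n
# Handshake Window -- the TLS-based key exchange must finalize within n
# seconds of handshake initiation by any peer (default = 60 seconds). If the
# handshake fails we will attempt to reset our connection with our peer and
# try again. Even in the event of handshake failure we will still use our
# expiring key for up to --tran-window seconds to maintain continuity of
# transmission of tunnel data.
# AUF RPV: two-minute handshake window for degraded links
hand-window 120


# --tls-auth file [direction]
# Add an additional layer of HMAC authentication on top of the TLS
# control channel to protect against DoS attacks.
#
# In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's
# TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC
# signature can be dropped immediately without response.
# FIXME: to be added!
# NOTE(review): without it, every UDP packet reaching port 1194 from any
# source starts a TLS handshake, exposing the server to resource exhaustion
# and to any flaw in the TLS stack. The same static key must be deployed to
# every client before enabling it here, otherwise all of them are cut off.
# tls-auth /etc/openvpn/tls-auth.key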
329# transmission of tunnel data.
330# AUF RPV : Delai de handshake a deux minutes pour liaisons degradees
331hand-window 120
332
333
334# --tls-auth file [direction]
335# Add an additional layer of HMAC authentication on top of the TLS
336# control channel to protect against DoS attacks.
337#
338# In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN’s
339# TCP/UDP port, where TLS control channel packets bear‐ ing an incorrect HMAC
340# signature can be dropped immediately with‐ out response.
341# FIXME : a ajouter !
342# tls-auth /etc/openvpn/tls-auth.key
343