2 # Configuration par defaut d'un *serveur* OpenVPN pour l'accès nomade au réseau
3 # privé virtuel de l'AUF.
5 # Pour toutes les options en detail : man openvpn
9 # NE PAS MODIFIER CE FICHIER ! Si vous pensez qu'une modification est
10 # indispensable, contactez d'abord thomas.noel@auf.org pour en parler.
14 # Configuration locale à cette implantation
17 # Load additional config options from file where each line corresponds to one
18 # command line option, but with the leading '--' removed.
19 # AUF RPV : fichier de configuration local (adresses IP du serveur et push vers
20 # le client) généré lors de l'installation de auf-rpv
21 config /etc/openvpn/auf-nomades.conf.local
25 # Configuration générale à tous les serveurs RPV2 de l'AUF
26 # NE PAS MODIFIER... Si vous détectez un soucis, signalez-le à
27 # thomas.noel@auf.org pour qu'il étudie le problème dans sa globalité.
34 # Set output verbosity to n (default=1). Each level shows all info from the
35 # previous levels. Level 3 is recommended if you want a good summary of what’s
36 # happening without being swamped by output.
37 # 0 -- No output except fatal errors.
38 # 1 to 4 -- Normal usage range.
39 # 5 -- Output R and W characters to the console for each packet read and
40 # write, uppercase is used for TCP/UDP packets and lowercase is used for
42 # 6 to 11 -- Debug info range (see errlevel.h for additional information on
47 # Direct log output to system logger, but do not become a daemon. See
48 # --daemon directive above for description of progname parameter.
49 syslog openvpn/nomades
53 # Mode serveur sur udp/1194, sur un périphérique TUN
56 # Set OpenVPN major mode. By default, OpenVPN runs in point-to- point mode
57 # ("p2p"). OpenVPN 2.0 introduces a new mode ("serv‐ er") which implements
58 # a multi-client server capability.
61 # --dev-type device-type
62 # Which device type are we using? device-type should be tun or tap. Use
63 # this option only if the TUN/TAP device used with --dev does not begin with
65 # AUF RPV : l'interface sera une IPv4 virtuelle de type "tun"
68 # --dev tunX | tapX | null
69 # TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
70 # tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
71 # You must use either tun devices on both ends of the connection or tap
72 # devices on both ends. You cannot mix them, as they represent different
73 # underlying protocols.
74 # AUF RPV: Creation d'une interface IP virtuelle nommmee "nomades"
78 # Don’t close and reopen TUN/TAP device or run up/down scripts across
79 # SIGUSR1 or --ping-restart restarts.
80 # SIGUSR1 is a restart signal similar to SIGHUP, but which offers
81 # finer-grained control over reset options.
85 # Use protocol p for communicating with remote host. p can be udp,
86 # tcp-client, or tcp-server.
87 # AUF RPV : tunnel sur UDP/IP
91 # TCP/UDP port number for both local and remote. The current default of
92 # 1194 represents the official IANA port number assignment for OpenVPN and
93 # has been used since version 2.0-beta17. Previous versions used port 5000
95 # AUF RPV : par defaut se connecter sur le port 1194
99 # Use fast LZO compression -- may add up to 1 byte per packet for
100 # incompressible data.
105 # Delais pour coupure d'un tunnel
109 # (Experimental) Causes OpenVPN to exit after n seconds of inactivity on the
110 # TUN/TAP device. The time length of inactivity is measured since the last
111 # incoming tunnel packet.
112 # AUF RPV : Fin du tunnel au bout d'une heure d'inactivite
114 # AUF RPV : on force l'inactivité à une heure sur les clients qui se connectent
118 # Ping remote over the TCP/UDP control channel if no packets have been sent
119 # for at least n seconds (specify --ping on both peers to cause ping packets
120 # to be sent in both directions since OpenVPN ping packets are not echoed
121 # like IP ping packets). When used in one of OpenVPN’s secure modes (where
122 # --secret, --tls-server, or --tls-client is specified), the ping packet
123 # will be cryptographically secure.
124 # This option has two intended uses:
125 # (1) Compatibility with stateful firewalls. The periodic ping will
126 # ensure that a stateful firewall rule which allows OpenVPN UDP packets
127 # to pass will not time out.
128 # (2) To provide a basis for the remote to test the existence of
129 # its peer using the --ping-exit option.
130 # AUF RPV : Envoie d'un "ping" au correspondant toutes les 10 secondes
132 # AUF RPV : on force sur le client
136 # Causes OpenVPN to exit after n seconds pass without reception of a ping or
137 # other packet from remote. This option can be combined with --inactive,
138 # --ping, and --ping-exit to create a two-tiered inactivity disconnect.
140 # openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
141 # when used on both peers will cause OpenVPN to exit within 60 seconds if
142 # its peer disconnects, but will exit after one hour if no actual tunnel data
144 # AUF RPV : Abandon du tunnel si pas de reponse au bout de deux minutes
146 # AUF RPV : on force sur le client à quitter au bout d'une seule minute
149 # NOTE : les 4 ping/ping-exit ci-dessus peuvent aussi s'écrire : keepalive 10 120
152 # Run the --ping-exit / --ping-restart timer only if we have a remote
153 # address. Use this option if you are starting the daemon in listen mode
154 # (i.e. without an explicit --remote peer), and you don’t want to start
155 # clocking timeouts until a remote peer connects.
160 # Securisation système
164 # Disable paging by calling the POSIX mlockall function. Requires that
165 # OpenVPN be initially run as root (though OpenVPN can subsequently
166 # downgrade its UID using the --user option).
167 # Using this option ensures that key material and tunnel data are never
168 # written to disk due to virtual memory paging operations which occur under
169 # most modern operating systems. It ensures that even if an attacker was
170 # able to crack the box running OpenVPN, he would not be able to scan the
171 # system swap file to recover previously used ephemeral keys, which are used
172 # for a period of time governed by the --reneg options (see below), then are
174 # The downside of using --mlock is that it will reduce the amount of
175 # physical memory available to other applications.
180 # Chroot to dir after initialization. --chroot essentially redefines dir as
181 # being the top level directory tree (/). OpenVPN will therefore be unable to
182 # access any files outside this tree. This can be desirable from a security
184 # Since the chroot operation is delayed until after initialization, most
185 # OpenVPN options that reference files will operate in a pre-chroot context.
186 # In many cases, the dir parameter can point to an empty directory, however
187 # complications can result when scripts or restarts are executed after the
189 #chroot /var/lib/openvpn.nomades
191 # Shell command to run after successful TUN/TAP device open (pre --user UID
192 # change). The up script is useful for specifying route commands which
193 # route IP traffic destined for private sub‐ nets which exist at the other
194 # end of the VPN connection into the tunnel.
195 # AUF RPV : ce script desactive les rp_filter sur l'interface TUN et créée
197 #up /etc/openvpn/scripts/up-server
198 # AUF RPV : Variable d'environnement pour emplacement de la prison (utilisé par
199 # le script "up-server")
200 #setenv chroot_jail /var/lib/openvpn.nomades
205 # Change the user ID of the OpenVPN process to user after initial‐ ization,
206 # dropping privileges in the process. This option is useful to protect
207 # the system in the event that some hostile par‐ ty was able to gain control
208 # of an OpenVPN session. Though Open‐ VPN’s security features make this
209 # unlikely, it is provided as a second line of defense.
210 # AUF RPV : personne...
213 # Similar to the --user option, this option changes the group ID of the
214 # OpenVPN process to group after initialization.
215 # AUF RPV : personne...
221 # Adressage des clients
223 # --ifconfig-pool-persist file [seconds]
224 # Persist/unpersist ifconfig-pool data to file, at seconds intervals
225 # (default=600), as well as on program startup and shutdown.
226 # The goal of this option is to provide a long-term association between
227 # clients (denoted by their common name) and the virtual IP address assigned
228 # to them from the ifconfig-pool. Maintaining a long-term association is good
229 # for clients because it allows them to effectively use the --persist-tun
231 # file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
232 # If seconds = 0, file will be treated as read-only. This is useful if you
233 # would like to treat file as a configuration file.
234 # Note that the entries in this file are treated by OpenVPN as suggestions
235 # only, based on past associations between a common name and IP address. They
236 # do not guarantee that the given common name will always receive the given
237 # IP address. If you want guaranteed assignment, use --ifconfig-push
238 # AUF RPV : Tant que la prison n'est pas refaite à chaque reboot, c'est utile.
239 ifconfig-pool-persist /var/tmp/openvpn-nomades.leases 60
243 # Connexion d'un client : routage
246 # Config particulieres : non utilisees pour l'instant, les bidouilles
247 # on verra si on en a besoin plus tard...
248 # client-config-dir /etc/openvpn/ccd
251 # Specify a directory dir for temporary files. This directory will be used by
252 # --client-connect scripts to dynamically generate client-specific
253 # configuration files.
258 # Authentification forte (TLS)
261 # Enable TLS and assume server role during TLS handshake. Note that OpenVPN
262 # is designed as a peer-to-peer application. The designation of client or
263 # server is only for the purpose of negotiating the TLS control channel.
267 # Certificate authority (CA) file in .pem format, also referred to as the
268 # root certificate. This file can have multiple certifi‐ cates in .pem
269 # format, concatenated together.
270 # AUF RPV : concaténation des certif de toutes les CA, automatiquement et
271 # périodiquement généré par "get-capath"
272 ca /etc/openvpn/auf-nomades-ca.pem
275 # Local peer’s signed certificate in .pem format -- must be signed by a
276 # certificate authority whose certificate is in --ca file.
277 # AUF RPV: certificat fourni par le paquet de configuration local
278 cert /etc/openvpn/auf-nomades-cert.pem
281 # Local peer’s private key in .pem format. Use the private key which was
282 # generated when you built your peer’s certificate (see -cert file above).
283 # AUF RPV: clé fournie par le paquet de configuration local
284 key /etc/openvpn/auf-nomades-key.pem
287 # Don’t re-read key files across SIGUSR1 or --ping-restart.
289 # This option can be combined with --user nobody to allow restarts triggered
290 # by the SIGUSR1 signal. Normally if you drop root privileges in
291 # OpenVPN, the daemon cannot be restarted since it will now be unable to
292 # re-read protected key files.
293 # This option solves the problem by persisting keys across SIGUSR1 resets, so
294 # they don’t need to be re-read.
295 # AUF RPV: Pas de relecture des cles en cours d'execution (permet de ne pas mettre
296 # la clé dans le chroot, par exemple...)
300 # Execute shell command cmd to verify the X509 name of a pending TLS
301 # connection that has otherwise passed all other tests of cer‐ tification.
302 # cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail.
304 # cmd certificate_depth X509_NAME_oneline
305 # AUF RPV : ce script verifie le format du CN et la validité du certificat
306 # envoyé (notamment la révocation) via --tls-export-cert (cf ci-dessous)
307 #tls-verify /etc/openvpn/scripts/tls-verify-nomad
309 # --tls-export-cert : PATCH AUF RPV qui demande à OpenVPN de placer
310 # le certificat dans un fichier temporaire et indique le nom du fichier
311 # dans la variable d'environnement peercert
312 #tls-export-cert /tmp
315 # File containing Diffie Hellman parameters in .pem format (required for
316 # --tls-server only).
317 dh /etc/openvpn/dh1024.pem
320 # Renegotiate data channel key after n seconds (default=3600).
321 # AUF RPV : Frequence de renegociation : toutes les 2 heures
325 # Handshake Window -- the TLS-based key exchange must finalize within n
326 # seconds of handshake initiation by any peer (default = 60 seconds). If the
327 # handshake fails we will attempt to reset our connection with our peer and
328 # try again. Even in the event of handshake failure we will still use our
329 # expiring key for up to --tran-window seconds to maintain continuity of
330 # transmission of tunnel data.
331 # AUF RPV : Delai de handshake a deux minutes pour liaisons degradees
335 # --tls-auth file [direction]
336 # Add an additional layer of HMAC authentication on top of the TLS
337 # control channel to protect against DoS attacks.
339 # In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN’s
340 # TCP/UDP port, where TLS control channel packets bear‐ ing an incorrect HMAC
341 # signature can be dropped immediately with‐ out response.
342 # FIXME : a ajouter !
343 # tls-auth /etc/openvpn/tls-auth.key