pinecrypt-gateway-backend/pinecrypt/server/templates/openvpn.conf

{% if proto == "udp" %}
dev tun0
proto udp
port 1194
management 127.0.0.1 7505
setenv service openvpn-udp
{% else %}
dev tun1
port-share 127.0.0.1 1443
proto tcp-server
port 443
socket-flags TCP_NODELAY
management 127.0.0.1 7506
setenv service openvpn-tcp
{% endif %}

# Client subnets
server {{ slot4.network_address }} {{ slot4.netmask }}
{% if slot6 %}
server-ipv6 {{ slot6 }}
{% endif %}
topology subnet

# Bind to all interfaces
local 0.0.0.0

# Send keep alive packets, mainly for UDP
keepalive 60 120

opt-verify

# Keypairs
key /server-secrets/self_key.pem
cert /server-secrets/self_cert.pem
ca /server-secrets/ca_cert.pem

# Push subnets
{% if push %}
push "route-metric 10002
{% endif %}
{% for subnet in push4 %}
push "route {{ subnet.network_address }} {{ subnet.netmask }}"
{% endfor %}
{% for subnet in push6 %}
push "route-ipv6 {{ subnet }}"
{% endfor %}

# DH parameters file
dh none
#dhparam.pem

# Control channel encryption parameterss
# For more info see: openvpn --show-tls
tls-version-min {{ openvpn_tls_version_min }}
tls-ciphersuites {{ openvpn_tls_ciphersuites }} # Used by TLS 1.3
tls-cipher {{ openvpn_tls_cipher }} # Used by TLS 1.2

# Data channel encryption parameters
cipher {{ openvpn_cipher }}
auth {{ openvpn_auth }}

# Just to sanity check ourselves
tls-cert-profile preferred

script-security 2
learn-address /helpers/learn-address.py
client-connect /helpers/client-connect.py
#verb 0
Move OpenVPN and StrongSwan entrypoint to separate Docker images 2021-06-02 12:44:19 +00:00			`{% if proto == "udp" %}`
			`dev tun0`
			`proto udp`
			`port 1194`
			`management 127.0.0.1 7505`
			`setenv service openvpn-udp`
			`{% else %}`
			`dev tun1`
			`port-share 127.0.0.1 1443`
			`proto tcp-server`
			`port 443`
			`socket-flags TCP_NODELAY`
			`management 127.0.0.1 7506`
			`setenv service openvpn-tcp`
			`{% endif %}`

			`# Client subnets`
			`server {{ slot4.network_address }} {{ slot4.netmask }}`
			`{% if slot6 %}`
			`server-ipv6 {{ slot6 }}`
			`{% endif %}`
			`topology subnet`

			`# Bind to all interfaces`
			`local 0.0.0.0`

			`# Send keep alive packets, mainly for UDP`
			`keepalive 60 120`

			`opt-verify`

			`# Keypairs`
			`key /server-secrets/self_key.pem`
			`cert /server-secrets/self_cert.pem`
			`ca /server-secrets/ca_cert.pem`

			`# Push subnets`
			`{% if push %}`
			`push "route-metric 10002`
			`{% endif %}`
			`{% for subnet in push4 %}`
			`push "route {{ subnet.network_address }} {{ subnet.netmask }}"`
			`{% endfor %}`
			`{% for subnet in push6 %}`
			`push "route-ipv6 {{ subnet }}"`
			`{% endfor %}`

			`# DH parameters file`
			`dh none`
			`#dhparam.pem`

			`# Control channel encryption parameterss`
			`# For more info see: openvpn --show-tls`
			`tls-version-min {{ openvpn_tls_version_min }}`
			`tls-ciphersuites {{ openvpn_tls_ciphersuites }} # Used by TLS 1.3`
			`tls-cipher {{ openvpn_tls_cipher }} # Used by TLS 1.2`

			`# Data channel encryption parameters`
			`cipher {{ openvpn_cipher }}`
			`auth {{ openvpn_auth }}`

			`# Just to sanity check ourselves`
			`tls-cert-profile preferred`

			`script-security 2`
			`learn-address /helpers/learn-address.py`
			`client-connect /helpers/client-connect.py`
			`#verb 0`