add rudimentary ddb account creation scripts
[awsible] / roles / msca-openvpn / templates / user-server.conf.j2
{{ ansible_managed|comment }}
# OpenVPN server configuration rendered from the Ansible template
# roles/msca-openvpn/templates/user-server.conf.j2.  Full-line '#' comments
# are OpenVPN comments; the rendered file must never be hand-edited.
# Mode: {{ vpn_mode }}
# Subnet: {{ vpn_subnet }}
# L3
# Detach and run in the background.
daemon
# Listen on TCP/1195 (not the default 1194); TCP server mode.
port 1195
# Routed (layer-3) tunnel, consistent with the "L3" header above.
dev tun
proto tcp-server
# Drop root after initialisation.  persist-tun / persist-key below let the
# daemon survive SIGUSR1 restarts without re-acquiring root to reopen the
# tun device or re-read key material.
user openvpn
group openvpn
# Disable Nagle on the control/data TCP socket.
tcp-nodelay
persist-tun
persist-key
# Non-AEAD data-channel cipher; integrity comes from the HMAC added by
# tls-auth below.  NOTE(review): on OpenVPN >= 2.4 an AEAD cipher such as
# AES-256-GCM (negotiated via ncp-ciphers / data-ciphers) is preferable
# when every client supports it -- confirm client fleet before changing.
cipher AES-256-CBC
# Ping every 30 s; declare the peer dead after 90 s without traffic
# (the server pushes the matching values to clients).
keepalive 30 90
# Management interface bound to loopback on TCP/31339.  NOTE(review): no
# pw-file argument is given on this line, so the channel is unauthenticated
# and reachable by any local process that can connect to loopback; a
# password file or a unix socket with restrictive permissions would limit
# who can drive the daemon.
management 127.0.0.1 31339

# Legacy LZO compression directive (clients must use the matching setting).
# NOTE(review): compressing plaintext inside the tunnel exposes traffic to
# compression-oracle attacks (VORACLE); consider disabling compression
# unless it is required for a measured bandwidth reason.
comp-lzo

# Hand out addresses from a /24 pool; netmask is hard-coded while the
# network comes from the vpn_subnet variable.
server {{ vpn_subnet }} 255.255.255.0
# One address per client instead of the legacy /30 per client.
topology subnet

# Hard cap on concurrent client sessions.
max-clients 64

# Logging: verbosity 3, plus a version-3 status file.
verb 3
log /var/log/openvpn/openvpn.log
status-version 3
status /var/log/openvpn/status.log
# Same hook script records both connect and disconnect events; these
# directives need script-security 2 or higher (set at the end of the file).
client-connect "/etc/openvpn/scripts/event-log.sh"
client-disconnect "/etc/openvpn/scripts/event-log.sh"

# RAM-backed location for OpenVPN's temporary files (e.g. via-file credential
# hand-off), so they are not written to persistent storage.
tmp-dir /dev/shm
# Username/password verification is only rendered for the 'prod' phase; in
# every other phase clients are authenticated by certificate alone
# (presumably intended for test environments -- confirm with the role docs).
{% if phase|default() == 'prod' %}
# NOTE(review): the OpenVPN manual documents 'via-env' as requiring
# script-security 3 (passwords in the environment are "potentially unsafe");
# this file sets script-security 2 below.  Either switch to 'via-file'
# (credentials are written to tmp-dir above) if auth.py can read that format,
# or raise script-security and accept the exposure -- verify which auth.py
# expects before changing.
auth-user-pass-verify /etc/openvpn/scripts/auth.py via-env
{% endif %}

# TLS control channel: server role, TLS 1.2 minimum.
tls-server
tls-version-min 1.2
# tls-auth HMAC key direction: 0 on the server, clients must use 1.
key-direction 0
dh /etc/openvpn/keys/dh.pem
# CA / CRL / server cert and key are selected by ca_name and vpc_region;
# crl-verify lets revoked client certificates be rejected at handshake.
ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
# Inline tls-auth secret: the rendered config contains key material, so the
# deploying task must write it with a restrictive mode (not visible here --
# confirm in the role's template task).
<tls-auth>
{{ ta_secret }}
</tls-auth>

# Permit the client-connect / client-disconnect / auth scripts above to run.
script-security 2