{{ ansible_managed|comment }}
# Mode: {{ vpn_mode }}
# Subnet: {{ vpn_subnet }}
# L3
daemon
port 1195
dev tun
proto tcp-server
user openvpn
group openvpn
tcp-nodelay
persist-tun
persist-key
cipher AES-256-CBC
keepalive 30 90
management 127.0.0.1 31339

server {{ vpn_subnet }} 255.255.255.0
topology subnet

max-clients 64

verb 3
log /var/log/openvpn/openvpn.log
status-version 3
status /var/log/openvpn/status.log
client-connect /etc/openvpn/scripts/event-log.sh

tmp-dir /dev/shm
{% if phase|default() == 'prod' %}
auth-user-pass-verify /etc/openvpn/scripts/auth.py via-env
{% endif %}

tls-server
tls-version-min 1.2
key-direction 0
dh /etc/openvpn/keys/dh.pem
ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
07b7f906a252a8b304d2b9e055b05299
f199db480ce9da121fdbed99b2b18747
f24fd2b4b95f1dbbe2a480b9eb761413
03bc6848ec6181bb78078043306e2fcd
ad992ee1a5c02ded40c289209eb77587
36ac2a15fba4eb0cfc721c2c70a3fb83
7af9e5423e8cf81c5904a989d114fae8
b0c9ffd27bac60718d7231ab7cf4871f
79d0cc9e37935afea8b67f1a2c396707
8a586e78a1ba340e9c5bcce41de9ade7
5ca23c436c65c30bcb7e2854ed576b93
a955fe3b4d408444d5afaa8cc23dc9a5
f613242847be6cd33cb939b94658dd89
e02c3629fa9d8ff99d415b7041bd9df6
15d3744bd648f2ab1ba2db0c64737308
aca2fbab7c9b7114e4d8b646ca430c19
-----END OpenVPN Static key V1-----
</tls-auth>

script-security 2