{{ ansible_managed|comment }}
# Mode: {{ vpn_mode }}
# Subnet: {{ vpn_subnet }}
# L3
daemon
port 1195
dev tun
proto tcp-server
user openvpn
group openvpn
tcp-nodelay
persist-tun
persist-key
cipher AES-256-CBC
keepalive 30 90
management 127.0.0.1 31339

server {{ vpn_subnet }} 255.255.255.0
topology subnet

max-clients 64

verb 3
log /var/log/openvpn/openvpn.log
status-version 3
status /var/log/openvpn/status.log
client-connect /etc/openvpn/scripts/event-log.sh

tmp-dir /dev/shm
{% if phase|default() == 'prod' %}
auth-user-pass-verify /etc/openvpn/scripts/auth.py via-env
{% endif %}

tls-server
tls-version-min 1.2
key-direction 0
dh /etc/openvpn/keys/dh.pem
ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
<tls-auth>
{{ ta_secret }}
</tls-auth>

script-security 2