{{ ansible_managed|comment }}
# Mode: {{ vpn_mode }}
# Subnet: {{ vpn_subnet }}
# L3
daemon
port 1194
dev tap
proto udp
user openvpn
group openvpn
tcp-nodelay
persist-tun
persist-key
cipher AES-256-CBC
keepalive 30 90
management 127.0.0.1 31337

server {{ vpn_subnet }} 255.255.255.0
topology subnet

max-clients 64

verb 3
log /var/log/openvpn/openvpn-vpc.log
status-version 3
status /var/log/openvpn/status-vpc.log
client-connect "/etc/openvpn/scripts/event-log.sh"
client-disconnect "/etc/openvpn/scripts/event-log.sh"

tmp-dir /dev/shm

tls-server
tls-version-min 1.2
key-direction 0
dh /etc/openvpn/keys/dh.pem
ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
<tls-auth>
{{ ta_secret }}
</tls-auth>

script-security 2