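# {{ ansible_managed }}
#
# OpenVPN server configuration rendered by Ansible. Every `openvpn_*` name is a
# role variable; the file is regenerated on each run, so local edits are lost.

port {{ openvpn_port }}
proto {{ openvpn_proto }}
dev tun

# PKI material. `crl-verify ... dir` expects one file per revoked certificate
# (named by serial) under the revoked/ directory rather than a single CRL file.
ca {{ openvpn_ca }}
crl-verify {{ openvpn_ssl_root }}/revoked dir
cert {{ openvpn_cert }}
key {{ openvpn_key }}
dh {{ openvpn_dh }}

server {{ openvpn_server }}
{% if openvpn_push is defined %}
{% for push in openvpn_push %}
push "{{ push }}"
{% endfor %}
{% endif %}

keepalive 10 120

# Compression on a VPN link is a plaintext-recovery vector (VORACLE); OpenVPN
# 2.5+ refuses it unless explicitly allowed below. On older releases it used to
# be enabled here unconditionally; it stays on by default so existing clients
# that still carry comp-lzo keep working, but can be switched off with
# openvpn_legacy_compression: false once the clients have been migrated.
{% if openvpn_installed_version is version('2.5', '<') and openvpn_legacy_compression | default(true) %}
comp-lzo
{% endif %}
{% if openvpn_installed_version is version('2.5', '>=') and openvpn_force_insecure_compression %}
# /!\ BEGIN insecure compression enabled
# those settings are enabled for compatibility purpose, consider migration to disable it
# may not be supported in future releases of OpenVPN
allow-compression yes
comp-lzo
# /!\ END insecure compression enabled
{% endif %}

max-clients {{ openvpn_max_clients }}

# Drop privileges after start-up. The dedicated openvpn account is only used
# when helper scripts run (they need to write their own logs, see below);
# otherwise nobody/nogroup is enough. persist-key/persist-tun let the daemon
# survive SIGUSR1 restarts without re-reading keys or re-opening the tun
# device, which it can no longer do once privileges are dropped.
{% if openvpn_client_scripts or openvpn_auth_user_pass_verify is defined %}
user openvpn
group openvpn
{% else %}
user nobody
group nogroup
{% endif %}
persist-key
persist-tun

# the status must be in /tmp, and systemd will handle it in a private tmp folder
status /tmp/{{ openvpn_proto }}_{{ openvpn_port }}-openvpn-status.log
log-append /var/log/openvpn/{{ openvpn_proto }}_{{ openvpn_port }}-openvpn.log
verb {{ openvpn_verb }}
mute 5

{% if openvpn_ldap_auth %}
# check the password against OpenLDAP - this doesn't check that the username is the same as the certificate common_name, see auth-user-pass-verify script for that
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap/auth-ldap.conf
{% endif %}

{% if openvpn_client2client %}
# route traffic between clients inside the daemon; it never reaches the host's
# tun interface, so host firewall rules do not apply to it
client-to-client
{% endif %}

{% if openvpn_ccd %}
# static client IP
client-config-dir /etc/openvpn/topology-subnet
# do not allow the connection if a ccd file does not exist for the current user
ccd-exclusive
{% endif %}

# write temporary files to tmpfs
tmp-dir /dev/shm

{% if openvpn_client_scripts or openvpn_auth_user_pass_verify is defined %}
# level 2 is required for ANY user-defined script (auth-user-pass-verify as
# well as client-connect/client-disconnect); it still withholds the password
# from scripts, which only level 3 would expose through the environment
script-security 2
{% endif %}
{% if openvpn_auth_user_pass_verify is defined %}
# currently only validate that the username is the same as the common_name of the client certificate.
# The daemon runs as the openvpn user (set above), so /var/log/openvpn must be writable by that user for the script to log.
auth-user-pass-verify /etc/openvpn/scripts/{{ openvpn_auth_user_pass_verify }} via-env
{% endif %}
{% if openvpn_client_scripts %}
# connect and disconnect script to insert logs to postgres
client-connect /etc/openvpn/scripts/connect.py
client-disconnect /etc/openvpn/scripts/disconnect.py
{% endif %}

{% if openvpn_proto.startswith('tcp') %}
# TCP_NODELAY is generally a good latency optimization
tcp-nodelay
{% endif %}

# subnet -- Use a subnet rather than a point-to-point topology
topology subnet

{% if openvpn_ciphers is defined %}
{% if openvpn_installed_version is version('2.5', '>=') %}
# colon-separated list of ciphers negotiated with the client
data-ciphers {{ openvpn_ciphers }}
{% else %}
# pre-2.5 `cipher` takes a single algorithm; a colon-separated list meant for
# data-ciphers will not parse here
cipher {{ openvpn_ciphers }}
{% endif %}
{% endif %}
{% if openvpn_auth is defined %}
auth {{ openvpn_auth }}
{% endif %}

# management socket, for monitoring. The interface also accepts control
# commands (e.g. disconnecting clients), so access is limited to the
# monitoring account's UID.
management /run/openvpn/openvpn-socket unix
management-client-user zabbix

# NOTE(review): remote-cert-tls client, a tls-auth/tls-crypt key and
# tls-version-min are not set here; if the PKI issues client certificates with
# the client EKU, consider supplying them via openvpn_additional_config_list.
{% if openvpn_additional_config_list is defined %}

# additional config
{% for item in openvpn_additional_config_list %}
{{ item }}
{% endfor %}
{% endif %}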
|