@@ -4,3 +4,5 @@
which is located at:
http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
@@ -1,5 +1,5 @@
##############################################
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
@@ -105,20 +105,7 @@
# If a tls-auth key is used on the server
# then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1
# Set log file verbosity.
verb 3
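Review bot: The replacement line `;tls-auth ta.key 1` leaves the retained comment above it ("If a tls-auth key is used on the server then every client must also have the key") describing a directive that is now off by default, with nothing telling the user when to uncomment it. Suggest adding a line such as "# Uncomment if the server config enables tls-auth." The removed cipher block also carried the pointer to the data-ciphers option; a one-line pointer to the manpage could stay even though `cipher AES-256-CBC` goes.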
@@ -1,5 +1,5 @@
#################################################
-# Sample OpenVPN 2.0 config file for #
+# Sample OpenVPN 2.6 config file for #
# multi-client server. #
# #
# This file is for the server side #
@@ -47,15 +47,15 @@
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
-# have more than one. On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
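Review bot: "disable/open the firewall" in the first changed comment is ambiguous and still reads as advice to turn the firewall off, and the second changed comment keeps "selectively disable the Windows firewall for the TAP adapter". Suggest wording both in terms of allowing traffic, for example "unless you allow traffic on the TUN/TAP interface in the firewall", so the sample does not recommend disabling the firewall.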
@@ -66,8 +66,9 @@
# key file. The server and all clients will
# use the same ca file.
#
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
@@ -75,6 +76,13 @@
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint option.
+# See openvpn-examples man page for a
+# configuration example.
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
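Review bot: The added peer-fingerprint paragraph sits directly above the active `ca ca.crt` line but does not say whether that line is still needed in a self-signed setup, so a reader cannot tell which of the directives below to change. Suggest one sentence on what happens to `ca` in that mode, or a commented-out `;peer-fingerprint` placeholder next to it. Minor: "See openvpn-examples man page" is missing the article that the README hunk uses ("the openvpn-examples man page").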
@@ -89,7 +97,7 @@
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
-;topology subnet
+topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
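Review bot: Uncommenting `topology subnet` changes what the sample server does by default, but the commit message does not list it and the comment above still reads "Defaults to net30 (not recommended)" as if the line were optional. Suggest mentioning the change in the commit message and rewording the comment to say that the sample sets subnet explicitly. The retained reference to "Windows clients v2.0.9 and lower" is also a candidate for the "Remove/reword some old comments" cleanup.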
@@ -218,7 +226,7 @@
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
-# UNCOMMENT THIS LINE OUT.
+# UNCOMMENT THIS LINE.
;duplicate-cn
# The keepalive directive causes ping-like
@@ -241,26 +249,7 @@
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
-tls-auth ta.key 0 # This file is secret
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link and push the
-# option to the client (v2.4+ only, for earlier
-# versions see below)
-;compress lz4-v2
-;push "compress lz4-v2"
-
-# For compression compatible with older clients use comp-lzo
-# If you enable it here, you must also
-# enable it in the client config file.
-;comp-lzo
+;tls-auth ta.key 0 # This file is secret
# The maximum number of concurrently connected
# clients we want to allow.
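Review bot: `;tls-auth ta.key 0` turns the tls-auth key off in the server sample, a default change that the commit message (compression, cipher, comments, peer-fingerprint) does not mention. It is consistent with the client.conf hunk, but the reason should be recorded; suggest adding a bullet to the commit message. The message also says "data-cipher", while the comment removed from client.conf names the option data-ciphers and the one removed here says ncp-cipher; using the option's actual name in the commit message would avoid carrying the inconsistency forward.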
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/532?usp=email

to review the following change.

Change subject: samples: Update sample configurations
......................................................................

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-cipher with sane defaults.
- Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.

Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 21 insertions(+), 43 deletions(-)

    git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/1