#
# Default configuration for an OpenVPN *server* providing roaming access to
# the AUF virtual private network.
#
# For all options in detail: man openvpn
#
#
# DO NOT MODIFY THIS FILE! If you think a change is essential, contact
# thomas.noel@auf.org first to discuss it.
#

# Configuration local to this site
# --config
# Load additional config options from file where each line corresponds to one
# command line option, but with the leading '--' removed.
# AUF RPV: local configuration file (server IP addresses and settings pushed
# to the client), generated when auf-rpv is installed
config /etc/openvpn/server-nomad.conf.local

# Configuration common to all AUF RPV2 servers
# DO NOT MODIFY... If you notice a problem, report it to thomas.noel@auf.org
# so that he can study it as a whole.

# Debugging and miscellaneous
# --verb n
# Set output verbosity to n (default=1). Each level shows all info from the
# previous levels. Level 3 is recommended if you want a good summary of what's
# happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and
# write, uppercase is used for TCP/UDP packets and lowercase is used for
# TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on
# debug levels).
;verb 1
verb 5
# --syslog [progname]
# Direct log output to system logger, but do not become a daemon. See
# --daemon directive above for description of progname parameter.
syslog openvpn/nomad
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/tmp/openvpn-nomad-status.log

# Server mode on udp/1195, on a TUN device
# --mode m
# Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode
# ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which implements
# a multi-client server capability.
mode server
# --dev tunX | tapX | null
# TUN/TAP virtual network device (X can be omitted for a dynamic device.)
# tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
# You must use either tun devices on both ends of the connection or tap
# devices on both ends. You cannot mix them, as they represent different
# underlying protocols.
# AUF RPV: creation of a virtual IP interface named "nomad"
dev nomad
# --dev-type device-type
# Which device type are we using? device-type should be tun or tap. Use
# this option only if the TUN/TAP device used with --dev does not begin with
# tun or tap.
# AUF RPV: the interface will be a virtual IPv4 interface of type "tun"
dev-type tun
# --persist-tun
# Don't close and reopen TUN/TAP device or run up/down scripts across
# SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers
# finer-grained control over reset options.
persist-tun
# --proto p
# Use protocol p for communicating with remote host. p can be udp,
# tcp-client, or tcp-server.
# AUF RPV: tunnel over UDP/IP
proto udp
# --port port
# TCP/UDP port number for both local and remote. The current default of
# 1194 represents the official IANA port number assignment for OpenVPN and
# has been used since version 2.0-beta17. Previous versions used port 5000
# as the default.
# AUF RPV: by default, connect on port 1194
port 1194
# --comp-lzo
# Use fast LZO compression -- may add up to 1 byte per packet for
# incompressible data.
comp-lzo

# Timeouts for tearing down a tunnel
# --inactive n
# (Experimental) Causes OpenVPN to exit after n seconds of inactivity on the
# TUN/TAP device. The time length of inactivity is measured since the last
# incoming tunnel packet.
# AUF RPV: end the tunnel after one hour of inactivity
inactive 3600
# AUF RPV: force a one-hour inactivity timeout on connecting clients
push "inactive 3600"
# --ping n
# Ping remote over the TCP/UDP control channel if no packets have been sent
# for at least n seconds (specify --ping on both peers to cause ping packets
# to be sent in both directions since OpenVPN ping packets are not echoed
# like IP ping packets). When used in one of OpenVPN's secure modes (where
# --secret, --tls-server, or --tls-client is specified), the ping packet
# will be cryptographically secure.
# This option has two intended uses:
# (1) Compatibility with stateful firewalls. The periodic ping will
# ensure that a stateful firewall rule which allows OpenVPN UDP packets
# to pass will not time out.
# (2) To provide a basis for the remote to test the existence of
# its peer using the --ping-exit option.
# AUF RPV: send a "ping" to the peer every 10 seconds
ping 10
# AUF RPV: forced on the client
push "ping 10"
# --ping-exit n
# Causes OpenVPN to exit after n seconds pass without reception of a ping or
# other packet from remote. This option can be combined with --inactive,
# --ping, and --ping-exit to create a two-tiered inactivity disconnect.
# For example,
# openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
# when used on both peers will cause OpenVPN to exit within 60 seconds if
# its peer disconnects, but will exit after one hour if no actual tunnel data
# is exchanged.
# AUF RPV: drop the tunnel if there is no reply after two minutes
ping-exit 120
# AUF RPV: force the client to exit after only one minute
push "ping-exit 60"
# NOTE: the 4 ping/ping-exit lines above can also be written as:
#keepalive 10 120
# --ping-timer-rem
# Run the --ping-exit / --ping-restart timer only if we have a remote
# address. Use this option if you are starting the daemon in listen mode
# (i.e. without an explicit --remote peer), and you don't want to start
# clocking timeouts until a remote peer connects.
ping-timer-rem

# System hardening
# --mlock
# Disable paging by calling the POSIX mlockall function. Requires that
# OpenVPN be initially run as root (though OpenVPN can subsequently
# downgrade its UID using the --user option).
# Using this option ensures that key material and tunnel data are never
# written to disk due to virtual memory paging operations which occur under
# most modern operating systems. It ensures that even if an attacker was
# able to crack the box running OpenVPN, he would not be able to scan the
# system swap file to recover previously used ephemeral keys, which are used
# for a period of time governed by the --reneg options (see below), then are
# discarded.
# The downside of using --mlock is that it will reduce the amount of
# physical memory available to other applications.
#mlock
# --chroot dir
# Chroot to dir after initialization. --chroot essentially redefines dir as
# being the top level directory tree (/). OpenVPN will therefore be unable to
# access any files outside this tree. This can be desirable from a security
# standpoint.
# Since the chroot operation is delayed until after initialization, most
# OpenVPN options that reference files will operate in a pre-chroot context.
# In many cases, the dir parameter can point to an empty directory, however
# complications can result when scripts or restarts are executed after the
# chroot operation.
;chroot /var/lib/openvpn.nomad
# --up cmd
# Shell command to run after successful TUN/TAP device open (pre --user UID
# change). The up script is useful for specifying route commands which
# route IP traffic destined for private subnets which exist at the other
# end of the VPN connection into the tunnel.
# AUF RPV: this script disables rp_filter on the TUN interface and creates
# the chroot jail
;up /etc/openvpn/scripts/up-server
# AUF RPV: environment variable giving the location of the jail (used by
# the "up-server" script)
;setenv chroot_jail /var/lib/openvpn.nomad
# --user user
# Change the user ID of the OpenVPN process to user after initialization,
# dropping privileges in the process. This option is useful to protect
# the system in the event that some hostile party was able to gain control
# of an OpenVPN session. Though OpenVPN's security features make this
# unlikely, it is provided as a second line of defense.
# AUF RPV: the "openvpn" user has special rights
# FIXME: is this needed for the roaming server?
;user openvpn
user nobody
# --group group
# Similar to the --user option, this option changes the group ID of the
# OpenVPN process to group after initialization.
# AUF RPV: the "openvpn" group has special rights
# FIXME: is this needed for the roaming server?
;group openvpn
group nogroup

# Client addressing
# --ifconfig-pool-persist file [seconds]
# Persist/unpersist ifconfig-pool data to file, at seconds intervals
# (default=600), as well as on program startup and shutdown.
# The goal of this option is to provide a long-term association between
# clients (denoted by their common name) and the virtual IP address assigned
# to them from the ifconfig-pool. Maintaining a long-term association is good
# for clients because it allows them to effectively use the --persist-tun
# option.
# file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
# If seconds = 0, file will be treated as read-only. This is useful if you
# would like to treat file as a configuration file.
# Note that the entries in this file are treated by OpenVPN as suggestions
# only, based on past associations between a common name and IP address. They
# do not guarantee that the given common name will always receive the given
# IP address. If you want guaranteed assignment, use --ifconfig-push
# AUF RPV: as long as the jail is not rebuilt at every reboot, this is useful.
ifconfig-pool-persist /var/tmp/openvpn-server.leases 60

# Client connection: routing
push "route 10.0.0.0 255.0.0.0"

# Per-client configurations: not used for now, a place for tweaks;
# we will see later whether we need them...
client-config-dir /etc/openvpn/ccd
# --tmp-dir dir
# Specify a directory dir for temporary files. This directory will be used by
# --client-connect scripts to dynamically generate client-specific
# configuration files.
tmp-dir /tmp

# Strong authentication (TLS)
# --tls-server
# Enable TLS and assume server role during TLS handshake. Note that OpenVPN
# is designed as a peer-to-peer application. The designation of client or
# server is only for the purpose of negotiating the TLS control channel.
tls-server
# --ca file
# Certificate authority (CA) file in .pem format, also referred to as the
# root certificate. This file can have multiple certificates in .pem
# format, concatenated together.
# AUF RPV: concatenation of the certificates of all the CAs, generated
# automatically and periodically by "get-capath"
ca /etc/openvpn/ssl/all-ca.crt
# --cert file
# Local peer's signed certificate in .pem format -- must be signed by a
# certificate authority whose certificate is in --ca file.
# AUF RPV: certificate supplied by the local configuration package
cert /etc/openvpn/ssl/server.crt
# --key file
# Local peer's private key in .pem format. Use the private key which was
# generated when you built your peer's certificate (see -cert file above).
# AUF RPV: key supplied by the local configuration package
key /etc/openvpn/ssl/server.key
# --persist-key
# Don't re-read key files across SIGUSR1 or --ping-restart.
#
# This option can be combined with --user nobody to allow restarts triggered
# by the SIGUSR1 signal. Normally if you drop root privileges in
# OpenVPN, the daemon cannot be restarted since it will now be unable to
# re-read protected key files.
# This option solves the problem by persisting keys across SIGUSR1 resets, so
# they don't need to be re-read.
# AUF RPV: keys are not re-read while running (so the key does not have to be
# placed inside the chroot, for instance...)
persist-key
# --tls-verify cmd
# Execute shell command cmd to verify the X509 name of a pending TLS
# connection that has otherwise passed all other tests of certification.
# cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail.
# cmd is executed as
# cmd certificate_depth X509_NAME_oneline
# AUF RPV: this script checks the CN format and the validity of the certificate
# sent (in particular its revocation) via --tls-export-cert (see below)
;tls-verify /etc/openvpn/scripts/tls-verify-nomad
# --tls-export-cert: AUF RPV PATCH asking OpenVPN to write the certificate
# to a temporary file and to pass the file name in the "peercert"
# environment variable
;tls-export-cert /tmp
# --dh file
# File containing Diffie Hellman parameters in .pem format (required for
# --tls-server only).
dh /etc/openvpn/ssl/dh1024.pem
# --reneg-sec n
# Renegotiate data channel key after n seconds (default=3600).
# AUF RPV: renegotiation frequency: every 2 hours
reneg-sec 7200
# --hand-window n
# Handshake Window -- the TLS-based key exchange must finalize within n
# seconds of handshake initiation by any peer (default = 60 seconds). If the
# handshake fails we will attempt to reset our connection with our peer and
# try again. Even in the event of handshake failure we will still use our
# expiring key for up to --tran-window seconds to maintain continuity of
# transmission of tunnel data.
# AUF RPV: handshake window of two minutes for degraded links
hand-window 120
# --tls-auth file [direction]
# Add an additional layer of HMAC authentication on top of the TLS
# control channel to protect against DoS attacks.
#
# In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's
# TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC
# signature can be dropped immediately without response.
# FIXME: to be added!
# tls-auth /etc/openvpn/tls-auth.key
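Added example, not part of this configuration or of the auf-rpv package: a small Python linter that parses directives in the syntax used above (`#` or `;` comments, `push "..."` for settings forwarded to clients), checks the two-tiered inactivity disconnect described under --ping-exit on both the server side and the pushed client side, and reports the still-open tls-auth FIXME. SAMPLE_CONF is a constructed excerpt of this file's effective directives.

```python
# Lint the timer and TLS directives of an OpenVPN server config (added example).
import shlex

# Constructed excerpt of the effective (uncommented) directives of this file.
SAMPLE_CONF = """
inactive 3600
push "inactive 3600"
ping 10
push "ping 10"
ping-exit 120
push "ping-exit 60"
tls-server
# tls-auth /etc/openvpn/tls-auth.key
"""

def parse(text):
    """Return (server, client) dicts mapping directive -> argument list."""
    server, client = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both OpenVPN comment styles
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            inner = parts[1].split()  # the quoted directive sent to the client
            client[inner[0]] = inner[1:]
        else:
            server[parts[0]] = parts[1:]
    return server, client

def check(text):
    """Return a list of findings; an empty list means the timers are coherent."""
    server, client = parse(text)
    findings = []
    for side, d in (("server", server), ("client", client)):
        ping = int(d["ping"][0]) if "ping" in d else None
        dead = int(d["ping-exit"][0]) if "ping-exit" in d else None
        idle = int(d["inactive"][0]) if "inactive" in d else None
        # Tier 1 (dead peer): ping-exit must tolerate a few lost UDP pings.
        if ping is None or dead is None or dead < 2 * ping:
            findings.append(f"{side}: ping-exit should be set and >= 2 * ping")
        # Tier 2 (idle tunnel): inactive must be the slower of the two timers.
        if idle is not None and dead is not None and idle <= dead:
            findings.append(f"{side}: inactive must exceed ping-exit")
    if "tls-server" in server and "tls-auth" not in server:
        findings.append("server: tls-auth missing, control channel not HMAC-protected")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF) or ["OK"]))
```

Run against the real file with `check(open("/etc/openvpn/server-nomad.conf").read())` (path assumed); the `config` include is not followed, so pushed settings defined in the `.local` file must be checked separately.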