# openvpn server.conf - {{ ansible_managed }}
#
# Jinja2 template for the OpenVPN server configuration. All paths, the
# listen address, subnet, DNS servers and pushed routes come from Ansible
# variables (openvpn_conf_dir, openvpn_log_dir, openvpn_listen_ip,
# openvpn_subnet_cidr, openvpn_dns_servers, openvpn_routes, openvpn_groupname).
#
{#
SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}
# accounts and privilege dropping
# After initialisation the daemon drops to an unprivileged user/group.
# persist-key / persist-tun keep the key material and tun device open
# across SIGUSR1 restarts, which would otherwise fail once privileges are gone.
user nobody
group {{ openvpn_groupname }}
persist-key
persist-tun
# security
# Control channel: TLS 1.3 minimum (needs an OpenVPN/OpenSSL build that
# supports it — TODO confirm on the target distro).
# NOTE(review): `cipher` is the legacy data-channel setting; on OpenVPN 2.5+
# `data-ciphers` is the preferred way to pin an AEAD cipher list.
# With an AEAD cipher the `auth` digest only applies to the tls-auth HMAC.
tls-server
tls-version-min 1.3
cipher AES-256-GCM
auth SHA256
# CA
# Clients are validated against this chain; crl-verify rejects revoked client
# certs, so the CRL file must be kept current (TODO confirm its refresh path).
ca {{ openvpn_conf_dir }}/server/chain.pem
crl-verify {{ openvpn_conf_dir }}/server/ca.crl
# openVPN server
# dh.pem is only used for DHE key exchange; if ECDHE is negotiated it is
# unused and `dh none` would be acceptable.
cert {{ openvpn_conf_dir }}/server/openvpn_server.pem
key {{ openvpn_conf_dir }}/server/openvpn_server.key
dh {{ openvpn_conf_dir }}/server/dh.pem
# shared auth
# Pre-shared HMAC key on the control channel (server uses key direction 0,
# clients 1); packets without a valid HMAC are dropped before the TLS
# handshake. NOTE(review): tls-crypt additionally encrypts the control
# channel and may be worth considering as a successor.
tls-auth {{ openvpn_conf_dir }}/server/ta.key 0
# must connect with a verified client cert
# remote-cert-tls client requires the peer cert to carry a client
# (not server) key usage, so a leaked server cert cannot be used as a client.
# tls-cert-profile preferred restricts accepted cert signatures/key sizes.
# NOTE(review): opt-verify also appears in the Connection section below —
# the duplicate is harmless but one copy should be removed; the option is
# deprecated in recent OpenVPN releases (TODO confirm against the installed version).
opt-verify
remote-cert-tls client
verify-client-cert require
tls-cert-profile preferred
# Connection
# Named tun device, bound only to the configured listen address.
# keepalive: ping every 10 s, restart the link after 120 s without a reply.
dev openvpn
dev-type tun
local {{ openvpn_listen_ip }}
port 1194
proto udp
keepalive 10 120
max-clients 100
opt-verify
# IP config
# subnet topology: one address per client out of the pool derived from
# openvpn_subnet_cidr (network + netmask via the ipaddr filter).
topology subnet
server {{ openvpn_subnet_cidr | ipaddr('network') }} {{ openvpn_subnet_cidr | ipaddr('netmask') }}
# DHCP config
# One DNS server pushed per entry of openvpn_dns_servers.
{% for dnsserv in openvpn_dns_servers %}
push "dhcp-option DNS {{ dnsserv }}"
{% endfor %}
# routes
# Each CIDR in openvpn_routes is pushed to clients as network + netmask.
{% for route in openvpn_routes %}
push "route {{ route | ipaddr('network') }} {{ route | ipaddr('netmask') }}"
{% endfor %}
# notify clients on server restart
# UDP only: tells connected clients to reconnect instead of waiting for
# the keepalive timeout.
explicit-exit-notify 1
# logging
# NOTE(review): verb 4 is fairly chatty for a production server and records
# per-connection detail; consider lowering once the deployment is stable.
# mute 20 suppresses repeated messages of the same category after 20.
# ifconfig-pool-persist lets clients keep their pool address across restarts.
verb 4
mute 20
status {{ openvpn_log_dir }}/status.log
ifconfig-pool-persist {{ openvpn_log_dir }}/ipp.txt