templates/server.conf.j2

# openvpn server.conf - {{ ansible_managed }}
#
{#
SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}

# accounts and privilege dropping
user nobody
group {{ openvpn_groupname }}
persist-key
persist-tun

# security
tls-server
tls-version-min 1.3
cipher AES-256-GCM
auth SHA256

# CA
ca {{ openvpn_conf_dir }}/server/chain.pem
crl-verify {{ openvpn_conf_dir }}/server/ca.crl

# openVPN server
cert {{ openvpn_conf_dir }}/server/openvpn_server.pem
key {{ openvpn_conf_dir }}/server/openvpn_server.key
dh {{ openvpn_conf_dir }}/server/dh.pem

# shared auth
tls-auth {{ openvpn_conf_dir }}/server/ta.key 0

# must connect with a verified client cert
opt-verify
remote-cert-tls client
verify-client-cert require
tls-cert-profile preferred

# Connection
dev openvpn
dev-type tun
local {{ openvpn_listen_ip }}
port 1194
proto udp
keepalive 10 120
max-clients 100
opt-verify

# IP config
topology subnet
server {{ openvpn_subnet_cidr | ipaddr('network') }} {{ openvpn_subnet_cidr | ipaddr('netmask') }}

# DHCP config
{% for dnsserv in openvpn_dns_servers %}
push "dhcp-option DNS {{ dnsserv }}"
{% endfor %}

# routes
{% for route in openvpn_routes %}
push "route {{ route | ipaddr('network') }} {{ route | ipaddr('netmask') }}"
{% endfor %}

# notify clients on server restart
explicit-exit-notify 1

# logging
verb 4
mute 20
status {{ openvpn_log_dir }}/status.log
ifconfig-pool-persist {{ openvpn_log_dir }}/ipp.txt