# on Windows, if running as a service, they will go to # By default, log messages will go to the syslog (or # that may no longer be accessible because # daemon's privileges after initialization. # The maximum number of concurrently connected # to help block DoS attacks and UDP port flooding. # For extra security beyond that provided # peer is down if no ping received during # Ping every 10 seconds, assume that remote # messages to be sent back and forth over # The keepalive directive causes ping-like # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # each client should have its own certificate/key # might connect with the same certificate/key # Uncomment this directive if multiple clients # will also need to appropriately firewall the # To force clients to only see the server, you # By default, clients will only see the server. # clients to be able to "see" each other. # Uncomment this directive to allow different # Certain Windows-specific network settings # a more specific route than the default route # client's local DHCP server is reachable via # client's local DHCP server packets get routed # CAVEAT: May break client's network config if # the TUN/TAP interface to the internet in # (The OpenVPN server machine may need to NAT # all IP traffic such as web browsing and # network gateway through the VPN, causing # If enabled, this directive will configure # page for more info on learn-address script. # modify the firewall in response to access # (2) (Advanced) Create a script to dynamically # group, and firewall the TUN/TAP interface # (1) Run multiple OpenVPN daemons, one for each # firewall access policies for different groups # Suppose that you want to enable different # Thelonious a fixed VPN IP address of 10.9.0.1. # using "dev tun" and "server" directives.
# This will allow Thelonious' private subnet to # Then create a file ccd/Thelonious with this line: # also has a small subnet behind his connecting # having the certificate common name "Thelonious" # configuration files (see man page for more info). # use the subdirectory "ccd" for client-specific # subnet behind it that should also have VPN access, # clients or if a connecting client has a private # To assign specific IP addresses to specific # must set aside an IP range in this subnet # IP/netmask on the bridge interface, here we # to bridge the TAP interface with the ethernet # You must first use your OS's bridging capability # Configure server mode for ethernet bridging. # the same virtual IP address from the pool that was # is restarted, reconnecting clients can be assigned # Maintain a record of client virtual IP address # Each client will be able to reach the server # the rest will be made available to clients. # The server will take 10.8.0.1 for itself, # for OpenVPN to draw client addresses from.
# Configure server mode and supply a VPN subnet Key server.key # This file should be kept secret
# OpenVPN can also use a PKCS #12 formatted key file # Any X509 key management system can be used. # of scripts for generating RSA certificates
#MAC OS X VPN CLIENT OPENVPN SERIES#
# See the "easy-rsa" directory for a series # and the server must have their own cert and # SSL/TLS root certificate (ca), certificate # Non-Windows systems usually don't need this.
# you may need to selectively disable the # from the Network Connections panel if you
#MAC OS X VPN CLIENT OPENVPN WINDOWS#
# Windows needs the TAP-Windows adapter name # the firewall for the TUN/TAP interface. # On most systems, the VPN will not function # and bridged it with your ethernet interface. # and have precreated a tap0 virtual interface # Use "dev tap0" if you are ethernet bridging # "dev tap" will create an ethernet tunnel. # "dev tun" will create a routed IP tunnel, # on the same machine, use a different port # If you want to run multiple OpenVPN instances # Which TCP/UDP port should OpenVPN listen on? # Comments are preceded with '#' or ' ' # # "C:\\Program Files\\OpenVPN\\config\\foo.key" # # configurations (See the Examples page # Iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE