https://wiki.archlinux.org/index.php/Easy-rsa#OpenVPN_client_files
server.conf
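# OpenVPN server configuration: routed (tun) VPN over TCP port 1194,
# authenticated with X.509 certificates.
# Lines starting with ';' are disabled directives kept for reference.
# One directive per line: OpenVPN treats everything after a '#' or ';'
# token as a comment, so the directives cannot share a line.

# --- Listener and tunnel device ---
port 1194
;proto udp
proto tcp
dev tun

# --- PKI material ---
# The daemon reads these at startup, before dropping privileges (see
# user/group below), so the private key can be readable by root only.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/merlyn.crt
key /etc/openvpn/merlyn.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
# NOTE(review): nothing here restricts which certificates signed by this CA
# are accepted as clients. `remote-cert-tls client` would require the
# client-auth key usage; confirm the issued client certificates carry it
# before enabling.

# --- Addressing and routing ---
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# NOTE(review): client-to-client makes OpenVPN forward traffic between
# clients internally, so that traffic never reaches the host firewall.
# Disable it unless clients genuinely need to reach each other.
client-to-client
# Left disabled: each client must present its own certificate.
;duplicate-cn
# Ping the peer every 10 s; treat it as down after 120 s of silence.
keepalive 10 120

# --- Control-channel hardening ---
# NOTE(review): tls-auth is disabled, so unauthenticated peers can start a
# TLS handshake with the server. Enabling it needs the same ta.key on both
# ends (direction 0 here, 1 on the client), so switch both configs together.
;tls-auth /etc/openvpn/ta.key 0 # This file is secret

# --- Data-channel cipher examples (all disabled) ---
# BF-CBC and DES-EDE3-CBC are 64-bit block ciphers; keep them disabled.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# NOTE(review): compression before encryption can leak plaintext through
# packet sizes (compression-oracle attacks). The setting has to match on both
# ends, so remove it from server and client in the same change.
comp-lzo

max-clients 3

# --- Privilege drop ---
# Run unprivileged after initialisation. persist-key/persist-tun keep the key
# and tun device open across restarts, since 'nobody' cannot reopen them.
user nobody
group nobody
persist-key
persist-tun

# --- Logging ---
status /var/log/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20

# --- Active crypto settings ---
# The client configuration must use the same cipher.
# NOTE(review): AES-256-CBC relies on the separate HMAC (auth) for integrity;
# if both ends run OpenVPN 2.4 or later, an AES-GCM data cipher is preferable.
cipher AES-256-CBC
# NOTE(review): the three hardening directives below are disabled, so the HMAC
# digest, minimum TLS version and TLS cipher list fall back to defaults.
# `tls-version-min 1.2` is the first one to consider enabling. `auth` must be
# changed on the client at the same time. The tls-cipher list still contains
# CBC-SHA suites; trim it to the GCM entries if it is ever enabled.
;auth SHA512
;tls-version-min 1.2
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA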
client.conf
# OpenVPN client configuration: connects over TCP to the server on port 1194
# through a routed (tun) device, authenticating with an X.509 certificate.
# Lines starting with ';' are disabled directives kept for reference.

# --- Role, device and transport ---
client
dev tun
proto tcp

# --- Server endpoint ---
remote 54.223.70.150 1194
;remote my-server-2 1194
;remote-random
# Keep retrying name resolution indefinitely; do not bind a fixed local port.
resolv-retry infinite
nobind

# --- Privilege drop ---
# Run unprivileged after initialisation. persist-key/persist-tun keep the key
# and tun device open across restarts, since 'nobody' cannot reopen them.
user nobody
group nobody
persist-key
persist-tun

# --- Optional HTTP proxy (disabled) ---
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

# --- PKI material ---
# client1.key is this client's private key: keep it readable by root only
# and issue a separate certificate/key pair for every client.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key

# Accept only a peer certificate marked for server use, so that a holder of
# another certificate from the same CA cannot pose as the server.
remote-cert-tls server

# NOTE(review): tls-auth is disabled. If it is enabled, the server needs the
# same ta.key with direction 0, so change both configs together.
;tls-auth /etc/openvpn/ta.key 1

# --- Data channel ---
# The cipher must match the server's setting.
;cipher x
cipher AES-256-CBC
# NOTE(review): compression before encryption can leak plaintext through
# packet sizes. The setting has to match the server, so remove it on both ends
# in the same change.
comp-lzo

# --- Logging ---
verb 3
;mute 20
