Content #
- persist-tun and persist-key
Instruct OpenVPN to neither reopen the tun device, nor generate new keying material whenever the tunnel is restarted. These options are particularly useful in combination with user nobody, as the user nobody normally does not have the access rights to open a new tun interface.
- keepalive 10 60
This is used to make sure that the VPN connection remains up, even if there is no traffic flowing over the tunnel. The keepalive statement is a macro for the ping and ping-restart commands. The statement keepalive 10 60 in a server-side configuration expands to:
```
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
```
The preceding statements mean:
- Send a ping message to each client every 10 seconds
- Restart the connection if a client does not respond within 120 seconds (twice the 60 seconds given: 2 * 60 = 120)
- Push the statements ping 10 and ping-restart 60 to each client
- dh <path to Diffie Hellman file>
This specifies the path to the DH file that is required for the OpenVPN server. Without this file, the server cannot establish a secure TLS connection with the clients. It is advisable to use an absolute path for this file.
- ca <path to CA file>
This specifies the path to the CA file. The CA file needs to contain the CA certificate (or even set of certificates) that was used to sign the client certificates. It does not necessarily have to be the same CA as the one that was used to sign the server certificate. It is advisable to use an absolute path for this file.
- cert <path to X.509 certificate file>
This specifies the path to the server X.509 public certificate file. This certificate is needed by the OpenVPN server, even if the clients are connecting without using certificates. It is advisable to use an absolute path for this file.
- key <path to private key file>
This specifies the path to the server private key file. This private key file is needed by the OpenVPN server, even if the clients are connecting without using certificates or private keys. This file needs to be readable by the root (or administrator) user only, as anyone with read access to private keys can decrypt OpenVPN traffic. Note that OpenVPN will read this file before dropping user privileges. It is advisable to use an absolute path for this file.
- user nobody and group nobody
This instructs OpenVPN to drop to the Unix user nobody and group nobody after the connection has come up. This further enhances security, as an attack on the tunnel is then less likely to result in a root compromise. Note that on Debian/Ubuntu the group nogroup is used instead.
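A small lint script, added here as an example and not taken from the book or from OpenVPN itself, that checks a server configuration against the points above: absolute paths for dh/ca/cert/key, owner-only permissions on the private key, and persist-tun/persist-key whenever user is set; it also expands a keepalive line the way the text describes. The function names and the config file path are assumptions.

```shell
# Hypothetical lint helper (added example, not from the book or OpenVPN):
# checks a server config for the points discussed above.

# Expand "keepalive N M" into the statements it stands for on a server:
# ping-restart is 2*M locally, M is pushed to clients.
expand_keepalive() {
  n="$1"; m="$2"
  printf 'ping %s\nping-restart %s\npush "ping %s"\npush "ping-restart %s"\n' \
    "$n" "$((2 * m))" "$n" "$m"
}

# Value of the first occurrence of option $2 in config file $1.
conf_value() {
  awk -v o="$2" '$1 == o { print $2; exit }' "$1"
}

# Print one finding per line; the return code is the number of findings.
lint_ovpn_conf() {
  conf="$1"; findings=0
  for opt in dh ca cert key; do
    path=$(conf_value "$conf" "$opt")
    if [ -z "$path" ]; then
      echo "$opt: missing"; findings=$((findings + 1))
    elif [ "${path#/}" = "$path" ]; then
      echo "$opt: relative path '$path', use an absolute path"; findings=$((findings + 1))
    fi
  done
  # The private key is read as root before privileges drop; only root needs it.
  path=$(conf_value "$conf" key)
  if [ -f "$path" ]; then
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
      600|400) ;;
      *) echo "key: mode $mode on $path, expected 600 or 400"; findings=$((findings + 1)) ;;
    esac
  fi
  # After "user nobody" the daemon cannot reopen tun or reread the key on restart.
  if grep -q '^user ' "$conf"; then
    for opt in persist-tun persist-key; do
      grep -q "^$opt" "$conf" || { echo "$opt: missing while 'user' is set"; findings=$((findings + 1)); }
    done
  fi
  return "$findings"
}

# Usage: sh lint.sh /etc/openvpn/server.conf  (path is an assumption)
[ -z "${1:-}" ] || lint_ovpn_conf "$1"
```

The exit status equals the number of findings, so the script can gate a deployment step.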
From #
Mastering OpenVPN