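# OpenVPN server configuration (Jinja2 template).
# Every {% if %} block keys off a template variable and falls back to a
# commented-out marker so the rendered file still shows what was disabled.
#
# Review notes on the security-relevant choices (unchanged here):
#  - The control channel is protected with tls-auth (HMAC only). tls-crypt would
#    additionally encrypt it, but needs a matching change on every client, so it
#    is not switched in this template.
#  - AES-256-CBC stays in the data-cipher list as a fallback for clients that
#    cannot negotiate an AEAD cipher; remove it once all clients support GCM/ChaCha.
#  - The management interface is enabled without a password file; see the note
#    on that block.

dev tun
proto {{ protocol }}
{% if protocol == 'tcp' %}
# `server` (below) already implies tls-server; kept for explicitness on TCP.
tls-server
{% else %}
# UDP only: notify clients on server shutdown so they reconnect promptly.
# The commented-out duplicate of this directive was dropped: OpenVPN comments are
# line-oriented, so a leading `#` would have silenced the live directive too.
explicit-exit-notify 1
{% endif %}
port {{ port }}

# Keys
ca {{ ca_path }}
cert {{ srv_cert_path }}
key {{ srv_key_path }}
dh {{ dh_path }}
# Key direction 0 on the server; client configs must use direction 1.
tls-auth {{ ta_path }} 0

{% if tun_mtu %}
tun-mtu {{ tun_mtu }}
{% endif %}
{% if mssfix %}
mssfix {{ mssfix }}
{% endif %}

# Network topology
topology subnet
server {{ vpn_network }} {{ vpn_netmask }}
# NOTE(review): with duplicate-cn enabled several sessions share one CN and only
# one of them can receive the persisted address — confirm this is intended.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# `log` truncates the file at startup and `log-append` reopens it in append mode;
# both point at the same path, as in the original. Keeping only `log-append`
# would preserve history across restarts — left unchanged to avoid altering
# current behaviour.
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 3

# Use Extended Status Output
status /etc/openvpn/openvpn-status.log 5
status-version 2

# Tunneling Mode
{% if tunnel_type == 'FULL' %}
# Full tunneling mode - all routes through VPN.
# Comment kept on its own line: OpenVPN only reliably treats `#` at the start of
# a line as a comment, so trailing comments after a directive are avoided.
# NOTE(review): unless user_defined_dns (below) pushes a resolver, clients may
# still resolve names through their local DNS — confirm that is acceptable.
push "redirect-gateway def1 bypass-dhcp"
{% else %}
# Split tunneling mode
{% for route in split_routes %}
push "route {{ route }}"
{% endfor %}
{% endif %}

# DNS Configuration
{% if user_defined_dns %}
{% for dns in dns_servers %}
push "dhcp-option DNS {{ dns }}"
{% endfor %}
{% endif %}

# Client-to-client communication
{% if client_to_client %}
# Peers can reach each other through the server; restrict with host firewall
# rules on the tun interface if that is not wanted for every client.
client-to-client
{% else %}
# client-to-client disabled
{% endif %}

# Drop privileges after initialisation (requires persist-key/persist-tun below).
user nobody
group nogroup

# Allow same profile on multiple devices simultaneously
{% if duplicate_cn %}
# Sessions sharing a CN are indistinguishable in logs and status output.
duplicate-cn
{% else %}
# duplicate-cn disabled
{% endif %}

# data protection
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
# HMAC used for tls-auth and for the CBC fallback; AEAD ciphers ignore it.
auth SHA256
keepalive 10 120
# Needed because privileges are dropped above: keys and the tun device are kept
# across SIGUSR1 restarts instead of being re-read/re-opened as `nobody`.
persist-key
persist-tun

# check revocation list
{% if crl_verify %}
crl-verify /etc/openvpn/crl.pem
{% else %}
# crl-verify disabled — revoked client certificates remain accepted until this
# is enabled.
{% endif %}

# Script Security Level
{% if user_defined_cdscripts %}
# Level 2 permits calling external scripts. The paths are interpolated verbatim
# inside double quotes, so a value containing `"` would break the directive;
# they must come from trusted deployment configuration only.
script-security 2
# Client Connect Script
{% if connect_script %}
client-connect "{{ connect_script }}"
{% endif %}
# Client Disconnect Script
{% if disconnect_script %}
client-disconnect "{{ disconnect_script }}"
{% endif %}
{% endif %}

# Enable Management Interface
{% if management_interface %}
# No password file is passed, so anything that can reach this address:port can
# drive the daemon (kill sessions, read status). Bind it to 127.0.0.1 or a unix
# socket unless a password file or management-client-auth is added.
management {{ management_interface_address }} {{ management_port }}
{% endif %}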