# OpenVPN Server Configuration (521-bit secp521r1-based)
# from one of the Denmark server's instances
# ==============================================
# Directives are as deployed; only the comments were revised. Points that
# cannot be confirmed from this file alone are marked NOTE(review).

# User/Group Permissions
# ---------------------
user openvpn          # Drop privileges to the openvpn user after startup
group network         # Run under the 'network' group
# All scripts referenced below (auth.sh, session_up.sh, session_down.sh)
# therefore run as openvpn:network, not as root.
writepid /var/run/openvpn-server/37.120.232.44-secp521r1secp521r1udp.pid # PID file
daemon                # Detach and run as a daemon

# Network Configuration
# --------------------
proto udp             # UDP protocol (lower latency/overhead than TCP)
local 37.120.232.44   # Bind to this specific address only
port 5060             # Listen on this port
dev tun3
# We specify an exact tun# instead of auto-assignment because:
# - 'dev tun' auto-assignment maxes out at 255 devices
# - Some servers need more than 255 VPN instances

# Session Persistence
# ------------------
# persist-key keeps key material in memory across SIGUSR1 restarts. It is
# required here: after the privilege drop above the key files may no longer
# be readable by the daemon.
persist-key
push "persist-key"    # Tell clients to do the same
persist-tun           # Keep the tun device open across restarts
push "persist-tun"    # Tell clients to do the same
fast-io               # Optimised I/O path for high throughput (non-Windows only)

# Cryptographic Material
# ----------------------
ca /etc/openvpn/ca-secp521r1.crt          # CA certificate (ECDSA secp521r1)
cert /etc/openvpn/denmark-secp521r1.crt   # Server certificate
key /etc/openvpn/denmark-secp521r1.key    # Server private key (read before privileges are dropped)

# Security Scripts
# ---------------
script-security 2     # Allow built-in executables and user-defined scripts
# NOTE(review): as the script-security levels are documented, level 2 does
# not export the client's password to scripts -- that needs level 3 (which
# the manual marks "potentially unsafe"). If auth.sh expects the token in the
# "password" environment variable, verify it is actually present: with verb 0
# and log /dev/null the warning OpenVPN emits when it withholds the variable
# is never seen. Not applicable if the token is carried in the username.
auth-user-pass-verify /etc/openvpn/auth.sh via-env
# Validates access tokens. Also re-run on every key renegotiation (see
# reneg-sec), so clients must keep their credentials cached between rekeys.
# NOTE(review): the OpenVPN manual recommends via-file over via-env, because
# via-env places the credential in the script's process environment.
client-connect /etc/openvpn/session_up.sh
# On connect:
# - Increment session counter
# - Tell client to use the VPN server's DNS
#   (10.31.33.8 / 2001:db8::8)
# - Tell Windows clients to use block-outside-dns
#   (to prevent DNS leaks)
# The per-client push directives produced by this script are written to a
# file that OpenVPN creates under tmp-dir (see below).
client-disconnect /etc/openvpn/session_down.sh
# On disconnect:
# - Decrement session counter
# - Remove client's port forwards
# - Clean changemyip entries
# - Clear conntrack entries
#   (Mitigates Port Shadowing along with isolated SNAT ranges)
# NOTE(review): removing port forwards and conntrack entries needs more than
# the openvpn user has after the privilege drop, so this script presumably
# escalates through some helper (sudo, a privileged socket, ...). That helper
# is reachable with environment values supplied by authenticated clients;
# confirm it validates what it receives.

# Network Topology
# ---------------
tmp-dir /tmp          # Temporary directory (ramdisk) for per-client files
# NOTE(review): /tmp is a shared, world-writable namespace. A dedicated
# directory owned by the openvpn user with mode 0700 limits what other local
# processes can observe or race against.
topology subnet       # Subnet topology: one address per client, no /30 pairs
server 10.66.2.0/24 255.255.255.0
# Private subnet for this instance (each instance gets its own /24).
# NOTE(review): the network is given both in CIDR form and with a netmask;
# --server takes a dotted network and a netmask. If this is verbatim, confirm
# the deployed version parses it (older versions try to resolve the first
# argument as a host name and fail at startup).
push "redirect-gateway def1"   # Route all client IPv4 traffic through the VPN
# NOTE(review): without the "ipv6" flag (and with no server-ipv6 here) IPv6
# is not redirected by this line; IPv6 leak prevention must come from the
# client configuration or from what session_up.sh pushes -- confirm.

# Client Authentication
# --------------------
verify-client-cert none   # No client certificates (token auth via auth.sh)
# With no client certificates, the only thing gating the TLS handshake is the
# tls-crypt-v2 client key (and the shared tls-crypt key, see below); access
# itself is decided by auth.sh.

# Connection Maintenance
# ---------------------
keepalive 20 60       # Server side: ping 20, ping-restart 120 (2x);
                      # pushes "ping 20" / "ping-restart 60" to clients
max-clients 3000      # Maximum concurrent clients
# NOTE(review): the /24 pool above yields roughly 250 client addresses, so
# this limit cannot be reached on one instance unless addresses are assigned
# some other way (for example by session_up.sh).
reneg-sec 1200        # Rekey interval (1200s = 20min); auth.sh runs again on each rekey

# Cryptographic Settings
# ---------------------
cipher AES-256-GCM    # Data-channel cipher for clients that cannot negotiate
                      # (deprecated on 2.5+ servers in favour of data-ciphers-fallback)
data-ciphers CHACHA20-POLY1305:AES-256-GCM
# Negotiable data-channel ciphers. The first entry in this list that the
# client also supports is selected, so the order here is the preference.
# (Forward secrecy comes from the ECDHE key exchange in the TLS suites
# below, not from this list.)
tls-crypt-v2 /etc/openvpn/tcv2.key   # Per-client control-channel wrapping keys
tls-server            # Run as TLS server
tls-version-min 1.2   # Minimum TLS version
tls-version-max 1.3   # Maximum TLS version (needs OpenSSL 1.1.1+)
tls-crypt /etc/openvpn/tc.key        # Shared static tls-crypt key (fallback)
# NOTE(review): a shared tc.key lets any holder of that one key reach the TLS
# handshake, which weakens the per-client gating that tls-crypt-v2 provides.
# Confirm the deployed OpenVPN version accepts both directives on one server
# and whether the fallback is still needed.
# For TLS 1.2 -- ECDHE+ECDSA AEAD suites only (matches the ECDSA CA)
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# For TLS 1.3
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
tls-exit              # Exit on TLS negotiation failure
# NOTE(review): the manual only says "exit on TLS negotiation failure";
# confirm what that means for a multi-client server before relying on it.

# Performance
# ----------
compress migrate      # Tell clients with very old configs to stop compressing
                      # (compression directives will be removed sometime soon)

# Logging
# -------
verb 0                # Minimal logging (fatal errors only)
mute 2                # Limit repeated messages
status /var/log/openvpn/37.120.232.44secp521r1secp521r1udp-status.log 1 # Status file, rewritten every second
# Note: /var/log is mounted as a tmpfs
# - Stores connection stats in RAM only
# - Used for counting users (replaces management interface)
# - No privacy difference from management interface
# - All data lost on server shutdown
status-version 2      # Use status file format v2
log /dev/null         # Discard main logs
# NOTE(review): with verb 0 and the log discarded, warnings (including the
# script-security one noted above) are never visible; daemon health has to
# be monitored from outside the process.