# OpenVPN Server Configuration (8192-bit RSA-based with 521-bit ECDSA CA)
# =====================================================
# One server instance per (local IP, proto, port) tuple; this file is the
# 37.120.232.44 / udp / 1194 instance. Comments after a directive are
# ordinary OpenVPN trailing comments ('#' after whitespace).

# User/Group Permissions
# ---------------------
# Privileges are dropped after the tun device and key files are opened,
# which is why persist-key / persist-tun below are mandatory with these.
user openvpn                                  # Drop privileges to openvpn user
group network                                 # Run under 'network' group
writepid /var/run/openvpn-server/37.120.232.44-rsasecp521r1udp-1194.pid  # PID file (written before privilege drop)
daemon                                        # Run as daemon

# Network Configuration
# --------------------
proto udp                                     # UDP protocol for better performance
local 37.120.232.44                           # Bind to this specific IP only
port 1194                                     # Standard OpenVPN port
dev tun1
# We specify exact tun# instead of auto-assignment because:
# - 'dev tun' auto-assignment maxes out at 255 devices
# - Some servers need more than 255 VPN instances
# The number must be unique per instance on this host.

# Session Persistence
# ------------------
persist-key                                   # Keep TLS key across restarts (key files are unreadable after 'user openvpn')
push "persist-key"                            # Tell clients to do the same
persist-tun                                   # Keep tun device across restarts (tun cannot be reopened as openvpn user)
push "persist-tun"                            # Tell clients to do the same
fast-io                                       # Optimize for high-throughput environments (UDP only)

# Cryptographic Material (Mixed RSA/ECDSA)
# ----------------------------------------
# CA and server certificate use different key types: that is fine for TLS
# (the CA signs, the server key does the handshake), but every tls-cipher
# suite below must be an *-RSA-* suite to match the server key.
ca /etc/openvpn/ca-secp521r1.crt              # CA certificate (ECDSA secp521r1)
cert /etc/openvpn/denmark-rsa.crt             # Server certificate (8192-bit RSA)
key /etc/openvpn/denmark-rsa.key              # Server private key (8192-bit RSA); keep mode 0600
dh /etc/openvpn/dh.pem                        # DH parameters, 8192-bit (needed only for the DHE-RSA suite in tls-cipher)

# Security Scripts
# ---------------
# NOTE(review): level 2 allows user scripts but OpenVPN withholds the
# 'password' environment variable from scripts below script-security 3,
# so with 'via-env' auth.sh receives the username only. If auth.sh reads
# $password this check cannot be doing what the comment says — either
# raise to 'script-security 3' (environment is inherited by anything
# auth.sh spawns) or switch to 'via-file' (credentials are handed over in
# a private temp file under tmp-dir, which is why tmp-dir should then not
# be the shared /tmp). Confirm which one auth.sh expects before changing.
script-security 2                             # Allow execution of user scripts
auth-user-pass-verify /etc/openvpn/auth.sh via-env
# Validate access tokens. Also runs on every key renegotiation
# (see reneg-sec); auth-gen-token would let renegotiations be
# satisfied with a server-issued token instead of re-sending the
# static token. This script is the ONLY client authentication on
# this instance (see verify-client-cert none).
client-connect /etc/openvpn/session_up.sh
# On connect:
# - Increment session counter
# - Tell client to use the VPN server's DNS
#   (10.31.33.8 / 2001:db8::8)
#   NOTE(review): no server-ipv6 / redirect-gateway ipv6 is configured
#   here, so an IPv6 resolver is only reachable, and IPv6 traffic only
#   tunnelled, if that is handled elsewhere — verify, otherwise
#   dual-stack clients keep using their native IPv6 path.
# - Tell Windows clients to use block-outside-dns
#   (to prevent DNS leaks)
client-disconnect /etc/openvpn/session_down.sh
# On disconnect:
# - Decrement session counter
# - Remove client's port forwards
# - Clean changemyip entries
# - Clear conntrack entries
#   (Mitigates Port Shadowing along with isolated SNAT ranges)

# Network Topology
# ---------------
tmp-dir /tmp
# Temporary directory (ramdisk). Used for client-connect dynamic config
# files and, with via-file, for credential hand-off. /tmp is shared and
# world-writable; a dedicated directory owned by openvpn:network is the
# safer choice. Must be writable by 'openvpn' after the privilege drop.
topology subnet                               # Use subnet topology
server 10.66.0.0/24 255.255.255.0
# Private subnet for this instance (each instance gets its own /24).
# NOTE(review): the server directive takes <network> <netmask>; the
# '/24' suffix on the network argument is likely rejected at parse time
# by OpenVPN's address parser — confirm against the running version,
# and if so write 'server 10.66.0.0 255.255.255.0'.
push "redirect-gateway def1"                  # Redirect all client IPv4 traffic through VPN

# Client Authentication
# --------------------
verify-client-cert none
# No client certs (using token auth). Anyone holding ta.key can complete
# the handshake and reach auth.sh, so auth.sh is the sole gate; a
# compromised ta.key only removes the pre-auth packet filter.

# Connection Maintenance
# ---------------------
keepalive 20 60
# Pushes 'ping 20' / 'ping-restart 60' to clients; the server itself
# uses 2x the timeout (120s) so that clients always time out first.
max-clients 3000
# Maximum concurrent clients. NOTE(review): a /24 in subnet topology
# yields roughly 250 pool addresses, so this is never the effective
# limit; once the pool is exhausted further clients are rejected only
# after they have authenticated. Align it with the pool (or enlarge the
# pool) so the limit is enforced before TLS and auth work is spent.
reneg-sec 1200                                # Rekey interval (1200s = 20min); each rekey re-runs auth.sh

# Cryptographic Settings (RSA-specific)
# ------------------------------------
auth SHA512                                   # HMAC for the CBC data cipher and for tls-auth; ignored by the AEAD ciphers
cipher AES-256-CBC                            # Fallback for clients without cipher negotiation (deprecated in favour of data-ciphers-fallback)
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC  # Negotiable ciphers, preference order left to right
key-direction 1
# Required for tls-auth. NOTE(review): the documented convention is 0 on
# the server and 1 on clients; with 1 here every client must use 0 (or
# 'tls-auth ta.key 0'). A mismatch silently drops handshake packets, and
# with 'verb 0' below nothing will be logged about it.

# TLS Configuration
# -----------------
tls-server                                    # Run as TLS server
tls-version-min 1.2                           # Minimum TLS version
tls-version-max 1.3                           # Maximum TLS version
tls-auth /etc/openvpn/ta.key                  # Static TLS HMAC key (legacy tls-crypt alternative: authenticates but does not encrypt the control channel)

# Cipher Suites
# -------------
# For TLS 1.2 (RSA-specific) only; TLS 1.3 suites are controlled by
# tls-ciphersuites (library default here).
tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# - Includes DHE-RSA for FFS when CBC is negotiated
# - ECDHE-RSA preferred for modern clients
# - The DHE-RSA-AES-256-CBC-SHA suite is SHA-1/CBC; keep it only while
#   clients that need it actually exist, then drop it (and dh.pem).
tls-exit
# Exit on TLS negotiation failure. NOTE(review): verify the scope of this
# on a multi-client server — it must affect only the failing client
# instance, not the daemon, otherwise any peer that can reach the port
# can take the whole instance down.

# Performance
# ----------
compress migrate
# Transition from legacy compression: server does not compress and moves
# connecting clients off compression. Remove once all clients no longer
# set a compress option.

# Logging
# -------
# NOTE(review): verb 0 plus 'log /dev/null' leaves no record of auth
# failures, TLS errors or script failures; the status file is the only
# observable. This is a deliberate privacy trade-off — be aware it also
# removes any ability to triage an incident on this instance.
verb 0                                        # Minimal logging
mute 2                                        # Limit repeated messages
status /var/log/openvpn/37.120.232.44rsasecp521r1udp-status.log 1  # Status log, rewritten every 1s
# Note: /var/log is mounted as a tmpfs
# - Stores connection stats in RAM only
# - Used for counting users (replaces management interface)
# - No privacy difference from management interface
# - All data lost on server shutdown
status-version 2                              # Use status file format v2
log /dev/null                                 # Discard main logs