openwrt/package/network/services/openvpn/files/openvpn.config

package openvpn

#################################################
# Sample to include a custom config file.       #
#################################################

config openvpn custom_config

	# Set to 1 to enable this instance:
	option enabled 0

	# Include OpenVPN configuration
	option config /etc/openvpn/my-vpn.conf


#################################################
# Sample OpenVPN 2.0 uci config for             #
# multi-client server.                          #
#################################################

config openvpn sample_server

	# Set to 1 to enable this instance:
	option enabled 0

	# Which local IP address should OpenVPN
	# listen on? (optional)
#	option local 0.0.0.0

	# Which TCP/UDP port should OpenVPN listen on?
	# If you want to run multiple OpenVPN instances
	# on the same machine, use a different port
	# number for each one.  You will need to
	# open up this port on your firewall.
	option port 1194

	# TCP or UDP server?
#	option proto tcp
	option proto udp

	# "dev tun" will create a routed IP tunnel,
	# "dev tap" will create an ethernet tunnel.
	# Use "dev tap0" if you are ethernet bridging
	# and have precreated a tap0 virtual interface
	# and bridged it with your ethernet interface.
	# If you want to control access policies
	# over the VPN, you must create firewall
	# rules for the the TUN/TAP interface.
	# On non-Windows systems, you can give
	# an explicit unit number, such as tun0.
	# On Windows, use "dev-node" for this.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface.
#	option dev tap
	option dev tun

	# SSL/TLS root certificate (ca), certificate
	# (cert), and private key (key).  Each client
	# and the server must have their own cert and
	# key file.  The server and all clients will
	# use the same ca file.
	#
	# See the "easy-rsa" directory for a series
	# of scripts for generating RSA certificates
	# and private keys.  Remember to use
	# a unique Common Name for the server
	# and each of the client certificates.
	#
	# Any X509 key management system can be used.
	# OpenVPN can also use a PKCS #12 formatted key file
	# (see "pkcs12" directive in man page).
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/server.crt
	# This file should be kept secret:
	option key /etc/openvpn/server.key

	# Diffie hellman parameters.
	# Generate your own with:
	#   openssl dhparam -out dh1024.pem 1024
	# Substitute 2048 for 1024 if you are using
	# 2048 bit keys.
	option dh /etc/openvpn/dh1024.pem

	# Configure server mode and supply a VPN subnet
	# for OpenVPN to draw client addresses from.
	# The server will take 10.8.0.1 for itself,
	# the rest will be made available to clients.
	# Each client will be able to reach the server
	# on 10.8.0.1. Comment this line out if you are
	# ethernet bridging. See the man page for more info.
	option server "10.8.0.0 255.255.255.0"

	# Maintain a record of client <-> virtual IP address
	# associations in this file.  If OpenVPN goes down or
	# is restarted, reconnecting clients can be assigned
	# the same virtual IP address from the pool that was
	# previously assigned.
	option ifconfig_pool_persist /tmp/ipp.txt

	# Configure server mode for ethernet bridging.
	# You must first use your OS's bridging capability
	# to bridge the TAP interface with the ethernet
	# NIC interface.  Then you must manually set the
	# IP/netmask on the bridge interface, here we
	# assume 10.8.0.4/255.255.255.0.  Finally we
	# must set aside an IP range in this subnet
	# (start=10.8.0.50 end=10.8.0.100) to allocate
	# to connecting clients.  Leave this line commented
	# out unless you are ethernet bridging.
#	option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"

	# Push routes to the client to allow it
	# to reach other private subnets behind
	# the server.  Remember that these
	# private subnets will also need
	# to know to route the OpenVPN client
	# address pool (10.8.0.0/255.255.255.0)
	# back to the OpenVPN server.
#	list push "route 192.168.10.0 255.255.255.0"
#	list push "route 192.168.20.0 255.255.255.0"

	# To assign specific IP addresses to specific
	# clients or if a connecting client has a private
	# subnet behind it that should also have VPN access,
	# use the subdirectory "ccd" for client-specific
	# configuration files (see man page for more info).

	# EXAMPLE: Suppose the client
	# having the certificate common name "Thelonious"
	# also has a small subnet behind his connecting
	# machine, such as 192.168.40.128/255.255.255.248.
	# First, uncomment out these lines:
#	option client_config_dir /etc/openvpn/ccd
#	list route "192.168.40.128 255.255.255.248"
	# Then create a file ccd/Thelonious with this line:
	#   iroute 192.168.40.128 255.255.255.248
	# This will allow Thelonious' private subnet to
	# access the VPN.  This example will only work
	# if you are routing, not bridging, i.e. you are
	# using "dev tun" and "server" directives.

	# EXAMPLE: Suppose you want to give
	# Thelonious a fixed VPN IP address of 10.9.0.1.
	# First uncomment out these lines:
#	option client_config_dir /etc/openvpn/ccd
#	list route "10.9.0.0 255.255.255.252"
#	list route "192.168.100.0 255.255.255.0"
	# Then add this line to ccd/Thelonious:
	#   ifconfig-push "10.9.0.1 10.9.0.2"

	# Suppose that you want to enable different
	# firewall access policies for different groups
	# of clients.  There are two methods:
	# (1) Run multiple OpenVPN daemons, one for each
	#     group, and firewall the TUN/TAP interface
	#     for each group/daemon appropriately.
	# (2) (Advanced) Create a script to dynamically
	#     modify the firewall in response to access
	#     from different clients.  See man
	#     page for more info on learn-address script.
#	option learn_address /etc/openvpn/script

	# If enabled, this directive will configure
	# all clients to redirect their default
	# network gateway through the VPN, causing
	# all IP traffic such as web browsing and
	# and DNS lookups to go through the VPN
	# (The OpenVPN server machine may need to NAT
	# the TUN/TAP interface to the internet in
	# order for this to work properly).
	# CAVEAT: May break client's network config if
	# client's local DHCP server packets get routed
	# through the tunnel.  Solution: make sure
	# client's local DHCP server is reachable via
	# a more specific route than the default route
	# of 0.0.0.0/0.0.0.0.
#	list push "redirect-gateway"

	# Certain Windows-specific network settings
	# can be pushed to clients, such as DNS
	# or WINS server addresses.  CAVEAT:
	# http://openvpn.net/faq.html#dhcpcaveats
#	list push "dhcp-option DNS 10.8.0.1"
#	list push "dhcp-option WINS 10.8.0.1"

	# Uncomment this directive to allow different
	# clients to be able to "see" each other.
	# By default, clients will only see the server.
	# To force clients to only see the server, you
	# will also need to appropriately firewall the
	# server's TUN/TAP interface.
#	option client_to_client 1

	# Uncomment this directive if multiple clients
	# might connect with the same certificate/key
	# files or common names.  This is recommended
	# only for testing purposes.  For production use,
	# each client should have its own certificate/key
	# pair.
	#
	# IF YOU HAVE NOT GENERATED INDIVIDUAL
	# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
	# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
	# UNCOMMENT THIS LINE OUT.
#	option duplicate_cn 1

	# The keepalive directive causes ping-like
	# messages to be sent back and forth over
	# the link so that each side knows when
	# the other side has gone down.
	# Ping every 10 seconds, assume that remote
	# peer is down if no ping received during
	# a 120 second time period.
	option keepalive "10 120"

	# For extra security beyond that provided
	# by SSL/TLS, create an "HMAC firewall"
	# to help block DoS attacks and UDP port flooding.
	#
	# Generate with:
	#   openvpn --genkey --secret ta.key
	#
	# The server and each client must have
	# a copy of this key.
	# The second parameter should be '0'
	# on the server and '1' on the clients.
	# This file is secret:
#	option tls_auth "/etc/openvpn/ta.key 0"

	# Select a cryptographic cipher.
	# This config item must be copied to
	# the client config file as well.
	# Blowfish (default):
#	option cipher BF-CBC
	# AES:
#	option cipher AES-128-CBC
	# Triple-DES:
#	option cipher DES-EDE3-CBC

	# Enable compression on the VPN link.
	# If you enable it here, you must also
	# enable it in the client config file.
	option comp_lzo 1

	# The maximum number of concurrently connected
	# clients we want to allow.
#	option max_clients 100

	# The persist options will try to avoid
	# accessing certain resources on restart
	# that may no longer be accessible because
	# of the privilege downgrade.
	option persist_key 1
	option persist_tun 1

	# Output a short status file showing
	# current connections, truncated
	# and rewritten every minute.
	option status /tmp/openvpn-status.log

	# By default, log messages will go to the syslog (or
	# on Windows, if running as a service, they will go to
	# the "\Program Files\OpenVPN\log" directory).
	# Use log or log-append to override this default.
	# "log" will truncate the log file on OpenVPN startup,
	# while "log-append" will append to it.  Use one
	# or the other (but not both).
#	option log         /tmp/openvpn.log
#	option log_append  /tmp/openvpn.log

	# Set the appropriate level of log
	# file verbosity.
	#
	# 0 is silent, except for fatal errors
	# 4 is reasonable for general usage
	# 5 and 6 can help to debug connection problems
	# 9 is extremely verbose
	option verb 3

	# Silence repeating messages.  At most 20
	# sequential messages of the same message
	# category will be output to the log.
#	option mute 20


##############################################
# Sample client-side OpenVPN 2.0 uci config  #
# for connecting to multi-client server.     #
##############################################

config openvpn sample_client

	# Set to 1 to enable this instance:
	option enabled 0

	# Specify that we are a client and that we
	# will be pulling certain config file directives
	# from the server.
	option client 1

	# Use the same setting as you are using on
	# the server.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface.
#	option dev tap
	option dev tun

	# Are we connecting to a TCP or
	# UDP server?  Use the same setting as
	# on the server.
#	option proto tcp
	option proto udp

	# The hostname/IP and port of the server.
	# You can have multiple remote entries
	# to load balance between the servers.
	list remote "my_server_1 1194"
#	list remote "my_server_2 1194"

	# Choose a random host from the remote
	# list for load_balancing.  Otherwise
	# try hosts in the order specified.
#	option remote_random 1

	# Keep trying indefinitely to resolve the
	# host name of the OpenVPN server.  Very useful
	# on machines which are not permanently connected
	# to the internet such as laptops.
	option resolv_retry infinite

	# Most clients don't need to bind to
	# a specific local port number.
	option nobind 1

	# Try to preserve some state across restarts.
	option persist_key 1
	option persist_tun 1

	# If you are connecting through an
	# HTTP proxy to reach the actual OpenVPN
	# server, put the proxy server/IP and
	# port number here.  See the man page
	# if your proxy server requires
	# authentication.
	# retry on connection failures:
#	option http_proxy_retry 1
	# specify http proxy address and port:
#	option http_proxy "192.168.1.100 8080"

	# Wireless networks often produce a lot
	# of duplicate packets.  Set this flag
	# to silence duplicate packet warnings.
#	option mute_replay_warnings 1

	# SSL/TLS parms.
	# See the server config file for more
	# description.  It's best to use
	# a separate .crt/.key file pair
	# for each client.  A single ca
	# file can be used for all clients.
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/client.crt
	option key /etc/openvpn/client.key

	# Verify server certificate by checking
	# that the certicate has the nsCertType
	# field set to "server".  This is an
	# important precaution to protect against
	# a potential attack discussed here:
	#  http://openvpn.net/howto.html#mitm
	#
	# To use this feature, you will need to generate
	# your server certificates with the nsCertType
	# field set to "server".  The build_key_server
	# script in the easy_rsa folder will do this.
#	option ns_cert_type server

	# If a tls_auth key is used on the server
	# then every client must also have the key.
#	option tls_auth "/etc/openvpn/ta.key 1"

	# Select a cryptographic cipher.
	# If the cipher option is used on the server
	# then you must also specify it here.
#	option cipher x

	# Enable compression on the VPN link.
	# Don't enable this unless it is also
	# enabled in the server config file.
	option comp_lzo 1

	# Set log file verbosity.
	option verb 3

	# Silence repeating messages
#	option mute 20
openvpn: add from openvpn-devel from /packages, fix support for current polarssl SVN-Revision: 35412 2013-01-30 20:07:15 +00:00			`package openvpn`

			`#################################################`
			`# Sample to include a custom config file. #`
			`#################################################`

			`config openvpn custom_config`

			`# Set to 1 to enable this instance:`
			`option enabled 0`

			`# Include OpenVPN configuration`
			`option config /etc/openvpn/my-vpn.conf`


			`#################################################`
			`# Sample OpenVPN 2.0 uci config for #`
			`# multi-client server. #`
			`#################################################`

			`config openvpn sample_server`

			`# Set to 1 to enable this instance:`
			`option enabled 0`

			`# Which local IP address should OpenVPN`
			`# listen on? (optional)`
			`# option local 0.0.0.0`

			`# Which TCP/UDP port should OpenVPN listen on?`
			`# If you want to run multiple OpenVPN instances`
			`# on the same machine, use a different port`
			`# number for each one. You will need to`
			`# open up this port on your firewall.`
			`option port 1194`

			`# TCP or UDP server?`
			`# option proto tcp`
			`option proto udp`

			`# "dev tun" will create a routed IP tunnel,`
			`# "dev tap" will create an ethernet tunnel.`
			`# Use "dev tap0" if you are ethernet bridging`
			`# and have precreated a tap0 virtual interface`
			`# and bridged it with your ethernet interface.`
			`# If you want to control access policies`
			`# over the VPN, you must create firewall`
			`# rules for the the TUN/TAP interface.`
			`# On non-Windows systems, you can give`
			`# an explicit unit number, such as tun0.`
			`# On Windows, use "dev-node" for this.`
			`# On most systems, the VPN will not function`
			`# unless you partially or fully disable`
			`# the firewall for the TUN/TAP interface.`
			`# option dev tap`
			`option dev tun`

			`# SSL/TLS root certificate (ca), certificate`
			`# (cert), and private key (key). Each client`
			`# and the server must have their own cert and`
			`# key file. The server and all clients will`
			`# use the same ca file.`
			`#`
			`# See the "easy-rsa" directory for a series`
			`# of scripts for generating RSA certificates`
			`# and private keys. Remember to use`
			`# a unique Common Name for the server`
			`# and each of the client certificates.`
			`#`
			`# Any X509 key management system can be used.`
			`# OpenVPN can also use a PKCS #12 formatted key file`
			`# (see "pkcs12" directive in man page).`
			`option ca /etc/openvpn/ca.crt`
			`option cert /etc/openvpn/server.crt`
			`# This file should be kept secret:`
			`option key /etc/openvpn/server.key`

			`# Diffie hellman parameters.`
			`# Generate your own with:`
			`# openssl dhparam -out dh1024.pem 1024`
			`# Substitute 2048 for 1024 if you are using`
			`# 2048 bit keys.`
			`option dh /etc/openvpn/dh1024.pem`

			`# Configure server mode and supply a VPN subnet`
			`# for OpenVPN to draw client addresses from.`
			`# The server will take 10.8.0.1 for itself,`
			`# the rest will be made available to clients.`
			`# Each client will be able to reach the server`
			`# on 10.8.0.1. Comment this line out if you are`
			`# ethernet bridging. See the man page for more info.`
			`option server "10.8.0.0 255.255.255.0"`

			`# Maintain a record of client <-> virtual IP address`
			`# associations in this file. If OpenVPN goes down or`
			`# is restarted, reconnecting clients can be assigned`
			`# the same virtual IP address from the pool that was`
			`# previously assigned.`
			`option ifconfig_pool_persist /tmp/ipp.txt`

			`# Configure server mode for ethernet bridging.`
			`# You must first use your OS's bridging capability`
			`# to bridge the TAP interface with the ethernet`
			`# NIC interface. Then you must manually set the`
			`# IP/netmask on the bridge interface, here we`
			`# assume 10.8.0.4/255.255.255.0. Finally we`
			`# must set aside an IP range in this subnet`
			`# (start=10.8.0.50 end=10.8.0.100) to allocate`
			`# to connecting clients. Leave this line commented`
			`# out unless you are ethernet bridging.`
			`# option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"`

			`# Push routes to the client to allow it`
			`# to reach other private subnets behind`
			`# the server. Remember that these`
			`# private subnets will also need`
			`# to know to route the OpenVPN client`
			`# address pool (10.8.0.0/255.255.255.0)`
			`# back to the OpenVPN server.`
			`# list push "route 192.168.10.0 255.255.255.0"`
			`# list push "route 192.168.20.0 255.255.255.0"`

			`# To assign specific IP addresses to specific`
			`# clients or if a connecting client has a private`
			`# subnet behind it that should also have VPN access,`
			`# use the subdirectory "ccd" for client-specific`
			`# configuration files (see man page for more info).`

			`# EXAMPLE: Suppose the client`
			`# having the certificate common name "Thelonious"`
			`# also has a small subnet behind his connecting`
			`# machine, such as 192.168.40.128/255.255.255.248.`
			`# First, uncomment out these lines:`
			`# option client_config_dir /etc/openvpn/ccd`
			`# list route "192.168.40.128 255.255.255.248"`
			`# Then create a file ccd/Thelonious with this line:`
			`# iroute 192.168.40.128 255.255.255.248`
			`# This will allow Thelonious' private subnet to`
			`# access the VPN. This example will only work`
			`# if you are routing, not bridging, i.e. you are`
			`# using "dev tun" and "server" directives.`

			`# EXAMPLE: Suppose you want to give`
			`# Thelonious a fixed VPN IP address of 10.9.0.1.`
			`# First uncomment out these lines:`
			`# option client_config_dir /etc/openvpn/ccd`
			`# list route "10.9.0.0 255.255.255.252"`
			`# list route "192.168.100.0 255.255.255.0"`
			`# Then add this line to ccd/Thelonious:`
			`# ifconfig-push "10.9.0.1 10.9.0.2"`

			`# Suppose that you want to enable different`
			`# firewall access policies for different groups`
			`# of clients. There are two methods:`
			`# (1) Run multiple OpenVPN daemons, one for each`
			`# group, and firewall the TUN/TAP interface`
			`# for each group/daemon appropriately.`
			`# (2) (Advanced) Create a script to dynamically`
			`# modify the firewall in response to access`
			`# from different clients. See man`
			`# page for more info on learn-address script.`
			`# option learn_address /etc/openvpn/script`

			`# If enabled, this directive will configure`
			`# all clients to redirect their default`
			`# network gateway through the VPN, causing`
			`# all IP traffic such as web browsing and`
			`# and DNS lookups to go through the VPN`
			`# (The OpenVPN server machine may need to NAT`
			`# the TUN/TAP interface to the internet in`
			`# order for this to work properly).`
			`# CAVEAT: May break client's network config if`
			`# client's local DHCP server packets get routed`
			`# through the tunnel. Solution: make sure`
			`# client's local DHCP server is reachable via`
			`# a more specific route than the default route`
			`# of 0.0.0.0/0.0.0.0.`
			`# list push "redirect-gateway"`

			`# Certain Windows-specific network settings`
			`# can be pushed to clients, such as DNS`
			`# or WINS server addresses. CAVEAT:`
			`# http://openvpn.net/faq.html#dhcpcaveats`
			`# list push "dhcp-option DNS 10.8.0.1"`
			`# list push "dhcp-option WINS 10.8.0.1"`

			`# Uncomment this directive to allow different`
			`# clients to be able to "see" each other.`
			`# By default, clients will only see the server.`
			`# To force clients to only see the server, you`
			`# will also need to appropriately firewall the`
			`# server's TUN/TAP interface.`
			`# option client_to_client 1`

			`# Uncomment this directive if multiple clients`
			`# might connect with the same certificate/key`
			`# files or common names. This is recommended`
			`# only for testing purposes. For production use,`
			`# each client should have its own certificate/key`
			`# pair.`
			`#`
			`# IF YOU HAVE NOT GENERATED INDIVIDUAL`
			`# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,`
			`# EACH HAVING ITS OWN UNIQUE "COMMON NAME",`
			`# UNCOMMENT THIS LINE OUT.`
			`# option duplicate_cn 1`

			`# The keepalive directive causes ping-like`
			`# messages to be sent back and forth over`
			`# the link so that each side knows when`
			`# the other side has gone down.`
			`# Ping every 10 seconds, assume that remote`
			`# peer is down if no ping received during`
			`# a 120 second time period.`
			`option keepalive "10 120"`

			`# For extra security beyond that provided`
			`# by SSL/TLS, create an "HMAC firewall"`
			`# to help block DoS attacks and UDP port flooding.`
			`#`
			`# Generate with:`
			`# openvpn --genkey --secret ta.key`
			`#`
			`# The server and each client must have`
			`# a copy of this key.`
			`# The second parameter should be '0'`
			`# on the server and '1' on the clients.`
			`# This file is secret:`
			`# option tls_auth "/etc/openvpn/ta.key 0"`

			`# Select a cryptographic cipher.`
			`# This config item must be copied to`
			`# the client config file as well.`
			`# Blowfish (default):`
			`# option cipher BF-CBC`
			`# AES:`
			`# option cipher AES-128-CBC`
			`# Triple-DES:`
			`# option cipher DES-EDE3-CBC`

			`# Enable compression on the VPN link.`
			`# If you enable it here, you must also`
			`# enable it in the client config file.`
			`option comp_lzo 1`

			`# The maximum number of concurrently connected`
			`# clients we want to allow.`
			`# option max_clients 100`

			`# The persist options will try to avoid`
			`# accessing certain resources on restart`
			`# that may no longer be accessible because`
			`# of the privilege downgrade.`
			`option persist_key 1`
			`option persist_tun 1`

			`# Output a short status file showing`
			`# current connections, truncated`
			`# and rewritten every minute.`
			`option status /tmp/openvpn-status.log`

			`# By default, log messages will go to the syslog (or`
			`# on Windows, if running as a service, they will go to`
			`# the "\Program Files\OpenVPN\log" directory).`
			`# Use log or log-append to override this default.`
			`# "log" will truncate the log file on OpenVPN startup,`
			`# while "log-append" will append to it. Use one`
			`# or the other (but not both).`
			`# option log /tmp/openvpn.log`
			`# option log_append /tmp/openvpn.log`

			`# Set the appropriate level of log`
			`# file verbosity.`
			`#`
			`# 0 is silent, except for fatal errors`
			`# 4 is reasonable for general usage`
			`# 5 and 6 can help to debug connection problems`
			`# 9 is extremely verbose`
			`option verb 3`

			`# Silence repeating messages. At most 20`
			`# sequential messages of the same message`
			`# category will be output to the log.`
			`# option mute 20`


			`##############################################`
			`# Sample client-side OpenVPN 2.0 uci config #`
			`# for connecting to multi-client server. #`
			`##############################################`

			`config openvpn sample_client`

			`# Set to 1 to enable this instance:`
			`option enabled 0`

			`# Specify that we are a client and that we`
			`# will be pulling certain config file directives`
			`# from the server.`
			`option client 1`

			`# Use the same setting as you are using on`
			`# the server.`
			`# On most systems, the VPN will not function`
			`# unless you partially or fully disable`
			`# the firewall for the TUN/TAP interface.`
			`# option dev tap`
			`option dev tun`

			`# Are we connecting to a TCP or`
			`# UDP server? Use the same setting as`
			`# on the server.`
			`# option proto tcp`
			`option proto udp`

			`# The hostname/IP and port of the server.`
			`# You can have multiple remote entries`
			`# to load balance between the servers.`
			`list remote "my_server_1 1194"`
			`# list remote "my_server_2 1194"`

			`# Choose a random host from the remote`
			`# list for load_balancing. Otherwise`
			`# try hosts in the order specified.`
			`# option remote_random 1`

			`# Keep trying indefinitely to resolve the`
			`# host name of the OpenVPN server. Very useful`
			`# on machines which are not permanently connected`
			`# to the internet such as laptops.`
			`option resolv_retry infinite`

			`# Most clients don't need to bind to`
			`# a specific local port number.`
			`option nobind 1`

			`# Try to preserve some state across restarts.`
			`option persist_key 1`
			`option persist_tun 1`

			`# If you are connecting through an`
			`# HTTP proxy to reach the actual OpenVPN`
			`# server, put the proxy server/IP and`
			`# port number here. See the man page`
			`# if your proxy server requires`
			`# authentication.`
			`# retry on connection failures:`
			`# option http_proxy_retry 1`
			`# specify http proxy address and port:`
			`# option http_proxy "192.168.1.100 8080"`

			`# Wireless networks often produce a lot`
			`# of duplicate packets. Set this flag`
			`# to silence duplicate packet warnings.`
			`# option mute_replay_warnings 1`

			`# SSL/TLS parms.`
			`# See the server config file for more`
			`# description. It's best to use`
			`# a separate .crt/.key file pair`
			`# for each client. A single ca`
			`# file can be used for all clients.`
			`option ca /etc/openvpn/ca.crt`
			`option cert /etc/openvpn/client.crt`
			`option key /etc/openvpn/client.key`

			`# Verify server certificate by checking`
			`# that the certicate has the nsCertType`
			`# field set to "server". This is an`
			`# important precaution to protect against`
			`# a potential attack discussed here:`
			`# http://openvpn.net/howto.html#mitm`
			`#`
			`# To use this feature, you will need to generate`
			`# your server certificates with the nsCertType`
			`# field set to "server". The build_key_server`
			`# script in the easy_rsa folder will do this.`
			`# option ns_cert_type server`

			`# If a tls_auth key is used on the server`
			`# then every client must also have the key.`
			`# option tls_auth "/etc/openvpn/ta.key 1"`

			`# Select a cryptographic cipher.`
			`# If the cipher option is used on the server`
			`# then you must also specify it here.`
			`# option cipher x`

			`# Enable compression on the VPN link.`
			`# Don't enable this unless it is also`
			`# enabled in the server config file.`
			`option comp_lzo 1`

			`# Set log file verbosity.`
			`option verb 3`

			`# Silence repeating messages`
			`# option mute 20`