# Generated by NetworkManager
search homenet # - это название моей рабочей группы, прописанное в dnsmasq и samba на роутере лок. сети
nameserver 1.1.1.1 # - DNS-сервер, переданный OpenVPN-сервером
nameserver 208.67.220.220 # - DNS-сервер, переданный OpenVPN-сервером
nameserver 172.16.0.1 # - роутер лок. сети

default via 10.25.0.1 dev tun0 proto static metric 50 
default via 172.16.0.1 dev eno1 proto dhcp metric 100 
10.25.0.0/24 dev tun0 proto kernel scope link src 10.25.0.6 metric 50 
172.16.0.0/24 dev eno1 proto kernel scope link src 172.16.0.2 metric 100 
172.16.0.1 dev eno1 proto static scope link metric 100 
300.300.300.300 via 172.16.0.1 dev eno1 proto static metric 100 # внешний IP OpenVPN-сервера

server 10.25.0.0 255.255.255.0
port 1194
proto udp4
dev tun
topology subnet

cd /etc/openvpn/server/
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem

# Server - '0', client - '1'.
tls-auth ta.key 0 # This file is secret

user nobody
group nobody
persist-key
persist-tun

tls-server
tls-timeout 120

ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
compress lz4-v2
push "compress lz4-v2"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 1.1.1.1" # CloudFlare public server
push "dhcp-option DNS 208.67.220.220" # OpenDNS.com server

keepalive 10 120

cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 20

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
#verb 3
verb 4

mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

# 16 tips on OpenVPN security: https://blog.g3rt.nl/openvpn-security-tips.html

# 2. Check the Extended Key Usage on the certificates
remote-cert-eku "TLS Web Client Authentication" # On clients change to 'Server'

client
dev tun
proto udp4
remote 300.300.300.300 1194  # внешний IP OpenVPN-сервера

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
setenv opt user nobody
setenv opt group nobody

# Block DNS servers on other network adapters to prevent DNS leaks. Windows 7 (or higher) only.
setenv opt block-outside-dns

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

remote-cert-tls server
cipher AES-256-GCM
auth SHA256

# WARNING: this configuration may cache passwords in memory -- use the auth-nocache
auth-nocache

# Take this measure to prevent a client using his certificate to impersonate a server.
remote-cert-eku "TLS Web Server Authentication"

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20

<ca>...</ca>
<cert>...</cert>
<key>...</key>
<tls-auth>...</tls-auth>
key-direction 1

# Generated by NetworkManager
search homenet
nameserver 172.16.0.1

0.0.0.0/1 via 10.25.0.1 dev tun0 
default via 172.16.0.1 dev eno1 proto dhcp metric 100 
10.25.0.0/24 dev tun0 proto kernel scope link src 10.25.0.6 
128.0.0.0/1 via 10.25.0.1 dev tun0 
172.16.0.0/24 dev eno1 proto kernel scope link src 172.16.0.2 metric 100 
300.300.300.300 via 172.16.0.1 dev eno1