It seems to work, and I am happy with it.
I post my redacted config (with the exception of the ccd file(s)).
In case you notice something fishy about it, please let me know.
server conf:
local xxx.xxx.xxx.xxx
port yyy
proto tcp
dev tunx
ca /path/to/openvpn/server/Pentagram.crt
cert /path/to/openvpn/server/X-files.crt
key /path/to/openvpn/server/jamesbondage.key # This file should be kept secret
dh /path/to/openvpn/server/topsecret.pem
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ifconfig-pool-persist /path/to/openvpn/ipp.txt
push "redirect-gateway ipv6 def1 bypass-dhcp"
#push "redirect-gateway ipv6 def1"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
keepalive 10 120
tls-auth /path/to/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /path/to/openvpn/openvpn-status.log
log /path/to/openvpn/openvpn.log
log-append /path/to/openvpn/openvpn.log
verb 4
auth-user-pass-optional
plugin /path/to/openvpn/openvpn-plugin-auth-pam.so login
client-config-dir ccd
client-to-client
topology subnet
route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
push "route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"
# IPv6
server-ipv6 ipv6_address
push tun-ipv6
push "route-ipv6 address" #Here you should add the server ipv6 address
push "route-ipv6 something ipv6"
push "redirect-gateway ipv6 def1 bypass-dhcp"
push "dhcp-option DNS-ipv61"
push "dhcp-option DNS-ipv62"
client conf:
client
remote xxx.xxx.xxx.xxx
resolv-retry infinite
verb 4
auth-user-pass
keepalive 10 120
port yyy
proto tcp
cipher AES-256-GCM
persist-key
persist-tun
remote-cert-tls server
key-direction 1
push-peer-info
<ca>
Pentagram headquarters
</ca>
<cert>
X-files cert
</cert>
<key>
James Bondage key
</key>
<tls-auth>
tops secret
</tls-auth>
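The post asks for a review of the two configs above. As an added example (not the poster's code and not part of the OpenVPN project), here is a small linter that parses the directive format shown in the post and reports the settings a reviewer would look at: auth-user-pass-optional next to an auth plugin, client-to-client, cipher without data-ciphers, duplicated push lines, log together with log-append, and whether the tls-auth key direction on the server (0) is paired with key-direction 1 on the client. The sample configs are constructed from the post's directives, keeping the xxx placeholders and using two constructed DNS placeholders (DNS-1, DNS-2) so that the two DNS lines do not look like duplicates.

```python
"""OpenVPN config linter (added example, not from the original post).

It understands one directive per line, '#' comments, double-quoted
arguments (push "...") and inline <tag>...</tag> blocks, whose contents
are skipped. The sample configs are constructed from the post above."""
import shlex
from collections import Counter

SERVER_CONF = """\
port yyy
proto tcp
ca /path/to/openvpn/server/Pentagram.crt
key /path/to/openvpn/server/jamesbondage.key # This file should be kept secret
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
push "redirect-gateway ipv6 def1 bypass-dhcp"
push "dhcp-option DNS DNS-1"
push "dhcp-option DNS DNS-2"
tls-auth /path/to/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-GCM
user nobody
group nogroup
log /path/to/openvpn/openvpn.log
log-append /path/to/openvpn/openvpn.log
auth-user-pass-optional
plugin /path/to/openvpn/openvpn-plugin-auth-pam.so login
client-to-client
push "redirect-gateway ipv6 def1 bypass-dhcp"
"""

CLIENT_CONF = """\
client
remote xxx.xxx.xxx.xxx
auth-user-pass
remote-cert-tls server
key-direction 1
<ca>
Pentagram headquarters
</ca>
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]); inline blocks become (tag, ['<inline>'])."""
    directives, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                      # inside <tag> ... </tag>: skip the payload
            if line == "</%s>" % inline_tag:
                inline_tag = None
            continue
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            directives.append((inline_tag, ["<inline>"]))
            continue
        parts = shlex.split(line, comments=True)   # handles quotes and trailing # comments
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def review_server_conf(directives):
    """Return (key, message) findings for a server config; keys are stable for tests."""
    names = Counter(name for name, _ in directives)
    findings = []
    if "auth-user-pass-optional" in names and ("plugin" in names or "auth-user-pass-verify" in names):
        findings.append(("optional-password", "auth-user-pass-optional: a client with a valid certificate "
                         "may connect without sending a username/password, so the PAM check is not enforced for every client"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & set(names)):
        findings.append(("no-tls-auth", "no tls-auth/tls-crypt: control channel packets are not HMAC-protected"))
    if "user" not in names or "group" not in names:
        findings.append(("runs-as-root", "no user/group: the daemon keeps root privileges after initialisation"))
    if "client-to-client" in names:
        findings.append(("client-to-client", "client-to-client: VPN clients can reach each other through the server"))
    if "cipher" in names and "data-ciphers" not in names:
        findings.append(("cipher-only", "cipher without data-ciphers: OpenVPN 2.5+ deprecates cipher in "
                         "client/server mode; pin the data channel cipher list with data-ciphers"))
    pushes = Counter(tuple(args) for name, args in directives if name == "push")
    for args, count in sorted(pushes.items()):
        if count > 1:
            findings.append(("duplicate-push", 'push "%s" appears %d times' % (" ".join(args), count)))
    if "log" in names and "log-append" in names:
        findings.append(("log-twice", "both log and log-append are set; the one parsed last wins"))
    return findings


def review_client_conf(directives):
    """Return (key, message) findings for a client config."""
    names = {name for name, _ in directives}
    return [] if "remote-cert-tls" in names else [
        ("no-remote-cert-tls", "remote-cert-tls server missing: any cert signed by the CA could pose as the server")]


def tls_auth_direction(directives):
    """Key direction from 'tls-auth <file> <dir>' or 'key-direction <dir>', else None."""
    direction = None
    for name, args in directives:
        if name == "key-direction" and args:
            direction = args[0]
        elif name == "tls-auth" and len(args) >= 2:
            direction = args[1]
    return direction if direction in ("0", "1") else None


def check_key_directions(server, client):
    """Server and client must use opposite tls-auth key directions (0/1)."""
    s, c = tls_auth_direction(server), tls_auth_direction(client)
    if s is None or c is None:
        return "cannot check: key direction missing on one side"
    return "ok: server %s / client %s" % (s, c) if s != c else "mismatch: both sides use direction %s" % s


if __name__ == "__main__":
    server, client = parse_openvpn_conf(SERVER_CONF), parse_openvpn_conf(CLIENT_CONF)
    for key, msg in review_server_conf(server) + review_client_conf(client):
        print("%-18s %s" % (key, msg))
    print(check_key_directions(server, client))
```

Run it as a script to print the findings for the constructed sample; point `parse_openvpn_conf` at your own file contents to review a real config. The findings are observations for the operator to judge, not errors: client-to-client and auth-user-pass-optional are legitimate choices, but both widen what a connecting client can do, so they are worth confirming deliberately.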