This document describes an outdated version (v3.2.2). Please consider switching to the latest version (v5.8.0).

openvpn job

Usage

releases:
- name: "openvpn"
  version: "3.2.2"
instance_groups:
- name: "openvpn"
  jobs:
  - name: "openvpn"
    release: "openvpn"
    properties: {}

Properties

The following properties can be configured for the job.

openvpn.ca_crt

CA Certificate
This should include -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.

openvpn.ccd

A list of Client Configuration Directives
This value is an array, with each client being an array whose first value is the client’s common name and second value is the OpenVPN directives.
Default
[]

openvpn.cipher

Cipher for encrypting packets
Default
BF-CBC

openvpn.client_config

A list of Client Configuration Connections
This value is an array, with each client connection being an item.
Default
[]

openvpn.crl_pem

Certificate Revocation List
This should include -----BEGIN X509 CRL----- through -----END X509 CRL-----.

openvpn.dh_pem

Diffie-Hellman Key
This should include -----BEGIN DH PARAMETERS----- through -----END DH PARAMETERS-----.

openvpn.extra_config

Custom OpenVPN configuration statements
For more details, see the manual with all the available options.
Default
null

openvpn.iptables

iptables rules to manage
Default
[]
Example
- POSTROUTING -t nat -s 192.0.2.0/24 -d 10.10.1.0/24 -j MASQUERADE -m comment --comment
  'vpn -> private lan'
- POSTROUTING -t nat -s 192.0.2.0/24 -d 10.10.2.100/32 -j MASQUERADE -m comment --comment
  'vpn -> internal backup server'

openvpn.keysize

Size of cipher key in bits
Default
256

openvpn.local

Bind IP for the server
Default
0.0.0.0

openvpn.port

Bind Port for the server
Default
1194

openvpn.push_dns

DNS servers to push to connecting clients
This should be a list of DNS server IP addresses to push to connecting clients to enable DNS resolution over the VPN tunnel.
Default
[]

openvpn.push_dns_search_domains

List of search domains to push to clients
This should be a list of domains that should be pushed to connecting clients for use as DNS search domains.
Default
[]

openvpn.push_routes

Routes to push to connecting clients
These should be in a format similar to “192.0.2.0 255.255.255.0”.
Default
[]

openvpn.routes

Routes for the local routing table
These will be added to the local kernel’s routing table and should be in the format of “192.0.2.0 255.255.255.0”.
Default
[]

openvpn.server

VPN IP and netmask
This is the basis of the IP pool which the server will allocate to clients.

openvpn.server_crt

Server Certificate
This should include -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.

openvpn.server_key

Server Key
This should include -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----.

openvpn.tls_cipher

A colon-separated list of allowable TLS ciphers
Example
DEFAULT:!EXP:!LOW:!MEDIUM

openvpn.tls_version_min

The minimum TLS version accepted from peers
Default
"1.0"
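
The properties block below is an added example, not taken from the release's own documentation. It overrides the two weak defaults listed above (BF-CBC is a 64-bit block cipher, and TLS 1.0 is deprecated) and shows the array formats for ccd, push_routes and iptables. All addresses, the client common name and the ((...)) variable names are constructed placeholders, and it assumes the OpenVPN build shipped with this release accepts AES-256-CBC and a minimum TLS version of 1.2.

```yaml
# Added example: constructed values, not the release's own manifest.
instance_groups:
- name: "openvpn"
  jobs:
  - name: "openvpn"
    release: "openvpn"
    properties:
      openvpn:
        # Address pool handed to clients ("VPN IP and netmask").
        server: "192.0.2.0 255.255.255.0"
        # Replace the BF-CBC default (64-bit block cipher).
        cipher: "AES-256-CBC"
        # Replace the "1.0" default (assumes the bundled OpenVPN supports 1.2).
        tls_version_min: "1.2"
        tls_cipher: "DEFAULT:!EXP:!LOW:!MEDIUM"
        # PEM material injected as deployment variables (placeholder names),
        # so the private key never sits in the manifest in clear text.
        ca_crt: ((openvpn_ca_crt))
        server_crt: ((openvpn_server_crt))
        server_key: ((openvpn_server_key))
        dh_pem: ((openvpn_dh_pem))
        crl_pem: ((openvpn_crl_pem))
        # Every client gets a route to the private LAN only.
        push_routes:
        - "10.10.1.0 255.255.255.0"
        push_dns:
        - "10.10.1.53"
        # One entry per client: [common name, OpenVPN directives].
        # Only this client is given a route to the backup server.
        ccd:
        - - "laptop-alice"
          - 'push "route 10.10.2.100 255.255.255.255"'
        # NAT rules scoped to the same two destinations, nothing broader.
        iptables:
        - "POSTROUTING -t nat -s 192.0.2.0/24 -d 10.10.1.0/24 -j MASQUERADE -m comment --comment 'vpn -> private lan'"
        - "POSTROUTING -t nat -s 192.0.2.0/24 -d 10.10.2.100/32 -j MASQUERADE -m comment --comment 'vpn -> internal backup server'"
```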

Runtime

Templates

The following templates are rendered and installed in /var/vcap/jobs/openvpn.

Packages

The job depends on the following packages installed in /var/vcap/packages.

Source

Based on jobs/openvpn/spec (source, YAML, JSON).