# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
#
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev {{ vpn_interface }}

# Use unprivileged ip command
#iproute /usr/local/sbin/unpriv-ip

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto {{ vpn_protocol }}

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote {{ vpn_ip }}
port {{ vpn_port }}

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Ping every 30s - Inactivity restart 120s
keepalive 30 120

# Don't ping until connected to remote
ping-timer-rem

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/client/zeus/ca.crt
cert  /etc/openvpn/client/zeus/laptop.crt
key  /etc/openvpn/client/zeus/laptop.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
auth SHA512

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Disabled as advised on https://openvpn.net/security-advisories/
#compress lz4

# Set log file verbosity.
verb {{ vpn_verbosity }}