@@ -4,3 +4,5 @@ These files are part of the OpenVPN HOWTO

 which is located at:

 http://openvpn.net/howto.html

+

+See also the openvpn-examples man page.

@@ -1,5 +1,5 @@

 ##############################################

-# Sample client-side OpenVPN 2.0 config file #

+# Sample client-side OpenVPN 2.6 config file #

 # for connecting to multi-client server.     #

 #                                            #

 # This configuration can be used by multiple #

@@ -103,22 +103,15 @@ key client.key

 # EasyRSA can do this for you.

 remote-cert-tls server

+# Allow to connect to really old OpenVPN versions

+# without AEAD support (OpenVPN 2.3.x or older)

+# This adds AES-256-CBC as fallback cipher and

+# keeps the modern ciphers as well.

+;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC

+

 # If a tls-auth key is used on the server

 # then every client must also have the key.

-tls-auth ta.key 1

-

-# Select a cryptographic cipher.

-# If the cipher option is used on the server

-# then you must also specify it here.

-# Note that v2.4 client/server will automatically

-# negotiate AES-256-GCM in TLS mode.

-# See also the data-ciphers option in the manpage

-cipher AES-256-CBC

-

-# Enable compression on the VPN link.

-# Don't enable this unless it is also

-# enabled in the server config file.

-#comp-lzo

+;tls-auth ta.key 1

 # Set log file verbosity.

 verb 3

@@ -1,5 +1,5 @@

 #################################################

-# Sample OpenVPN 2.0 config file for            #

+# Sample OpenVPN 2.6 config file for            #

 # multi-client server.                          #

 #                                               #

 # This file is for the server side              #

@@ -47,15 +47,15 @@ proto udp

 # an explicit unit number, such as tun0.

 # On Windows, use "dev-node" for this.

 # On most systems, the VPN will not function

-# unless you partially or fully disable

+# unless you partially or fully disable/open

 # the firewall for the TUN/TAP interface.

 ;dev tap

 dev tun

 # Windows needs the TAP-Win32 adapter name

 # from the Network Connections panel if you

-# have more than one.  On XP SP2 or higher,

-# you may need to selectively disable the

+# have more than one.

+# You may need to selectively disable the

 # Windows firewall for the TAP adapter.

 # Non-Windows systems usually don't need this.

 ;dev-node MyTap

@@ -66,8 +66,9 @@ dev tun

 # key file.  The server and all clients will

 # use the same ca file.

 #

-# See the "easy-rsa" directory for a series

-# of scripts for generating RSA certificates

+# See the "easy-rsa" project at

+# https://github.com/OpenVPN/easy-rsa

+# for generating RSA certificates

 # and private keys.  Remember to use

 # a unique Common Name for the server

 # and each of the client certificates.

@@ -75,6 +76,13 @@ dev tun

 # Any X509 key management system can be used.

 # OpenVPN can also use a PKCS #12 formatted key file

 # (see "pkcs12" directive in man page).

+#

+# If you do not want to maintain a CA

+# and have a small number of clients

+# you can also use self-signed certificates

+# and use the peer-fingerprint option.

+# See openvpn-examples man page for a

+# configuration example.

 ca ca.crt

 cert server.crt

 key server.key  # This file should be kept secret

@@ -84,12 +92,18 @@ key server.key  # This file should be kept secret

 #   openssl dhparam -out dh2048.pem 2048

 dh dh2048.pem

+# Allow to connect to really old OpenVPN versions

+# without AEAD support (OpenVPN 2.3.x or older)

+# This adds AES-256-CBC as fallback cipher and

+# keeps the modern ciphers as well.

+;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC

+

 # Network topology

 # Should be subnet (addressing via IP)

 # unless Windows clients v2.0.9 and lower have to

 # be supported (then net30, i.e. a /30 per client)

 # Defaults to net30 (not recommended)

-;topology subnet

+topology subnet

 # Configure server mode and supply a VPN subnet

 # for OpenVPN to draw client addresses from.

@@ -218,7 +232,7 @@ ifconfig-pool-persist ipp.txt

 # IF YOU HAVE NOT GENERATED INDIVIDUAL

 # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

 # EACH HAVING ITS OWN UNIQUE "COMMON NAME",

-# UNCOMMENT THIS LINE OUT.

+# UNCOMMENT THIS LINE.

 ;duplicate-cn

 # The keepalive directive causes ping-like

@@ -241,26 +255,7 @@ keepalive 10 120

 # a copy of this key.

 # The second parameter should be '0'

 # on the server and '1' on the clients.

-tls-auth ta.key 0 # This file is secret

-

-# Select a cryptographic cipher.

-# This config item must be copied to

-# the client config file as well.

-# Note that v2.4 client/server will automatically

-# negotiate AES-256-GCM in TLS mode.

-# See also the ncp-cipher option in the manpage

-cipher AES-256-CBC

-

-# Enable compression on the VPN link and push the

-# option to the client (v2.4+ only, for earlier

-# versions see below)

-;compress lz4-v2

-;push "compress lz4-v2"

-

-# For compression compatible with older clients use comp-lzo

-# If you enable it here, you must also

-# enable it in the client config file.

-;comp-lzo

+;tls-auth ta.key 0 # This file is secret

 # The maximum number of concurrently connected

 # clients we want to allow.