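### CONFIG ###
# OpenVPN server configuration template (routed tun, TCP).
# Bracketed values such as [VPN-IP/24], [Port], [VPN-Dir], [NAME] and
# [DNS-SERVER-IP] are placeholders to be filled in before deployment.
# One directive per line: OpenVPN treats everything after '#' on a line as a comment.

mode server
server [VPN-IP/24].0 255.255.255.0
port [Port]
proto tcp
# UDP ONLY:
# explicit-exit-notify 1
dev tun

# Keep the key material and the tun device across restarts; after the
# privilege drop below the process may no longer be able to re-read or reopen them.
persist-key
persist-tun
ifconfig-pool-persist ip.table

# PKI material and the control-channel pre-shared key.
# The private key and SharedSecret.psk should be readable only by the account that starts OpenVPN.
ca [VPN-Dir]/ca.crt
cert [VPN-Dir]/[NAME].crt
key [VPN-Dir]/[NAME].key
dh [VPN-Dir]/dh.pem
tls-crypt [VPN-Dir]/SharedSecret.psk
# NOTE(review): no crl-verify is configured, so a revoked client certificate is still accepted.
# If the CA publishes a CRL, enable it (placeholder path):
#crl-verify [VPN-Dir]/crl.pem

# Required for Raspberry Pi
#tun-mtu 1500

topology subnet
push "topology subnet"

# Deprecated
#comp-lzo
# NOTE(review): compression inside the tunnel is exposed to compression-oracle
# attacks (VORACLE) whenever a third party can influence part of the tunnelled
# plaintext, and redirect-gateway below sends all client traffic through this
# tunnel. OpenVPN upstream advises against compression. Disabling it has to be
# coordinated with client configs that set their own "compress" directive.
compress lz4-v2
push "compress lz4-v2"

# Route all client traffic, including DNS, through the VPN.
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS [DNS-SERVER-IP]"
# Public resolver alternatives: enabling one sends every client's DNS queries to that operator.
#push "dhcp-option DNS 208.67.222.222" # OpenDNS
#push "dhcp-option DNS 208.67.220.220" # OpenDNS Fallback
#push "dhcp-option DNS 8.8.8.8" # Google-DNS
#push "dhcp-option DNS 8.8.4.4" # Google-DNS Fallback
push "dhcp-option WINS [VPN-IP/24].1"
push "route [VPN-IP/24].0 255.255.255.0"

# NOTE(review): client-to-client forwards traffic between clients inside the
# OpenVPN process, so it never reaches the host's packet filter. Remove it if
# clients must be isolated from each other or filtered by firewall rules.
client-to-client

keepalive 10 120
status logs/status.log
log-append logs/vpn.log
verb 3

### HARDENING ###
# Drop root privileges after initialisation.
user ovpn
group ovpn

# HMAC digest for the data channel; it only takes effect when a non-AEAD
# cipher (the AES-256-CBC fallback below) is negotiated.
auth SHA512
# keysize has no effect on fixed-key-size ciphers such as AES-256-GCM and is
# deprecated in OpenVPN 2.5, so it is left disabled here.
#keysize 256
cipher AES-256-GCM

# Accept only peers whose certificate carries client key usage, and refuse TLS below 1.2.
remote-cert-tls client
tls-version-min 1.2
# Control-channel suites: forward-secret (ECDHE/DHE) key exchange with AES-256.
# NOTE(review): the list still contains CBC suites; dropping them leaves AEAD only - confirm client support first.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
# Data-channel ciphers offered during negotiation (OpenVPN 2.5+ names this option data-ciphers).
ncp-ciphers AES-256-GCM:AES-256-CBC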