template.ovpn

# Basic Connection Settings
client
dev tun                                 # Use a tun device for a routed IP tunnel
proto udp                               # Use UDP protocol for better performance
remote {remote_server} {remote_port}  # Remote server and port

# Connection Reliability and Persistence
resolv-retry infinite                    # Keep trying indefinitely to resolve the host name
nobind                                  # Do not bind to local address and port
persist-key                             # Don't re-read keys on connection restart
persist-tun                             # Don't re-read tun device on connection restart

# Security and Encryption
tls-client                              # Act as a TLS client
remote-cert-tls server                  # Require server certificate to be a TLS server cert
mute-replay-warnings                    # Mute replay warnings
remote-cert-eku "TLS Web Server Authentication"  # Ensure the server cert has this EKU
verify-x509-name 'CN=server' subject    # Verify the server's certificate name
cipher AES-256-GCM                      # Use AES-256-GCM cipher
auth SHA512                             # Use SHA512 for auth
tls-version-min 1.2                     # Minimum TLS version 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384  # Use this specific TLS cipher
reneg-sec 360                           # Renegotiate every 360 seconds

# Performance and Logging
verb 3                                  # Logging verbosity level
keepalive 10 60                         # Ping every 10 seconds, assume down if no ping received for 60 seconds.
mute 20                                 # Limit repeated log messages

# Security Enhancements
script-security 2                       # Allow external scripts to be called
auth-nocache                            # Don't cache auth credentials
#user nobody                             # Run OpenVPN as the user 'nobody'
#group nogroup                           # Run OpenVPN under the group 'nogroup'

# Status and Logging
#status /var/log/openvpn/{project_name}-status.log
#log /var/log/openvpn/{project_name}.log

# TLS Crypt (Encryption and Authentication of Control Channel)
<tls-crypt>
{tc}</tls-crypt>

# CA certificate file
<ca>
{ca}</ca>

# Client's certificate
<cert>
{cert}</cert>

# Client's private key
<key>
{key}</key>