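# OpenVPN
apt-get install --no-install-recommends openvpn

# Each VPN daemon should run with a dedicated user/group so that it can
# drop root privileges once the tunnel is up. VPN_NAME is reused below for
# both the account and the chroot directory; the same values must appear
# in the daemon's configuration (`user`, `group` and `chroot` directives),
# otherwise the daemon will not actually run under this account.
export VPN_NAME="cameleon"

# Create a system user (no password, no home, shell defaulting to /bin/false)
# together with a same-named group (--group).
adduser --quiet --system --no-create-home --home /nonexistent --group \
  --disabled-login "ovpn-${VPN_NAME}"

# Setup the VPN chroot: an (almost) empty directory the daemon confines
# itself to after start-up. Only /etc/localtime is copied in, so that log
# timestamps use the host's timezone. Expansions are quoted so the path is
# passed as a single argument whatever VPN_NAME contains.
export VPN_CHROOT="/etc/openvpn/${VPN_NAME}/chroot"
mkdir -p -- "${VPN_CHROOT}/etc"
cp -- /etc/localtime "${VPN_CHROOT}/etc/"

# Do not use a status file: uncomment STATUSREFRESH=0 in /etc/default/openvpn.
# SIGUSR2 is sent to the OpenVPN PID when those stats are needed.
sed -i 's/#\(STATUSREFRESH=0\)/\1/' /etc/default/openvpn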
Add the following to your OpenVPN configuration file:
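# Security
script-security 1                    # Built-in executables only (ifconfig/ip/route); no user-defined scripts
tls-client
remote-cert-tls server               # Remote cert type must match: the peer certificate must carry the server role

# The chroot directory, user and group are the ones created by the setup
# script above (VPN_NAME="cameleon"); they must stay in sync with it.
chroot /etc/openvpn/cameleon/chroot  # Chroot to the (almost) empty dir created by the setup script
user ovpn-cameleon                   # Drop root privileges to the dedicated account
group ovpn-cameleon                  # Drop root privileges to the dedicated group

# Once privileges are dropped and the chroot entered, OpenVPN can no longer
# re-read key material or reopen the tun device; keep both across restarts
# (SIGUSR1, ping-restart) so the hardened daemon does not fail on reconnect.
persist-key
persist-tun

# Make sure local nets are not going through the VPN
route-metric 50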