# OpenVPN client profile: TCP transport, PKCS#12 client certificate plus
# username/password, a static tls-auth key on the control channel, and an
# --up hook that registers the VPN nameserver with systemd-resolved.
# general
verb 4
# silence repeating messages (at most 20 consecutive messages of one kind)
mute 20
# identity the daemon keeps after initialisation.
# NOTE(review): root/root means no privilege drop at all; a dedicated
# unprivileged user is the usual hardening — confirm whether root is really
# required (the --up-restart hook below is one possible reason)
user root
group root
# client
tls-client
client
# keep retrying DNS resolution of the remote hostname indefinitely
resolv-retry infinite
#lport 0
# do not bind to a fixed local port
nobind
# server
remote foo.bar.lan 12345 tcp-client
# adaptive LZO compression of the tunnel payload.
# NOTE(review): compressing data that travels next to secrets enables
# compression-oracle style leakage; unless the server requires it, leaving
# compression off is the safer default — confirm with the server profile
comp-lzo adaptive
# interface
dev tun
# keep the tun device and key material open across restarts (needed when
# the process can no longer re-open them after a privilege drop)
persist-tun
persist-key
# ciphers
# data-channel cipher used when cipher negotiation with the server is not
# available; CBC mode needs the separate HMAC configured by "auth" below
cipher AES-256-CBC
# ciphers offered for negotiation: AEAD (GCM) modes only
# --ncp-ciphers list to list available ones
ncp-ciphers AES-128-GCM:AES-192-GCM
# HMAC digest for the control channel (and for the data channel when a
# non-AEAD cipher such as the CBC fallback above is in use)
auth SHA512
# auth
# username/password are read from this file — keep it root-owned, mode 0600
auth-user-pass /foo/auth
# tls
# use tls auth key
# pre-shared HMAC key on the control channel; direction 1 is the client
# side.  Packets that do not carry a valid HMAC are dropped before the TLS
# handshake, which shrinks the exposed surface of the TLS stack
tls-auth foo-tls.key 1
tls-version-min 1.2
# verify server certificate key usage
# require the server certificate to carry server key usage / EKU, so a
# client certificate issued by the same CA cannot impersonate the server
remote-cert-tls server
# renegotiate the data-channel key every hour
reneg-sec 3600
# crt
# the server certificate CN must equal "foobar" exactly (match type "name")
verify-x509-name "foobar" name
# PKCS#12 bundle holding CA certificate, client certificate and private key
pkcs12 foo.p12
# routes
# command after routes are added
#route-up cmd
# cmd before routes are removed
#route-pre-down cmd
# don't add routes automatically
#route-noexec
# accept options pushed by server EXCEPT for routes and dhcp options
#route-nopull
# hooks
# script-security levels:
#0 strictly no calling of external programs
#1 (default) only call built-ins such as ifconfig
#2 allow calling of built-ins and scripts
#3 allow password to be passed to scripts via env
# level 2 is the minimum that lets the --up script below run; keep it at 2
# so credentials are not exported into the script's environment
script-security 2
# NOTE(review): the leading "--" is written on the three options below but
# nowhere else in this file; OpenVPN's config parser strips it, but dropping
# it keeps the file consistent — confirm on the version in use
--up /foo/systemd-resolved.sh
# delay the tun open and the --up script until the TCP connection is up
--up-delay
# also run --up/--down on restarts, not only at first start
--up-restart
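#!/bin/bash
# OpenVPN --up hook: register the VPN nameserver and routing domain with
# systemd-resolved for the tunnel interface.
# openvpn call format ./systemd-resolved.sh tun0 1500 1553 172.1.2.3 255.255.255.0 init
#   $1 tun device, $2 tun MTU, $3 link MTU, $4 local IP, $5 netmask,
#   $6 init|restart — only $1 is used here.
# Exits 1 on a wrong argument count; a failing systemd-resolve call exits
# non-zero through set -e.  Diagnostics go to stderr.
set -eu

# the leading "~" marks a routing-only domain in systemd-resolved: queries
# under foo.lan go to this link's DNS without foo.lan becoming a search suffix
_domain="~foo.lan"
_nameserver="172.1.2.254"

# print a diagnostic on stderr and abort
die() { printf '%s\n' "$*" >&2; exit 1; }

(( $# == 6 )) || die "ERR: invalid call, must pass 6 arguments from openvpn"

# build the command as an array with every expansion quoted: $1 is supplied
# by openvpn, but word-splitting or globbing on a device name is never wanted
_cmd=(systemd-resolve --interface "$1" --set-dns "${_nameserver}" --set-domain "${_domain}")

# compare the effective uid (the privilege actually in effect).  "sudo -n"
# never prompts: a hook has no tty, so a password prompt would hang openvpn
# instead of failing fast.
if (( EUID != 0 )); then
  printf '%s\n' "INFO: not root, using sudo" >&2
  _cmd=(sudo -n "${_cmd[@]}")
fi

"${_cmd[@]}"
exit 0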