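# OpenVPN client profile for the ARN VPN service (aesvpn.arn-fai.net).
# Layout: role, transport, server list, keepalive, routing, logging,
# cryptography, then the PKI material.

# We are the side that initiates the connection to the server.
# Equivalent to "pull" + "tls-client".
client

# Routed IP tunnel (layer 3), not an Ethernet bridge.
dev tun

# Do not bind a fixed local port; we are a client anyway.
nobind

# Try each server below in order, allowing 6 s per attempt, and keep
# retrying DNS resolution of a remote for 3 s before moving on.
server-poll-timeout 6
resolv-retry 3

# Per-server options live inside <connection> blocks so that the UDP-only
# settings (explicit-exit-notify, fragment) are never applied to the TCP
# fallbacks, which use mssfix instead.
# No protocol is given on the first four entries, so they use the default (UDP).
<connection>
remote aesvpn.arn-fai.net 443
explicit-exit-notify
fragment 1300
</connection>

<connection>
remote aesvpn.arn-fai.net 53
explicit-exit-notify
fragment 1300
</connection>

<connection>
remote aesvpn.arn-fai.net 1194
explicit-exit-notify
fragment 1300
</connection>

# Same server by literal address, usable when DNS resolution fails.
<connection>
remote 89.234.141.94 443
explicit-exit-notify
fragment 1300
</connection>

# TCP fallbacks, by name and then by address.
<connection>
remote aesvpn.arn-fai.net 443 tcp
mssfix 1300
</connection>

<connection>
remote 89.234.141.94 443 tcp
mssfix 1300
</connection>

# Keep the key in memory so it does not have to be re-read on a restart.
persist-key

# Ping every 10 s; restart the tunnel after 30 s without a reply.
keepalive 10 30

# Enable LZO compression.
# NOTE(review): compressing before encrypting can leak information about the
# plaintext through packet sizes (VORACLE-class attacks), and comp-lzo is
# deprecated in recent OpenVPN releases. The setting has to match the server,
# so dropping it needs to be coordinated with the server operator.
comp-lzo

# Routing
# Send all global-unicast IPv6 through the tunnel so IPv6 traffic does not
# bypass the VPN.
route-ipv6 2000::/3
# Keep the RFC 1918 private ranges on the local gateway.
# NOTE(review): traffic to these ranges therefore stays OUTSIDE the tunnel;
# on an untrusted LAN it is exposed to that network.
route 10.0.0.0 255.0.0.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway
route 192.168.0.0 255.255.0.0 net_gateway
# Send everything else (IPv4 default route) through the tunnel, except DHCP
# traffic to the local DHCP server.
redirect-gateway def1 bypass-dhcp

# Do not cache passwords in memory. No auth-user-pass is used in this file,
# so this mainly silences OpenVPN's password-caching warning.
auth-nocache

# Logs
verb 3
mute 5

# CRYPTOGRAPHY
# Control channel: OpenSSL cipher list restricted to ephemeral (EC)DH key
# exchange with RSA/ECDSA authentication; null, weak, export, PSK, SRP, DSS
# and RC4 suites are excluded.
# NOTE(review): no tls-version-min is set, so the minimum TLS version is left
# to the build's default. Consider adding `tls-version-min 1.2` once the
# server is confirmed to support it.
tls-cipher "EDH+aRSA:EECDH+aRSA:EECDH+ECDSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
# Data channel: AES-128-CBC with HMAC-SHA256 packet authentication.
# These must match what the server accepts.
cipher AES-128-CBC
auth SHA256
prng sha256 64

# Require that the peer certificate was signed with an explicit key usage and
# extended key usage based on RFC3280 TLS rules. This prevents a holder of a
# valid *client* certificate from the same CA from posing as the server.
remote-cert-tls server

# TLS
# Trust anchor: the VPN's CA certificate, embedded inline.
# NOTE(review): the validity fields of this certificate appear to decode to
# 2014-07-01 .. 2024-06-28. Confirm with `openssl x509 -noout -dates` and
# obtain the current CA from the operator over a trusted channel if expired.
<ca>
-----BEGIN CERTIFICATE-----
MIIEPzCCAyegAwIBAgIJAJzlDP4UwAIOMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
BAYTAkZSMQ8wDQYDVQQIEwZBbHNhY2UxEzARBgNVBAcTClN0cmFzYm91cmcxDDAK
BgNVBAoTA0FSTjEPMA0GA1UEAxMGQUMgVlBOMR4wHAYJKoZIhvcNAQkBFg92cG5A
YXJuLWZhaS5uZXQwHhcNMTQwNzAxMTc1MjA0WhcNMjQwNjI4MTc1MjA0WjByMQsw
CQYDVQQGEwJGUjEPMA0GA1UECBMGQWxzYWNlMRMwEQYDVQQHEwpTdHJhc2JvdXJn
MQwwCgYDVQQKEwNBUk4xDzANBgNVBAMTBkFDIFZQTjEeMBwGCSqGSIb3DQEJARYP
dnBuQGFybi1mYWkubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
0vsQrBt8hCPzyinlTC2Xc/eje3jWEdj4fjJpiYmNr/DbHgF4+Lxzxi+Alsn8RQuG
+wFkgyOkzOEoca2qc0eHaWlXt8qcCWBpQUPQXTgS3blspZl839ne4nwBdQQQDsHn
wHxOQ/Jm7dX/mCUh8d5F8JiT24IgQW2xUK5JM3GprTIOqT23ORKDs2zPtWl/VuoB
tOrUn/kqUhYKw13HKuRYCv4pVXApGQ+xbvC90lnvmnjPIQ57AdE4gPBdptk2aGVu
2kvBPbcvi94iyp5H3VKhGpmniYknYeDOoi5o7y4Tsj262xT14oxSXznFFyDSW4NQ
SjjH4W6pPsRSjFbLwY0dfwIDAQABo4HXMIHUMB0GA1UdDgQWBBThtjgo+fpoezmZ
Lw0NxpXJRab+VTCBpAYDVR0jBIGcMIGZgBThtjgo+fpoezmZLw0NxpXJRab+VaF2
pHQwcjELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkFsc2FjZTETMBEGA1UEBxMKU3Ry
YXNib3VyZzEMMAoGA1UEChMDQVJOMQ8wDQYDVQQDEwZBQyBWUE4xHjAcBgkqhkiG
9w0BCQEWD3ZwbkBhcm4tZmFpLm5ldIIJAJzlDP4UwAIOMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAE1w8TsTV2nEKOGVk5c97OdcW80PH5am+dy8EI/r
nebFgTKOb4AnipAMDCvD2MSymUIuCmwDTwy13lgyqAWlbjyx4ogW4VH2nq2TIzpB
lVP00YcHW7TWF2/cbGClwCQppUX0fFULFGhP4GktrfE9Js1w+bBRGpSKS4c0vIet
sdT5IYJXwe7357TgcPqwE3iPa4wQOT07gTtkUMRZMoRY2Q6XpWvU2UWIbq9iSSGg
6/I7YxPwhk0GBX+PA7G6FMo3JajCT3tuDtC/509H9qGscHkZTOIFZwBZ5peISOe0
HXapcikfzY2uU2DifClRNK5iqU2QdnSrHeF/gDcXVlQHZ40=
-----END CERTIFICATE-----
</ca>

# Client certificate and private key.
# The key file should be readable only by the account that runs OpenVPN.
cert /etc/openvpn/user.crt
key /etc/openvpn/user.key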