ref: 453cda58bae0131116fbab4e4fc686d867e87ade vpn-server-api/CONFIG_CHANGES.md -rw-r--r-- 3.3 KiB
453cda58François Kooman allow configuring the log format for log entries to syslog, also allow logging originating client IP 4 months ago

# Configuration Changes

This document describes all configuration file changes since the 2.0.0 release, in order to keep track of all changes made during the 2.x release cycle.

This will help upgrades to a future 3.x release. Configuration changes during the 2.x life cycle are NOT required. Any existing configuration file will keep working!

- added the `connectionLogFormat` configuration option that takes a string. You can format the log line written to syslog however you like for your particular situation. The default value is `{{EVENT_TYPE}} {{USER_ID}} ({{PROFILE_ID}}) [{{IP_FOUR}},{{IP_SIX}}]`. If you also want to log the client's originating IP address you can, for example, use `{{EVENT_TYPE}} {{USER_ID}} ({{PROFILE_ID}}) [{{ORIGINATING_IP}} => {{IP_FOUR}},{{IP_SIX}}]`.

- the `tlsProtection` configuration option was removed. It is now always `tls-crypt`. Specifying it, or not specifying it, has no effect.

- the generated CA key type is configurable with the `vpnCaKeyType` configuration option. The default is `RSA`, but `ECDSA` (NIST P-256) and `EdDSA` (Ed25519) are also supported. Note that EdDSA is only supported on Fedora and Debian >= 10 servers. We did not do extensive tests regarding client support after publishing this blog post. USE WITH CARE, THIS IS NOT OFFICIALLY SUPPORTED YET!

- the `useVpnDaemon` option got a sibling: `vpnDaemonTls`, which defaults to `true`. This means that by default VPN Daemon connections to IP addresses specified in `managementIp` other than, or `::1`, will require TLS. Setting it to `false` disables TLS. This is useful when you have multiple nodes in the same data center where TLS between controller and node is not that important.

- the option `vpnCaPath` now defaults to `/usr/bin/vpn-ca` when not specified, since vpn-ca is used by default. You can still override this, but that is mostly useful for development purposes. The option can be removed for normal deployments.

- allow enabling vpn-daemon support with the `useVpnDaemon` option, which takes a boolean. When the option is NOT specified it defaults to `false`. This is a GLOBAL option, so all profiles will use the daemon to talk to OpenVPN processes.

- allow specifying the `tlsOneThree` profile option, which takes a boolean, to force the server and client to use TLSv1.3. NOTE: this only works when both the server and the client(s) use OpenSSL >= 1.1.1. This is FOR TESTING ONLY. See the eduVPN Blog for more information.

- allow using vpn-ca, the experimental CA for use with Let's Connect!/eduVPN. The `vpnCaPath` configuration option was added. When the (absolute) path to the vpn-ca binary is specified, vpn-ca will be used and the existing EasyRsa CA database will be migrated.

- allow setting the DNS (search) suffix(es) the client will use with the `dnsSuffix` option. It takes an array of domain name(s). The default is the empty array `[]`, meaning no DNS suffix will be pushed to the client.