# Notice to Mullvad customers:
# 
# Apart from openvpn, you also need to install the
# package "resolvconf", available via apt, e.g.
#
# For those of you behind very restrictive firewalls,
# you can use our tunnels on tcp port 443, as well as
# on udp port 53.
client

#Original
#dev tun
dev mullvad
dev-type tun

proto udp
#proto udp
#proto tcp

remote nl.mullvad.net 1300
cipher AES-256-CBC

#remote openvpn.mullvad.net 443
#cipher BF-CBC

#remote openvpn.mullvad.net 53
#cipher BF-CBC

#remote se.mullvad.net 1300 # Servers in Sweden
#cipher AES-256-CBC

#remote nl.mullvad.net 1300 # Servers in the Netherlands
#cipher AES-256-CBC

#remote de.mullvad.net 1300 # Servers in Germany
#cipher AES-256-CBC

#remote us.mullvad.net 1300 # Servers in the USA
#cipher AES-256-CBC

#remote openvpn.mullvad.net 1194
#remote openvpn.mullvad.net 443
#remote openvpn.mullvad.net 53
#remote se.mullvad.net # Servers in Sweden
#remote nl.mullvad.net # Servers in the Netherlands
#remote de.mullvad.net # Servers in Germany
#remote us.mullvad.net # Servers in the USA

# Tunnel IPv6 traffic as well as IPv4
tun-ipv6

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Enable compression on the VPN link.
comp-lzo

# Set log file verbosity.
verb 3

remote-cert-tls server

ping-restart 60

# Allow calling of built-in executables and user-defined scripts.
script-security 2

# Parses DHCP options from openvpn to update resolv.conf
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

ping 10

ca ca.crt
cert mullvad.crt
key mullvad.key

crl-verify crl.pem

# Enable Freifunk specific Routing
route-noexec
route-delay 3
route-up    /etc/openvpn/mullvad-up

# Limit range of possible TLS cipher-suites
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA