cat <<EOF > /etc/openvpn/server.conf
port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem

server 10.8.0.0 255.255.255.0

cipher AES-256-CBC
ping-timer-rem
keepalive 20 180

# Route kompletten Traffic durch VPN
push "redirect-gateway def1 bypass-dhcp"

# DNS über VPN
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"

# Optional: interne Route falls noch gebraucht
push "route 172.16.0.0 255.255.255.0"

user nobody
group nogroup

persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

explicit-exit-notify 1
EOF