|
|
|
|
@ -5,6 +5,10 @@
|
|
|
|
|
#auth = "plain[./sample.passwd]"
|
|
|
|
|
auth = "pam"
|
|
|
|
|
|
|
|
|
|
# The gid-min option is used by auto-select-group option, in order to
|
|
|
|
|
# select the minimum group ID.
|
|
|
|
|
#auth = "pam[gid-min=1000]"
|
|
|
|
|
|
|
|
|
|
# The plain option requires specifying a password file which contains
|
|
|
|
|
# entries of the following format.
|
|
|
|
|
# "username:groupname:encoded-password"
|
|
|
|
|
@ -128,7 +132,7 @@ auth-timeout = 40
|
|
|
|
|
# Once a client is authenticated he's provided a cookie with
|
|
|
|
|
# which he can reconnect. This option sets the maximum lifetime
|
|
|
|
|
# of that cookie.
|
|
|
|
|
cookie-validity = 86400
|
|
|
|
|
cookie-validity = 10800
|
|
|
|
|
|
|
|
|
|
# ReKey time (in seconds)
|
|
|
|
|
# ocserv will ask the client to refresh keys periodically once
|
|
|
|
|
@ -156,10 +160,13 @@ rekey-method = ssl
|
|
|
|
|
# UTMP
|
|
|
|
|
use-utmp = true
|
|
|
|
|
|
|
|
|
|
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
|
|
|
|
|
# then ocserv must have access to register org.infradead.ocserv
|
|
|
|
|
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
|
|
|
|
|
use-dbus = true
|
|
|
|
|
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
|
|
|
|
|
# or via a unix socket).
|
|
|
|
|
use-occtl = true
|
|
|
|
|
|
|
|
|
|
# socket file used for IPC with occtl. You only need to set that,
|
|
|
|
|
# if you use more than a single servers.
|
|
|
|
|
#occtl-socket-file = /var/run/occtl.socket
|
|
|
|
|
|
|
|
|
|
# PID file. It can be overriden in the command line.
|
|
|
|
|
#pid-file = /var/run/ocserv.pid
|
|
|
|
|
@ -194,6 +201,10 @@ run-as-group = ocserv
|
|
|
|
|
# The name of the tun device
|
|
|
|
|
device = vpns
|
|
|
|
|
|
|
|
|
|
# Whether the generated IPs will be predictable, i.e., IP stays the
|
|
|
|
|
# same for the same user when possible.
|
|
|
|
|
predictable-ips = true
|
|
|
|
|
|
|
|
|
|
# The default domain to be advertised
|
|
|
|
|
default-domain = example.com
|
|
|
|
|
|
|
|
|
|
@ -258,6 +269,29 @@ route = 192.168.1.0/255.255.255.0
|
|
|
|
|
#config-per-user = /etc/ocserv/config-per-user/
|
|
|
|
|
#config-per-group = /etc/ocserv/config-per-group/
|
|
|
|
|
|
|
|
|
|
# When config-per-xxx is specified and there is no group or user that
|
|
|
|
|
# matches, then utilize the following configuration.
|
|
|
|
|
|
|
|
|
|
#default-user-config = /etc/ocserv/defaults/user.conf
|
|
|
|
|
#default-group-config = /etc/ocserv/defaults/group.conf
|
|
|
|
|
|
|
|
|
|
# Groups that a client is allowed to select from.
|
|
|
|
|
# A client may belong in multiple groups, and in certain use-cases
|
|
|
|
|
# it is needed to switch between them. For these cases the client can
|
|
|
|
|
# select prior to authentication. Add multiple entries for multiple groups.
|
|
|
|
|
#select-group = group1
|
|
|
|
|
#select-group = group2[My group 2]
|
|
|
|
|
#select-group = tost[The tost group]
|
|
|
|
|
|
|
|
|
|
# The name of the group that if selected it would allow to use
|
|
|
|
|
# the assigned by default group.
|
|
|
|
|
default-select-group = DEFAULT
|
|
|
|
|
|
|
|
|
|
# Instead of specifying manually all the allowed groups, you may instruct
|
|
|
|
|
# ocserv to scan all available groups and include the full list. That
|
|
|
|
|
# option is only functional on plain authentication.
|
|
|
|
|
auto-select-group = true
|
|
|
|
|
|
|
|
|
|
# The system command to use to setup a route. %R will be replaced with the
|
|
|
|
|
# route/mask and %D with the (tun) device.
|
|
|
|
|
#
|
|
|
|
|
|
Nikos Mavrogiannopoulos
11 years ago