|
|
@ -22,13 +22,19 @@ auth = "pam"
|
|
|
|
# to generate password entries.
|
|
|
|
# to generate password entries.
|
|
|
|
#auth = "plain[/etc/ocserv/ocpasswd]"
|
|
|
|
#auth = "plain[/etc/ocserv/ocpasswd]"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether to enable seccomp worker isolation. That restricts the number of
|
|
|
|
|
|
|
|
# system calls allowed to a worker process, in order to reduce damage from a
|
|
|
|
|
|
|
|
# bug in the worker process. It is available on Linux systems at a performance cost.
|
|
|
|
|
|
|
|
#use-seccomp = true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether to enable the authentication method's session control (i.e., PAM).
|
|
|
|
|
|
|
|
# That requires more resources on the server, and makes cookies one-time-use;
|
|
|
|
|
|
|
|
# thus don't enable unless you need it.
|
|
|
|
|
|
|
|
#session-control = true
|
|
|
|
|
|
|
|
|
|
|
|
# A banner to be displayed on clients
|
|
|
|
# A banner to be displayed on clients
|
|
|
|
#banner = "Welcome"
|
|
|
|
#banner = "Welcome"
|
|
|
|
|
|
|
|
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided
|
|
|
|
|
|
|
|
# hostname.
|
|
|
|
|
|
|
|
#listen-host = [IP|HOSTNAME]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
|
|
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
|
|
|
#max-clients = 1024
|
|
|
|
#max-clients = 1024
|
|
|
|
max-clients = 16
|
|
|
|
max-clients = 16
|
|
|
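Review bot: The worker sandbox is introduced only as the commented-out example `#use-seccomp = true`, so the seccomp restriction described in the three comment lines above it stays off in the shipped configuration. Since that comment itself states the purpose is to limit the damage from a bug in a worker process, consider shipping it enabled, `use-seccomp = true`, and recording the measured overhead if it is deliberately left off. The same applies to `#session-control = true`, which is also only an example; if PAM session control is intentionally not wanted, a one-line note such as `# session-control left disabled: cookies must remain reusable for roaming` would make the decision auditable. Whether this build of ocserv was compiled with seccomp support cannot be told from the diff.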
@ -41,10 +47,23 @@ max-clients = 16
|
|
|
|
# multiple times). Unset or set to zero for unlimited.
|
|
|
|
# multiple times). Unset or set to zero for unlimited.
|
|
|
|
max-same-clients = 2
|
|
|
|
max-same-clients = 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided
|
|
|
|
|
|
|
|
# hostname.
|
|
|
|
|
|
|
|
#listen-host = [IP|HOSTNAME]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# When the server has a dynamic DNS address (that may change),
|
|
|
|
|
|
|
|
# should set that to true to ask the client to resolve again on
|
|
|
|
|
|
|
|
# reconnects.
|
|
|
|
|
|
|
|
#listen-host-is-dyndns = true
|
|
|
|
|
|
|
|
|
|
|
|
# TCP and UDP port number
|
|
|
|
# TCP and UDP port number
|
|
|
|
tcp-port = 443
|
|
|
|
tcp-port = 443
|
|
|
|
udp-port = 443
|
|
|
|
udp-port = 443
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Accept connections using a socket file. The connections are
|
|
|
|
|
|
|
|
# forwarded without SSL/TLS.
|
|
|
|
|
|
|
|
listen-clear-file = /var/run/ocserv-conn.socket
|
|
|
|
|
|
|
|
|
|
|
|
# Keepalive in seconds
|
|
|
|
# Keepalive in seconds
|
|
|
|
keepalive = 32400
|
|
|
|
keepalive = 32400
|
|
|
|
|
|
|
|
|
|
|
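Review bot: `listen-clear-file = /var/run/ocserv-conn.socket` is enabled as an active setting, and the comment directly above it says connections on that socket are forwarded without SSL/TLS, yet nothing documents which component is expected to terminate TLS in front of it or who may connect to the path. Anything able to open that socket reaches the VPN without the TLS protections configured elsewhere in this file, so the socket's ownership and mode are part of the security boundary. A comment naming the front-end and the required permissions, for example `# Only the TLS-terminating front-end may reach this socket; keep it owned by the ocserv user with a restrictive mode`, would make the intent checkable; if no such front-end exists, the line should stay commented like the other examples in this hunk. The `listen-host-is-dyndns` block is added only as a commented example and needs no change.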
@ -94,7 +113,6 @@ server-key = /etc/pki/ocserv/private/server.key
|
|
|
|
# The Certificate Authority that will be used to verify
|
|
|
|
# The Certificate Authority that will be used to verify
|
|
|
|
# client certificates (public keys) if certificate authentication
|
|
|
|
# client certificates (public keys) if certificate authentication
|
|
|
|
# is set.
|
|
|
|
# is set.
|
|
|
|
#ca-cert = /path/to/ca.pem
|
|
|
|
|
|
|
|
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
|
|
|
|
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
|
|
|
|
|
|
|
|
|
|
|
|
# The object identifier that will be used to read the user ID in the client
|
|
|
|
# The object identifier that will be used to read the user ID in the client
|
|
|
@ -113,10 +131,10 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
|
|
|
|
#crl = /path/to/crl.pem
|
|
|
|
#crl = /path/to/crl.pem
|
|
|
|
|
|
|
|
|
|
|
|
# GnuTLS priority string
|
|
|
|
# GnuTLS priority string
|
|
|
|
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
|
|
|
|
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
|
|
|
|
|
|
|
|
|
|
|
|
# To enforce perfect forward secrecy (PFS) on the main channel.
|
|
|
|
# To enforce perfect forward secrecy (PFS) on the main channel.
|
|
|
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
|
|
|
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
|
|
|
|
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
|
|
# to authentication
|
|
|
|
# to authentication
|
|
|
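Review bot: The two priority strings at `tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"` and the commented PFS variant gain the exclusions without a comment saying why, although the file otherwise comments every value. A line such as `# SSLv3 and RC4 are excluded: both have published attacks and are no longer considered safe` above the active line records the rationale for the next maintainer. `%COMPAT` is kept and the string does not say which TLS versions remain enabled, so what is actually negotiated depends on the installed GnuTLS version's definition of NORMAL; worth confirming on the target system rather than assuming. Keeping the commented `-RSA` variant in sync with the active line, as the hunk does, is good.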
@ -135,7 +153,18 @@ auth-timeout = 40
|
|
|
|
#min-reauth-time = 2
|
|
|
|
#min-reauth-time = 2
|
|
|
|
|
|
|
|
|
|
|
|
# Cookie timeout (in seconds)
|
|
|
|
# Cookie timeout (in seconds)
|
|
|
|
cookie-timeout = 360
|
|
|
|
# Once a client is authenticated he's provided a cookie with
|
|
|
|
|
|
|
|
# which he can reconnect. That cookie will be invalided if not
|
|
|
|
|
|
|
|
# used within this timeout value. On a user disconnection, that
|
|
|
|
|
|
|
|
# cookie will also be active for this time amount prior to be
|
|
|
|
|
|
|
|
# invalid. That should allow a reasonable amount of time for roaming
|
|
|
|
|
|
|
|
# between different networks.
|
|
|
|
|
|
|
|
cookie-timeout = 300
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether roaming is allowed, i.e., if true a cookie is
|
|
|
|
|
|
|
|
# restricted to a single IP address and cannot be re-used
|
|
|
|
|
|
|
|
# from a different IP.
|
|
|
|
|
|
|
|
deny-roaming = false
|
|
|
|
|
|
|
|
|
|
|
|
# ReKey time (in seconds)
|
|
|
|
# ReKey time (in seconds)
|
|
|
|
# ocserv will ask the client to refresh keys periodically once
|
|
|
|
# ocserv will ask the client to refresh keys periodically once
|
|
|
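Review bot: The new comment above `deny-roaming = false` reads `# Whether roaming is allowed, i.e., if true a cookie is restricted to a single IP address`, which inverts the key's meaning: `true` denies roaming. Suggest `# Whether roaming is denied, i.e., if true a cookie is restricted to a single IP address`. With the value left at `false` and `cookie-timeout = 300`, a reconnect cookie remains usable from any address for that window, which is exactly the roaming trade-off the expanded cookie-timeout comment describes; a short note making that choice explicit would help. `cookie-timeout` is also lowered from 360 to 300 in this hunk, which is consistent with the added explanation.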
@ -157,8 +186,8 @@ rekey-method = ssl
|
|
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
|
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
|
|
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
|
|
|
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
|
|
|
|
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
|
|
|
|
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
|
|
|
|
#connect-script = /usr/bin/ocserv-script
|
|
|
|
#connect-script = /scripts/ocserv-script
|
|
|
|
#disconnect-script = /usr/bin/ocserv-script
|
|
|
|
#disconnect-script = /scripts/ocserv-script
|
|
|
|
|
|
|
|
|
|
|
|
# UTMP
|
|
|
|
# UTMP
|
|
|
|
use-utmp = true
|
|
|
|
use-utmp = true
|
|
|
@ -171,6 +200,7 @@ use-occtl = true
|
|
|
|
# if you use more than a single servers.
|
|
|
|
# if you use more than a single servers.
|
|
|
|
#occtl-socket-file = /var/run/occtl.socket
|
|
|
|
#occtl-socket-file = /var/run/occtl.socket
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# PID file. It can be overriden in the command line.
|
|
|
|
# PID file. It can be overriden in the command line.
|
|
|
|
#pid-file = /var/run/ocserv.pid
|
|
|
|
#pid-file = /var/run/ocserv.pid
|
|
|
|
|
|
|
|
|
|
|
@ -254,7 +284,7 @@ ping-leases = false
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# To set the server as the default gateway for the client just
|
|
|
|
# To set the server as the default gateway for the client just
|
|
|
|
# comment out all routes from the server.
|
|
|
|
# comment out all routes from the server.
|
|
|
|
route = 192.168.1.0/255.255.255.0
|
|
|
|
#route = 192.168.1.0/255.255.255.0
|
|
|
|
#route = 192.168.5.0/255.255.255.0
|
|
|
|
#route = 192.168.5.0/255.255.255.0
|
|
|
|
#route = fef4:db8:1000:1001::/64
|
|
|
|
#route = fef4:db8:1000:1001::/64
|
|
|
|
|
|
|
|
|
|
|
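Review bot: Commenting out `route = 192.168.1.0/255.255.255.0` leaves no active `route` line in this hunk, and the comment above it states that with all routes commented out the server becomes the client's default gateway, so the change silently switches clients from split tunnel to full tunnel. That is a meaningful change in what traffic transits the server and should be stated next to the commented line, for example `# No routes pushed on purpose: the server is the default gateway for all client traffic`. Whether routes are defined elsewhere in the file cannot be seen from this hunk; if they are, the intent is different and the comment should say so. With full tunnel, the server's forwarding and firewall rules for client traffic deserve a review alongside this change.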
@ -291,17 +321,23 @@ route = 192.168.1.0/255.255.255.0
|
|
|
|
#default-select-group = DEFAULT
|
|
|
|
#default-select-group = DEFAULT
|
|
|
|
|
|
|
|
|
|
|
|
# Instead of specifying manually all the allowed groups, you may instruct
|
|
|
|
# Instead of specifying manually all the allowed groups, you may instruct
|
|
|
|
# ocserv to scan all available groups and include the full list.
|
|
|
|
# ocserv to scan all available groups and include the full list. That
|
|
|
|
|
|
|
|
# option is only functional on plain authentication.
|
|
|
|
#auto-select-group = true
|
|
|
|
#auto-select-group = true
|
|
|
|
|
|
|
|
|
|
|
|
# The system command to use to setup a route. %R will be replaced with the
|
|
|
|
# The system command to use to setup a route. %{R} will be replaced with the
|
|
|
|
# route/mask and %D with the (tun) device.
|
|
|
|
# route/mask and %{D} with the (tun) device.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# The following example is from linux systems. %R should be something
|
|
|
|
# The following example is from linux systems. %{R} should be something
|
|
|
|
# like 192.168.2.0/24
|
|
|
|
# like 192.168.2.0/24
|
|
|
|
|
|
|
|
|
|
|
|
route-add-cmd = "ip route add %R dev %D"
|
|
|
|
route-add-cmd = "ip route add %{R} dev %{D}"
|
|
|
|
route-del-cmd = "ip route delete %R dev %D"
|
|
|
|
route-del-cmd = "ip route delete %{R} dev %{D}"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# This option allows to forward a proxy. The special strings '%{U}'
|
|
|
|
|
|
|
|
# and '%{G}', if present will be replaced by the username and group name.
|
|
|
|
|
|
|
|
#proxy-url = http://example.com/
|
|
|
|
|
|
|
|
#proxy-url = http://example.com/%{U}/%{G}/hello
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# The following options are for (experimental) AnyConnect client
|
|
|
|
# The following options are for (experimental) AnyConnect client
|
|
|
|