|
|
|
@ -99,12 +99,22 @@ chroot-dir = /var/lib/ocserv
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### All configuration options below this line are reloaded on a SIGHUP.
|
|
|
|
|
### The options above, will remain unchanged.
|
|
|
|
|
### The options above, will remain unchanged. Note however, that the
|
|
|
|
|
### server-cert, server-key, dh-params and ca-cert options will be reloaded
|
|
|
|
|
### if the provided file changes, on server reload. That allows certificate
|
|
|
|
|
### rotation, but requires the server key to remain the same for seamless
|
|
|
|
|
### operation. If the server key changes on reload, there may be connection
|
|
|
|
|
### failures during the reloading time.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
|
|
|
|
|
# system calls allowed to a worker process, in order to reduce damage from a
|
|
|
|
|
# bug in the worker process. It is available on Linux systems at a performance cost.
|
|
|
|
|
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
|
|
|
|
|
# Note however, that process isolation is restricted to the specific libc versions
|
|
|
|
|
# the isolation was tested at. If you get random failures on worker processes, try
|
|
|
|
|
# disabling that option and report the failures you, along with system and debugging
|
|
|
|
|
# information at: https://gitlab.com/ocserv/ocserv/issues
|
|
|
|
|
isolate-workers = true
|
|
|
|
|
|
|
|
|
|
# A banner to be displayed on clients
|
|
|
|
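Review bot: The new `isolate-workers` comment says the feature "is available on Linux systems" but not what happens when the key is left at `true` on a kernel without seccomp or namespace support — whether the daemon refuses to start, logs and continues without isolation, or fails silently is what an operator needs to know before shipping a sample that defaults it on; presumably it is ignored, but the comment should say so. The same comment has a dropped word in `report the failures you, along with system and debugging`, which reads as intended when written `report the failures you see, along with system and debugging`. It would also help to state plainly that switching the option off widens what a compromised or crashing worker can reach, since the clause about reducing damage is the only hint of what the isolation buys.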
@ -118,11 +128,6 @@ max-clients = 16
|
|
|
|
|
# multiple times). Unset or set to zero for unlimited.
|
|
|
|
|
max-same-clients = 2
|
|
|
|
|
|
|
|
|
|
# When the server has a dynamic DNS address (that may change),
|
|
|
|
|
# should set that to true to ask the client to resolve again on
|
|
|
|
|
# reconnects.
|
|
|
|
|
#listen-host-is-dyndns = true
|
|
|
|
|
|
|
|
|
|
# Limit the number of client connections to one every X milliseconds
|
|
|
|
|
# (X is the provided value). Set to zero for no limit.
|
|
|
|
|
#rate-limit-ms = 100
|
|
|
|
@ -214,7 +219,9 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
|
|
|
#cert-group-oid = 2.5.4.11
|
|
|
|
|
|
|
|
|
|
# The revocation list of the certificates issued by the 'ca-cert' above.
|
|
|
|
|
# See the manual to generate an empty CRL initially.
|
|
|
|
|
# See the manual to generate an empty CRL initially. The CRL will be reloaded
|
|
|
|
|
# periodically when ocserv detects a change in the file. To force a reload use
|
|
|
|
|
# SIGHUP.
|
|
|
|
|
#crl = /path/to/crl.pem
|
|
|
|
|
|
|
|
|
|
# Uncomment this to enable compression negotiation (LZS, LZ4).
|
|
|
|
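Review bot: The new CRL note says the file is reloaded when ocserv detects a change, but not what happens when the changed file fails to parse or has expired — whether the previous CRL stays in effect or revocation checking is dropped until the next successful reload. That failure mode decides whether a botched CRL rotation fails open, so the comment should state it, along the lines of `# If the new file cannot be loaded the previous CRL stays in effect.` once the actual behaviour is confirmed against the source. It would also help to say what a missing `crl` line means — presumably that revoked certificates are still accepted — since the key stays commented out in the sample.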
@ -251,7 +258,7 @@ tls-priorities = "@SYSTEM"
|
|
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
|
|
|
# to authentication
|
|
|
|
|
auth-timeout = 40
|
|
|
|
|
auth-timeout = 240
|
|
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay idle (no traffic)
|
|
|
|
|
# before being disconnected. Unset to disable.
|
|
|
|
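Review bot: `auth-timeout` goes from 40 to 240 seconds with no explanation in the comment, and that comment is the only documentation the sample carries for the key. An unauthenticated client may now hold its connection six times longer, which matters because such connections presumably count toward `max-clients` (16 in the hunk header above) and interact with `rate-limit-ms`; the comment should give the reason for the larger value — presumably to leave time for interactive second-factor or password prompts — so operators know when to lower it again, e.g. `# 240s leaves time for interactive second-factor prompts; lower it if unauthenticated sessions must be bounded more tightly.`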
@ -299,6 +306,13 @@ ban-reset-time = 300
|
|
|
|
|
# between different networks.
|
|
|
|
|
cookie-timeout = 300
|
|
|
|
|
|
|
|
|
|
# Cookie rekey time (in seconds)
|
|
|
|
|
# The time after which the key used to encrypt cookies will be
|
|
|
|
|
# refreshed. After this time the previous key will also be valid
|
|
|
|
|
# for verification. It is recommended not to modify the default
|
|
|
|
|
# value.
|
|
|
|
|
cookie-rekey-time = 14400
|
|
|
|
|
|
|
|
|
|
# If this is enabled (not recommended) the cookies will stay
|
|
|
|
|
# valid even after a user manually disconnects, and until they
|
|
|
|
|
# expire. This may improve roaming with some broken clients.
|
|
|
|
@ -327,11 +341,17 @@ rekey-method = ssl
|
|
|
|
|
# Script to call when a client connects and obtains an IP.
|
|
|
|
|
# The following parameters are passed on the environment.
|
|
|
|
|
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
|
|
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
|
|
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local
|
|
|
|
|
# interface IP the client connected), IP_LOCAL (the local IP
|
|
|
|
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
|
|
|
|
|
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
|
|
|
|
|
# assigned), IPV6_REMOVE (the IPv6 remote address), and
|
|
|
|
|
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
|
|
|
|
|
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
|
|
|
|
|
# In addition the following variables OCSERV_ROUTES (the applied routes for this
|
|
|
|
|
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
|
|
|
|
|
# will contain a space separated list of routes or DNS servers. A version
|
|
|
|
|
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
|
|
|
|
|
# IPv6 values.
|
|
|
|
|
|
|
|
|
|
# The disconnect script will receive the additional values: STATS_BYTES_IN,
|
|
|
|
|
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
|
|
|
|
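Review bot: The rewritten variable list names `IPV6_PREFIX` without the parenthetical description every other variable gets, so a script author cannot tell from the comment whether it holds a prefix length or a prefix address; a parenthetical such as `IPV6_PREFIX (the IPv6 prefix length of the client's address)`, with whichever meaning the source establishes, would keep the list self-describing. The `IPV6_REMOVE` to `IPV6_REMOTE` correction is worth calling out in the changelog, because a script written against the old comment never received that variable. The comment block continues past the end of the hunk.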
@ -398,6 +418,10 @@ default-domain = example.com
|
|
|
|
|
#ipv6-subnet-prefix = 128
|
|
|
|
|
#ipv6-subnet-prefix = 64
|
|
|
|
|
|
|
|
|
|
# Whether to tunnel all DNS queries via the VPN. This is the default
|
|
|
|
|
# when a default route is set.
|
|
|
|
|
#tunnel-all-dns = true
|
|
|
|
|
|
|
|
|
|
# The advertized DNS server. Use multiple lines for
|
|
|
|
|
# multiple servers.
|
|
|
|
|
# dns = fc00::4be0
|
|
|
|
|