|
|
|
|
@ -1,36 +1,47 @@
|
|
|
|
|
# User authentication method. Could be set multiple times and in
|
|
|
|
|
# that case all should succeed. To enable multiple methods use
|
|
|
|
|
# multiple auth directives. Available options: certificate, certificate[optional],
|
|
|
|
|
# plain, pam.
|
|
|
|
|
#auth = "certificate"
|
|
|
|
|
#auth = "plain[./sample.passwd]"
|
|
|
|
|
auth = "pam"
|
|
|
|
|
# plain, pam, radius[configfile,groupconfig].
|
|
|
|
|
|
|
|
|
|
# This indicates that a user may present a certificate. When that option
|
|
|
|
|
# certificate:
|
|
|
|
|
# This indicates that all connecting users must present a certificate.
|
|
|
|
|
#
|
|
|
|
|
# certificate[optional]:
|
|
|
|
|
# This indicates that a user may present a certificate. When that option
|
|
|
|
|
# is set, individual users or user groups can be forced to present a valid
|
|
|
|
|
# certificate by using "require-cert=true".
|
|
|
|
|
#auth = "certificate[optional]"
|
|
|
|
|
|
|
|
|
|
# The gid-min option is used by auto-select-group option, in order to
|
|
|
|
|
# select the minimum group ID.
|
|
|
|
|
#auth = "pam[gid-min=1000]"
|
|
|
|
|
|
|
|
|
|
# The plain option requires specifying a password file which contains
|
|
|
|
|
# certificate by adding "require-cert=true" in the per-user configuration file.
|
|
|
|
|
#
|
|
|
|
|
# pam[gid-min=1000]:
|
|
|
|
|
# The gid-min option is used by auto-select-group option, in order to
|
|
|
|
|
# select the minimum valid group ID.
|
|
|
|
|
#
|
|
|
|
|
# plain[/etc/ocserv/ocpasswd]
|
|
|
|
|
# The plain option requires specifying a password file which contains
|
|
|
|
|
# entries of the following format.
|
|
|
|
|
# "username:groupname:encoded-password"
|
|
|
|
|
# One entry must be listed per line, and 'ocpasswd' can be used
|
|
|
|
|
# "username:groupname1,groupname2:encoded-password"
|
|
|
|
|
# One entry must be listed per line, and 'ocpasswd' should be used
|
|
|
|
|
# to generate password entries.
|
|
|
|
|
#
|
|
|
|
|
# radius[/etc/radiusclient/radiusclient.conf,groupconfig]:
|
|
|
|
|
# The radius option requires specifying freeradius-client configuration
|
|
|
|
|
# file. If the groupconfig option is set, then config-per-user will be overriden,
|
|
|
|
|
# and all configuration will be read from radius. The supported atributes for
|
|
|
|
|
# radius configuration are:
|
|
|
|
|
# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
|
|
|
|
|
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
|
|
|
|
|
|
|
|
|
|
#auth = "certificate"
|
|
|
|
|
#auth = "certificate[optional]"
|
|
|
|
|
auth = "pam"
|
|
|
|
|
#auth = "pam[gid-min=1000]"
|
|
|
|
|
#auth = "plain[/etc/ocserv/ocpasswd]"
|
|
|
|
|
#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
|
|
|
|
|
|
|
|
|
|
# Whether to enable seccomp worker isolation. That restricts the number of
|
|
|
|
|
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
|
|
|
|
|
# system calls allowed to a worker process, in order to reduce damage from a
|
|
|
|
|
# bug in the worker process. It is available on Linux systems at a performance cost.
|
|
|
|
|
#use-seccomp = true
|
|
|
|
|
|
|
|
|
|
# Whether to enable the authentication method's session control (i.e., PAM).
|
|
|
|
|
# That requires more resources on the server, and makes cookies one-time-use;
|
|
|
|
|
# thus don't enable unless you need it.
|
|
|
|
|
#session-control = true
|
|
|
|
|
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
|
|
|
|
|
isolate-workers = true
|
|
|
|
|
|
|
|
|
|
# A banner to be displayed on clients
|
|
|
|
|
#banner = "Welcome"
|
|
|
|
|
@ -60,21 +71,34 @@ max-same-clients = 2
|
|
|
|
|
tcp-port = 443
|
|
|
|
|
udp-port = 443
|
|
|
|
|
|
|
|
|
|
# Accept connections using a socket file. The connections are
|
|
|
|
|
# forwarded without SSL/TLS.
|
|
|
|
|
listen-clear-file = /var/run/ocserv-conn.socket
|
|
|
|
|
# Accept connections using a socket file. It accepts HTTP
|
|
|
|
|
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
|
|
|
|
|
# and uses it as the primary channel. That option cannot be
|
|
|
|
|
# combined with certificate authentication.
|
|
|
|
|
#listen-clear-file = /var/run/ocserv-conn.socket
|
|
|
|
|
|
|
|
|
|
# Stats report time. The number of seconds after which each
|
|
|
|
|
# worker process will report its usage statistics (number of
|
|
|
|
|
# bytes transferred etc). This is useful when accounting like
|
|
|
|
|
# radius is in use.
|
|
|
|
|
#stats-report-time = 360
|
|
|
|
|
|
|
|
|
|
# Keepalive in seconds
|
|
|
|
|
keepalive = 32400
|
|
|
|
|
|
|
|
|
|
# Dead peer detection in seconds.
|
|
|
|
|
# Note that when the client is behind a NAT this value
|
|
|
|
|
# needs to be short enough to prevent the NAT disassociating
|
|
|
|
|
# his UDP session from the port number. Otherwise the client
|
|
|
|
|
# could have his UDP connection stalled, for several minutes.
|
|
|
|
|
dpd = 90
|
|
|
|
|
|
|
|
|
|
# Dead peer detection for mobile clients. The needs to
|
|
|
|
|
# be much higher to prevent such clients being awaken too
|
|
|
|
|
# Dead peer detection for mobile clients. That needs to
|
|
|
|
|
# be higher to prevent such clients being awaken too
|
|
|
|
|
# often by the DPD messages, and save battery.
|
|
|
|
|
# (clients that send the X-AnyConnect-Identifier-DeviceType)
|
|
|
|
|
#mobile-dpd = 1800
|
|
|
|
|
# The mobile clients are distinguished from the header
|
|
|
|
|
# 'X-AnyConnect-Identifier-DeviceType'.
|
|
|
|
|
mobile-dpd = 1800
|
|
|
|
|
|
|
|
|
|
# MTU discovery (DPD must be enabled)
|
|
|
|
|
try-mtu-discovery = false
|
|
|
|
|
@ -84,8 +108,11 @@ try-mtu-discovery = false
|
|
|
|
|
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
|
|
|
|
# or pkcs11:object=my-vpn-key;object-type=private)
|
|
|
|
|
#
|
|
|
|
|
# There may be multiple certificate and key pairs and each key
|
|
|
|
|
# should correspond to the preceding certificate.
|
|
|
|
|
# The server-cert file may contain a single certificate, or
|
|
|
|
|
# a sorted certificate chain.
|
|
|
|
|
#
|
|
|
|
|
# There may be multiple server-cert and server-key directives,
|
|
|
|
|
# but each key should correspond to the preceding certificate.
|
|
|
|
|
server-cert = /etc/pki/ocserv/public/server.crt
|
|
|
|
|
server-key = /etc/pki/ocserv/private/server.key
|
|
|
|
|
|
|
|
|
|
@ -128,13 +155,29 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
|
|
|
|
|
#cert-group-oid = 2.5.4.11
|
|
|
|
|
|
|
|
|
|
# The revocation list of the certificates issued by the 'ca-cert' above.
|
|
|
|
|
# See the manual to generate an empty CRL initially.
|
|
|
|
|
#crl = /path/to/crl.pem
|
|
|
|
|
|
|
|
|
|
# GnuTLS priority string
|
|
|
|
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
|
|
|
|
|
# Uncomment this to enable compression negotiation (LZS, LZ4).
|
|
|
|
|
#compression = true
|
|
|
|
|
|
|
|
|
|
# Set the minimum size under which a packet will not be compressed.
|
|
|
|
|
# That is to allow low-latency for VoIP packets. The default size
|
|
|
|
|
# is 256 bytes. Modify it if the clients typically use compression
|
|
|
|
|
# as well of VoIP with codecs that exceed the default value.
|
|
|
|
|
#no-compress-limit = 256
|
|
|
|
|
|
|
|
|
|
# GnuTLS priority string; note that SSL 3.0 is disabled by default
|
|
|
|
|
# as there are no openconnect (and possibly anyconnect clients) using
|
|
|
|
|
# that protocol. The string below does not enforce perfect forward
|
|
|
|
|
# secrecy, in order to be compatible with legacy clients.
|
|
|
|
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0"
|
|
|
|
|
tls-priorities = "@SYSTEM"
|
|
|
|
|
|
|
|
|
|
# To enforce perfect forward secrecy (PFS) on the main channel.
|
|
|
|
|
# More combinations in priority strings are available, check
|
|
|
|
|
# http://gnutls.org/manual/html_node/Priority-Strings.html
|
|
|
|
|
# E.g., the string below enforces perfect forward secrecy (PFS)
|
|
|
|
|
# on the main channel.
|
|
|
|
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
|
|
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
|
|
|
@ -181,16 +224,25 @@ rekey-time = 172800
|
|
|
|
|
# option.
|
|
|
|
|
rekey-method = ssl
|
|
|
|
|
|
|
|
|
|
# Script to call when a client connects and obtains an IP
|
|
|
|
|
# Parameters are passed on the environment.
|
|
|
|
|
# Script to call when a client connects and obtains an IP.
|
|
|
|
|
# The following parameters are passed on the environment.
|
|
|
|
|
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
|
|
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
|
|
|
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
|
|
|
|
|
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
|
|
|
|
|
# assigned), IPV6_REMOVE (the IPv6 remote address), and
|
|
|
|
|
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
|
|
|
|
|
|
|
|
|
|
# The disconnect script will receive the additional values: STATS_BYTES_IN,
|
|
|
|
|
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
|
|
|
|
|
# output from the tun device, and the duration of the session in seconds.
|
|
|
|
|
|
|
|
|
|
#connect-script = /usr/bin/ocserv-script
|
|
|
|
|
#disconnect-script = /usr/bin/ocserv-script
|
|
|
|
|
|
|
|
|
|
# UTMP
|
|
|
|
|
# Register the connected clients to utmp. This will allow viewing
|
|
|
|
|
# the connected clients using the command 'who'.
|
|
|
|
|
use-utmp = true
|
|
|
|
|
|
|
|
|
|
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
|
|
|
|
|
@ -201,14 +253,13 @@ use-occtl = true
|
|
|
|
|
# if you use more than a single servers.
|
|
|
|
|
#occtl-socket-file = /var/run/occtl.socket
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# PID file. It can be overriden in the command line.
|
|
|
|
|
#pid-file = /var/run/ocserv.pid
|
|
|
|
|
|
|
|
|
|
# The default server directory. Does not require any devices present.
|
|
|
|
|
chroot-dir = /var/lib/ocserv
|
|
|
|
|
|
|
|
|
|
# socket file used for IPC, will be appended with .PID
|
|
|
|
|
# socket file used for server IPC (worker-main), will be appended with .PID
|
|
|
|
|
# It must be accessible within the chroot environment (if any)
|
|
|
|
|
socket-file = ocserv.sock
|
|
|
|
|
|
|
|
|
|
@ -232,7 +283,7 @@ run-as-group = ocserv
|
|
|
|
|
# Network settings
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# The name of the tun device
|
|
|
|
|
# The name to use for the tun device
|
|
|
|
|
device = vpns
|
|
|
|
|
|
|
|
|
|
# Whether the generated IPs will be predictable, i.e., IP stays the
|
|
|
|
|
@ -243,20 +294,22 @@ predictable-ips = true
|
|
|
|
|
default-domain = example.com
|
|
|
|
|
|
|
|
|
|
# The pool of addresses that leases will be given from.
|
|
|
|
|
ipv4-network = 192.168.1.0
|
|
|
|
|
ipv4-netmask = 255.255.255.0
|
|
|
|
|
#ipv4-network = 192.168.1.0
|
|
|
|
|
#ipv4-netmask = 255.255.255.0
|
|
|
|
|
|
|
|
|
|
# An alternative way of specifying the network:
|
|
|
|
|
#ipv4-network = 192.168.1.0/24
|
|
|
|
|
|
|
|
|
|
# The advertized DNS server. Use multiple lines for
|
|
|
|
|
# multiple servers.
|
|
|
|
|
# dns = fc00::4be0
|
|
|
|
|
dns = 192.168.1.2
|
|
|
|
|
#dns = 192.168.1.2
|
|
|
|
|
|
|
|
|
|
# The NBNS server (if any)
|
|
|
|
|
#nbns = 192.168.1.3
|
|
|
|
|
|
|
|
|
|
# The IPv6 subnet that leases will be given from.
|
|
|
|
|
#ipv6-network = fc00::
|
|
|
|
|
#ipv6-prefix = 16
|
|
|
|
|
#ipv6-network = fda9:4efe:7e3b:03ea::/64
|
|
|
|
|
|
|
|
|
|
# The domains over which the provided DNS should be used. Use
|
|
|
|
|
# multiple lines for multiple domains.
|
|
|
|
|
@ -264,10 +317,13 @@ dns = 192.168.1.2
|
|
|
|
|
|
|
|
|
|
# Prior to leasing any IP from the pool ping it to verify that
|
|
|
|
|
# it is not in use by another (unrelated to this server) host.
|
|
|
|
|
# Only set to true, if there can be occupied addresses in the
|
|
|
|
|
# IP range for leases.
|
|
|
|
|
ping-leases = false
|
|
|
|
|
|
|
|
|
|
# Unset to assign the default MTU of the device
|
|
|
|
|
# mtu =
|
|
|
|
|
# Use this option to enforce an MTU value to the incoming
|
|
|
|
|
# connections. Unset to use the default MTU of the TUN device.
|
|
|
|
|
#mtu = 1420
|
|
|
|
|
|
|
|
|
|
# Unset to enable bandwidth restrictions (in bytes/sec). The
|
|
|
|
|
# setting here is global, but can also be set per user or per group.
|
|
|
|
|
@ -284,84 +340,97 @@ ping-leases = false
|
|
|
|
|
# config-per-user/group or even connect and disconnect scripts.
|
|
|
|
|
#
|
|
|
|
|
# To set the server as the default gateway for the client just
|
|
|
|
|
# comment out all routes from the server.
|
|
|
|
|
# comment out all routes from the server, or use the special keyword
|
|
|
|
|
# 'default'.
|
|
|
|
|
|
|
|
|
|
#route = 192.168.1.0/255.255.255.0
|
|
|
|
|
#route = 192.168.5.0/255.255.255.0
|
|
|
|
|
#route = fef4:db8:1000:1001::/64
|
|
|
|
|
|
|
|
|
|
# Groups that a client is allowed to select from.
|
|
|
|
|
# A client may belong in multiple groups, and in certain use-cases
|
|
|
|
|
# it is needed to switch between them. For these cases the client can
|
|
|
|
|
# select prior to authentication. Add multiple entries for multiple groups.
|
|
|
|
|
# The group may be followed by a user-friendly name in brackets.
|
|
|
|
|
#select-group = group1
|
|
|
|
|
#select-group = group2[My special group]
|
|
|
|
|
|
|
|
|
|
# The name of the (virtual) group that if selected it would assign the user
|
|
|
|
|
# to its default group.
|
|
|
|
|
#default-select-group = DEFAULT
|
|
|
|
|
|
|
|
|
|
# Instead of specifying manually all the allowed groups, you may instruct
|
|
|
|
|
# ocserv to scan all available groups and include the full list.
|
|
|
|
|
#auto-select-group = true
|
|
|
|
|
|
|
|
|
|
# Configuration files that will be applied per user connection or
|
|
|
|
|
# per group. Each file name on these directories must match the username
|
|
|
|
|
# or the groupname.
|
|
|
|
|
# The options allowed in the configuration files are dns, nbns,
|
|
|
|
|
# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
|
|
|
|
|
# net-priority and cgroup.
|
|
|
|
|
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
|
|
|
|
|
# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup.
|
|
|
|
|
#
|
|
|
|
|
# Note that the 'iroute' option allows to add routes on the server
|
|
|
|
|
# based on a user or group. The syntax depends on the input accepted
|
|
|
|
|
# by the commands route-add-cmd and route-del-cmd (see below).
|
|
|
|
|
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
|
|
|
|
|
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
|
|
|
|
|
# for that specific user or group.
|
|
|
|
|
|
|
|
|
|
#config-per-user = /etc/ocserv/config-per-user/
|
|
|
|
|
#config-per-group = /etc/ocserv/config-per-group/
|
|
|
|
|
|
|
|
|
|
# When config-per-xxx is specified and there is no group or user that
|
|
|
|
|
# matches, then utilize the following configuration.
|
|
|
|
|
|
|
|
|
|
#default-user-config = /etc/ocserv/defaults/user.conf
|
|
|
|
|
#default-group-config = /etc/ocserv/defaults/group.conf
|
|
|
|
|
|
|
|
|
|
# Groups that a client is allowed to select from.
|
|
|
|
|
# A client may belong in multiple groups, and in certain use-cases
|
|
|
|
|
# it is needed to switch between them. For these cases the client can
|
|
|
|
|
# select prior to authentication. Add multiple entries for multiple groups.
|
|
|
|
|
#select-group = group1
|
|
|
|
|
#select-group = group2[My group 2]
|
|
|
|
|
#select-group = tost[The tost group]
|
|
|
|
|
|
|
|
|
|
# The name of the group that if selected it would allow to use
|
|
|
|
|
# the assigned by default group.
|
|
|
|
|
#default-select-group = DEFAULT
|
|
|
|
|
|
|
|
|
|
# Instead of specifying manually all the allowed groups, you may instruct
|
|
|
|
|
# ocserv to scan all available groups and include the full list. That
|
|
|
|
|
# option is only functional on plain authentication.
|
|
|
|
|
#auto-select-group = true
|
|
|
|
|
# This option is only valid in a user/group configuration file. If the
|
|
|
|
|
# auth mode is certificate[optional], it requires a certificate for this
|
|
|
|
|
# particular user or group.
|
|
|
|
|
#require-cert = true
|
|
|
|
|
|
|
|
|
|
# The system command to use to setup a route. %{R} will be replaced with the
|
|
|
|
|
# route/mask and %{D} with the (tun) device.
|
|
|
|
|
#
|
|
|
|
|
# The following example is from linux systems. %{R} should be something
|
|
|
|
|
# like 192.168.2.0/24
|
|
|
|
|
# The following example is from linux systems. %R should be something
|
|
|
|
|
# like 192.168.2.0/24 (the argument of iroute).
|
|
|
|
|
|
|
|
|
|
route-add-cmd = "ip route add %{R} dev %{D}"
|
|
|
|
|
route-del-cmd = "ip route delete %{R} dev %{D}"
|
|
|
|
|
|
|
|
|
|
# This option allows to forward a proxy. The special strings '%{U}'
|
|
|
|
|
# This option allows to forward a proxy. The special keywords '%{U}'
|
|
|
|
|
# and '%{G}', if present will be replaced by the username and group name.
|
|
|
|
|
#proxy-url = http://example.com/
|
|
|
|
|
#proxy-url = http://example.com/%{U}/%{G}/hello
|
|
|
|
|
#proxy-url = http://example.com/%{U}/
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# The following options are for (experimental) AnyConnect client
|
|
|
|
|
# compatibility.
|
|
|
|
|
|
|
|
|
|
# This option must be set to true to support legacy CISCO clients.
|
|
|
|
|
# A side effect of this option is that it will no longer be required
|
|
|
|
|
# for clients to present their certificate on every connection.
|
|
|
|
|
# That is they may resume a cookie without presenting a certificate
|
|
|
|
|
# (when certificate authentication is used).
|
|
|
|
|
cisco-client-compat = true
|
|
|
|
|
|
|
|
|
|
# Client profile xml. A sample file exists in doc/profile.xml.
|
|
|
|
|
# It is required by some of the CISCO clients.
|
|
|
|
|
# This file must be accessible from inside the worker's chroot.
|
|
|
|
|
# It is not used by the openconnect client.
|
|
|
|
|
user-profile = profile.xml
|
|
|
|
|
|
|
|
|
|
# Binary files that may be downloaded by the CISCO client. Must
|
|
|
|
|
# be within any chroot environment.
|
|
|
|
|
# be within any chroot environment. Normally you don't need
|
|
|
|
|
# to use this option.
|
|
|
|
|
#binary-files = /path/to/binaries
|
|
|
|
|
|
|
|
|
|
# Unless set to false it is required for clients to present their
|
|
|
|
|
# certificate even if they are authenticating via a previously granted
|
|
|
|
|
# cookie and complete their authentication in the same TCP connection.
|
|
|
|
|
# Legacy CISCO clients do not do that, and thus this option should be
|
|
|
|
|
# set for them.
|
|
|
|
|
cisco-client-compat = true
|
|
|
|
|
|
|
|
|
|
#Advanced options
|
|
|
|
|
|
|
|
|
|
# Option to allow sending arbitrary custom headers to the client after
|
|
|
|
|
# authentication and prior to VPN tunnel establishment.
|
|
|
|
|
# authentication and prior to VPN tunnel establishment. You shouldn't
|
|
|
|
|
# need to use this option normally; if you do and you think that
|
|
|
|
|
# this may help others, please send your settings and reason to
|
|
|
|
|
# the openconnect mailing list. The special keywords '%{U}'
|
|
|
|
|
# and '%{G}', if present will be replaced by the username and group name.
|
|
|
|
|
#custom-header = "X-My-Header: hi there"
|
|
|
|
|
|
|
|
|
|
|
Nikos Mavrogiannopoulos
10 years ago