You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

415 lines
15 KiB

11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
  1. ############################################################################
  2. # NOTE: Do not modify this file to configure ocserv. Add new directives #
  3. # in /etc/ocserv/ocserv.conf.local and these will be included in ocserv's #
  4. # configuration #
  5. ############################################################################
  6. # User authentication method. Could be set multiple times and in that case
  7. # all should succeed.
  8. # Options: certificate, pam.
  9. #auth = "certificate"
  10. #auth = "pam"
  11. # The gid-min option is used by auto-select-group option, in order to
  12. # select the minimum group ID.
  13. #auth = "pam[gid-min=1000]"
  14. # The plain option requires specifying a password file which contains
  15. # entries of the following format.
  16. # "username:groupname:encoded-password"
  17. # One entry must be listed per line, and 'ocpasswd' can be used
  18. # to generate password entries.
  19. auth = "|AUTH|"
  20. # A banner to be displayed on clients
  21. banner = "Welcome to OpenWRT"
  22. #isolate-workers = true
  23. # When the server has a dynamic DNS address (that may change),
  24. # should set that to true to ask the client to resolve again on
  25. # reconnects.
  26. listen-host-is-dyndns = |DYNDNS|
  27. # Use listen-host to limit to specific IPs or to the IPs of a provided
  28. # hostname.
  29. #listen-host = [IP|HOSTNAME]
  30. # Limit the number of clients. Unset or set to zero for unlimited.
  31. #max-clients = 1024
  32. max-clients = |MAX_CLIENTS|
  33. # Limit the number of client connections to one every X milliseconds
  34. # (X is the provided value). Set to zero for no limit.
  35. rate-limit-ms = 100
  36. # Limit the number of identical clients (i.e., users connecting
  37. # multiple times). Unset or set to zero for unlimited.
  38. max-same-clients = |MAX_SAME|
  39. # TCP and UDP port number
  40. tcp-port = |PORT|
  41. |UDP|udp-port = |UDP_PORT|
  42. # Stats report time. The number of seconds after which each
  43. # worker process will report its usage statistics (number of
  44. # bytes transferred etc). This is useful when accounting like
  45. # radius is in use.
  46. #stats-report-time = 360
  47. # Stats reset time. The period of time statistics kept by main/sec-mod
  48. # processes will be reset. These are the statistics shown by cmd
  49. # 'occtl show stats'. For daily: 86400, weekly: 604800
  50. # This is unrelated to stats-report-time.
  51. server-stats-reset-time = 604800
  52. # Keepalive in seconds
  53. keepalive = 32400
  54. # Dead peer detection in seconds.
  55. dpd = |DPD|
  56. # Dead peer detection for mobile clients. The needs to
  57. # be much higher to prevent such clients being awaken too
  58. # often by the DPD messages, and save battery.
  59. # (clients that send the X-AnyConnect-Identifier-DeviceType)
  60. mobile-dpd = 1800
  61. # If using DTLS, and no UDP traffic is received for this
  62. # many seconds, attempt to send future traffic over the TCP
  63. # connection instead, in an attempt to wake up the client
  64. # in the case that there is a NAT and the UDP translation
  65. # was deleted. If this is unset, do not attempt to use this
  66. # recovery mechanism.
  67. switch-to-tcp-timeout = 25
  68. # MTU discovery (DPD must be enabled)
  69. try-mtu-discovery = false
  70. # The key and the certificates of the server
  71. # The key may be a file, or any URL supported by GnuTLS (e.g.,
  72. # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
  73. # or pkcs11:object=my-vpn-key;object-type=private)
  74. #
  75. # There may be multiple certificate and key pairs and each key
  76. # should correspond to the preceding certificate.
  77. server-cert = /etc/ocserv/server-cert.pem
  78. server-key = /etc/ocserv/server-key.pem
  79. # Diffie-Hellman parameters. Only needed if you require support
  80. # for the DHE ciphersuites (by default this server supports ECDHE).
  81. # Can be generated using:
  82. # certtool --generate-dh-params --outfile /path/to/dh.pem
  83. #dh-params = /path/to/dh.pem
  84. # If you have a certificate from a CA that provides an OCSP
  85. # service you may provide a fresh OCSP status response within
  86. # the TLS handshake. That will prevent the client from connecting
  87. # independently on the OCSP server.
  88. # You can update this response periodically using:
  89. # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
  90. # Make sure that you replace the following file in an atomic way.
  91. #ocsp-response = /path/to/ocsp.der
  92. # In case PKCS #11 or TPM keys are used the PINs should be available
  93. # in files. The srk-pin-file is applicable to TPM keys only, and is the
  94. # storage root key.
  95. #pin-file = /path/to/pin.txt
  96. #srk-pin-file = /path/to/srkpin.txt
  97. # The Certificate Authority that will be used to verify
  98. # client certificates (public keys) if certificate authentication
  99. # is set.
  100. #ca-cert = /etc/ocserv/ca.pem
  101. # The object identifier that will be used to read the user ID in the client
  102. # certificate. The object identifier should be part of the certificate's DN
  103. # Useful OIDs are:
  104. # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
  105. #cert-user-oid = 0.9.2342.19200300.100.1.1
  106. # The object identifier that will be used to read the user group in the
  107. # client certificate. The object identifier should be part of the certificate's
  108. # DN. Useful OIDs are:
  109. # OU (organizational unit) = 2.5.4.11
  110. #cert-group-oid = 2.5.4.11
  111. # The revocation list of the certificates issued by the 'ca-cert' above.
  112. #crl = /etc/ocserv/crl.pem
  113. # Uncomment this to enable compression negotiation (LZS, LZ4).
  114. |COMPRESSION|compression = true
  115. # GnuTLS priority string
  116. tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
  117. # To enforce perfect forward secrecy (PFS) on the main channel.
  118. #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-RSA"
  119. # The time (in seconds) that a client is allowed to stay connected prior
  120. # to authentication
  121. auth-timeout = 240
  122. # The time (in seconds) that a client is allowed to stay idle (no traffic)
  123. # before being disconnected. Unset to disable.
  124. #idle-timeout = 1200
  125. # The time (in seconds) that a mobile client is allowed to stay idle (no
  126. # traffic) before being disconnected. Unset to disable.
  127. #mobile-idle-timeout = 2400
  128. # The time (in seconds) that a client is not allowed to reconnect after
  129. # a failed authentication attempt.
  130. min-reauth-time = 360
  131. # Banning clients in ocserv works with a point system. IP addresses
  132. # that get a score over that configured number are banned for
  133. # min-reauth-time seconds. By default a wrong password attempt is 10 points,
  134. # a KKDCP POST is 1 point, and a connection is 1 point. Note that
  135. # due to difference processes being involved the count of points
  136. # will not be real-time precise.
  137. #
  138. # Score banning cannot be reliably used when receiving proxied connections
  139. # locally from an HTTP server (i.e., when listen-clear-file is used).
  140. #
  141. # Set to zero to disable.
  142. max-ban-score = 80
  143. # The time (in seconds) that all score kept for a client is reset.
  144. ban-reset-time = 1200
  145. # In case you'd like to change the default points.
  146. #ban-points-wrong-password = 10
  147. #ban-points-connection = 1
  148. #ban-points-kkdcp = 1
  149. # Cookie timeout (in seconds)
  150. # Once a client is authenticated he's provided a cookie with
  151. # which he can reconnect. That cookie will be invalidated if not
  152. # used within this timeout value. This cookie remains valid, during
  153. # the user's connected time, and after user disconnection it
  154. # remains active for this amount of time. That setting should allow a
  155. # reasonable amount of time for roaming between different networks.
  156. cookie-timeout = 300
  157. # If this is enabled (not recommended) the cookies will stay
  158. # valid even after a user manually disconnects, and until they
  159. # expire. This may improve roaming with some broken clients.
  160. #persistent-cookies = true
  161. # Whether roaming is allowed, i.e., if true a cookie is
  162. # restricted to a single IP address and cannot be re-used
  163. # from a different IP.
  164. deny-roaming = false
  165. # ReKey time (in seconds)
  166. # ocserv will ask the client to refresh keys periodically once
  167. # this amount of seconds is elapsed. Set to zero to disable (note
  168. # that, some clients fail if rekey is disabled).
  169. rekey-time = 172800
  170. # ReKey method
  171. # Valid options: ssl, new-tunnel
  172. # ssl: Will perform an efficient rehandshake on the channel allowing
  173. # a seamless connection during rekey.
  174. # new-tunnel: Will instruct the client to discard and re-establish the channel.
  175. # Use this option only if the connecting clients have issues with the ssl
  176. # option.
  177. rekey-method = ssl
  178. # Script to call when a client connects and obtains an IP
  179. # Parameters are passed on the environment.
  180. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
  181. # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
  182. # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
  183. # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
  184. # These scripts are not needed if you have setup an interface for all vpns+
  185. # devices.
  186. #connect-script = /usr/bin/ocserv-script
  187. #disconnect-script = /usr/bin/ocserv-script
  188. # UTMP
  189. use-utmp = false
  190. # Whether to enable support for the occtl tool (i.e., either through D-BUS,
  191. # or via a unix socket).
  192. use-occtl = true
  193. # socket file used for IPC with occtl. You only need to set that,
  194. # if you use more than a single servers.
  195. occtl-socket-file = /var/run/occtl.socket
  196. # PID file. It can be overriden in the command line.
  197. pid-file = /var/run/ocserv.pid
  198. # The default server directory. Does not require any devices present.
  199. chroot-dir = /var/lib/ocserv
  200. # socket file used for IPC, will be appended with .PID
  201. # It must be accessible within the chroot environment (if any)
  202. #socket-file = /var/run/ocserv-socket
  203. socket-file = ocserv-socket
  204. # The user the worker processes will be run as. It should be
  205. # unique (no other services run as this user).
  206. run-as-user = ocserv
  207. run-as-group = ocserv
  208. # Set the protocol-defined priority (SO_PRIORITY) for packets to
  209. # be sent. That is a number from 0 to 6 with 0 being the lowest
  210. # priority. Alternatively this can be used to set the IP Type-
  211. # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
  212. # This can be set per user/group or globally.
  213. #net-priority = 3
  214. # Set the VPN worker process into a specific cgroup. This is Linux
  215. # specific and can be set per user/group or globally.
  216. #cgroup = "cpuset,cpu:test"
  217. #
  218. # Network settings
  219. #
  220. # The name of the tun device
  221. device = vpns
  222. # Whether the generated IPs will be predictable, i.e., IP stays the
  223. # same for the same user when possible.
  224. predictable-ips = |PREDICTABLE_IPS|
  225. # The default domain to be advertised
  226. |ENABLE_DEFAULT_DOMAIN|default-domain = |DEFAULT_DOMAIN|
  227. # The pool of addresses that leases will be given from.
  228. ipv4-network = |IPV4ADDR|
  229. ipv4-netmask = |NETMASK|
  230. # The advertized DNS server. Use multiple lines for
  231. # multiple servers.
  232. # dns = fc00::4be0
  233. #dns = 192.168.1.2
  234. # The NBNS server (if any)
  235. #nbns = 192.168.1.3
  236. # The IPv6 subnet that leases will be given from.
  237. |ENABLE_IPV6|ipv6-network = |IPV6ADDR|
  238. # The domains over which the provided DNS should be used. Use
  239. # multiple lines for multiple domains.
  240. |ENABLE_SPLIT_DNS|split-dns = |DEFAULT_DOMAIN|
  241. # Prior to leasing any IP from the pool ping it to verify that
  242. # it is not in use by another (unrelated to this server) host.
  243. ping-leases = |PING_LEASES|
  244. # Whether to tunnel all DNS queries via the VPN. This is the default
  245. # when a default route is set.
  246. #tunnel-all-dns = true
  247. # Unset to assign the default MTU of the device
  248. # mtu =
  249. # Unset to enable bandwidth restrictions (in bytes/sec). The
  250. # setting here is global, but can also be set per user or per group.
  251. #rx-data-per-sec = 40000
  252. #tx-data-per-sec = 40000
  253. # The number of packets (of MTU size) that are available in
  254. # the output buffer. The default is low to improve latency.
  255. # Setting it higher will improve throughput.
  256. #output-buffer = 10
  257. # Routes to be forwarded to the client. If you need the
  258. # client to forward routes to the server, you may use the
  259. # config-per-user/group or even connect and disconnect scripts.
  260. #
  261. # To set the server as the default gateway for the client just
  262. # comment out all routes from the server.
  263. #route = 192.168.1.0/255.255.255.0
  264. #route = 192.168.5.0/255.255.255.0
  265. #route = fef4:db8:1000:1001::/64
  266. # Configuration files that will be applied per user connection or
  267. # per group. Each file name on these directories must match the username
  268. # or the groupname.
  269. # The options allowed in the configuration files are dns, nbns,
  270. # ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
  271. # net-priority and cgroup.
  272. #
  273. # Note that the 'iroute' option allows to add routes on the server
  274. # based on a user or group. The syntax depends on the input accepted
  275. # by the commands route-add-cmd and route-del-cmd (see below).
  276. config-per-user = /etc/ocserv/config-per-user/
  277. config-per-group = /etc/ocserv/config-per-group/
  278. # When config-per-xxx is specified and there is no group or user that
  279. # matches, then utilize the following configuration.
  280. #default-user-config = /etc/ocserv/defaults/user.conf
  281. #default-group-config = /etc/ocserv/defaults/group.conf
  282. # Groups that a client is allowed to select from.
  283. # A client may belong in multiple groups, and in certain use-cases
  284. # it is needed to switch between them. For these cases the client can
  285. # select prior to authentication. Add multiple entries for multiple groups.
  286. #select-group = group1
  287. #select-group = group2[My group 2]
  288. #select-group = tost[The tost group]
  289. # The name of the group that if selected it would allow to use
  290. # the assigned by default group.
  291. #default-select-group = DEFAULT
  292. # Instead of specifying manually all the allowed groups, you may instruct
  293. # ocserv to scan all available groups and include the full list. That
  294. # option is only functional on plain authentication.
  295. #auto-select-group = true
  296. # The system command to use to setup a route. %{R} will be replaced with the
  297. # route/mask and %{D} with the (tun) device.
  298. #
  299. # The following example is from linux systems. %{R} should be something
  300. # like 192.168.2.0/24
  301. #route-add-cmd = "/usr/sbin/ip route add %{R} dev %{D}"
  302. #route-del-cmd = "/usr/sbin/ip route delete %{R} dev %{D}"
  303. route-add-cmd = "/sbin/route add -net %{RI} dev %{D}"
  304. route-del-cmd = "/sbin/route del -net %{RI} dev %{D}"
  305. # This option allows to forward a proxy. The special strings '%{U}'
  306. # and '%{G}', if present will be replaced by the username and group name.
  307. #proxy-url = http://example.com/
  308. #proxy-url = http://example.com/%{U}/%{G}/hello
  309. #
  310. # The following options are for (experimental) AnyConnect client
  311. # compatibility.
  312. # Client profile xml. A sample file exists in doc/profile.xml.
  313. # This file must be accessible from inside the worker's chroot.
  314. # It is not used by the openconnect client.
  315. #user-profile = profile.xml
  316. # Binary files that may be downloaded by the CISCO client. Must
  317. # be within any chroot environment.
  318. #binary-files = /path/to/binaries
  319. # Unless set to false it is required for clients to present their
  320. # certificate even if they are authenticating via a previously granted
  321. # cookie and complete their authentication in the same TCP connection.
  322. # Legacy CISCO clients do not do that, and thus this option should be
  323. # set for them.
  324. cisco-client-compat = |CISCO_COMPAT|
  325. #Advanced options
  326. # Option to allow sending arbitrary custom headers to the client after
  327. # authentication and prior to VPN tunnel establishment.
  328. #custom-header = "X-My-Header: hi there"
  329. expose-iroutes = true