diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 502fab297..c1e24f695 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ocserv
-PKG_VERSION:=0.11.7
-PKG_RELEASE:=3
+PKG_VERSION:=0.11.8
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=4c47b039bfaf1cecea6a2206dfe0ccd6
+PKG_HASH:=735b9b88a004d5bc8a91d4093d07ea0e2c9fac370a35d84beccc394ed24420c7
 PKG_LICENSE:=GPLv2+
 PKG_LICENSE_FILES:=COPYING
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 1e71e9ce2..7b3ad33ec 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -1,3 +1,10 @@
+############################################################################
+# NOTE: Do not modify this file to configure ocserv. Add new directives #
+# in /etc/ocserv/ocserv.conf.local and these will be included in ocserv's #
+# configuration #
+############################################################################
+
+
 # User authentication method. Could be set multiple times and in that case
 # all should succeed.
 # Options: certificate, pam.
@@ -51,6 +58,12 @@ tcp-port = |PORT|
 # radius is in use.
 #stats-report-time = 360
+# Stats reset time. The period of time statistics kept by main/sec-mod
+# processes will be reset. These are the statistics shown by cmd
+# 'occtl show stats'. For daily: 86400, weekly: 604800
+# This is unrelated to stats-report-time.
+server-stats-reset-time = 604800
+
 # Keepalive in seconds
 keepalive = 32400
@@ -136,7 +149,7 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
-auth-timeout = 40
+auth-timeout = 240
 # The time (in seconds) that a client is allowed to stay idle (no traffic)
 # before being disconnected. Unset to disable.
@@ -161,10 +174,10 @@ min-reauth-time = 360
 # locally from an HTTP server (i.e., when listen-clear-file is used).
 #
 # Set to zero to disable.
-max-ban-score = 50
+max-ban-score = 80
 # The time (in seconds) that all score kept for a client is reset.
-ban-reset-time = 300
+ban-reset-time = 1200
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
@@ -172,13 +185,19 @@ ban-reset-time = 300
 #ban-points-kkdcp = 1
 # Cookie timeout (in seconds)
-# which he can reconnect. That cookie will be invalided if not
-# used within this timeout value. On a user disconnection, that
-# cookie will also be active for this time amount prior to be
-# invalid. That should allow a reasonable amount of time for roaming
-# between different networks.
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalidated if not
+# used within this timeout value. This cookie remains valid, during
+# the user's connected time, and after user disconnection it
+# remains active for this amount of time. That setting should allow a
+# reasonable amount of time for roaming between different networks.
 cookie-timeout = 300
+# If this is enabled (not recommended) the cookies will stay
+# valid even after a user manually disconnects, and until they
+# expire. This may improve roaming with some broken clients.
+#persistent-cookies = true
+
 # Whether roaming is allowed, i.e., if true a cookie is
 # restricted to a single IP address and cannot be re-used
 # from a different IP.
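Review bot: The jump of `auth-timeout` from 40 to 240 seconds in the `@@ -136,7 +149,7 @@` hunk is not explained, and the comment above it still only describes what the setting means. Per that comment this is how long a client may stay connected before authenticating, so the new value lets each unauthenticated connection be held six times longer. If the longer window is there for slow interactive logins, I would say so in the file, for example `# 240 s allows for slow interactive logins; lower this if unauthenticated connections accumulate.`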
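Review bot: The new `max-ban-score = 80` and `ban-reset-time = 1200` in the `@@ -161,10 +174,10 @@` hunk move the brute-force throttle in two directions at once, and the comments do not state the combined effect. With the default shown just below them (`#ban-points-wrong-password = 10`), the threshold rises from 50 to 80 points, so more wrong passwords are tolerated in a burst, while points are now kept for 1200 s instead of 300 s. I would add a line above `max-ban-score` such as `# With the default 10 points per wrong password, a client is banned after about 8 failures within ban-reset-time.` so that an administrator changing one value sees how it interacts with the other.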
@@ -186,7 +205,8 @@ deny-roaming = false
 # ReKey time (in seconds)
 # ocserv will ask the client to refresh keys periodically once
-# this amount of seconds is elapsed. Set to zero to disable.
+# this amount of seconds is elapsed. Set to zero to disable (note
+# that, some clients fail if rekey is disabled).
 rekey-time = 172800
 # ReKey method
@@ -285,6 +305,10 @@ ipv4-netmask = |NETMASK|
 # it is not in use by another (unrelated to this server) host.
 ping-leases = |PING_LEASES|
+# Whether to tunnel all DNS queries via the VPN. This is the default
+# when a default route is set.
+#tunnel-all-dns = true
+
 # Unset to assign the default MTU of the device
 # mtu =