|
@ -1,3 +1,10 @@ |
|
|
|
|
|
############################################################################ |
|
|
|
|
|
# NOTE: Do not modify this file to configure ocserv. Add new directives # |
|
|
|
|
|
# in /etc/ocserv/ocserv.conf.local and these will be included in ocserv's # |
|
|
|
|
|
# configuration # |
|
|
|
|
|
############################################################################ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# User authentication method. Could be set multiple times and in that case |
|
|
# User authentication method. Could be set multiple times and in that case |
|
|
# all should succeed. |
|
|
# all should succeed. |
|
|
# Options: certificate, pam. |
|
|
# Options: certificate, pam. |
|
@ -51,6 +58,12 @@ tcp-port = |PORT| |
|
|
# radius is in use. |
|
|
# radius is in use. |
|
|
#stats-report-time = 360 |
|
|
#stats-report-time = 360 |
|
|
|
|
|
|
|
|
|
|
|
# Stats reset time. The period of time statistics kept by main/sec-mod |
|
|
|
|
|
# processes will be reset. These are the statistics shown by cmd |
|
|
|
|
|
# 'occtl show stats'. For daily: 86400, weekly: 604800 |
|
|
|
|
|
# This is unrelated to stats-report-time. |
|
|
|
|
|
server-stats-reset-time = 604800 |
|
|
|
|
|
|
|
|
# Keepalive in seconds |
|
|
# Keepalive in seconds |
|
|
keepalive = 32400 |
|
|
keepalive = 32400 |
|
|
|
|
|
|
|
@ -136,7 +149,7 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" |
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior |
|
|
# The time (in seconds) that a client is allowed to stay connected prior |
|
|
# to authentication |
|
|
# to authentication |
|
|
auth-timeout = 40 |
|
|
|
|
|
|
|
|
auth-timeout = 240 |
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay idle (no traffic) |
|
|
# The time (in seconds) that a client is allowed to stay idle (no traffic) |
|
|
# before being disconnected. Unset to disable. |
|
|
# before being disconnected. Unset to disable. |
|
@ -161,10 +174,10 @@ min-reauth-time = 360 |
|
|
# locally from an HTTP server (i.e., when listen-clear-file is used). |
|
|
# locally from an HTTP server (i.e., when listen-clear-file is used). |
|
|
# |
|
|
# |
|
|
# Set to zero to disable. |
|
|
# Set to zero to disable. |
|
|
max-ban-score = 50 |
|
|
|
|
|
|
|
|
max-ban-score = 80 |
|
|
|
|
|
|
|
|
# The time (in seconds) that all score kept for a client is reset. |
|
|
# The time (in seconds) that all score kept for a client is reset. |
|
|
ban-reset-time = 300 |
|
|
|
|
|
|
|
|
ban-reset-time = 1200 |
|
|
|
|
|
|
|
|
# In case you'd like to change the default points. |
|
|
# In case you'd like to change the default points. |
|
|
#ban-points-wrong-password = 10 |
|
|
#ban-points-wrong-password = 10 |
|
@ -172,13 +185,19 @@ ban-reset-time = 300 |
|
|
#ban-points-kkdcp = 1 |
|
|
#ban-points-kkdcp = 1 |
|
|
|
|
|
|
|
|
# Cookie timeout (in seconds) |
|
|
# Cookie timeout (in seconds) |
|
|
# which he can reconnect. That cookie will be invalided if not |
|
|
|
|
|
# used within this timeout value. On a user disconnection, that |
|
|
|
|
|
# cookie will also be active for this time amount prior to be |
|
|
|
|
|
# invalid. That should allow a reasonable amount of time for roaming |
|
|
|
|
|
# between different networks. |
|
|
|
|
|
|
|
|
# Once a client is authenticated he's provided a cookie with |
|
|
|
|
|
# which he can reconnect. That cookie will be invalidated if not |
|
|
|
|
|
# used within this timeout value. This cookie remains valid, during |
|
|
|
|
|
# the user's connected time, and after user disconnection it |
|
|
|
|
|
# remains active for this amount of time. That setting should allow a |
|
|
|
|
|
# reasonable amount of time for roaming between different networks. |
|
|
cookie-timeout = 300 |
|
|
cookie-timeout = 300 |
|
|
|
|
|
|
|
|
|
|
|
# If this is enabled (not recommended) the cookies will stay |
|
|
|
|
|
# valid even after a user manually disconnects, and until they |
|
|
|
|
|
# expire. This may improve roaming with some broken clients. |
|
|
|
|
|
#persistent-cookies = true |
|
|
|
|
|
|
|
|
# Whether roaming is allowed, i.e., if true a cookie is |
|
|
# Whether roaming is allowed, i.e., if true a cookie is |
|
|
# restricted to a single IP address and cannot be re-used |
|
|
# restricted to a single IP address and cannot be re-used |
|
|
# from a different IP. |
|
|
# from a different IP. |
|
@ -186,7 +205,8 @@ deny-roaming = false |
|
|
|
|
|
|
|
|
# ReKey time (in seconds) |
|
|
# ReKey time (in seconds) |
|
|
# ocserv will ask the client to refresh keys periodically once |
|
|
# ocserv will ask the client to refresh keys periodically once |
|
|
# this amount of seconds is elapsed. Set to zero to disable. |
|
|
|
|
|
|
|
|
# this amount of seconds is elapsed. Set to zero to disable (note |
|
|
|
|
|
# that, some clients fail if rekey is disabled). |
|
|
rekey-time = 172800 |
|
|
rekey-time = 172800 |
|
|
|
|
|
|
|
|
# ReKey method |
|
|
# ReKey method |
|
@ -285,6 +305,10 @@ ipv4-netmask = |NETMASK| |
|
|
# it is not in use by another (unrelated to this server) host. |
|
|
# it is not in use by another (unrelated to this server) host. |
|
|
ping-leases = |PING_LEASES| |
|
|
ping-leases = |PING_LEASES| |
|
|
|
|
|
|
|
|
|
|
|
# Whether to tunnel all DNS queries via the VPN. This is the default |
|
|
|
|
|
# when a default route is set. |
|
|
|
|
|
#tunnel-all-dns = true |
|
|
|
|
|
|
|
|
# Unset to assign the default MTU of the device |
|
|
# Unset to assign the default MTU of the device |
|
|
# mtu = |
|
|
# mtu = |
|
|
|
|
|
|
|
|