2026-02-10 16:57:00 +08:00 · 2013-02-16 16:33:43 +01:00
parent a7f14b7e68
commit 04bebb32f2
4 changed files with 46 additions and 18 deletions
						
						
						
						
@@ -1,8 +1,8 @@
.TH ocserv 1 "12 Feb 2013" "" "User Commands"
.TH ocserv 1 "16 Feb 2013" "" "User Commands"
.\"
.\"
.\"  DO NOT EDIT THIS FILE   (ocserv-args.man)
.\"  DO NOT EDIT THIS FILE   (ocserv-args.man)
.\"  
.\"  
.\"  It has been AutoGen-ed  February 12, 2013 at 07:18:42 PM by AutoGen 5.16
.\"  It has been AutoGen-ed  February 16, 2013 at 04:33:33 PM by AutoGen 5.16
.\"  From the definitions    ../src/ocserv-args.def.tmp
.\"  From the definitions    ../src/ocserv-args.def.tmp
.\"  and the template file   agman-cmd.tpl
.\"  and the template file   agman-cmd.tpl
.\"
.\"
						
						
						
							
						
						
@@ -19,6 +19,13 @@ All arguments must be options.
This program is openconnect VPN server (ocserv), a server compatible with the
This program is openconnect VPN server (ocserv), a server compatible with the
openconnect VPN client. It is believed to be compatible with the protocol
openconnect VPN client. It is believed to be compatible with the protocol
used by CISCO's AnyConnect SSL VPN.
used by CISCO's AnyConnect SSL VPN.
Multiple authentication methods are available including PAM and certificate
authentication.
Authenticated users are assigned an unprivileged worker process and obtain 
a networking (tun) device and IP from a configurable pool of address.
Currently there is no tool to manipulate logged-in users. However,
they can be disconnected by killing their worker process. The pid of that
process can be seen with @var{who -u} if utmp logging is enabled.
.SH "OPTIONS"
.SH "OPTIONS"
.TP
.TP
.BR \-f ", " -\-foreground
.BR \-f ", " -\-foreground
						
							
						
						
							
						
						
						
@@ -129,9 +136,10 @@ the HUP signal.
.sp
.sp
.SH "IMPLEMENTATION NOTES"
.SH "IMPLEMENTATION NOTES"
Note that while this server utilizes privilege separation for password
Note that while this server utilizes privilege separation for password
authentication, this does not occur for TLS and client certificate authentication.
authentication, this does not apply for TLS and client certificate authentication.
This was done to take advantage of multi\-core systems by distributing the
This has the advantage of spreading TLS calculations to multiple workers (i.e. cores)
expensive TLS calculations to the workers.
if available, but at the cost of each worker having a copy of the server's 
private key.
.SH FILES
.SH FILES
.br
.br
\fBocserv's configuration file format\fP
\fBocserv's configuration file format\fP
						
							
						
						
							
						
						
						
@@ -165,10 +173,10 @@ tcp\-port = 3333
udp\-port = 3333
udp\-port = 3333
.sp
.sp
# Keepalive in seconds
# Keepalive in seconds
keepalive = 3600
keepalive = 32400
.sp
.sp
# Dead peer detection in seconds
# Dead peer detection in seconds
dpd = 60
dpd = 240
.sp
.sp
# The key and the certificates of the server
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
						
							
						
						
							
						
						
						
@@ -209,7 +217,7 @@ auth\-timeout = 40
# Once a client is authenticated he's provided a cookie with
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
# of that cookie.
cookie\-validity = 14400
cookie\-validity = 43200
.sp
.sp
# A cookie database. If not set cookies are stored in memory and
# A cookie database. If not set cookies are stored in memory and
# server restarts won't preserve them.
# server restarts won't preserve them.
						
							
						
						
							
						
						
						
@@ -273,10 +281,13 @@ The operation failed or the command syntax was not valid.
Supports both TCP and UDP VPN tunnels using TLS and Datagram TLS.
Supports both TCP and UDP VPN tunnels using TLS and Datagram TLS.
.ti -4
.ti -4
\fB*\fP
\fB*\fP
Support for the server key being stored in TPM, a hardware security module (HSM), or smart card.
Support for the server key being stored in TPM, hardware security modules (HSM), or even a smart card. They can be specified as files using the tpmkey or pkcs11 URLs.
.ti -4
.ti -4
\fB*\fP
\fB*\fP
Authentication using PAM (username\-password) or certificates
Authentication using PAM or certificates.
.ti -4
\fB*\fP
Each client is isolated from the others on a separate process with a separate tun device. This allows routing using the system facilies, allows having separate settings per user or group (e.g. bandwidth limits).
.ti -4
.ti -4
\fB*\fP
\fB*\fP
Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
						
						
						
							
						
						
@@ -293,7 +304,7 @@ Nikos Mavrogiannopoulos
Copyright (C) 2013 Nikos Mavrogiannopoulos all rights reserved.
Copyright (C) 2013 Nikos Mavrogiannopoulos all rights reserved.
This program is released under the terms of the GNU General Public License, version 2.
This program is released under the terms of the GNU General Public License, version 2.
.SH "BUGS"
.SH "BUGS"
Please send bug reports to: nmav@gnutls.org
Please send bug reports to: openconnect-devel@lists.infradead.org
.SH "NOTES"
.SH "NOTES"
This manual page was \fIAutoGen\fP-erated from the \fBocserv\fP
This manual page was \fIAutoGen\fP-erated from the \fBocserv\fP
option definitions.
option definitions.
						
						
						
						
 
						
						
							
						
						
						
@@ -2,7 +2,7 @@
 *  
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.c)
 *  DO NOT EDIT THIS FILE   (ocserv-args.c)
 *  
 *  
 *  It has been AutoGen-ed  February 15, 2013 at 11:01:15 PM by AutoGen 5.16
 *  It has been AutoGen-ed  February 16, 2013 at 04:33:31 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *  and the template file   options
 *
 *
						
							
						
						
							
						
						
						
@@ -65,7 +65,7 @@ extern FILE * option_usage_fp;
/*
/*
 *  ocserv option static const strings
 *  ocserv option static const strings
 */
 */
static char const ocserv_opt_strs[1523] =
static char const ocserv_opt_strs[1970] =
/*     0 */ "ocserv\n"
/*     0 */ "ocserv\n"
            "Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n"
            "Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n"
            "This is free software. It is licensed for use, modification and\n"
            "This is free software. It is licensed for use, modification and\n"
						
							
						
						
							
						
						
						
@@ -104,8 +104,15 @@ static char const ocserv_opt_strs[1523] =
/*  1257 */ "\n"
/*  1257 */ "\n"
            "This program is openconnect VPN server (ocserv), a server compatible with\n"
            "This program is openconnect VPN server (ocserv), a server compatible with\n"
            "the openconnect VPN client.  It is believed to be compatible with the\n"
            "the openconnect VPN client.  It is believed to be compatible with the\n"
            "protocol used by CISCO's AnyConnect SSL VPN.\n\0"
            "protocol used by CISCO's AnyConnect SSL VPN.\n\n"
/*  1448 */ "Usage: ocserv [options] -c [config]\n"
            "Multiple authentication methods are available including PAM and certificate\n"
            "authentication.  Authenticated users are assigned an unprivileged worker\n"
            "process and obtain a networking (tun) device and IP from a configurable\n"
            "pool of address.\n\n"
            "Currently there is no tool to manipulate logged-in users.  However, they\n"
            "can be disconnected by killing their worker process.  The pid of that\n"
            "process can be seen with ``who -u'' if utmp logging is enabled.\n\0"
/*  1895 */ "Usage: ocserv [options] -c [config]\n"
            "ocserv --help for usage instructions.\n";
            "ocserv --help for usage instructions.\n";
/*
/*
						
							
						
						
							
						
						
						
@@ -272,7 +279,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define ocserv_full_usage (NULL)
#define ocserv_full_usage (NULL)
#define ocserv_short_usage (ocserv_opt_strs+1448)
#define ocserv_short_usage (ocserv_opt_strs+1895)
#endif /* not defined __doxygen__ */
#endif /* not defined __doxygen__ */
						
							
						
						
						
						
 
						
						
							
						
						
						
@@ -14,7 +14,17 @@ explain       = "";
detail  = "This program is openconnect VPN server (ocserv), a server compatible with the
detail  = "This program is openconnect VPN server (ocserv), a server compatible with the
openconnect VPN client. It is believed to be compatible with the protocol
openconnect VPN client. It is believed to be compatible with the protocol
used by CISCO's AnyConnect SSL VPN.";
used by CISCO's AnyConnect SSL VPN.
Multiple authentication methods are available including PAM and certificate
authentication.
Authenticated users are assigned an unprivileged worker process and obtain 
a networking (tun) device and IP from a configurable pool of address.
Currently there is no tool to manipulate logged-in users. However,
they can be disconnected by killing their worker process. The pid of that
process can be seen with @var{who -u} if utmp logging is enabled.
";
copyright = {
copyright = {
						
							
						
						
						
						
 
						
						
							
						
						
						
@@ -2,7 +2,7 @@
 *  
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.h)
 *  DO NOT EDIT THIS FILE   (ocserv-args.h)
 *  
 *  
 *  It has been AutoGen-ed  February 15, 2013 at 11:01:15 PM by AutoGen 5.16
 *  It has been AutoGen-ed  February 16, 2013 at 04:33:31 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *  and the template file   options
 *
 *