From 4bfbe6d7bd7b1731180802e6e067f3682c9966c2 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Tue, 19 Feb 2013 21:40:11 +0100
Subject: [PATCH] updated sample config

---
 doc/sample.config | 91 +++++++++++++++++++++++++++++------------------
 1 file changed, 56 insertions(+), 35 deletions(-)

diff --git a/doc/sample.config b/doc/sample.config
index f5999bec..7a80cf08 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -1,44 +1,45 @@
 # User authentication method. Could be set multiple times and in that case
 # all should succeed.
 # Options: certificate, pam. 
-#auth = certificate
+#auth = "certificate"
 auth = "pam"
 
-# UTMP
-use-utmp = true
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
 
-# PID file
-pid-file = /var/run/ocserv.pid
-
-# Limit the number of clients. Set to zero for unlimited.
-# max-clients = 1024
-max-clients = 4
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
 
 # Limit the number of identical clients (i.e., users connecting multiple times)
 # Unset or set to zero for unlimited.
 max-same-clients = 2
 
-# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
-# listen-host = [IP|HOSTNAME]
-
-# The time (in seconds) that a client is allowed to stay connected prior
-# to authentication
-auth-timeout = 40
-
 # TCP and UDP port number
 tcp-port = 3333
 udp-port = 3333
 
 # Keepalive in seconds
-keepalive = 60
+keepalive = 32400
 
 # Dead peer detection in seconds
-dpd = 30
+dpd = 240
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
 
 # The key and the certificates of the server
-# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
-server-cert = ./test-cert.pem
-server-key = ./test-key.pem
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+server-cert = /path/to/cert.pem
+server-key = /path/to/key.pem
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
 
 # The Certificate Authority that will be used
 # to verify clients if certificate authentication
@@ -47,23 +48,52 @@ server-key = ./test-key.pem
 
 # The object identifier that will be used to read the user ID in the client certificate.
 # The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
 #cert-user-oid = 0.9.2342.19200300.100.1.1
 
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
 # A revocation list of ca-cert is set
 #crl = /path/to/crl.pem
 
 # GnuTLS priority string
-tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
 
 # The default server directory
-#chroot-dir = /root
+#chroot-dir = /path/to/chroot
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
 
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime
 # of that cookie.
-cookie-validity = 14400
-#cookie-db = /var/tmp/vpn-cookies.db
+cookie-validity = 43200
+
+# A cookie database. If not set cookies are stored in memory and
+# server restarts won't preserve them.
+#cookie-db = /var/tmp/cookies.db
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
 
 run-as-user = nobody
 run-as-group = nogroup
@@ -72,15 +102,6 @@ run-as-group = nogroup
 
 device = vpns
 
-# Script to call when a client connects and obtains an IP
-# Parameters are passed on the environment.
-# USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
-# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
-#connect-script = /bin/echo
-#disconnect-script = /bin/echo
-
-# The pool from which the VPN user IPs will be drawn from.
 ipv4-network = 192.168.1.0
 ipv4-netmask = 255.255.255.0
 # Use the keywork local to advertize the local P-t-P address as DNS server
@@ -95,4 +116,4 @@ ipv4-dns = local
 # mtu = 
 
 route = 192.168.1.0/255.255.255.0
-#route = 192.168.5.0/255.255.255.0
+route = 192.168.5.0/255.255.255.0