doc update
2
TODO
2
TODO
@@ -10,6 +10,8 @@
|
||||
* Try adding salsa20-12 and UMAC as encryption algorithms for DTLS to reduce
|
||||
CPU load.
|
||||
|
||||
* Handle users being in multiple groups.
|
||||
|
||||
* Keep the TLS key and certificates into the privileged process and use IPC
|
||||
for operations. This currently cannot be done, because the main process is
|
||||
the one that spawns the workers and there is no sane way to make the key
|
||||
|
||||
23
doc/ocserv.1
23
doc/ocserv.1
@@ -1,8 +1,8 @@
|
||||
.TH ocserv 1 "20 Feb 2013" "0.0.1" "User Commands"
|
||||
.TH ocserv 1 "22 Feb 2013" "0.0.1" "User Commands"
|
||||
.\"
|
||||
.\" DO NOT EDIT THIS FILE (ocserv-args.man)
|
||||
.\"
|
||||
.\" It has been AutoGen-ed February 20, 2013 at 09:27:17 PM by AutoGen 5.16
|
||||
.\" It has been AutoGen-ed February 22, 2013 at 07:35:41 PM by AutoGen 5.16
|
||||
.\" From the definitions ../src/ocserv-args.def.tmp
|
||||
.\" and the template file agman-cmd.tpl
|
||||
.\"
|
||||
@@ -217,15 +217,12 @@ server\-key = /path/to/key.pem
|
||||
# OU (organizational unit) = 2.5.4.11
|
||||
#cert\-group\-oid = 2.5.4.11
|
||||
.sp
|
||||
# A revocation list of ca\-cert is set
|
||||
# The revocation list of the certificates issued by the 'ca\-cert' above.
|
||||
#crl = /path/to/crl.pem
|
||||
.sp
|
||||
# GnuTLS priority string
|
||||
tls\-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
|
||||
.sp
|
||||
# The default server directory
|
||||
#chroot\-dir = /path/to/chroot
|
||||
.sp
|
||||
# The time (in seconds) that a client is allowed to stay connected prior
|
||||
# to authentication
|
||||
auth\-timeout = 40
|
||||
@@ -244,7 +241,7 @@ cookie\-validity = 43200
|
||||
# Parameters are passed on the environment.
|
||||
# USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||
# in the P\-t\-P connect), IP_REMOTE (the VPN IP of the client).
|
||||
# in the P\-t\-P connection), IP_REMOTE (the VPN IP of the client).
|
||||
#connect\-script = /usr/bin/myscript
|
||||
#disconnect\-script = /usr/bin/myscript
|
||||
.sp
|
||||
@@ -254,27 +251,35 @@ use\-utmp = true
|
||||
# PID file
|
||||
pid\-file = /var/run/ocserv.pid
|
||||
.sp
|
||||
# The user the worker processes will be run as.
|
||||
run\-as\-user = nobody
|
||||
run\-as\-group = nogroup
|
||||
.sp
|
||||
#
|
||||
# Network settings
|
||||
#
|
||||
.sp
|
||||
# The name of the tun device
|
||||
device = vpns
|
||||
.sp
|
||||
# The pool of addresses that leases will be given from.
|
||||
ipv4\-network = 192.168.1.0
|
||||
ipv4\-netmask = 255.255.255.0
|
||||
# Use the keywork local to advertize the local P\-t\-P address as DNS server
|
||||
# ipv4\-dns = 192.168.2.1
|
||||
ipv4\-dns = local
|
||||
.sp
|
||||
# The same, but for IPv6.
|
||||
#ipv6\-address =
|
||||
#ipv6\-mask =
|
||||
#ipv6\-dns =
|
||||
.sp
|
||||
# Leave empty to assign the default MTU of the device
|
||||
# Unset to assign the default MTU of the device
|
||||
# mtu =
|
||||
.sp
|
||||
# routes to be sent to client.
|
||||
# Routes to be forwarded to the client. If you need the
|
||||
# client to forward routes to the server, you may use the connect
|
||||
# and disconnect scripts.
|
||||
route = 192.168.1.0/255.255.255.0
|
||||
route = 192.168.5.0/255.255.255.0
|
||||
.sp
|
||||
|
||||
@@ -23,7 +23,7 @@ udp-port = 3333
|
||||
keepalive = 32400
|
||||
|
||||
# Dead peer detection in seconds
|
||||
dpd = 240
|
||||
dpd = 440
|
||||
|
||||
# MTU discovery (DPD must be enabled)
|
||||
try-mtu-discovery = false
|
||||
@@ -32,13 +32,13 @@ try-mtu-discovery = false
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
server-cert = /path/to/cert.pem
|
||||
server-key = /path/to/key.pem
|
||||
server-cert = ../test-cert.pem
|
||||
server-key = ../test-key.pem
|
||||
|
||||
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
||||
# root key).
|
||||
pin-file = /path/to/pin.txt
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The Certificate Authority that will be used
|
||||
@@ -75,7 +75,7 @@ auth-timeout = 40
|
||||
# Once a client is authenticated he's provided a cookie with
|
||||
# which he can reconnect. This option sets the maximum lifetime
|
||||
# of that cookie.
|
||||
cookie-validity = 43200
|
||||
cookie-validity = 172800
|
||||
|
||||
# A cookie database. If not set cookies are stored in memory and
|
||||
# server restarts won't preserve them.
|
||||
@@ -116,4 +116,4 @@ ipv4-dns = local
|
||||
# mtu =
|
||||
|
||||
route = 192.168.1.0/255.255.255.0
|
||||
route = 192.168.5.0/255.255.255.0
|
||||
#route = 192.168.5.0/255.255.255.0
|
||||
|
||||
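Review bot: The new `server-cert = ../test-cert.pem` and `server-key = ../test-key.pem` lines replace the `/path/to/...` placeholders with relative paths to what appear to be the repository's test credentials, in a file that reads as the shipped sample configuration. A deployer who copies this sample will resolve those paths against whatever directory the daemon starts in (unless the config parser anchors relative paths, which this hunk cannot show) and, if the test files are present, will serve TLS with a key that is public in the source tree. If the test suite needs these values, keep the placeholders in the sample and point the tests at a separate config, or at minimum add `# Test credentials for the test suite only; replace with a real certificate and key before deployment.` above the two lines. The `cookie-validity = 172800` change in the later hunk quadruples the reconnect window; its comment could state the trade-off, e.g. `# A longer lifetime means a captured cookie stays usable for longer without re-authentication.`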
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.c)
|
||||
*
|
||||
* It has been AutoGen-ed February 20, 2013 at 09:27:15 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 22, 2013 at 07:35:35 PM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||
@@ -133,15 +133,12 @@ server-key = /path/to/key.pem
|
||||
# OU (organizational unit) = 2.5.4.11
|
||||
#cert-group-oid = 2.5.4.11
|
||||
|
||||
# A revocation list of ca-cert is set
|
||||
# The revocation list of the certificates issued by the 'ca-cert' above.
|
||||
#crl = /path/to/crl.pem
|
||||
|
||||
# GnuTLS priority string
|
||||
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
|
||||
|
||||
# The default server directory
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
# The time (in seconds) that a client is allowed to stay connected prior
|
||||
# to authentication
|
||||
auth-timeout = 40
|
||||
@@ -160,7 +157,7 @@ cookie-validity = 43200
|
||||
# Parameters are passed on the environment.
|
||||
# USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||
# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
|
||||
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client).
|
||||
#connect-script = /usr/bin/myscript
|
||||
#disconnect-script = /usr/bin/myscript
|
||||
|
||||
@@ -170,27 +167,35 @@ use-utmp = true
|
||||
# PID file
|
||||
pid-file = /var/run/ocserv.pid
|
||||
|
||||
# The user the worker processes will be run as.
|
||||
run-as-user = nobody
|
||||
run-as-group = nogroup
|
||||
|
||||
#
|
||||
# Network settings
|
||||
#
|
||||
|
||||
# The name of the tun device
|
||||
device = vpns
|
||||
|
||||
# The pool of addresses that leases will be given from.
|
||||
ipv4-network = 192.168.1.0
|
||||
ipv4-netmask = 255.255.255.0
|
||||
# Use the keywork local to advertize the local P-t-P address as DNS server
|
||||
# ipv4-dns = 192.168.2.1
|
||||
ipv4-dns = local
|
||||
|
||||
# The same, but for IPv6.
|
||||
#ipv6-address =
|
||||
#ipv6-mask =
|
||||
#ipv6-dns =
|
||||
|
||||
# Leave empty to assign the default MTU of the device
|
||||
# Unset to assign the default MTU of the device
|
||||
# mtu =
|
||||
|
||||
# routes to be sent to client.
|
||||
# Routes to be forwarded to the client. If you need the
|
||||
# client to forward routes to the server, you may use the connect
|
||||
# and disconnect scripts.
|
||||
route = 192.168.1.0/255.255.255.0
|
||||
route = 192.168.5.0/255.255.255.0
|
||||
|
||||
|
||||
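Review bot: The comment `# Use the keywork local to advertize the local P-t-P address as DNS server` carries two spelling slips that the AutoGen step copies verbatim into doc/ocserv.1 (the man page header above names this definitions file as its source); suggest `# Use the keyword local to advertise the local P-t-P address as DNS server`. The rewritten `crl` comment now says what the file contains but not what happens while the key stays commented out; if revocation checking is simply skipped in that case (not visible in this hunk), a line such as `# If unset, no revocation checking is performed.` would make the consequence of the default explicit. The file this section belongs to is not named on the page, so the exact path is inferred from the matching man-page text.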
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.h)
|
||||
*
|
||||
* It has been AutoGen-ed February 20, 2013 at 09:27:15 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 22, 2013 at 07:35:35 PM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||