diff --git a/TODO b/TODO
index 3bf1acbc..e9c67e3f 100644
--- a/TODO
+++ b/TODO
@@ -10,6 +10,8 @@
 * Try adding salsa20-12 and UMAC as encryption algorithms for DTLS to reduce CPU load.
+* Handle users being in multiple groups.
+
 * Keep the TLS key and certificates into the privileged process and use IPC for operations. This currently cannot be done, because the main process is the one that spawns the workers and there is no sane way to make the key
diff --git a/doc/ocserv.1 b/doc/ocserv.1
index 4a40dbb4..bcd86927 100644
--- a/doc/ocserv.1
+++ b/doc/ocserv.1
@@ -1,8 +1,8 @@
-.TH ocserv 1 "20 Feb 2013" "0.0.1" "User Commands"
+.TH ocserv 1 "22 Feb 2013" "0.0.1" "User Commands"
 .\"
 .\" DO NOT EDIT THIS FILE (ocserv-args.man)
 .\"
-.\" It has been AutoGen-ed February 20, 2013 at 09:27:17 PM by AutoGen 5.16
+.\" It has been AutoGen-ed February 22, 2013 at 07:35:41 PM by AutoGen 5.16
 .\" From the definitions ../src/ocserv-args.def.tmp
 .\" and the template file agman-cmd.tpl
 .\"
@@ -217,15 +217,12 @@ server\-key = /path/to/key.pem
 # OU (organizational unit) = 2.5.4.11
 #cert\-group\-oid = 2.5.4.11
 .sp
-# A revocation list of ca\-cert is set
+# The revocation list of the certificates issued by the 'ca\-cert' above.
 #crl = /path/to/crl.pem
 .sp
 # GnuTLS priority string
 tls\-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
 .sp
-# The default server directory
-#chroot\-dir = /path/to/chroot
-.sp
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth\-timeout = 40
@@ -244,7 +241,7 @@ cookie\-validity = 43200
 # Parameters are passed on the environment.
 # USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P\-t\-P connect), IP_REMOTE (the VPN IP of the client).
+# in the P\-t\-P connection), IP_REMOTE (the VPN IP of the client).
 #connect\-script = /usr/bin/myscript
 #disconnect\-script = /usr/bin/myscript
 .sp
@@ -254,27 +251,35 @@ use\-utmp = true
 # PID file
 pid\-file = /var/run/ocserv.pid
 .sp
+# The user the worker processes will be run as.
 run\-as\-user = nobody
 run\-as\-group = nogroup
 .sp
+#
 # Network settings
+#
 .sp
+# The name of the tun device
 device = vpns
 .sp
+# The pool of addresses that leases will be given from.
 ipv4\-network = 192.168.1.0
 ipv4\-netmask = 255.255.255.0
 # Use the keywork local to advertize the local P\-t\-P address as DNS server
 # ipv4\-dns = 192.168.2.1
 ipv4\-dns = local
 .sp
+# The same, but for IPv6.
 #ipv6\-address =
 #ipv6\-mask =
 #ipv6\-dns =
 .sp
-# Leave empty to assign the default MTU of the device
+# Unset to assign the default MTU of the device
 # mtu =
 .sp
-# routes to be sent to client.
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the connect
+# and disconnect scripts.
 route = 192.168.1.0/255.255.255.0
 route = 192.168.5.0/255.255.255.0
 .sp
diff --git a/doc/sample.config b/doc/sample.config
index 7a80cf08..aab7fd5b 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -23,7 +23,7 @@ udp-port = 3333
 keepalive = 32400
 
 # Dead peer detection in seconds
-dpd = 240
+dpd = 440
 
 # MTU discovery (DPD must be enabled)
 try-mtu-discovery = false
@@ -32,13 +32,13 @@ try-mtu-discovery = false
 # The key may be a file, or any URL supported by GnuTLS (e.g.,
 # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
 # or pkcs11:object=my-vpn-key;object-type=private)
-server-cert = /path/to/cert.pem
-server-key = /path/to/key.pem
+server-cert = ../test-cert.pem
+server-key = ../test-key.pem
 
 # In case PKCS #11 or TPM keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only (It's the storage
 # root key).
-pin-file = /path/to/pin.txt
+#pin-file = /path/to/pin.txt
 #srk-pin-file = /path/to/srkpin.txt
 
 # The Certificate Authority that will be used
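Review bot: The sample configuration now points `server-cert`/`server-key` at `../test-cert.pem` and `../test-key.pem`, relative paths that resolve against the daemon's working directory rather than the location of the config file, and that name what look like test credentials; an operator who copies the sample unchanged would serve with a key that is not private to that host. If the intent is to make the in-tree sample runnable for testing, say so above the two lines, e.g. `# Test credentials from the source tree; replace with this server's own certificate and key before deployment.`, and consider keeping the `/path/to/` placeholders in the sample that gets installed. Commenting out `pin-file` is consistent with that, since a plain PEM key needs no PIN.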
@@ -75,7 +75,7 @@ auth-timeout = 40
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime
 # of that cookie.
-cookie-validity = 43200
+cookie-validity = 172800
 
 # A cookie database. If not set cookies are stored in memory and
 # server restarts won't preserve them.
@@ -116,4 +116,4 @@ ipv4-dns = local
 # mtu =
 
 route = 192.168.1.0/255.255.255.0
-route = 192.168.5.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
diff --git a/src/ocserv-args.c b/src/ocserv-args.c
index 6baa5601..c49b55a8 100644
--- a/src/ocserv-args.c
+++ b/src/ocserv-args.c
@@ -2,7 +2,7 @@
  *
  * DO NOT EDIT THIS FILE (ocserv-args.c)
  *
- * It has been AutoGen-ed February 20, 2013 at 09:27:15 PM by AutoGen 5.16
+ * It has been AutoGen-ed February 22, 2013 at 07:35:35 PM by AutoGen 5.16
  * From the definitions ocserv-args.def
  * and the template file options
  *
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 7c1a216c..3e760b4b 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -133,15 +133,12 @@ server-key = /path/to/key.pem
 # OU (organizational unit) = 2.5.4.11
 #cert-group-oid = 2.5.4.11
 
-# A revocation list of ca-cert is set
+# The revocation list of the certificates issued by the 'ca-cert' above.
 #crl = /path/to/crl.pem
 
 # GnuTLS priority string
 tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
 
-# The default server directory
-#chroot-dir = /path/to/chroot
-
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 40
@@ -160,7 +157,7 @@ cookie-validity = 43200
 # Parameters are passed on the environment.
 # USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client).
 #connect-script = /usr/bin/myscript
 #disconnect-script = /usr/bin/myscript
 
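Review bot: `cookie-validity = 172800` quadruples the reconnect cookie's lifetime (12 to 48 hours, assuming the value is in seconds like the neighbouring `auth-timeout` and `dpd`), yet the comment above states neither the unit nor what a longer lifetime costs, so the trade-off is invisible to anyone editing the sample. Per the existing comment the cookie alone lets a client reconnect without re-authenticating, so its validity is presumably also the window in which a cookie obtained by someone else remains usable. I would extend the comment with `# (in seconds) The cookie is sufficient to reconnect, so a longer validity` and `# also extends how long a leaked cookie stays usable.`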
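Review bot: The rewritten `crl` comment now says what the file is, but the option stays commented out in the generated sample, and nothing tells the reader that without a CRL the server presumably has no way to learn that a client certificate issued by `ca-cert` has been revoked. Suggest adding a second line after it: `# Without it, revoked client certificates are still accepted.` The `chroot-dir` lines are dropped from the embedded sample here and in the matching doc/ocserv.1 hunk; if the option itself still exists in the definitions outside this hunk, a one-line note on where it went would spare the reader a search.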
@@ -170,27 +167,35 @@ use-utmp = true
 # PID file
 pid-file = /var/run/ocserv.pid
 
+# The user the worker processes will be run as.
 run-as-user = nobody
 run-as-group = nogroup
 
+#
 # Network settings
+#
 
+# The name of the tun device
 device = vpns
 
+# The pool of addresses that leases will be given from.
 ipv4-network = 192.168.1.0
 ipv4-netmask = 255.255.255.0
 # Use the keywork local to advertize the local P-t-P address as DNS server
 # ipv4-dns = 192.168.2.1
 ipv4-dns = local
 
+# The same, but for IPv6.
 #ipv6-address =
 #ipv6-mask =
 #ipv6-dns =
 
-# Leave empty to assign the default MTU of the device
+# Unset to assign the default MTU of the device
 # mtu =
 
-# routes to be sent to client.
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the connect
+# and disconnect scripts.
 route = 192.168.1.0/255.255.255.0
 route = 192.168.5.0/255.255.255.0
 
diff --git a/src/ocserv-args.h b/src/ocserv-args.h
index 5cb65f83..05581eeb 100644
--- a/src/ocserv-args.h
+++ b/src/ocserv-args.h
@@ -2,7 +2,7 @@
  *
  * DO NOT EDIT THIS FILE (ocserv-args.h)
  *
- * It has been AutoGen-ed February 20, 2013 at 09:27:15 PM by AutoGen 5.16
+ * It has been AutoGen-ed February 22, 2013 at 07:35:35 PM by AutoGen 5.16
  * From the definitions ocserv-args.def
  * and the template file options
  *
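Review bot: The new comment on `run-as-user`/`run-as-group` explains what the keys do, but the sample still uses `nobody`/`nogroup`, an account that other services on the same host typically share, so a reader copying it gets no hint that a dedicated unprivileged account is preferable. I would extend it: `# The user the worker processes will be run as. Prefer a dedicated` followed by `# unprivileged account over one shared with other services.` The context line `# Use the keywork local to advertize ...` keeps the typo `keywork` (should be `keyword`); since the same sample text is repeated in the doc/ocserv.1 hunk, any wording fix should be applied to both copies.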