2026-02-10 00:37:00 +08:00 · 2015-01-20 14:20:44 +01:00
parent 10f95ade9a
commit bcef2eb16b
2 changed files with 161 additions and 109 deletions
							
							
							
						
@@ -1,38 +1,46 @@
# User authentication method. Could be set multiple times and in 
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, certificate[optional],
# plain, pam. 
#auth = "certificate"
auth = "plain[./sample.passwd]"
#auth = "pam"
# plain, pam, radius[configfile,groupconfig]. 
# This indicates that a user may present a certificate. When that option
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# certificate[optional]:
#  This indicates that a user may present a certificate. When that option
# is set, individual users or user groups can be forced to present a valid
# certificate by using "require-cert=true".
#auth = "certificate[optional]"
# The gid-min option is used by auto-select-group option, in order to
# select the minimum group ID.
#auth = "pam[gid-min=1000]"
# The plain option requires specifying a password file which contains
# certificate by adding "require-cert=true" in the per-user configuration file.
#
# pam[gid-min=1000]:
#  The gid-min option is used by auto-select-group option, in order to
# select the minimum valid group ID.
#
# plain[/etc/ocserv/ocpasswd]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
# The radius option requires specifying freeradius-client configuration
#
# radius[/etc/radiusclient/radiusclient.conf,groupconfig]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user will be overriden,
# and all configuration will be read from radius. The supported atributes for
# radius configuration are:
# Group-Name, Framed-IPv6-Address, DNS-Server-IPv6-Address, Framed-IP-Address,
# Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
#auth = "radius[/usr/local/etc/radiusclient/radiusclient.conf,groupconfig]"
# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
# Whether to enable seccomp worker isolation. That restricts the number of 
#auth = "certificate"
#auth = "certificate[optional]"
#auth = "pam"
#auth = "pam[gid-min=1000]"
auth = "plain[./sample.passwd]"
#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
isolate-workers = true
# A banner to be displayed on clients
							
								
							
							
								
							
							
						
@@ -59,31 +67,38 @@ max-same-clients = 2
# reconnects.
#listen-host-is-dyndns = true
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
listen-clear-file = /var/run/ocserv-conn.socket
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. The connections are
# forwarded without SSL/TLS.
listen-clear-file = /var/run/ocserv-conn.socket
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 90
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too 
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
#mobile-dpd = 1800
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-DeviceType'.
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
							
							
							
								
							
						
@@ -93,8 +108,11 @@ try-mtu-discovery = false
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem
							
								
							
							
								
							
							
						
@@ -137,9 +155,10 @@ server-key = ../tests/server-key.pem
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially.
#crl = /path/to/crl.pem
# Uncomment this to enable compression negotiation.
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
# Set the minimum size under which a packet will not be compressed.
							
							
							
								
							
						
@@ -150,16 +169,15 @@ server-key = ../tests/server-key.pem
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The default string below enforces perfect forward secrecy (PFS) 
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., to old default without perfect forward secrecy (PFS)
# on the main channel:
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
# E.g., the string below enforces perfect forward secrecy (PFS) 
# on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
							
								
							
							
								
							
							
						
@@ -205,16 +223,25 @@ rekey-time = 172800
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOVE (the IPv6 remote address), and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /scripts/ocserv-script
#disconnect-script = /scripts/ocserv-script
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
							
							
							
								
							
						
@@ -225,14 +252,13 @@ use-occtl = true
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
							
							
							
								
							
						
@@ -256,7 +282,7 @@ run-as-group = daemon
# Network settings
#
# The name of the tun device
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
							
							
							
								
							
						
@@ -270,6 +296,9 @@ default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
							
							
							
								
							
						
@@ -287,10 +316,13 @@ ipv6-network = fda9:4efe:7e3b:03ea::/64
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu = 
# Use this option to enforce an MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
							
							
							
								
							
						
@@ -307,84 +339,97 @@ ping-leases = false
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
# comment out all routes from the server, or use the special keyword
# 'default'.
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
#  net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
#select-group = group1
#select-group = group2[My group 2]
#select-group = tost[The tost group]
# The name of the group that if selected it would allow to use
# the assigned by default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list. That
# option is only functional on plain authentication.
#auto-select-group = true
# This option is only valid in a user/group configuration file. If the
# auth mode is certificate[optional], it requires a certificate for this
# particular user or group.
#require-cert = true
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special strings '%{U}'
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/%{G}/hello
#proxy-url = http://example.com/%{U}/
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# This option must be set to true to support legacy CISCO clients.
# A side effect of this option is that it will no longer be required 
# for clients to present their certificate on every connection.
# That is they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
#cisco-client-compat = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
#user-profile = profile.xml
#user-profile = /path/to/file.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
# be within any chroot environment. Normally you don't need
# to use this option.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be 
# set for them.
#cisco-client-compat = false
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
							
							
							
						
 
							
							
								
							
							
						
@@ -77,38 +77,45 @@ An example configuration file follows.
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, certificate[optional],
# plain, pam, radius[configfile,groupconfig]. 
#auth = "certificate"
#auth = "pam"
# This indicates that a user may present a certificate. When that option
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# certificate[optional]:
#  This indicates that a user may present a certificate. When that option
# is set, individual users or user groups can be forced to present a valid
# certificate by using "require-cert=true".
#auth = "certificate[optional]"
# The gid-min option is used by auto-select-group option, in order to
# certificate by adding "require-cert=true" in the per-user configuration file.
#
# pam[gid-min=1000]:
#  The gid-min option is used by auto-select-group option, in order to
# select the minimum valid group ID.
#auth = "pam[gid-min=1000]"
# The plain option requires specifying a password file which contains
#
# plain[/etc/ocserv/ocpasswd]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
# The radius option requires specifying freeradius-client configuration
#
# radius[/etc/radiusclient/radiusclient.conf,groupconfig]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user will be overriden,
# and all configuration will be read from radius. The supported atributes for
# radius configuration are:
# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
#auth = "certificate"
#auth = "certificate[optional]"
#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly double the time needed for fork() per client, and 
# 2% overhead at transfer time (tested on a Linux 3.17.8).
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
#isolate-workers = true
# A banner to be displayed on clients
							
								
							
							
								
							
							
						
@@ -136,8 +143,8 @@ max-same-clients = 2
#listen-host-is-dyndns = true
# TCP and UDP port number
tcp-port = 3333
udp-port = 3333
tcp-port = 4443
udp-port = 4443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
							
								
							
							
								
							
							
						
@@ -239,7 +246,7 @@ server-key = /path/to/key.pem
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
							
								
							
							
								
							
							
						
@@ -344,7 +351,7 @@ run-as-group = nogroup
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
cgroup = "cpuset,cpu:test"
#cgroup = "cpuset,cpu:test"
#
# Network settings