diff --git a/doc/sample.config b/doc/sample.config index 3797a2d9..25a945be 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -1,38 +1,46 @@ # User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use # multiple auth directives. Available options: certificate, certificate[optional], -# plain, pam. -#auth = "certificate" -auth = "plain[./sample.passwd]" -#auth = "pam" +# plain, pam, radius[configfile,groupconfig]. -# This indicates that a user may present a certificate. When that option +# certificate: +# This indicates that all connecting users must present a certificate. +# +# certificate[optional]: +# This indicates that a user may present a certificate. When that option # is set, individual users or user groups can be forced to present a valid -# certificate by using "require-cert=true". -#auth = "certificate[optional]" - -# The gid-min option is used by auto-select-group option, in order to -# select the minimum group ID. -#auth = "pam[gid-min=1000]" - -# The plain option requires specifying a password file which contains +# certificate by adding "require-cert=true" in the per-user configuration file. +# +# pam[gid-min=1000]: +# The gid-min option is used by auto-select-group option, in order to +# select the minimum valid group ID. +# +# plain[/etc/ocserv/ocpasswd] +# The plain option requires specifying a password file which contains # entries of the following format. -# "username:groupname:encoded-password" -# One entry must be listed per line, and 'ocpasswd' can be used +# "username:groupname1,groupname2:encoded-password" +# One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. -#auth = "plain[/etc/ocserv/ocpasswd]" - -# The radius option requires specifying freeradius-client configuration +# +# radius[/etc/radiusclient/radiusclient.conf,groupconfig]: +# The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, # and all configuration will be read from radius. The supported atributes for # radius configuration are: -# Group-Name, Framed-IPv6-Address, DNS-Server-IPv6-Address, Framed-IP-Address, -# Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server -#auth = "radius[/usr/local/etc/radiusclient/radiusclient.conf,groupconfig]" +# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, +# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server -# Whether to enable seccomp worker isolation. That restricts the number of +#auth = "certificate" +#auth = "certificate[optional]" +#auth = "pam" +#auth = "pam[gid-min=1000]" +auth = "plain[./sample.passwd]" +#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" + +# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of # system calls allowed to a worker process, in order to reduce damage from a # bug in the worker process. It is available on Linux systems at a performance cost. +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). isolate-workers = true # A banner to be displayed on clients @@ -59,31 +67,38 @@ max-same-clients = 2 # reconnects. #listen-host-is-dyndns = true +# TCP and UDP port number +tcp-port = 443 +udp-port = 443 + +# Accept connections using a socket file. It accepts HTTP +# connections (i.e., without SSL/TLS unlike its TCP counterpart), +# and uses it as the primary channel. That option cannot be +# combined with certificate authentication. +listen-clear-file = /var/run/ocserv-conn.socket + # Stats report time. The number of seconds after which each # worker process will report its usage statistics (number of # bytes transferred etc). This is useful when accounting like # radius is in use. #stats-report-time = 360 -# TCP and UDP port number -tcp-port = 443 -udp-port = 443 - -# Accept connections using a socket file. The connections are -# forwarded without SSL/TLS. -listen-clear-file = /var/run/ocserv-conn.socket - # Keepalive in seconds keepalive = 32400 # Dead peer detection in seconds. +# Note that when the client is behind a NAT this value +# needs to be short enough to prevent the NAT disassociating +# his UDP session from the port number. Otherwise the client +# could have his UDP connection stalled, for several minutes. dpd = 90 -# Dead peer detection for mobile clients. The needs to -# be much higher to prevent such clients being awaken too +# Dead peer detection for mobile clients. That needs to +# be higher to prevent such clients being awaken too # often by the DPD messages, and save battery. -# (clients that send the X-AnyConnect-Identifier-DeviceType) -#mobile-dpd = 1800 +# The mobile clients are distinguished from the header +# 'X-AnyConnect-Identifier-DeviceType'. +mobile-dpd = 1800 # MTU discovery (DPD must be enabled) try-mtu-discovery = false @@ -93,8 +108,11 @@ try-mtu-discovery = false # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user # or pkcs11:object=my-vpn-key;object-type=private) # -# There may be multiple certificate and key pairs and each key -# should correspond to the preceding certificate. +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. server-cert = ../tests/server-cert.pem server-key = ../tests/server-key.pem @@ -137,9 +155,10 @@ server-key = ../tests/server-key.pem #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. +# See the manual to generate an empty CRL initially. #crl = /path/to/crl.pem -# Uncomment this to enable compression negotiation. +# Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true # Set the minimum size under which a packet will not be compressed. @@ -150,16 +169,15 @@ server-key = ../tests/server-key.pem # GnuTLS priority string; note that SSL 3.0 is disabled by default # as there are no openconnect (and possibly anyconnect clients) using -# that protocol. The default string below enforces perfect forward secrecy (PFS) -# on the main channel. -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +# that protocol. The string below does not enforce perfect forward +# secrecy, in order to be compatible with legacy clients. +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" # More combinations in priority strings are available, check # http://gnutls.org/manual/html_node/Priority-Strings.html -# E.g., to old default without perfect forward secrecy (PFS) -# on the main channel: -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" +# E.g., the string below enforces perfect forward secrecy (PFS) +# on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" # The time (in seconds) that a client is allowed to stay connected prior # to authentication @@ -205,16 +223,25 @@ rekey-time = 172800 # option. rekey-method = ssl -# Script to call when a client connects and obtains an IP -# Parameters are passed on the environment. +# Script to call when a client connects and obtains an IP. +# The following parameters are passed on the environment. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 +# assigned), IPV6_REMOVE (the IPv6 remote address), and # ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /scripts/ocserv-script -#disconnect-script = /scripts/ocserv-script + +# The disconnect script will receive the additional values: STATS_BYTES_IN, +# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes +# output from the tun device, and the duration of the session in seconds. + +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript # UTMP +# Register the connected clients to utmp. This will allow viewing +# the connected clients using the command 'who'. use-utmp = true # Whether to enable support for the occtl tool (i.e., either through D-BUS, @@ -225,14 +252,13 @@ use-occtl = true # if you use more than a single servers. #occtl-socket-file = /var/run/occtl.socket - # PID file. It can be overriden in the command line. pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot -# socket file used for IPC, will be appended with .PID +# socket file used for server IPC (worker-main), will be appended with .PID # It must be accessible within the chroot environment (if any) socket-file = /var/run/ocserv-socket @@ -256,7 +282,7 @@ run-as-group = daemon # Network settings # -# The name of the tun device +# The name to use for the tun device device = vpns # Whether the generated IPs will be predictable, i.e., IP stays the @@ -270,6 +296,9 @@ default-domain = example.com ipv4-network = 192.168.1.0 ipv4-netmask = 255.255.255.0 +# An alternative way of specifying the network: +#ipv4-network = 192.168.1.0/24 + # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 @@ -287,10 +316,13 @@ ipv6-network = fda9:4efe:7e3b:03ea::/64 # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. +# Only set to true, if there can be occupied addresses in the +# IP range for leases. ping-leases = false -# Unset to assign the default MTU of the device -# mtu = +# Use this option to enforce an MTU value to the incoming +# connections. Unset to use the default MTU of the TUN device. +#mtu = 1420 # Unset to enable bandwidth restrictions (in bytes/sec). The # setting here is global, but can also be set per user or per group. @@ -307,84 +339,97 @@ ping-leases = false # config-per-user/group or even connect and disconnect scripts. # # To set the server as the default gateway for the client just -# comment out all routes from the server. +# comment out all routes from the server, or use the special keyword +# 'default'. + route = 192.168.1.0/255.255.255.0 route = 192.168.5.0/255.255.255.0 #route = fef4:db8:1000:1001::/64 +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +# The group may be followed by a user-friendly name in brackets. +#select-group = group1 +#select-group = group2[My special group] + +# The name of the (virtual) group that if selected it would assign the user +# to its default group. +#default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. +#auto-select-group = true + # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, -# net-priority and cgroup. +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, +# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted -# by the commands route-add-cmd and route-del-cmd (see below). +# by the commands route-add-cmd and route-del-cmd (see below). The no-udp +# is a boolean option (e.g., no-udp = true), and will prevent a UDP session +# for that specific user or group. #config-per-user = /etc/ocserv/config-per-user/ #config-per-group = /etc/ocserv/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. - #default-user-config = /etc/ocserv/defaults/user.conf #default-group-config = /etc/ocserv/defaults/group.conf -# Groups that a client is allowed to select from. -# A client may belong in multiple groups, and in certain use-cases -# it is needed to switch between them. For these cases the client can -# select prior to authentication. Add multiple entries for multiple groups. -#select-group = group1 -#select-group = group2[My group 2] -#select-group = tost[The tost group] - -# The name of the group that if selected it would allow to use -# the assigned by default group. -#default-select-group = DEFAULT - -# Instead of specifying manually all the allowed groups, you may instruct -# ocserv to scan all available groups and include the full list. That -# option is only functional on plain authentication. -#auto-select-group = true +# This option is only valid in a user/group configuration file. If the +# auth mode is certificate[optional], it requires a certificate for this +# particular user or group. +#require-cert = true # The system command to use to setup a route. %{R} will be replaced with the # route/mask and %{D} with the (tun) device. # -# The following example is from linux systems. %{R} should be something -# like 192.168.2.0/24 +# The following example is from linux systems. %R should be something +# like 192.168.2.0/24 (the argument of iroute). #route-add-cmd = "ip route add %{R} dev %{D}" #route-del-cmd = "ip route delete %{R} dev %{D}" -# This option allows to forward a proxy. The special strings '%{U}' +# This option allows to forward a proxy. The special keywords '%{U}' # and '%{G}', if present will be replaced by the username and group name. #proxy-url = http://example.com/ -#proxy-url = http://example.com/%{U}/%{G}/hello +#proxy-url = http://example.com/%{U}/ # # The following options are for (experimental) AnyConnect client # compatibility. +# This option must be set to true to support legacy CISCO clients. +# A side effect of this option is that it will no longer be required +# for clients to present their certificate on every connection. +# That is they may resume a cookie without presenting a certificate +# (when certificate authentication is used). +#cisco-client-compat = true + # Client profile xml. A sample file exists in doc/profile.xml. +# It is required by some of the CISCO clients. # This file must be accessible from inside the worker's chroot. -# It is not used by the openconnect client. -#user-profile = profile.xml +#user-profile = /path/to/file.xml # Binary files that may be downloaded by the CISCO client. Must -# be within any chroot environment. +# be within any chroot environment. Normally you don't need +# to use this option. #binary-files = /path/to/binaries -# Unless set to false it is required for clients to present their -# certificate even if they are authenticating via a previously granted -# cookie and complete their authentication in the same TCP connection. -# Legacy CISCO clients do not do that, and thus this option should be -# set for them. -#cisco-client-compat = false - #Advanced options # Option to allow sending arbitrary custom headers to the client after -# authentication and prior to VPN tunnel establishment. +# authentication and prior to VPN tunnel establishment. You shouldn't +# need to use this option normally; if you do and you think that +# this may help others, please send your settings and reason to +# the openconnect mailing list. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. #custom-header = "X-My-Header: hi there" + diff --git a/src/ocserv-args.def b/src/ocserv-args.def index 4a5d2b40..d5dde7ba 100644 --- a/src/ocserv-args.def +++ b/src/ocserv-args.def @@ -77,38 +77,45 @@ An example configuration file follows. # that case all should succeed. To enable multiple methods use # multiple auth directives. Available options: certificate, certificate[optional], # plain, pam, radius[configfile,groupconfig]. -#auth = "certificate" -#auth = "pam" -# This indicates that a user may present a certificate. When that option +# certificate: +# This indicates that all connecting users must present a certificate. +# +# certificate[optional]: +# This indicates that a user may present a certificate. When that option # is set, individual users or user groups can be forced to present a valid -# certificate by using "require-cert=true". -#auth = "certificate[optional]" - -# The gid-min option is used by auto-select-group option, in order to +# certificate by adding "require-cert=true" in the per-user configuration file. +# +# pam[gid-min=1000]: +# The gid-min option is used by auto-select-group option, in order to # select the minimum valid group ID. -#auth = "pam[gid-min=1000]" - -# The plain option requires specifying a password file which contains +# +# plain[/etc/ocserv/ocpasswd] +# The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -# One entry must be listed per line, and 'ocpasswd' can be used +# One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. -#auth = "plain[/etc/ocserv/ocpasswd]" - -# The radius option requires specifying freeradius-client configuration +# +# radius[/etc/radiusclient/radiusclient.conf,groupconfig]: +# The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, # and all configuration will be read from radius. The supported atributes for # radius configuration are: # Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, # Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server + +#auth = "certificate" +#auth = "certificate[optional]" +#auth = "pam" +#auth = "pam[gid-min=1000]" +#auth = "plain[/etc/ocserv/ocpasswd]" #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of # system calls allowed to a worker process, in order to reduce damage from a # bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly double the time needed for fork() per client, and -# 2% overhead at transfer time (tested on a Linux 3.17.8). +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). #isolate-workers = true # A banner to be displayed on clients @@ -136,8 +143,8 @@ max-same-clients = 2 #listen-host-is-dyndns = true # TCP and UDP port number -tcp-port = 3333 -udp-port = 3333 +tcp-port = 4443 +udp-port = 4443 # Accept connections using a socket file. It accepts HTTP # connections (i.e., without SSL/TLS unlike its TCP counterpart), @@ -239,7 +246,7 @@ server-key = /path/to/key.pem # as there are no openconnect (and possibly anyconnect clients) using # that protocol. The string below does not enforce perfect forward # secrecy, in order to be compatible with legacy clients. -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" # More combinations in priority strings are available, check # http://gnutls.org/manual/html_node/Priority-Strings.html @@ -344,7 +351,7 @@ run-as-group = nogroup # Set the VPN worker process into a specific cgroup. This is Linux # specific and can be set per user/group or globally. -cgroup = "cpuset,cpu:test" +#cgroup = "cpuset,cpu:test" # # Network settings