tests: check the ability to load encrypted key files

tests/Makefile.am

@@ -8,7 +8,8 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co
 	test-explicit-ip user-config-explicit/test2 user-config-explicit/test3 \
 	user-config-explicit/test4 test-pass-opt-cert.config test-gssapi.config \
 	test-ban.config test-sighup.config test-gssapi-local-map.config \
-	test-cookie-invalidation.config
+	test-cookie-invalidation.config test-enc-key2.config test-enc-key.config \
+	server-key-ossl.pem server-key-p8.pem
 
 SUBDIRS = docker-ocserv docker-kerberos
 
@@ -17,7 +18,7 @@ dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-sc
 	ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \
 	test-cookie-timeout test-cookie-timeout-2 radius-test test-explicit-ip \
 	radius-test test-gssapi kerberos-test pam-test test-ban test-sighup \
-	test-cookie-invalidation radius-test-config
+	test-cookie-invalidation radius-test-config test-enc-key
 
 
 AM_CPPFLAGS = \
@@ -46,7 +47,7 @@ TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
 	ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \
 	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip radius-test \
 	test-gssapi kerberos-test pam-test test-ban test-sighup ipv4-prefix \
-	radius-test-config kkdcp-parsing json-escape
+	radius-test-config kkdcp-parsing json-escape test-enc-key
 
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 	top_builddir="$(top_builddir)"

tests/server-key-ossl.pem

@@ -0,0 +1,35 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,B247C654353F6D91
+
+Rtgu0cfHpMtnqhRE71tdKd92S8t01+p8xWly9DWlfi5GIsUbjvzlFwMLAGIgkmA0
+fPkUotU0xIlajM+50eUnk1EUCAO8yks1dMjCKUWDa0ybGOLLpY4mvXqlPp5aUizs
+RZrxr1uBjDIPy5SGq0zbf3FQpbKiVvPLkAeXMk4fNXG1oZEpVW+S0TnTR9QPr0JO
+2DyLcXn2jNXjb9AoZgXATqeCbvx93A+3c2qrn7tFeYd2qgpGcrLKCNVTfSa2xjEg
+ag1GX4OzgcMc+QYiLPFDTQAS4rGGnbFvOGunARa6B/QK+D7wfZ3VItt10ueiaPIu
+oMIFutH9gr5wITSSyagUbP6BNIIvGl4gOs7tOHp6Jtx23FaoE8SYWk25IUO2migq
+qnXwgJqDJ3NwEn8ovECVmb4pKJqNqIMeAEUe5ylYUWgsdy5PVcKdVrb8zPZaSuEq
+jhORUmw6udiASO9HcOsypXEGPlbD1XFDPe54u+3XblW7KzXyWgBiv/iu3ChWSXPy
+Du6cbmpckaVURJy39XR+TWVBC/5qYvyrfyGzTlN9OX3HEhspAVDVg2kWdngS7vA8
+wHuKUFTewP9Id8uDfN4bWYVr+LiGDNj7ugMBtabWv0Xph1kh++M4e5T2/rRHqdHA
+N8mIzNxrUrUg9U8bGj+i4+VFizhL/jBTYH6jmxa6uP20qOI1dhFvTg7MdfgnRBOp
+KSXN9RXbEsCFO3tQgabNxznHxJuX7NjalmrmAPNERkDmQsNV1z66ScK/hyS6IcSJ
+1Ci5dK8adhRokj2TupYCrQuUFtlVmURpLv6P1/6HpU5sIfmbXoshz/jzJwg3MdJE
+awX2YyrjA2bUkaLmCu6z+0fAlXDz39839Z99LecYDftuMk+4yU+0X03MugD1LmpP
+ldOG/gl9tlejuKiKJiwNWIg0EfYvG0FuhR1BM5cl61X9LbMAvhQJkVlA+s/YvHx5
+ulWAspMFAlpGRnC9kIuVI//kb/kuUMJR0jHmiuXXOMnPoRmTXj0223os+KKi4BmH
+yota14iEfMZcTllzQzZN+WuAvPMnN9e/OhHUJPNwBGPopckrU0J9pUkeI2NxkVcT
+Sa/8S2DC0Qqlp0/JMVAEACs0N2tdwhAL8AWOt/mHCtQWo9fHEP2eEJmUCTXwyl41
+hDe7biGp9FsMkdCAL16PsbgACLzi5+eC62DzxeHXnUE4T1eWTAr91yxpW0QKnBtw
+quKR/H06nLd+3Rz5UTxIHw5RJk98q9phXHV+inP2A2+plEPMSoLNdVzeeT2HJuhH
+EgFdIuKAY9z5dkHu351itY4/80TfDsGHrfHGoBE134u/hsql1q/dD8Vhi98fsqc3
+dRorIQKfWRUT9gaxXCRnJSVJjsfu4NZnaearjzm9xR8UfcNVEUPQ/71WmGK89N0I
+CrIIFzq7vUJhy8d6vL17TU3zhFjdqfSQOPsaitm/Mht9Iw2GQmEzJkp0cA24uYT6
+Omoyqh37tu/JsttSAghpB9nY9hTBf6KjqeQlwPxlkANac3T0ODWWWSX39slssCxh
+PGLNfwK1tZCsLWzqKZi0i3BVdRWiTgBf9wyXXy/zw27okMrCZWrW4s63Cy88YIUJ
++gLXAEtAR96bAXgmme3A3QjjpnTWVkDteZ6AbjdAp5PHuPfp3GjdsRHdLJMgvA6I
+PUPPGnY121z4+fVNR3GyzjXugecgX6+u+WdNJPSYI9U8xfGAde6uTPp/xJV6t8Fm
+8h63r2cBjYn5iF2l8ZdqzjFYIk+2NldHEloz+mla5elgsqtZrKjsGhQlh2niYYbU
+0EgLf3LdRIW4r8kEdbbt9+B5XcH56QV9IzP30GGxUlP/G7SoNUSdGFzJ44tluNGC
+dReVkjqxYLp1NKN2F4FbQg==
+-----END RSA PRIVATE KEY-----

tests/server-key-p8.pem

@@ -0,0 +1,33 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFwjAcBgoqhkiG9w0BDAEDMA4ECALw2WwU1fEfAgIBCASCBaBbjqP8l01wSs9q
+8qqHi4ZXARX4Ne5aTrhZEDY2yVHJPTanQVn1kYO23j1WMpT/a4ZlNW0Skc4gFT+h
+JJCqAZTro9Vcix0v3NE0x83cst9UJg+FuA8ROSMRR/09mbybIpH34iUJCFK1H2+F
+oYgPc0xIsLC+HgFRSdh4wibJfevaT435OvQi/Q1jvYxOkv0hGRgSsd1xMCpITY5M
+VLonFA8LSaD7U4vy/mGFw7MoMoggXDgz1uTM1SZiqiGfd4CqVYf+HluAtDkAsPD2
+WtITiA189OBqErzsCC2JmrdM4gqwA45e7tzBNxKarik591MXHFA44cqu/tBgGLpD
+tF+4hhYYbL39LNSQE39GuR6HhoOM0ar2h28SEZjFTCrQr0smuGMdmFZayOX25hT2
+o3zs/T36w+hsPqQCSSKxPXgQ7M9PFWzsiyTEDj84FLro+I0AEaol3O3J9BNfoeDe
+fvRJ76+1gHv78yDEptaDvH9I83hcf2onzjqBHisd5IzBHfuQ6o/76QvFi9MzSXie
+d3mj35xxF5ICBldRgBSlGEKh/RGRa9+FqjAnjFUOI4PlhSD+bLDvZhzm6dNg/6Rp
+h5Pk6WktLV3RYM/8kwDZNwVrlJlKV7o5/H0fKij7sVtEDqrkzFNuLU+Dw+YH3+92
+Um/csjWlOaRBjf1rQKKicDY+oDaKyp7KeyGdE9Cs8YAIVwL/O7QB8OI/t83BcIlh
+1wZ+FDBRADD+rF0ATkFsbbAJ3bFtpnLiJA1ERDbxbF4emBNQ+HIABSYhGsetxn8G
+zxVc4nEefMjfX+1arBuem4yomFFBWva8tlDImNxGFAkmge708DAEiFjTwUABpdqz
+A3RF+kXfiAXqGLGlDm3bYH5d7j11HWle6b2FDPgoU32p1wX1YL52FR4RrsFJIQzr
+fBeJO/MgxqOgEwocVSj9zaLZnMS3a8RRnCXYouAyvbMpnH1TnsCylcOrjO9v7sjX
+8XI6iS0MkWYJIahItCK9VViAXA+4NqLVYyFCDMlv+8lV2XMPNaRQh2dRTWLJIXgd
+FV3z2/6P4MO6cRnZZ2UvYWMOWPPGV4ycaTdMIWYfhifmGlkjaU42pbxgmxSS4xUy
++Nx+l26s7awKpih7OL+lazejBDTXo45ICl3aDTUDpNpVwpCNRrit43kJnM+QljES
+/xSv9XcW/GbJGh/CoAafscODeGoRYu9sw+xFLzvwUs8tAWSu8leGIMksnOUNCF17
+u+0w+kANrKDLKZZnLQWCUpuJ8c4VSvvfiOCxFrNxS+lbZYxZaIhIpN3LcAZoB4z5
+CJ0rGbOJJ48NkHMugD7sjouj3BNrYvKbTqcGIejISJkXg+8XinByC1KGqq6GigHk
+oETndtfm7pA5mIrqUZ9N6JZ1TL3hM487Xs98AorB35W2hDK1a2VpJQb/TDldDHgP
+7DRdLWsUVOqBBhxaMxSEBkFGXgmXFweGJR+7p3B3tixMDjCRhswa4PPn9wXDZ8Pn
+3EJQ5b4HsmBSuf6BYpz5tbsr++iZzWkfNm3sxHVdej0djcMNMy3xlzUwryTQpIUm
+SPXv6pI1NgLzr6YMcgI5SlZQJxwmhCIhNS+ftrruf+GFeXX2l/hNnVjw5xWhmmX+
+L0P8dGp6os/YsR2rygKMZmMhhs5U55N7HKRsR5F6A0km8IFZ2tIFU4kwsjEj5Ed1
+LKZRCWSDxSeVR7/OpdUtGy2xq9mhsIxQF4zZj1xdFZXD/+0JlMA0tToBktQChosV
+2gKnJphNjFslbOOrZiw8ZJ+JTtsrHHuHLPKylFEMvxTq2siVL6QUu7xF4z2TAne5
+pCfOabcaBPdGw4LD29wdmo6idSlk2moaP9rHJbC1CQKetMeCcxfA3BcvgD1IcecJ
+a6IcMiTiTNKOh88/Y2YB6TF+2AWy/XgQMJ+dLD8ZFBNj14NLh9A=
+-----END ENCRYPTED PRIVATE KEY-----

tests/test-enc-key

@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PORT=4456
+
+. `dirname $0`/common.sh
+
+echo "Testing local backend with encrypted PKCS #8 key file... "
+
+launch_server -d 1 -f -c test-enc-key.config & PID=$!
+wait_server $PID
+
+echo "Connecting to obtain cookie... "
+( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+	fail $PID "Could not receive cookie from server"
+
+kill $PID
+wait
+
+sleep 3
+
+echo "Testing local backend with encrypted openssl key file... "
+
+launch_server -d 1 -f -c test-enc-key2.config & PID=$!
+wait_server $PID
+
+echo "Connecting to obtain cookie... "
+( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+	fail $PID "Could not receive cookie from server"
+
+kill $PID
+wait
+
+
+exit 0

tests/test-enc-key.config

@@ -0,0 +1,186 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+auth = "plain[./test1.passwd]"
+#auth = "pam"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4456
+udp-port = 4456
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./server-cert.pem
+server-key = ./server-key-p8.pem
+
+key-pin = 1234
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address = 
+#ipv6-mask = 
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+

tests/test-enc-key2.config

@@ -0,0 +1,186 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+auth = "plain[./test1.passwd]"
+#auth = "pam"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4456
+udp-port = 4456
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./server-cert.pem
+server-key = ./server-key-ossl.pem
+
+key-pin = 1234
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address = 
+#ipv6-mask = 
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+