mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
5a4ce846b7
That process is called security-module (sec-mod) and communicates with the workers using a unix domain socket.
142 lines
4.1 KiB
Plaintext
142 lines
4.1 KiB
Plaintext
# User authentication method. Could be set multiple times and in that case
|
|
# all should succeed.
|
|
# Options: certificate, pam.
|
|
#auth = "certificate"
|
|
auth = "plain[./sample.passwd]"
|
|
#auth = "pam"
|
|
|
|
# A banner to be displayed on clients
|
|
#banner = "Welcome"
|
|
|
|
# Client config xml. The variable $GROUP will be replaced by
|
|
# the user's group name. This file must be accessible from inside
|
|
# the worker's chroot. It is not used by the openconnect client.
|
|
#user-profile = /profile.xml
|
|
|
|
# Unless set to false it is required for clients to present their
|
|
# certificate even if they are authenticating via a previously granted
|
|
# cookie. Legacy CISCO clients do not do that, and thus this option
|
|
# should be set for them.
|
|
#always-require-cert = false
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
|
|
#listen-host = [IP|HOSTNAME]
|
|
|
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
|
#max-clients = 1024
|
|
max-clients = 16
|
|
|
|
# Limit the number of identical clients (i.e., users connecting multiple times)
|
|
# Unset or set to zero for unlimited.
|
|
max-same-clients = 2
|
|
|
|
# TCP and UDP port number
|
|
tcp-port = 443
|
|
udp-port = 443
|
|
|
|
# Keepalive in seconds
|
|
keepalive = 32400
|
|
|
|
# Dead peer detection in seconds
|
|
dpd = 440
|
|
|
|
# MTU discovery (DPD must be enabled)
|
|
try-mtu-discovery = false
|
|
|
|
# The key and the certificates of the server
|
|
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
|
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
|
# or pkcs11:object=my-vpn-key;object-type=private)
|
|
server-cert = ../test-cert.pem
|
|
server-key = ../test-key.pem
|
|
|
|
# In case PKCS #11 or TPM keys are used the PINs should be available
|
|
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
|
# root key).
|
|
#pin-file = /path/to/pin.txt
|
|
#srk-pin-file = /path/to/srkpin.txt
|
|
|
|
# The Certificate Authority that will be used
|
|
# to verify clients if certificate authentication
|
|
# is set.
|
|
#ca-cert = /path/to/ca.pem
|
|
|
|
# The object identifier that will be used to read the user ID in the client certificate.
|
|
# The object identifier should be part of the certificate's DN
|
|
# Useful OIDs are:
|
|
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
|
|
#cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
|
|
# The object identifier that will be used to read the user group in the client
|
|
# certificate. The object identifier should be part of the certificate's DN
|
|
# Useful OIDs are:
|
|
# OU (organizational unit) = 2.5.4.11
|
|
#cert-group-oid = 2.5.4.11
|
|
|
|
# A revocation list of ca-cert is set
|
|
#crl = /path/to/crl.pem
|
|
|
|
# GnuTLS priority string
|
|
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
|
|
|
|
# The default server directory
|
|
#chroot-dir = /path/to/chroot
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
# to authentication
|
|
auth-timeout = 40
|
|
|
|
# The time (in seconds) that a client is not allowed to reconnect after a failed
|
|
# authentication attempt.
|
|
min-reauth-time = 10
|
|
|
|
# Cookie validity time (in seconds)
|
|
# Once a client is authenticated he's provided a cookie with
|
|
# which he can reconnect. This option sets the maximum lifetime
|
|
# of that cookie.
|
|
cookie-validity = 172800
|
|
|
|
# A cookie database. If not set cookies are stored in memory and
|
|
# server restarts won't preserve them.
|
|
#cookie-db = /var/tmp/cookies.db
|
|
|
|
# Script to call when a client connects and obtains an IP
|
|
# Parameters are passed on the environment.
|
|
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
|
# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
|
|
#connect-script = /usr/bin/myscript
|
|
#disconnect-script = /usr/bin/myscript
|
|
|
|
# UTMP
|
|
use-utmp = true
|
|
|
|
# PID file
|
|
pid-file = /var/run/ocserv.pid
|
|
|
|
# socket file
|
|
socket-file = /var/run/ocserv-socket
|
|
|
|
run-as-user = nobody
|
|
run-as-group = nogroup
|
|
|
|
# Network settings
|
|
|
|
device = vpns
|
|
|
|
ipv4-network = 192.168.1.0
|
|
ipv4-netmask = 255.255.255.0
|
|
# Use the keywork local to advertize the local P-t-P address as DNS server
|
|
# ipv4-dns = 192.168.2.1
|
|
ipv4-dns = local
|
|
|
|
#ipv6-address =
|
|
#ipv6-mask =
|
|
#ipv6-dns =
|
|
|
|
# Leave empty to assign the default MTU of the device
|
|
# mtu =
|
|
|
|
route = 192.168.1.0/255.255.255.0
|
|
#route = 192.168.5.0/255.255.255.0
|