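├── Dockerfile
├── README.md
├── entrypoint.sh
├── ocserv-install.sh
└── ocserv.conf
/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
# Builds ocserv (OpenConnect VPN server) from source on Alpine and ships it
# with a self-signed CA/server certificate pair, ocserv.conf and entrypoint.sh.
#
# NOTE(review): alpine:3.13 is past its end of life and no longer receives
# security updates; move to a supported tag once ocserv builds on it.
FROM alpine:3.13

# key=value form: the legacy space-separated ENV form is deprecated, and values
# that contain spaces must be quoted to keep the same value as before.
ENV OCSERV_VERSION=1.1.2
ENV CA_CN="SAMPLE CA" \
    CA_ORG="Big Corp" \
    SRV_CN="SAMPLE server" \
    SRV_ORG="MyCompany"

# Source location and optional integrity check. The default URL is plain FTP,
# which gives the download no integrity protection, so build with
#   --build-arg OCSERV_SHA256=<sha256 of the tarball>
# to make the build fail on a mismatch. Left empty, the check is skipped and
# the build behaves exactly as before.
ARG OCSERV_URL=ftp://ftp.infradead.org/pub/ocserv
ARG OCSERV_SHA256=""

# Toolchain install, build, certificate generation and toolchain removal all
# happen in one layer so nothing from .build-dependencies persists in the image.
#
# The CA and server certificates are generated AT BUILD TIME, so ca-key.pem and
# server-key.pem are baked into the image layers: every container started from
# this image shares the same private keys, and anyone able to pull the image
# can read them. expiration_days = -1 additionally makes both certificates
# non-expiring. Treat them as placeholders and mount real certificates over
# /etc/ocserv/certs before exposing the server.
RUN set -ex \
    && apk add --no-cache --virtual .build-dependencies \
        autoconf \
        gcc \
        gnutls-dev \
        gnutls-utils \
        krb5-dev \
        libev-dev \
        libmaxminddb-dev \
        libnl3-dev \
        libseccomp-dev \
        linux-headers \
        linux-pam-dev \
        lz4-dev \
        make \
        musl-dev \
        oath-toolkit-dev \
        openssl \
        protobuf-c-dev \
        readline-dev \
        wget \
        xz \
    && wget "$OCSERV_URL/ocserv-$OCSERV_VERSION.tar.xz" \
    && { [ -z "$OCSERV_SHA256" ] \
         || echo "$OCSERV_SHA256  ocserv-$OCSERV_VERSION.tar.xz" | sha256sum -c -; } \
    && mkdir -p /etc/ocserv \
    && tar xf "ocserv-$OCSERV_VERSION.tar.xz" \
    && rm "ocserv-$OCSERV_VERSION.tar.xz" \
    && cd "ocserv-$OCSERV_VERSION" \
    && ./configure \
    && make \
    && make install \
    && cd .. \
    && rm -rf "ocserv-$OCSERV_VERSION" \
    && mkdir -p /etc/ocserv/certs \
    && cd /etc/ocserv/certs \
    && certtool --generate-privkey --outfile ca-key.pem \
    && printf 'cn = %s\norganization = %s\nserial = 1\nexpiration_days = -1\nca\nsigning_key\ncert_signing_key\ncrl_signing_key\n' \
         "$CA_CN" "$CA_ORG" > ca.tmpl \
    && certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem \
    && certtool --generate-privkey --outfile server-key.pem \
    && printf 'cn = %s\norganization = %s\nexpiration_days = -1\nsigning_key\nencryption_key\ntls_www_server\n' \
         "$SRV_CN" "$SRV_ORG" > server.tmpl \
    && certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem \
    && chmod 600 ca-key.pem server-key.pem \
    && touch /etc/ocserv/ocpasswd \
    && apk del .build-dependencies \
    && apk add --no-cache \
        gnutls \
        iptables \
        krb5-libs \
        libev \
        libnl3 \
        libseccomp \
        libtasn1 \
        linux-pam \
        lz4-libs \
        musl \
        nettle \
        oath-toolkit-liboath \
        protobuf-c \
        readline

WORKDIR /etc/ocserv
COPY ocserv.conf /etc/ocserv/ocserv.conf
COPY entrypoint.sh /entrypoint.sh

# Documentation only; the ports are published at run time (-p 443:443 -p 443:443/udp).
EXPOSE 443/tcp
EXPOSE 443/udp

# No USER directive on purpose: entrypoint.sh needs root (CAP_NET_ADMIN) for
# iptables and sysctl, and ocserv itself drops its worker processes to the
# run-as-user/run-as-group configured in ocserv.conf. entrypoint.sh ends with
# exec "$@", so the CMD below becomes PID 1 and receives docker stop's SIGTERM.
ENTRYPOINT ["sh", "/entrypoint.sh"]
CMD ["ocserv", "-c", "/etc/ocserv/ocserv.conf", "-f"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OpenConnect-VPN-Server 2 | **2022 OCT UPDATE**: We dockerized and added Dockerfile to run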
it anywhere you want, on any Linux distro, easily. 3 | Buggy script for configuring the OpenConnect (ocserv) protocol on the server easily and automatically. 4 | 5 | **2023 JAN UPDATE**: We added instructions for a custom Docker installation so everyone can fully customize the ocserv configuration for themselves (port number, custom header, etc.). 6 | 7 | ## Docker Installation 8 | 1. Install Docker 9 | 2. Build the docker image 10 | ```bash 11 | docker build -t ocserv https://github.com/iw4p/OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv.git 12 | ``` 13 | 14 | 3. Run the docker container 15 | ```bash 16 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d ocserv 17 | ``` 18 | 19 | 4. Add user 20 | ```bash 21 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd testUserName 22 | ``` 23 | 24 | 5. Change user password 25 | ```bash 26 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd testUserName 27 | ``` 28 | 29 | 6. Delete user 30 | ```bash 31 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -d testUserName 32 | ``` 33 | 34 | 7. Lock user 35 | ```bash 36 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -l testUserName 37 | ``` 38 | 39 | 8. Unlock user 40 | ```bash 41 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -u testUserName 42 | ``` 43 | 44 | 9. Show all users and their hashed passwords 45 | ```bash 46 | docker exec -ti ocserv cat /etc/ocserv/ocpasswd 47 | ``` 48 | 49 | ## Script Installation 50 | Tested on Ubuntu 18.04 and 16.04. 
51 | 52 | Download and save the script on your server: 53 | ```bash 54 | curl -O https://raw.githubusercontent.com/iw4p/OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv/master/ocserv-install.sh 55 | ``` 56 | 57 | Make the script executable 58 | ```bash 59 | chmod +x ocserv-install.sh 60 | ``` 61 | 62 | And then just run it: 63 | ```sh 64 | ./ocserv-install.sh 65 | ``` 66 | or 67 | ```sh 68 | sudo bash ocserv-install.sh 69 | ``` 70 | 71 | 72 | ## Features 73 | - Easy install 74 | - Easy uninstall 75 | - Add User 76 | - Change Password 77 | - Show All Users 78 | - Delete User 79 | - Lock User 80 | - Unlock User 81 | 82 | ## How to connect to it? 83 | To connect to your server, you can use `AnyConnect`, `OpenConnect` or other alternative clients. 84 | 85 | - AnyConnect: [GUI AnyConnect client for available platforms](https://it.umn.edu/vpn-downloads-guides). 86 | - OpenConnect: [OpenConnect client for Linux](https://computingforgeeks.com/how-to-connect-to-vpn-server-with-openconnect-ssl-vpn-client-on-linux/). 87 | 88 | And one more thing, contributions are welcome. 89 | 90 | ## How to customize the configuration? 91 | For the Docker approach, first clone the repo: 92 | ```sh 93 | git clone https://github.com/iw4p/OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv.git 94 | ``` 95 | 96 | cd to the directory 97 | ```sh 98 | cd ./OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv 99 | ``` 100 | You can change the port, disable UDP, add a custom header and so on. 101 | Modify and customize the ocserv.conf file, then build your image with the modified ocserv.conf: 102 | ```sh 103 | docker build . -t ocserv 104 | ``` 105 | 106 | Create a new container from the ocserv image 107 | ```sh 108 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d ocserv 109 | ``` 110 | 111 | The next steps, such as adding or removing users, are the same as in the Docker Installation section. 
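112 | 113 | 114 | ## Issues 115 | Feel free to submit issues and enhancement requests or contact me via [vida.page/nima](https://vida.page/nima). 116 | 117 | ## Star History 118 | 119 | [![Star History Chart](https://api.star-history.com/svg?repos=iw4p/OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv&type=Date)](https://star-history.com/#iw4p/OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv&Date) 120 | 121 | 122 | ## More 123 | The script is based on [here](https://ocserv.gitlab.io/www/recipes-ocserv-configuration-basic.html) 124 |
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entrypoint: sets up NAT and IP forwarding for the VPN, then hands
# PID 1 to the command given by CMD (ocserv by default) via exec.
# Needs root with CAP_NET_ADMIN, a tun device and writable net sysctls; the
# README grants this with --privileged. No privileges are dropped here:
# ocserv drops its worker processes to run-as-user/run-as-group itself.
set -e

# Masquerade traffic leaving the container so VPN clients reach the outside.
# The rule matches every source; narrow it with "-s <ipv4-network>/<netmask>"
# from ocserv.conf if other networks are attached. -C makes container
# restarts idempotent instead of appending a duplicate rule each time.
iptables -t nat -C POSTROUTING -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -j MASQUERADE

# Set the sysctl directly rather than appending a line to /etc/sysctl.conf
# on every start (which grew the file by one line per restart).
sysctl -w net.ipv4.ip_forward=1

exec "$@"
--------------------------------------------------------------------------------
/ocserv-install.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Interactive installer and user-management menu for ocserv (OpenConnect VPN
# server) on Debian/Ubuntu hosts. Must run as root: it installs packages,
# rewrites /etc/ocserv/ocserv.conf, edits /etc/sysctl.conf and adds an
# iptables NAT rule.

OCSERV_CONF=/etc/ocserv/ocserv.conf
OCPASSWD_FILE=/etc/ocserv/ocpasswd

# Comment out every active "KEY = ..." line in ocserv.conf. The pattern is
# anchored at line start, so "route" does not touch "no-route" and "auth"
# does not touch "enable-auth" (a bare substring substitution hit both).
disable_directive() {
    local key="$1"
    sed -i -E "s@^[[:space:]]*${key}[[:space:]]*=@#&@" "$OCSERV_CONF"
}

# Replace every active "KEY = ..." line by a single "KEY = VALUE" appended at
# the end of the file. Unlike an unanchored "s@KEY = @KEY = VALUE@", a line
# that already carries a value ends up with VALUE instead of VALUE glued onto
# the old one, and re-running the installer does not corrupt the file.
set_directive() {
    local key="$1" value="$2"
    disable_directive "$key"
    echo "${key} = ${value}" >> "$OCSERV_CONF"
}

# Ask for a username into the global "username"; fails when it is empty so
# callers never invoke ocpasswd with a missing argument.
read_username() {
    echo "Enter a username:"
    read -r username
    if [[ -z "$username" ]]; then
        echo "Username must not be empty"
        return 1
    fi
}

install() {
    apt-get update -y

    # First address reported by the host becomes the server certificate CN.
    ip=$(hostname -I | cut -f1 -d ' ')
    echo "Your Server IP address is:$ip"

    echo -e "\e[32mInstalling gnutls-bin\e[39m"
    # -y: without it apt prompts, which hangs the installer when run
    # non-interactively.
    apt-get install -y gnutls-bin || return 1

    # Keys and templates live in ~/certificates (the script cd's to ~ below).
    mkdir -p certificates
    cd certificates || return 1

cat << EOF > ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF

    certtool --generate-privkey --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

cat << EOF > server.tmpl
#yourIP
cn=$ip
organization = "my company"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF

    certtool --generate-privkey --outfile server-key.pem
    certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
    # Private keys must not be world-readable under the default umask; certtool
    # may already restrict the mode, this makes it explicit. ca-key.pem stays
    # here (outside /etc/ocserv) and is what signs any future certificates.
    chmod 600 ca-key.pem server-key.pem

    echo -e "\e[32mInstalling ocserv\e[39m"
    apt-get install -y ocserv || return 1
    # Keep a copy of the stock config next to the certificates.
    cp "$OCSERV_CONF" ~/certificates/

    # Password-file authentication instead of the packaged default, plus the
    # same directives the previous sed chain tried to set: MTU discovery,
    # public DNS, no split routes, Cisco client compatibility, our certificate.
    set_directive auth '"plain[passwd=/etc/ocserv/ocpasswd]"'
    set_directive try-mtu-discovery true
    set_directive dns 8.8.8.8
    disable_directive route
    disable_directive no-route
    set_directive cisco-client-compat true
    set_directive server-cert /etc/ocserv/server-cert.pem
    set_directive server-key /etc/ocserv/server-key.pem

    read_username || return 1
    ocpasswd -c "$OCPASSWD_FILE" "$username"

    # NAT for VPN clients. -C keeps repeated runs from stacking duplicate
    # rules. The rule is not persisted across reboots and matches every
    # source, not only the VPN subnet.
    iptables -t nat -C POSTROUTING -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -j MASQUERADE
    sed -i -e 's@#net.ipv4.ip_forward=@net.ipv4.ip_forward=@g' /etc/sysctl.conf

    sysctl -p /etc/sysctl.conf
    cp ~/certificates/server-key.pem /etc/ocserv/
    cp ~/certificates/server-cert.pem /etc/ocserv/
    chmod 600 /etc/ocserv/server-key.pem
    echo -e "\e[32mStopping ocserv service\e[39m"
    service ocserv stop
    echo -e "\e[32mStarting ocserv service\e[39m"
    service ocserv start

    echo "OpenConnect Server Configured Succesfully"
}

uninstall() {
    # Already root (checked below), so no sudo; apt-get still asks for
    # confirmation because the purge is destructive.
    apt-get purge ocserv
}

addUser() {
    # Also used for "Change Password": ocpasswd overwrites an existing entry.
    read_username || return 1
    ocpasswd -c "$OCPASSWD_FILE" "$username"
}

showUsers() {
    # Prints the raw password file (usernames and hashed passwords).
    cat "$OCPASSWD_FILE"
}

deleteUser() {
    read_username || return 1
    ocpasswd -c "$OCPASSWD_FILE" -d "$username"
}

lockUser() {
    read_username || return 1
    ocpasswd -c "$OCPASSWD_FILE" -l "$username"
}

unlockUser() {
    read_username || return 1
    ocpasswd -c "$OCPASSWD_FILE" -u "$username"
}

if [[ "$EUID" -ne 0 ]]; then
    echo "Please run as root"
    exit 1
fi

# Everything below runs from the root home directory (~/certificates).
cd ~ || exit 1
echo '
▒█████ ██▓███ ▓█████ ███▄ █ ▄████▄ ▒█████ ███▄ █ ███▄ █ ▓█████ ▄████▄ ▄▄▄█████▓
▒██▒ ██▒▓██░ ██▒▓█ ▀ ██ ▀█ █ ▒██▀ ▀█ ▒██▒ ██▒ ██ ▀█ █ ██ ▀█ █ ▓█ ▀ ▒██▀ ▀█ ▓ ██▒ ▓▒
▒██░ ██▒▓██░ ██▓▒▒███ ▓██ ▀█ ██▒ ▒▓█ ▄ ▒██░ ██▒▓██ ▀█ ██▒▓██ ▀█ ██▒▒███ ▒▓█ ▄ ▒ ▓██░ ▒░
▒██ ██░▒██▄█▓▒ ▒▒▓█ ▄ ▓██▒ ▐▌██▒ ▒▓▓▄ ▄██▒▒██ ██░▓██▒ ▐▌██▒▓██▒ ▐▌██▒▒▓█ ▄ ▒▓▓▄ ▄██▒░ ▓██▓ ░
░ ████▓▒░▒██▒ ░ ░░▒████▒▒██░ ▓██░ ▒ ▓███▀ ░░ ████▓▒░▒██░ ▓██░▒██░ ▓██░░▒████▒▒ ▓███▀ ░ ▒██▒ ░
░ ▒░▒░▒░ ▒▓▒░ ░ ░░░ ▒
░ ░░ ▒░ ▒ ▒ ░ ░▒ ▒ ░░ ▒░▒░▒░ ░ ▒░ ▒ ▒ ░ ▒░ ▒ ▒ ░░ ▒░ ░░ ░▒ ▒ ░ ▒ ░░
░ ▒ ▒░ ░▒ ░ ░ ░ ░░ ░░ ░ ▒░ ░ ▒ ░ ▒ ▒░ ░ ░░ ░ ▒░░ ░░ ░ ▒░ ░ ░ ░ ░ ▒ ░
░ ░ ░ ▒ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░
░ ░
██▒ █▓ ██▓███ ███▄ █ ██████ ▓█████ ██▀███ ██▒ █▓▓█████ ██▀███
▓██░ █▒▓██░ ██▒ ██ ▀█ █ ▒██ ▒ ▓█ ▀ ▓██ ▒ ██▒▓██░ █▒▓█ ▀ ▓██ ▒ ██▒
▓██ █▒░▓██░ ██▓▒▓██ ▀█ ██▒ ░ ▓██▄ ▒███ ▓██ ░▄█ ▒ ▓██ █▒░▒███ ▓██ ░▄█ ▒
▒██ █░░▒██▄█▓▒ ▒▓██▒ ▐▌██▒ ▒ ██▒▒▓█ ▄ ▒██▀▀█▄ ▒██ █░░▒▓█ ▄ ▒██▀▀█▄
▒▀█░ ▒██▒ ░ ░▒██░ ▓██░ ▒██████▒▒░▒████▒░██▓ ▒██▒ ▒▀█░ ░▒████▒░██▓ ▒██▒
░ ▐░ ▒▓▒░ ░ ░░ ▒░ ▒ ▒ ▒ ▒▓▒ ▒ ░░░ ▒░ ░░ ▒▓ ░▒▓░ ░ ▐░ ░░ ▒░ ░░ ▒▓ ░▒▓░
░ ░░ ░▒ ░ ░ ░░ ░ ▒░ ░ ░▒ ░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ░░ ░ ░ ░ ░▒ ░ ▒░
░░ ░░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░░ ░ ░░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░
'

PS3='Please enter your choice: '
options=("Install" "Uninstall" "Add User" "Change Password" "Show Users" "Delete User" "Lock User" "Unlock User" "Quit")
select opt in "${options[@]}"
do
    case $opt in
        "Install")
            install
            break
            ;;
        "Uninstall")
            uninstall
            break
            ;;
        "Add User")
            addUser
            break
            ;;
        "Change Password")
            addUser
            break
            ;;
        "Show Users")
            showUsers
            break
            ;;
        "Delete User")
            deleteUser
            break
            ;;
        "Lock User")
            lockUser
            break
            ;;
        "Unlock User")
            unlockUser
            break
            ;;
        "Quit")
            break
            ;;
        *) echo "invalid option $REPLY";;
    esac
done

--------------------------------------------------------------------------------
/ocserv.conf:
--------------------------------------------------------------------------------
1 | ### The following directives do not change with server reload. 2 | 3 | # User authentication method. To require multiple methods to be 4 | # used for the user to login, add multiple auth directives. The values 5 | # in the 'auth' directive are AND composed (if multiple all must 6 | # succeed). 7 | # Available options: certificate, plain, pam, radius, gssapi. 8 | # Note that authentication methods utilizing passwords cannot be 9 | # combined (e.g., the plain, pam or radius methods). 10 | 11 | # certificate: 12 | # This indicates that all connecting users must present a certificate. 13 | # The username and user group will be then extracted from it (see 14 | # cert-user-oid and cert-group-oid). The certificate to be accepted 15 | # it must be signed by the CA certificate as specified in 'ca-cert' and 16 | # it must not be listed in the CRL, as specified by the 'crl' option. 17 | # 18 | # pam[gid-min=1000]: 19 | # This enabled PAM authentication of the user. 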
The gid-min option is used 20 | # by auto-select-group option, in order to select the minimum valid group ID. 21 | # 22 | # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] 23 | # The plain option requires specifying a password file which contains 24 | # entries of the following format. 25 | # "username:groupname1,groupname2:encoded-password" 26 | # One entry must be listed per line, and 'ocpasswd' should be used 27 | # to generate password entries. The 'otp' suboption allows one to specify 28 | # an oath password file to be used for one time passwords; the format of 29 | # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile 30 | # 31 | # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: 32 | # The radius option requires specifying freeradius-client configuration 33 | # file. If the groupconfig option is set, then config-per-user/group will be overridden, 34 | # and all configuration will be read from radius. That also includes the 35 | # Acct-Interim-Interval, and Session-Timeout values. 36 | # 37 | # See doc/README-radius.md for the supported radius configuration attributes. 38 | # 39 | # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] 40 | # The gssapi option allows one to use authentication methods supported by GSSAPI, 41 | # such as Kerberos tickets with ocserv. It should be best used as an alternative 42 | # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with 43 | # tickets and without tickets to login. The default value for require-local-user-map 44 | # is true. The 'tgt-freshness-time' option, if set, requires the TGT tickets presented 45 | # to have been issued within the provided number of seconds. That option is used to 46 | # restrict logins even if the KDC provides long time TGT tickets. 
47 | 48 | #auth = "pam" 49 | #auth = "pam[gid-min=1000]" 50 | #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" 51 | auth = "plain[passwd=/etc/ocserv/ocpasswd]" 52 | #auth = "certificate" 53 | #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" 54 | 55 | # Specify alternative authentication methods that are sufficient 56 | # for authentication. That is, if set, any of the methods enabled 57 | # will be sufficient to login, irrespective of the main 'auth' entries. 58 | # When multiple options are present, they are OR composed (any of them 59 | # succeeding allows login). 60 | #enable-auth = "certificate" 61 | #enable-auth = "gssapi" 62 | #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" 63 | 64 | # Accounting methods available: 65 | # radius: can be combined with any authentication method, it provides 66 | # radius accounting to available users (see also stats-report-time). 67 | # 68 | # pam: can be combined with any authentication method, it provides 69 | # a validation of the connecting user's name using PAM. It is 70 | # superfluous to use this method when authentication is already 71 | # PAM. 72 | # 73 | # Only one accounting method can be specified. 74 | #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" 75 | 76 | # Use listen-host to limit to specific IPs or to the IPs of a provided 77 | # hostname. 78 | #listen-host = [IP|HOSTNAME] 79 | 80 | # Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided 81 | # hostname. if not set, listen-host will be used 82 | #udp-listen-host = [IP|HOSTNAME] 83 | 84 | # When the server has a dynamic DNS address (that may change), 85 | # should set that to true to ask the client to resolve again on 86 | # reconnects. 
87 | #listen-host-is-dyndns = true 88 | 89 | # move the listen socket within the specified network namespace 90 | # listen-netns = "foo" 91 | 92 | # TCP and UDP port number 93 | tcp-port = 443 94 | # udp-port = 443 95 | 96 | # The user the worker processes will be run as. This should be a dedicated 97 | # unprivileged user (e.g., 'ocserv') and no other services should run as this 98 | # user. 99 | run-as-user = nobody 100 | run-as-group = daemon 101 | 102 | # socket file used for IPC with occtl. You only need to set that, 103 | # if you use more than a single servers. 104 | #occtl-socket-file = /var/run/occtl.socket 105 | 106 | # socket file used for server IPC (worker-main), will be appended with .PID 107 | # It must be accessible within the chroot environment (if any), so it is best 108 | # specified relatively to the chroot directory. 109 | socket-file = /var/run/ocserv-socket 110 | 111 | # The default server directory. Does not require any devices present. 112 | #chroot-dir = /var/lib/ocserv 113 | 114 | # The key and the certificates of the server 115 | # The key may be a file, or any URL supported by GnuTLS (e.g., 116 | # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user 117 | # or pkcs11:object=my-vpn-key;object-type=private) 118 | # 119 | # The server-cert file may contain a single certificate, or 120 | # a sorted certificate chain. 121 | # There may be multiple server-cert and server-key directives, 122 | # but each key should correspond to the preceding certificate. 123 | # The certificate files will be reloaded when changed allowing for in-place 124 | # certificate renewal (they are checked and reloaded periodically; 125 | # a SIGHUP signal to main server will force reload). 126 | 127 | #server-cert = /etc/ocserv/server-cert.pem 128 | #server-key = /etc/ocserv/server-key.pem 129 | server-cert = /etc/ocserv/certs/server-cert.pem 130 | server-key = /etc/ocserv/certs/server-key.pem 131 | 132 | # Diffie-Hellman parameters. 
Only needed if for old (pre 3.6.0 133 | # versions of GnuTLS for supporting DHE ciphersuites. 134 | # Can be generated using: 135 | # certtool --generate-dh-params --outfile /etc/ocserv/dh.pem 136 | #dh-params = /etc/ocserv/dh.pem 137 | 138 | # In case PKCS #11, TPM or encrypted keys are used the PINs should be available 139 | # in files. The srk-pin-file is applicable to TPM keys only, and is the 140 | # storage root key. 141 | #pin-file = /etc/ocserv/pin.txt 142 | #srk-pin-file = /etc/ocserv/srkpin.txt 143 | 144 | # The password or PIN needed to unlock the key in server-key file. 145 | # Only needed if the file is encrypted or a PKCS #11 object. This 146 | # is an alternative method to pin-file. 147 | #key-pin = 1234 148 | 149 | # The SRK PIN for TPM. 150 | # This is an alternative method to srk-pin-file. 151 | #srk-pin = 1234 152 | 153 | # The Certificate Authority that will be used to verify 154 | # client certificates (public keys) if certificate authentication 155 | # is set. 156 | #ca-cert = /etc/ocserv/ca.pem 157 | ca-cert = /etc/ocserv/certs/ca-cert.pem 158 | 159 | 160 | ### All configuration options below this line are reloaded on a SIGHUP. 161 | ### The options above, will remain unchanged. Note however, that the 162 | ### server-cert, server-key, dh-params and ca-cert options will be reloaded 163 | ### if the provided file changes, on server reload. That allows certificate 164 | ### rotation, but requires the server key to remain the same for seamless 165 | ### operation. If the server key changes on reload, there may be connection 166 | ### failures during the reloading time. 167 | 168 | 169 | # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 170 | # system calls allowed to a worker process, in order to reduce damage from a 171 | # bug in the worker process. It is available on Linux systems at a performance cost. 172 | # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). 
173 | # Note however, that process isolation is restricted to the specific libc versions 174 | # the isolation was tested at. If you get random failures on worker processes, try 175 | # disabling that option and report the failures you, along with system and debugging 176 | # information at: https://gitlab.com/ocserv/ocserv/issues 177 | isolate-workers = true 178 | 179 | # A banner to be displayed on clients after connection 180 | #banner = "Welcome" 181 | 182 | # A banner to be displayed on clients before connection 183 | #pre-login-banner = "Welcome" 184 | 185 | # Limit the number of clients. Unset or set to zero if unknown. In 186 | # that case the maximum value is ~8k clients. 187 | #max-clients = 1024 188 | max-clients = 16 189 | 190 | # Limit the number of identical clients (i.e., users connecting 191 | # multiple times). Unset or set to zero for unlimited. 192 | max-same-clients = 2 193 | 194 | # When the server receives connections from a proxy, like haproxy 195 | # which supports the proxy protocol, set this to obtain the correct 196 | # client addresses. The proxy protocol would then be expected in 197 | # the TCP or UNIX socket (not the UDP one). Although both v1 198 | # and v2 versions of proxy protocol are supported, the v2 version 199 | # is recommended as it is more efficient in parsing. 200 | #listen-proxy-proto = true 201 | 202 | # Rate limit the number of incoming connections to one every X milliseconds 203 | # (X is the provided value), as the secmod backlog grows. This 204 | # makes the server more resilient (and prevents connection failures) on 205 | # multiple concurrent connections. Set to zero for no limit. 206 | rate-limit-ms = 100 207 | 208 | # Stats report time. The number of seconds after which each 209 | # worker process will report its usage statistics (number of 210 | # bytes transferred etc). This is useful when accounting like 211 | # radius is in use. 212 | #stats-report-time = 360 213 | 214 | # Stats reset time. 
The period of time statistics kept by main/sec-mod 215 | # processes will be reset. These are the statistics shown by cmd 216 | # 'occtl show stats'. For daily: 86400, weekly: 604800 217 | # This is unrelated to stats-report-time. 218 | server-stats-reset-time = 604800 219 | 220 | # Keepalive in seconds 221 | keepalive = 32400 222 | 223 | # Dead peer detection in seconds. 224 | # Note that when the client is behind a NAT this value 225 | # needs to be short enough to prevent the NAT disassociating 226 | # his UDP session from the port number. Otherwise the client 227 | # could have his UDP connection stalled, for several minutes. 228 | dpd = 90 229 | 230 | # Dead peer detection for mobile clients. That needs to 231 | # be higher to prevent such clients being awaken too 232 | # often by the DPD messages, and save battery. 233 | # The mobile clients are distinguished from the header 234 | # 'X-AnyConnect-Identifier-Platform'. 235 | mobile-dpd = 1800 236 | 237 | # If using DTLS, and no UDP traffic is received for this 238 | # many seconds, attempt to send future traffic over the TCP 239 | # connection instead, in an attempt to wake up the client 240 | # in the case that there is a NAT and the UDP translation 241 | # was deleted. If this is unset, do not attempt to use this 242 | # recovery mechanism. 243 | switch-to-tcp-timeout = 25 244 | 245 | # MTU discovery (DPD must be enabled) 246 | try-mtu-discovery = true 247 | 248 | # To enable load-balancer connection draining, set server-drain-ms to a value 249 | # higher than your load-balancer health probe interval. 250 | #server-drain-ms = 15000 251 | 252 | # If you have a certificate from a CA that provides an OCSP 253 | # service you may provide a fresh OCSP status response within 254 | # the TLS handshake. That will prevent the client from connecting 255 | # independently on the OCSP server. 
256 | # You can update this response periodically using: 257 | # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response 258 | # Make sure that you replace the following file in an atomic way. 259 | #ocsp-response = /etc/ocserv/ocsp.der 260 | 261 | # The object identifier that will be used to read the user ID in the client 262 | # certificate. The object identifier should be part of the certificate's DN 263 | # Useful OIDs are: 264 | # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name) 265 | cert-user-oid = 2.5.4.3 266 | 267 | # The object identifier that will be used to read the user group in the 268 | # client certificate. The object identifier should be part of the certificate's 269 | # DN. If the user may belong to multiple groups, then use multiple such fields 270 | # in the certificate's DN. Useful OIDs are: 271 | # OU (organizational unit) = 2.5.4.11 272 | #cert-group-oid = 2.5.4.11 273 | 274 | # The revocation list of the certificates issued by the 'ca-cert' above. 275 | # See the manual to generate an empty CRL initially. The CRL will be reloaded 276 | # periodically when ocserv detects a change in the file. To force a reload use 277 | # SIGHUP. 278 | #crl = /etc/ocserv/crl.pem 279 | 280 | # Uncomment this to enable compression negotiation (LZS, LZ4). 281 | compression = true 282 | 283 | # Set the minimum size under which a packet will not be compressed. 284 | # That is to allow low-latency for VoIP packets. The default size 285 | # is 256 bytes. Modify it if the clients typically use compression 286 | # as well of VoIP with codecs that exceed the default value. 287 | no-compress-limit = 256 288 | 289 | # GnuTLS priority string; note that SSL 3.0 is disabled by default 290 | # as there are no openconnect (and possibly anyconnect clients) using 291 | # that protocol. The string below does not enforce perfect forward 292 | # secrecy, in order to be compatible with legacy clients. 
293 | # 294 | # Note that the most performant ciphersuites are the moment are the ones 295 | # involving AES-GCM. These are very fast in x86 and x86-64 hardware, and 296 | # in addition require no padding, thus taking full advantage of the MTU. 297 | # For that to be taken advantage of, the openconnect client must be 298 | # used, and the server must be compiled against GnuTLS 3.2.7 or later. 299 | # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance 300 | # difference with AES_128_CBC_SHA1 (the default for anyconnect clients) 301 | # in your system. 302 | 303 | tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" 304 | 305 | # More combinations in priority strings are available, check 306 | # http://gnutls.org/manual/html_node/Priority-Strings.html 307 | # E.g., the string below enforces perfect forward secrecy (PFS) 308 | # on the main channel. 309 | #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" 310 | 311 | # That option requires the established DTLS channel to use the same 312 | # cipher as the primary TLS channel. This cannot be combined with 313 | # listen-clear-file since the ciphersuite information is not available 314 | # in that configuration. Note also, that this option implies that 315 | # dtls-legacy option is false; this option cannot be enforced 316 | # in the legacy/compat protocol. 317 | #match-tls-dtls-ciphers = true 318 | 319 | # The time (in seconds) that a client is allowed to stay connected prior 320 | # to authentication 321 | auth-timeout = 240 322 | 323 | # The time (in seconds) that a client is allowed to stay idle (no traffic) 324 | # before being disconnected. Unset to disable. 325 | #idle-timeout = 1200 326 | 327 | # The time (in seconds) that a client is allowed to stay connected 328 | # Unset to disable. 
When set a client will be disconnected after being 329 | # continuously connected for this amount of time, and its cookies will 330 | # be invalidated (i.e., re-authentication will be required). 331 | #session-timeout = 86400 332 | 333 | # The time (in seconds) that a mobile client is allowed to stay idle (no 334 | # traffic) before being disconnected. Unset to disable. 335 | #mobile-idle-timeout = 2400 336 | 337 | # The time (in seconds) that a client is not allowed to reconnect after 338 | # a failed authentication attempt. 339 | min-reauth-time = 300 340 | 341 | # Banning clients in ocserv works with a point system. IP addresses 342 | # that get a score over that configured number are banned for 343 | # min-reauth-time seconds. By default a wrong password attempt is 10 points, 344 | # a KKDCP POST is 1 point, and a connection is 1 point. Note that 345 | # due to difference processes being involved the count of points 346 | # will not be real-time precise. 347 | # 348 | # Score banning cannot be reliably used when receiving proxied connections 349 | # locally from an HTTP server (i.e., when listen-clear-file is used). 350 | # 351 | # Set to zero to disable. 352 | max-ban-score = 80 353 | 354 | # The time (in seconds) that all score kept for a client is reset. 355 | ban-reset-time = 1200 356 | 357 | # In case you'd like to change the default points. 358 | #ban-points-wrong-password = 10 359 | #ban-points-connection = 1 360 | #ban-points-kkdcp = 1 361 | 362 | # Cookie timeout (in seconds) 363 | # Once a client is authenticated he's provided a cookie with 364 | # which he can reconnect. That cookie will be invalidated if not 365 | # used within this timeout value. This cookie remains valid, during 366 | # the user's connected time, and after user disconnection it 367 | # remains active for this amount of time. That setting should allow a 368 | # reasonable amount of time for roaming between different networks. 
369 | cookie-timeout = 300 370 | 371 | # If this is enabled (not recommended) the cookies will stay 372 | # valid even after a user manually disconnects, and until they 373 | # expire. This may improve roaming with some broken clients. 374 | #persistent-cookies = true 375 | 376 | # Whether roaming is allowed, i.e., if true a cookie is 377 | # restricted to a single IP address and cannot be re-used 378 | # from a different IP. 379 | deny-roaming = false 380 | 381 | # ReKey time (in seconds) 382 | # ocserv will ask the client to refresh keys periodically once 383 | # this amount of seconds is elapsed. Set to zero to disable (note 384 | # that, some clients fail if rekey is disabled). 385 | rekey-time = 172800 386 | 387 | # ReKey method 388 | # Valid options: ssl, new-tunnel 389 | # ssl: Will perform an efficient rehandshake on the channel allowing 390 | # a seamless connection during rekey. 391 | # new-tunnel: Will instruct the client to discard and re-establish the channel. 392 | # Use this option only if the connecting clients have issues with the ssl 393 | # option. 394 | rekey-method = ssl 395 | 396 | # Script to call when a client connects and obtains an IP. 397 | # The following parameters are passed on the environment. 398 | # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), 399 | # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL 400 | # (the local interface IP the client connected), IP_LOCAL 401 | # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), 402 | # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 403 | # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and 404 | # ID (a unique numeric ID); REASON may be "connect" or "disconnect". 
405 | # In addition the following variables OCSERV_ROUTES (the applied routes for this 406 | # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), 407 | # will contain a space separated list of routes or DNS servers. A version 408 | # of these variables with the 4 or 6 suffix will contain only the IPv4 or 409 | # IPv6 values. The connect script must return zero as exit code, or the 410 | # client connection will be refused. 411 | 412 | # The disconnect script will receive the additional values: STATS_BYTES_IN, 413 | # STATS_BYTES_OUT, STATS_DURATION that contain 64-bit counters of the bytes 414 | # passed through the tun device, and the duration of the session in seconds. 415 | 416 | #connect-script = /usr/bin/myscript 417 | #disconnect-script = /usr/bin/myscript 418 | 419 | # This script is to be called when the client's advertised hostname becomes 420 | # available. It will contain REASON with "host-update" value and the 421 | # variable REMOTE_HOSTNAME in addition to the connect variables. Note that 422 | # REMOTE_HOSTNAME is supplied by the client: quote it and never interpolate it into a shell command line. 423 | #host-update-script = /usr/bin/myhostnamescript 424 | 425 | # UTMP 426 | # Register the connected clients to utmp. This will allow viewing 427 | # the connected clients using the command 'who'. 428 | #use-utmp = true 429 | 430 | # Whether to enable support for the occtl tool (i.e., either through D-BUS, 431 | # or via a unix socket). 432 | use-occtl = true 433 | 434 | # PID file. It can be overridden in the command line. 435 | pid-file = /var/run/ocserv.pid 436 | 437 | # Set the protocol-defined priority (SO_PRIORITY) for packets to 438 | # be sent. That is a number from 0 to 6 with 0 being the lowest 439 | # priority. Alternatively this can be used to set the IP Type- 440 | # Of-Service, by setting it to a hexadecimal number (e.g., 0x20). 441 | # This can be set per user/group or globally. 442 | #net-priority = 3 443 | 444 | # Set the VPN worker process into a specific cgroup. 
This is Linux 445 | # specific and can be set per user/group or globally. 446 | #cgroup = "cpuset,cpu:test" 447 | 448 | # 449 | # Network settings 450 | # 451 | 452 | # The name to use for the tun device 453 | device = vpns 454 | 455 | # Whether the generated IPs will be predictable, i.e., IP stays the 456 | # same for the same user when possible. 457 | predictable-ips = true 458 | 459 | # The default domain to be advertised. Multiple domains (functional on 460 | # openconnect clients) can be provided in a space separated list. 461 | default-domain = example.com 462 | #default-domain = "example.com one.example.com" 463 | 464 | # The pool of addresses that leases will be given from. If the leases 465 | # are given via Radius, or via the explicit-ipv4/explicit-ipv6 per-user config options, then 466 | # these network values should contain a network with at least a single 467 | # address that will remain under the full control of ocserv (that is 468 | # to be able to assign the local part of the tun device address). 469 | # Note that you could use addresses from a subnet of your LAN network if you 470 | # enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html); 471 | # in that case it is recommended to set ping-leases to true. 472 | ipv4-network = 10.11.0.0 473 | ipv4-netmask = 255.255.255.0 474 | 475 | # An alternative way of specifying the network: 476 | #ipv4-network = 192.168.1.0/24 477 | 478 | # The IPv6 subnet that leases will be given from. 479 | #ipv6-network = fda9:4efe:7e3b:03ea::/48 480 | 481 | # Specify the size of the network to provide to clients. It is 482 | # generally recommended to provide clients with a /64 network in 483 | # IPv6, but any subnet may be specified. To provide clients only 484 | # with a single IP use the prefix 128. 485 | #ipv6-subnet-prefix = 128 486 | #ipv6-subnet-prefix = 64 487 | 488 | # Whether to tunnel all DNS queries via the VPN. This is the default 489 | # when a default route is set. 
490 | #tunnel-all-dns = true 491 | 492 | # The advertised DNS servers. Use multiple lines for 493 | # multiple servers. The resolvers below are public ones; since this file sets 494 | # route = default, clients will reach them through the tunnel, so every client 495 | # DNS query leaves via this server. Replace them with internal resolvers if the 496 | # VPN is meant to serve private names. 494 | # dns = fc00::4be0 495 | dns = 1.1.1.1 496 | dns = 8.8.8.8 497 | dns = 8.8.4.4 498 | 499 | # The NBNS server (if any) 500 | #nbns = 192.168.1.3 501 | 502 | # The domains over which the provided DNS should be used. Use 503 | # multiple lines for multiple domains. 504 | #split-dns = example.com 505 | 506 | # Prior to leasing any IP from the pool ping it to verify that 507 | # it is not in use by another (unrelated to this server) host. 508 | # Only set to true if there can be occupied addresses in the 509 | # IP range for leases. 510 | ping-leases = false 511 | 512 | # Use this option to set a link MTU value to the incoming 513 | # connections. Unset to use the default MTU of the TUN device. 514 | # Note that the MTU is negotiated using the value set and the 515 | # value sent by the peer. 516 | #mtu = 1420 517 | 518 | # Set to enable bandwidth restrictions (in bytes/sec). The 519 | # setting here is global, but can also be set per user or per group. 520 | #rx-data-per-sec = 40000 521 | #tx-data-per-sec = 40000 522 | 523 | # The number of packets (of MTU size) that are available in 524 | # the output buffer. The default is low to improve latency. 525 | # Setting it higher will improve throughput. 526 | #output-buffer = 10 527 | 528 | # Routes to be forwarded to the client. If you need the 529 | # client to forward routes to the server, you may use the 530 | # config-per-user/group or even connect and disconnect scripts. 531 | # 532 | # To set the server as the default gateway for the client just 533 | # comment out all routes from the server, or use the special keyword 534 | # 'default'. With 'default' (as set here) all client traffic, not just traffic to 535 | # the VPN subnet, is sent through this server. 536 | #route = 10.11.0.0/255.255.255.0 537 | #route = 192.168.0.0/255.255.0.0 538 | #route = fef4:db8:1000:1001::/64 539 | route = default 540 | 541 | # Subsets of the routes above that will not be routed by 542 | # the server. 
543 | 544 | #no-route = 192.168.5.0/255.255.255.0 545 | 546 | # Note that the following two firewalling options currently are available 547 | # only on Linux systems with the iptables software. 548 | 549 | # If set, the script /usr/bin/ocserv-fw will be called to restrict 550 | # the user to their allowed routes and prevent them from accessing 551 | # any other routes. In case of a default route, the no-routes are restricted. 552 | # All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw 553 | # --removeall. This option can be set globally or in the per-user configuration. 554 | # It is left unset in this file, so nothing beyond the server's own routing and 555 | # firewall limits what a connected client can reach; enable it if clients should 556 | # be confined to the advertised routes. 554 | #restrict-user-to-routes = true 555 | 556 | # This option implies restrict-user-to-routes set to true. If set, the 557 | # script /usr/bin/ocserv-fw will be called to restrict the user to 558 | # access specific ports in the network. This option can be set globally 559 | # or in the per-user configuration. 560 | #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" 561 | 562 | # You could also use negation, i.e., block the user from accessing these ports only. 563 | #restrict-user-to-ports = "!(tcp(443), tcp(80))" 564 | 565 | # When set to true, all clients' iroutes are made visible to all 566 | # connecting clients except for the ones offering them. This option 567 | # only makes sense if config-per-user is set. 568 | #expose-iroutes = true 569 | 570 | # Groups that a client is allowed to select from. 571 | # A client may belong in multiple groups, and in certain use-cases 572 | # it is needed to switch between them. For these cases the client can 573 | # select prior to authentication. Add multiple entries for multiple groups. 574 | # The group may be followed by a user-friendly name in brackets. 575 | #select-group = group1 576 | #select-group = group2[My special group] 577 | 578 | # The name of the (virtual) group that, if selected, would assign the user 579 | # to its default group. 
580 | #default-select-group = DEFAULT 581 | 582 | # Instead of specifying manually all the allowed groups, you may instruct 583 | # ocserv to scan all available groups and include the full list. 584 | #auto-select-group = true 585 | 586 | # Configuration files that will be applied per user connection or 587 | # per group. Each file name on these directories must match the username 588 | # or the groupname. 589 | # The options allowed in the configuration files are dns, nbns, 590 | # ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route, 591 | # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 592 | # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, 593 | # restrict-user-to-routes, cgroup, stats-report-time, 594 | # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, 595 | # split-dns and session-timeout. 596 | # 597 | # Note that the 'iroute' option allows one to add routes on the server 598 | # based on a user or group. The syntax depends on the input accepted 599 | # by the commands route-add-cmd and route-del-cmd (see below). The no-udp 600 | # is a boolean option (e.g., no-udp = true), and will prevent a UDP session 601 | # for that specific user or group. The hostname option will set a 602 | # hostname to override any proposed by the user. Note also, that, any 603 | # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. 604 | 605 | #config-per-user = /etc/ocserv/config-per-user/ 606 | #config-per-group = /etc/ocserv/config-per-group/ 607 | 608 | # When config-per-xxx is specified and there is no group or user that 609 | # matches, then utilize the following configuration. 610 | #default-user-config = /etc/ocserv/defaults/user.conf 611 | #default-group-config = /etc/ocserv/defaults/group.conf 612 | 613 | # The system command to use to setup a route. %{R} will be replaced with the 614 | # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. 
615 | # 616 | # The following example is from Linux systems. %{R} should be something 617 | # like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute). 618 | 619 | #route-add-cmd = "ip route add %{R} dev %{D}" 620 | #route-del-cmd = "ip route delete %{R} dev %{D}" 621 | 622 | # This option allows one to forward a proxy URL to the client. The special keywords '%{U}' 623 | # and '%{G}', if present, will be replaced by the username and group name. 624 | #proxy-url = http://example.com/ 625 | #proxy-url = http://example.com/%{U}/ 626 | 627 | # This option allows you to specify a URL location where a client can 628 | # post using MS-KKDCP, and the message will be forwarded to the provided 629 | # KDC server. That is a translation URL between HTTP and Kerberos. 630 | # In MIT kerberos you'll need to add in realms: 631 | # EXAMPLE.COM = { 632 | # kdc = https://ocserv.example.com/KdcProxy 633 | # http_anchors = FILE:/etc/ocserv-ca.pem 634 | # } 635 | # In some distributions the krb5-k5tls plugin of kinit is required. 636 | # 637 | # The following option is available in ocserv when compiled with GSSAPI support. 638 | 639 | #kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" 640 | #kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" 641 | #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" 642 | #kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" 643 | 644 | # Client profile xml. This can be used to advertise alternative servers 645 | # to the client. A minimal file can be: 646 | # 647 | # <?xml version="1.0" encoding="UTF-8"?> 648 | # <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"> 649 | #   <ServerList> 650 | #     <HostEntry> 650 | #       <HostName>VPN Server name</HostName> 651 | #       <HostAddress>localhost</HostAddress> 652 | #     </HostEntry> 653 | #   </ServerList> 654 | # </AnyConnectProfile> 655 | # 656 | # Other fields may be used by some of the CISCO clients. 657 | # This file must be accessible from inside the worker's chroot. 658 | # Note that: 659 | # (1) enabling this option is not recommended as it will allow the 660 | # worker processes to open arbitrary files (when isolate-workers is 661 | # set to true). 
662 | # (2) This option cannot be set per-user or per-group; only the global 663 | # version is being sent to the client. 664 | #user-profile = profile.xml 665 | 666 | # 667 | # The following options are for (experimental) AnyConnect client 668 | # compatibility. 669 | 670 | # This option will enable the pre-draft-DTLS version of DTLS, and 671 | # will not require clients to present their certificate on every TLS 672 | # connection. It must be set to true to support legacy CISCO clients 673 | # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. 674 | # Because it relaxes the per-connection client-certificate check, leave it false 675 | # unless such legacy clients are actually in use. 674 | cisco-client-compat = true 675 | 676 | # This option allows one to disable the DTLS-PSK negotiation (enabled by default). 677 | # The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate 678 | # the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the 679 | # DTLS channel to negotiate its ciphers and the DTLS protocol version. 680 | #dtls-psk = false 681 | 682 | # This option allows one to disable the legacy DTLS negotiation (enabled by default, 683 | # but that may change in the future). 684 | # The legacy DTLS uses a pre-draft version of the DTLS protocol inherited 685 | # from the AnyConnect protocol. It has several limitations that are addressed 686 | # by the dtls-psk protocol supported by openconnect 7.08+; prefer dtls-psk and 687 | # keep this enabled only while pre-7.08 or Cisco clients must connect. 687 | dtls-legacy = true 688 | 689 | #Advanced options 690 | 691 | # Option to allow sending arbitrary custom headers to the client after 692 | # authentication and prior to VPN tunnel establishment. You shouldn't 693 | # need to use this option normally; if you do and you think that 694 | # this may help others, please send your settings and reason to 695 | # the openconnect mailing list. The special keywords '%{U}' 696 | # and '%{G}', if present, will be replaced by the username and group name. 
697 | #custom-header = "X-My-Header: hi there" 698 | # custom-header = "X-Powered-By: PHP/5.2.17" 699 | 700 | 701 | 702 | # An example virtual host with different authentication methods serviced 703 | # by this server. 704 | 705 | #[vhost:www.example.com] 706 | #auth = "certificate" 707 | 708 | #ca-cert = ../tests/certs/ca.pem 709 | 710 | # The certificate set here must include a 'dns_name' corresponding to 711 | # the virtual host name. 712 | 713 | #server-cert = ../tests/certs/server-cert-secp521r1.pem 714 | #server-key = ../tests/certs/server-key-secp521r1.pem 715 | 716 | #ipv4-network = 192.168.2.0 717 | #ipv4-netmask = 255.255.255.0 718 | 719 | #cert-user-oid = 0.9.2342.19200300.100.1.1 --------------------------------------------------------------------------------