├── Dockerfile
├── README.md
├── bin
│   └── vpn_run
├── certs
│   ├── ca-tmp
│   ├── serv-tmp
│   └── user-tmp
├── changelog
├── deploys
│   ├── deploy.yml
│   └── restart.yml
├── dnsmasq.conf
└── ocserv
    ├── ocpasswd
    └── ocserv.conf

/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:trusty
MAINTAINER Wyatt Pan

ADD ./certs /opt/certs
ADD ./bin /usr/local/bin
ADD dnsmasq.conf /usr/local/etc/dnsmasq.conf
RUN chmod a+x /usr/local/bin/*
WORKDIR /etc/ocserv

# China timezone
RUN echo "Asia/Shanghai" > /etc/timezone

# install compiler, dependencies, tools, dnsmasq
RUN apt-get update && apt-get install -y \
    build-essential wget xz-utils libgnutls28-dev \
    libev-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev \
    libnl-route-3-dev libkrb5-dev liboath-dev libtalloc-dev \
    libhttp-parser-dev libpcl1-dev libopts25-dev autogen pkg-config nettle-dev \
    gnutls-bin gperf liblockfile-bin nuttcp lcov iptables unzip dnsmasq \
    && rm -rf /var/lib/apt/lists/*

# configure dnsmasq: install the dnsmasq-china-list zone files
RUN mkdir -p /temp && cd /temp \
    && wget https://github.com/felixonmars/dnsmasq-china-list/archive/master.zip \
    && unzip master.zip \
    && cd dnsmasq-china-list-master \
    && cp *.conf /etc/dnsmasq.d/ \
    && cd / && rm -rf /temp

# build lz4: the GitHub release page is scraped for the latest tag
# (the pattern only matches single-digit version components)
RUN mkdir -p /temp && cd /temp \
    && wget https://github.com/lz4/lz4/releases/latest -O lz4.html \
    && export lz4_version=$(grep -m 1 -o 'v[0-9]\.[0-9]\.[0-9]' lz4.html) \
    && export lz4_suffix=$(grep -m 1 -o '[0-9]\.[0-9]\.[0-9]' lz4.html) \
    && wget https://github.com/lz4/lz4/archive/$lz4_version.tar.gz \
    && tar xvf $lz4_version.tar.gz \
    && cd lz4-$lz4_suffix \
    && make install \
    && ln -sf /usr/local/lib/liblz4.* /usr/lib/ \
    && cd / && rm -rf /temp

# build ocserv: the download page is scraped for the current version number;
# only the first match is kept so the variable never holds several versions
RUN mkdir -p /temp && cd /temp \
    && wget https://ocserv.gitlab.io/www/download.html \
    && export ocserv_version=$(grep -o '[0-9]*\.[0-9]*\.[0-9]*' download.html | head -n 1) \
    && wget ftp://ftp.infradead.org/pub/ocserv/ocserv-$ocserv_version.tar.xz \
    && tar xvf ocserv-$ocserv_version.tar.xz \
    && cd ocserv-$ocserv_version \
    && ./configure --prefix=/usr --sysconfdir=/etc --with-local-talloc \
    && make && make install \
    && cd / && rm -rf /temp

# generate SSL keys: fill the certtool templates with random names so that
# every build gets its own CA, server and user identity
RUN cd /opt/certs \
    && ca_cn=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1) \
    && sed -i "s/Your desired authority name/$ca_cn/g" /opt/certs/ca-tmp \
    && ca_org=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1) \
    && sed -i "s/Your desired orgnization name/$ca_org/g" /opt/certs/ca-tmp \
    && serv_domain=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1) \
    && sed -i "s/yourdomainname/$serv_domain/g" /opt/certs/serv-tmp \
    && serv_org=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1) \
    && sed -i "s/Your desired orgnization name/$serv_org/g" /opt/certs/serv-tmp \
    && user_id=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head -n 1) \
    && sed -i "s/user/$user_id/g" /opt/certs/user-tmp

# generate [ca-key.pem] -> ca-cert.pem [ca-key]
RUN certtool --generate-privkey --outfile /opt/certs/ca-key.pem \
    && certtool --generate-self-signed --load-privkey /opt/certs/ca-key.pem \
       --template /opt/certs/ca-tmp --outfile /opt/certs/ca-cert.pem
# generate [server-key.pem] -> server-cert.pem [ca-key, server-key]
RUN certtool --generate-privkey --outfile /opt/certs/server-key.pem \
    && certtool --generate-certificate --load-privkey /opt/certs/server-key.pem \
       --load-ca-certificate /opt/certs/ca-cert.pem --load-ca-privkey /opt/certs/ca-key.pem \
       --template /opt/certs/serv-tmp --outfile /opt/certs/server-cert.pem
# generate [user-key.pem] -> user-cert.pem [ca-key, user-key]
RUN certtool --generate-privkey --outfile /opt/certs/user-key.pem \
    && certtool --generate-certificate --load-privkey /opt/certs/user-key.pem \
       --load-ca-certificate /opt/certs/ca-cert.pem --load-ca-privkey /opt/certs/ca-key.pem \
       --template /opt/certs/user-tmp --outfile /opt/certs/user-cert.pem
# generate user.p12 [user-key, user-cert, ca-cert]
# (the export password is fixed at build time; the bundle and the CA key
# stay inside the image layers)
RUN openssl pkcs12 -export -inkey /opt/certs/user-key.pem -in /opt/certs/user-cert.pem \
    -certfile /opt/certs/ca-cert.pem -out /opt/certs/user.p12 -passout pass:616

CMD ["vpn_run"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Purpose

Installing an OpenConnect server by hand takes far too many steps, especially for beginners, so I built an ocserv image modelled on jpetazzo's [dockvpn](https://github.com/jpetazzo/dockvpn). The reasons for this project and a short introduction are in [Enjoy a free internet with ocserv-docker](http://wppurking.github.io/2014/10/11/use-ocserv-docker-to-enjoy-freedom-internet.html).

Questions can go directly to [@wyatt_pan](https://twitter.com/wyatt_pan).


## Quick deployment
After [installing Docker 1.0+](https://gist.github.com/wppurking/55db8651a88425e0f977) and confirming that Docker starts normally:

* `cd ~;git clone https://github.com/wppurking/ocserv-docker.git` : download this repo; it carries the adjustable ocserv.conf configuration file and the ocpasswd user/password file
* `docker run -d --privileged --name ocserv-docker -v ~/ocserv-docker/ocserv:/etc/ocserv -p 443:443/tcp wppurking/ocserv` : the box is downloaded automatically. Some ocserv features need Docker to run the container with privileged rights
* `docker logs ocserv-docker` : view the run log and check that it is running normally (can be repeated)

```
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
```

## Build-it-yourself deployment
Build your own local image and compute your own (self-signed) SSL key. This avoids the problem of many people sharing one certificate.

* `cd ~ && git clone https://github.com/wppurking/ocserv-docker.git` : download this repo; it carries the adjustable ocserv.conf configuration file and the ocpasswd user/password file
* `cd ~/ocserv-docker && docker build --no-cache -t ocserv-docker .` : rebuild a brand-new image from the ocserv-docker directory (e.g. after a version update, or to regenerate the certificates)
* `docker run -d --privileged --name ocserv-docker -v ~/ocserv-docker/ocserv:/etc/ocserv -p 443:443/tcp ocserv-docker` : some ocserv features need Docker to run the container with privileged rights
* `docker logs ocserv-docker` : view the run log and check that it is running normally (can be repeated)

## Usage
* Two accounts are pre-initialised: wyatt:616 holly:525
* If iptables is enabled on the host, remember to open port 443 for both TCP and UDP
* The number of routes pushed to clients has been kept to what they can handle (in ocserv.conf; thanks to kevinzhow's [route.sh](https://gist.github.com/kevinzhow/9661732) and [ip_cook.rb](https://gist.github.com/kevinzhow/9661753))
* Next comes the AnyConnect client. Win, Mac, Linux [Link1](https://www.haskins.yale.edu/docdepot/published/WG/show.php?q=SEFTSzAx-58c63f59) (Cisco's official download requires registration...), [iOS](https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8), [Android](https://play.google.com/store/apps/details?id=com.cisco.anyconnect.vpn.android.avf&hl=en)
* Because the CA certificate we generate ourselves is not signed by any recognised authority, AnyConnect has to accept these "untrusted VPN" servers :P


## Custom certificates and keys
Because this is a self-contained box built for distribution, so that an ocserv can be deployed quickly, the certificates, keys and users are all bundled into it for convenience. If that worries you, run `docker run -t -i wppurking/ocserv bash` to enter the box and redo the work with `certtool`; the concrete steps are in [[Original] Installing and configuring ocserv (OpenConnect server) on a Linode VPS with Debian 7.5](http://luoqkk.com/linode-vps-debian-installation-and-configuration-ocserv-openconnect-server.html).

The certificates are generated automatically during the Docker build; their destination is `/opt/certs`.
[An example of successfully replacing the certs](https://twitter.com/douglas_lee/status/590245251257737216)

TODO: login with self-signed client certificates

## Usernames
So that beginners can get AnyConnect working as fast as possible (and so that I can conveniently connect the same device to several VPSes in different regions) I pre-set two initial accounts, but at the same time I keep the `ocserv/ocpasswd` file that supplies those accounts outside the box and mount it as a volume when running the container, so that users familiar with Docker can easily modify or regenerate their own users and passwords with the `ocpasswd` command.

Here is a very simple password change procedure; just copy the commands (assuming you followed the steps above):
### Adding a user
```
$> docker exec -it $(docker ps -a | grep vpn_run | awk '{print $1}') ocpasswd yourname
$> Enter password:
$> Re-enter password:
```
This works by borrowing the running container and executing `ocpasswd` inside it, which changes the content of the volume-mounted `./ocserv/ocpasswd` file; so once the command has run, the `./ocserv/ocpasswd` file on the host (outside the container) really has changed.

### Removing the two preset usernames
Just open `./ocserv/ocpasswd` and delete the two lines beginning with wyatt/holly.


## Information
* Box size: 164 MB (previously 380+ MB; the base image was slimmed down)
* Base box: ubuntu:trusty
* Tested environments:
  * [Linode 1G Ubuntu 14.04 LTS]
  * [Vultr 768MB Ubuntu 14.04 LTS]
  * [DigitalOcean 512MB Docker 1.2.0 on Ubuntu 14.04]

## Refs
* [ocserv 0.8.2 Manual](http://www.infradead.org/ocserv/manual.html)
* [[Original] Installing and configuring ocserv (OpenConnect server) on a Linode VPS with Debian 7.5](http://luoqkk.com/linode-vps-debian-installation-and-configuration-ocserv-openconnect-server.html)
* [Install Cisco AnyConnect Server on a Generic Linux Server](https://izhaom.in/2014/08/install-cisco-anyconnect-server-on-a-generic-linux-server/)
* [AnyConnect brings a new life to the iPhone](http://imkevin.me/post/80157872840/anyconnect-iphone)
* [Install Ocserv on CentOS 6.5](https://botu.me/install-ocserv-on-centos6/)
* [Gnutls 3.1.23 on Ubuntu 14.04](http://www.bauer-power.net/2014/06/how-to-install-gnutls-3123-from-source.html)


## Issues

### Recently everyone's ocserv connections have been dropping right after connecting; I suspect that with so many people using the same Docker image, too many were sharing one certificate, so I dealt with it

At least my own servers are now behaving normally and no longer disconnect. Please run `docker rmi wppurking/ocserv` and then re-run the run command to download the latest image; if you can, build it yourself or use your own certificate.

### On speed limits, I think it is network interference.
My own server ([1.5 MB/s](https://toolstud.io/data/bandwidth.php?compare=network&speed=1.5&speed_unit=MB%2Fs), roughly 12 Mbps) looks like this:
![AnyConnect](http://77g8qz.com1.z0.glb.clouddn.com/anyconnect.png?imageView2/2/w/300)

### If your network is good, you can see something like this ([7.1MB/s](https://toolstud.io/data/bandwidth.php?compare=network&speed=7.1&speed_unit=MB%2Fs) peak, 56.8 Mbps):
![AnyConnect Speed](http://77g8qz.com1.z0.glb.clouddn.com/anyconnect-top.jpg?imageView2/0/h/400/q/100)
--------------------------------------------------------------------------------
/bin/vpn_run:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Run the OpenConnect server normally
#

# start dnsmasq
dnsmasq -C /usr/local/etc/dnsmasq.conf


# enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1

# create the tun device node if the container does not have one
if [ ! -e /dev/net/tun ]; then
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun
fi

# NAT the VPN clients out of the container
# (the rule carries no source or interface match, so every packet that
# leaves the container is masqueraded, not only traffic from the VPN pool)
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# run it in the foreground; any extra arguments are passed through to ocserv
ocserv -c /etc/ocserv/ocserv.conf -f "$@"
--------------------------------------------------------------------------------
/certs/ca-tmp:
--------------------------------------------------------------------------------
cn = "Your desired authority name"
organization = "Your desired orgnization name"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
--------------------------------------------------------------------------------
/certs/serv-tmp:
--------------------------------------------------------------------------------
cn = "yourdomainname.com"
organization = "Your desired orgnization name"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server

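The README's user-management steps (adding a user with `ocpasswd`, deleting the wyatt/holly lines) lend themselves to a quick review of the mounted ocpasswd file before a box goes live. This is an added example, not code from the ocserv-docker project: it parses the `username:groups:encoded-password` lines that ocserv/ocpasswd uses, flags the stock accounts and any entry whose hash is not a SHA-crypt (`$5$`/`$6$`) value, and rewrites the file without the stock accounts; the sample file is constructed, reusing the two stock hashes from this repo.

```python
import re
from dataclasses import dataclass

# Accounts shipped with the image (README: wyatt:616, holly:525). Everyone who
# pulled the image knows these passwords, so they must not survive deployment.
STOCK_ACCOUNTS = {"wyatt", "holly"}

# ocpasswd writes SHA-crypt hashes: $5$ is sha256-crypt (43-char hash),
# $6$ is sha512-crypt (86-char hash). Anything else (md5-crypt "$1$",
# plaintext, an empty field) is flagged.
STRONG_HASH = re.compile(
    r"^\$(?:5|6)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43,86}$"
)


@dataclass
class Entry:
    user: str
    groups: list
    password: str
    lineno: int


def parse_ocpasswd(text: str) -> list:
    """Parse 'username:groupname1,groupname2:encoded-password' lines.

    A '*' group field (what ocpasswd writes) means "no group". Blank lines
    are skipped; a line without exactly three fields is rejected, because
    ocserv would not accept such a file either.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"line {lineno}: malformed ocpasswd entry")
        user, groups, password = parts
        group_list = [] if groups in ("", "*") else groups.split(",")
        entries.append(Entry(user, group_list, password, lineno))
    return entries


def review(entries: list) -> list:
    """Return human-readable findings for a parsed ocpasswd file."""
    findings = []
    seen = set()
    for e in entries:
        if e.user in STOCK_ACCOUNTS:
            findings.append(f"line {e.lineno}: stock account '{e.user}' still present")
        if not STRONG_HASH.match(e.password):
            findings.append(f"line {e.lineno}: '{e.user}' does not use a SHA-crypt ($5$/$6$) hash")
        if e.user in seen:
            findings.append(f"line {e.lineno}: duplicate entry for '{e.user}'")
        seen.add(e.user)
    return findings


def without_stock_accounts(entries: list) -> str:
    """Serialise entries back to ocpasswd format, dropping the stock users.

    This is the README's 'delete the wyatt/holly lines' step done mechanically.
    """
    lines = []
    for e in entries:
        if e.user in STOCK_ACCOUNTS:
            continue
        groups = ",".join(e.groups) if e.groups else "*"
        lines.append(f"{e.user}:{groups}:{e.password}")
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample in the shape of ocserv/ocpasswd: the two stock entries
# from this repo, one locally added user with groups and a sha512-crypt
# hash (constructed), and one user whose hash is md5-crypt (constructed).
SAMPLE = """\
wyatt:*:$5$ExKuUh1w1v/67AQt$tg/mf33OOJ2bMvLtSdX55v0wF2BLfxgm7YPlVPAcCX0
holly:*:$5$HCRJ7HmiQZrc5Amp$iU2G4TDDaL1/TGZKaksGJeGp7A.Nffs0BiObZ6SFttB
alice:ops,dev:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv
bob:*:$1$abcdefgh$0123456789012345678901
"""

if __name__ == "__main__":
    parsed = parse_ocpasswd(SAMPLE)
    for finding in review(parsed):
        print("-", finding)
    print(without_stock_accounts(parsed), end="")
```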
-------------------------------------------------------------------------------- /certs/user-tmp: -------------------------------------------------------------------------------- 1 | cn = "user" 2 | unit = "user" 3 | uid = "user" 4 | expiration_days = 3650 5 | signing_key 6 | tls_www_client -------------------------------------------------------------------------------- /changelog: -------------------------------------------------------------------------------- 1 | 2016.09.02 2 | * 集成服务器 DNS, 解决 CDN 方面的问题, 使用 VPN 内网解决 DNS 大问题. @zen 3 | * 集成 radius 的编译 @zen 4 | 5 | 2016.07.23 6 | * 试验中的使用证书登陆代替密码登陆 (thanks @zen9073) 7 | * 使用脚本在每次构建的时候生成全新的密钥. 如果要更换客户端密钥会有一些麻烦. 8 | 9 | 2016.07.04 10 | * 更新到 ocserv 0.11.3 11 | * 调整编译脚本, 增加 lz4 支持 12 | * 更新 no-route 13 | * no-route 本地局域网 192.168.0.0 地址. 方便本地的开发 14 | * 更新文档, 增加 build 的使用 15 | 16 | 2015.11.08 17 | * 使用 no-route, 并且扩展到 200 条 (thanks https://github.com/CNMan/ocserv-cn-no-route) 18 | * 更新 ocserv 配置文件适应 ocserv 0.10.9 19 | * 调整 Dockerfile 以加速 docker build 的速度 20 | * Building Image 过程中, 生成随机的 certs 信息 21 | 22 | 2015.03.27 23 | * 更新文档, 增加一行命令添加自定义用户名密码的 24 | 25 | 2015.03.24 26 | * 升级到 ocserv 0.10.1 并且更换调整配置文件. 
(应该兼容老版本, 没大改变) [wppurking/ocserv 已更新] 27 | * 默认开打 talloc 编译参数 28 | * 默认开启 LZS 压缩(LZ4 没有, 如果是 HTTP 都 Gzip 压缩过的请求有多大效果呢?待测试) 29 | * 修复自动下载部署脚本无法解析 0.10.1 这样两位数字版本好的问题 30 | 31 | 2014.12.06 32 | * 指定所使用的 container 为 [ubuntu:trusty], 避免因使用 [ubuntu] 将所有 container 都下载下来 33 | * 解决在编译安装 ocserv 0.8.8 时, libtalloc, libhttp-parser not found 问题; [libprotobuf-c was not found 还未>解决] 34 | 35 | 2014.09.23 36 | * 自动下载最新版本的 ocserv (thanks @catatnight) 37 | * 自动创建 /dev/net/tun (thanks @hongqn) 38 | 39 | 2014.08.14 40 | * 取消 wppurking/ocserv-base-lib, 改为由 docker hub 来进行 automate build 41 | 42 | 2014.08.11 43 | * 新增加 wppurking/ocserv-base-lib(base-lib), 仅仅将 ocserv 所需要的 lib 文件安装(依赖 Ubuntu:latest); 44 | * 将生成 certs 所需要的 teamplate(Country 啊, Domain 啊等等信息) 抽取出来 45 | * 修改 wppurking/ocserv 的 Dockerfile, 通过自动构建代替原来的手动构建 46 | * 自动下载源代码进行编译安装 ocserv, 方便 ocserv 升级重新构建 47 | * 每一次自动构建通过抽取出来的 template file 生成新 certs 48 | 49 | 2014.08.06 50 | * 初始化这个项目, 使用手工创建了 wppurking/ocserv Box 51 | * 剥离出 ocserv 的配置文件 52 | * 达到第一个可以使用 docker run 的版本 53 | -------------------------------------------------------------------------------- /deploys/deploy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: hk3 3 | name: recompile and run ocserv 4 | vars: 5 | vpn_name: ocserv-docker 6 | port: 8443 7 | 8 | tasks: 9 | - name: update git 10 | git: repo=https://github.com/wppurking/ocserv-docker.git 11 | dest=~/ocserv-docker 12 | force=true 13 | 14 | - name: rebuild docker 15 | shell: docker build --no-cache -t {{ vpn_name }} . 
chdir=~/ocserv-docker 16 | 17 | - name: delete img 18 | shell: docker images | fgrep '' | awk '{print $ 3}' | xargs docker rmi 19 | ignore_errors: true 20 | 21 | - name: Stop old ocserv 22 | shell: docker rm -vf {{ vpn_name }} 23 | ignore_errors: true 24 | 25 | - name: run new ocserv 26 | shell: docker run -d --privileged --name {{ vpn_name }} -v ~/ocserv-docker/ocserv:/etc/ocserv -p {{ port }}:443/tcp {{ vpn_name }} 27 | 28 | - name: move user.p12 to nginx share place 29 | shell: docker run --rm ocserv-docker cat /opt/certs/user.p12 > /usr/share/nginx/html/user.p12 30 | -------------------------------------------------------------------------------- /deploys/restart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: hk3 3 | name: restart ocserv 4 | vars: 5 | vpn_name: ocserv-docker 6 | port: 8443 7 | 8 | tasks: 9 | - name: Stop old ocserv 10 | shell: docker rm -vf {{ vpn_name }} 11 | ignore_errors: true 12 | 13 | - name: run new ocserv 14 | shell: docker run -d --privileged --name {{ vpn_name }} -v ~/ocserv-docker/ocserv:/etc/ocserv -p {{ port }}:443/tcp {{ vpn_name }} 15 | -------------------------------------------------------------------------------- /dnsmasq.conf: -------------------------------------------------------------------------------- 1 | no-resolv 2 | no-poll 3 | server=8.8.8.8 4 | listen-address=0.0.0.0 5 | bind-interfaces 6 | conf-dir=/etc/dnsmasq.d/ 7 | -------------------------------------------------------------------------------- /ocserv/ocpasswd: -------------------------------------------------------------------------------- 1 | wyatt:*:$5$ExKuUh1w1v/67AQt$tg/mf33OOJ2bMvLtSdX55v0wF2BLfxgm7YPlVPAcCX0 2 | holly:*:$5$HCRJ7HmiQZrc5Amp$iU2G4TDDaL1/TGZKaksGJeGp7A.Nffs0BiObZ6SFttB 3 | -------------------------------------------------------------------------------- /ocserv/ocserv.conf: -------------------------------------------------------------------------------- 1 | # User authentication 
method. Could be set multiple times and in 2 | # that case all should succeed. To enable multiple methods use 3 | # multiple auth directives. Available options: certificate, 4 | # plain, pam, radius, gssapi. 5 | # 6 | # Note that authentication methods cannot be changed with reload. 7 | 8 | # certificate: 9 | # This indicates that all connecting users must present a certificate. 10 | # 11 | # pam[gid-min=1000]: 12 | # This enabled PAM authentication of the user. The gid-min option is used 13 | # by auto-select-group option, in order to select the minimum valid group ID. 14 | # 15 | # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] 16 | # The plain option requires specifying a password file which contains 17 | # entries of the following format. 18 | # "username:groupname1,groupname2:encoded-password" 19 | # One entry must be listed per line, and 'ocpasswd' should be used 20 | # to generate password entries. The 'otp' suboption allows to specify 21 | # an oath password file to be used for one time passwords; the format of 22 | # the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile 23 | # 24 | # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: 25 | # The radius option requires specifying freeradius-client configuration 26 | # file. If the groupconfig option is set, then config-per-user will be overriden, 27 | # and all configuration will be read from radius. The 'override-interim-updates' if set to 28 | # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. 29 | # 30 | # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] 31 | # The gssapi option allows to use authentication methods supported by GSSAPI, 32 | # such as Kerberos tickets with ocserv. 
It should be best used as an alternative 33 | # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with 34 | # tickets and without tickets to login. The default value for require-local-user-map 35 | # is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented 36 | # to have been issued within the provided number of seconds. That option is used to 37 | # restrict logins even if the KDC provides long time TGT tickets. 38 | 39 | #auth = "pam" 40 | #auth = "pam[gid-min=1000]" 41 | #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" 42 | # ---------- 设置加载密码文件 ----------- 43 | auth = "plain[passwd=/etc/ocserv/ocpasswd]" 44 | #auth = "certificate" 45 | #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" 46 | 47 | # Specify alternative authentication methods that are sufficient 48 | # for authentication. That is, if set, any of the methods enabled 49 | # will be sufficient to login. 50 | enable-auth = "certificate" 51 | #enable-auth = "gssapi" 52 | #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" 53 | 54 | # Accounting methods available: 55 | # radius: can be combined with any authentication method, it provides 56 | # radius accounting to available users (see also stats-report-time). 57 | # 58 | # pam: can be combined with any authentication method, it provides 59 | # a validation of the connecting user's name using PAM. It is 60 | # superfluous to use this method when authentication is already 61 | # PAM. 62 | # 63 | # Only one accounting method can be specified. 64 | #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" 65 | 66 | # Use listen-host to limit to specific IPs or to the IPs of a provided 67 | # hostname. 68 | #listen-host = [IP|HOSTNAME] 69 | 70 | # When the server has a dynamic DNS address (that may change), 71 | # should set that to true to ask the client to resolve again on 72 | # reconnects. 
73 | #listen-host-is-dyndns = true 74 | 75 | # TCP and UDP port number 76 | tcp-port = 443 77 | #udp-port = 443 78 | 79 | # Accept connections using a socket file. It accepts HTTP 80 | # connections (i.e., without SSL/TLS unlike its TCP counterpart), 81 | # and uses it as the primary channel. That option cannot be 82 | # combined with certificate authentication. 83 | #listen-clear-file = /var/run/ocserv-conn.socket 84 | 85 | # The user the worker processes will be run as. It should be 86 | # unique (no other services run as this user). 87 | run-as-user = nobody 88 | run-as-group = daemon 89 | 90 | # socket file used for IPC with occtl. You only need to set that, 91 | # if you use more than a single servers. 92 | #occtl-socket-file = /var/run/occtl.socket 93 | 94 | # socket file used for server IPC (worker-main), will be appended with .PID 95 | # It must be accessible within the chroot environment (if any), so it is best 96 | # specified relatively to the chroot directory. 97 | socket-file = /var/run/ocserv-socket 98 | 99 | # The default server directory. Does not require any devices present. 100 | #chroot-dir = /path/to/chroot 101 | 102 | # The key and the certificates of the server 103 | # The key may be a file, or any URL supported by GnuTLS (e.g., 104 | # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user 105 | # or pkcs11:object=my-vpn-key;object-type=private) 106 | # 107 | # The server-cert file may contain a single certificate, or 108 | # a sorted certificate chain. 109 | # 110 | # There may be multiple server-cert and server-key directives, 111 | # but each key should correspond to the preceding certificate. 112 | # -------- Dockerfile 中生成的 cert ------- 113 | server-cert = /opt/certs/server-cert.pem 114 | server-key = /opt/certs/server-key.pem 115 | 116 | # Diffie-Hellman parameters. Only needed if you require support 117 | # for the DHE ciphersuites (by default this server supports ECDHE). 
118 | # Can be generated using: 119 | # certtool --generate-dh-params --outfile /path/to/dh.pem 120 | #dh-params = /path/to/dh.pem 121 | 122 | # In case PKCS #11, TPM or encrypted keys are used the PINs should be available 123 | # in files. The srk-pin-file is applicable to TPM keys only, and is the 124 | # storage root key. 125 | #pin-file = /path/to/pin.txt 126 | #srk-pin-file = /path/to/srkpin.txt 127 | 128 | # The password or PIN needed to unlock the key in server-key file. 129 | # Only needed if the file is encrypted or a PKCS #11 object. This 130 | # is an alternative method to pin-file. 131 | #key-pin = 1234 132 | 133 | # The SRK PIN for TPM. 134 | # This is an alternative method to srk-pin-file. 135 | #srk-pin = 1234 136 | 137 | # The Certificate Authority that will be used to verify 138 | # client certificates (public keys) if certificate authentication 139 | # is set. 140 | # -------------- 需要证书登陆的需要 ------------- 141 | ca-cert = /opt/certs/ca-cert.pem 142 | #ca-cert = /etc/ssl/certs/ca.pem 143 | 144 | 145 | ### All configuration options below this line are reloaded on a SIGHUP. 146 | ### The options above, will remain unchanged. 147 | 148 | # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 149 | # system calls allowed to a worker process, in order to reduce damage from a 150 | # bug in the worker process. It is available on Linux systems at a performance cost. 151 | # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). 152 | isolate-workers = true 153 | 154 | # A banner to be displayed on clients 155 | #banner = "Welcome" 156 | 157 | # Limit the number of clients. Unset or set to zero for unlimited. 158 | #max-clients = 1024 159 | max-clients = 0 160 | 161 | # Limit the number of identical clients (i.e., users connecting 162 | # multiple times). Unset or set to zero for unlimited. 
163 | max-same-clients = 0 164 | 165 | # When the server has a dynamic DNS address (that may change), 166 | # should set that to true to ask the client to resolve again on 167 | # reconnects. 168 | #listen-host-is-dyndns = true 169 | 170 | # When the server receives connections from a proxy, like haproxy 171 | # which supports the proxy protocol, set this to obtain the correct 172 | # client addresses. The proxy protocol (v2) would then be expected in 173 | # the TCP or UNIX socket (not the UDP one). 174 | #listen-proxy-proto = true 175 | 176 | # Limit the number of client connections to one every X milliseconds 177 | # (X is the provided value). Set to zero for no limit. 178 | rate-limit-ms = 0 179 | 180 | # Stats report time. The number of seconds after which each 181 | # worker process will report its usage statistics (number of 182 | # bytes transferred etc). This is useful when accounting like 183 | # radius is in use. 184 | #stats-report-time = 360 185 | 186 | # Keepalive in seconds 187 | keepalive = 32400 188 | 189 | # Dead peer detection in seconds. 190 | # Note that when the client is behind a NAT this value 191 | # needs to be short enough to prevent the NAT disassociating 192 | # his UDP session from the port number. Otherwise the client 193 | # could have his UDP connection stalled, for several minutes. 194 | dpd = 90 195 | 196 | # Dead peer detection for mobile clients. That needs to 197 | # be higher to prevent such clients being awaken too 198 | # often by the DPD messages, and save battery. 199 | # The mobile clients are distinguished from the header 200 | # 'X-AnyConnect-Identifier-DeviceType'. 201 | mobile-dpd = 1800 202 | 203 | # MTU discovery (DPD must be enabled) 204 | try-mtu-discovery = true 205 | 206 | # If you have a certificate from a CA that provides an OCSP 207 | # service you may provide a fresh OCSP status response within 208 | # the TLS handshake. That will prevent the client from connecting 209 | # independently on the OCSP server. 
210 | # You can update this response periodically using: 211 | # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response 212 | # Make sure that you replace the following file in an atomic way. 213 | #ocsp-response = /path/to/ocsp.der 214 | 215 | # The object identifier that will be used to read the user ID in the client 216 | # certificate. The object identifier should be part of the certificate's DN 217 | # https://technet.microsoft.com/en-us/library/cc772812(WS.10).aspx 218 | # Useful OIDs are: 219 | # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 220 | cert-user-oid = 0.9.2342.19200300.100.1.1 221 | 222 | # The object identifier that will be used to read the user group in the 223 | # client certificate. The object identifier should be part of the certificate's 224 | # DN. Useful OIDs are: 225 | # OU (organizational unit) = 2.5.4.11 226 | #cert-group-oid = 2.5.4.11 227 | 228 | # The revocation list of the certificates issued by the 'ca-cert' above. 229 | # See the manual to generate an empty CRL initially. The CRL will be reloaded 230 | # periodically when ocserv detects a change in the file. To force a reload use 231 | # SIGHUP. 232 | #crl = /path/to/crl.pem 233 | 234 | # Uncomment this to enable compression negotiation (LZS, LZ4). 235 | # ----- 打开 lz4 ----- 236 | compression = true 237 | 238 | # Set the minimum size under which a packet will not be compressed. 239 | # That is to allow low-latency for VoIP packets. The default size 240 | # is 256 bytes. Modify it if the clients typically use compression 241 | # as well of VoIP with codecs that exceed the default value. 242 | # ------ 少于 256 bytes 不压缩 ----- 243 | no-compress-limit = 256 244 | 245 | # GnuTLS priority string; note that SSL 3.0 is disabled by default 246 | # as there are no openconnect (and possibly anyconnect clients) using 247 | # that protocol. The string below does not enforce perfect forward 248 | # secrecy, in order to be compatible with legacy clients. 
249 | # 250 | # Note that the most performant ciphersuites are the moment are the ones 251 | # involving AES-GCM. These are very fast in x86 and x86-64 hardware, and 252 | # in addition require no padding, thus taking full advantage of the MTU. 253 | # For that to be taken advantage of, the openconnect client must be 254 | # used, and the server must be compiled against GnuTLS 3.2.7 or later. 255 | # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance 256 | # difference with AES_128_CBC_SHA1 (the default for anyconnect clients) 257 | # in your system. 258 | 259 | tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" 260 | 261 | # More combinations in priority strings are available, check 262 | # http://gnutls.org/manual/html_node/Priority-Strings.html 263 | # E.g., the string below enforces perfect forward secrecy (PFS) 264 | # on the main channel. 265 | #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" 266 | 267 | # The time (in seconds) that a client is allowed to stay connected prior 268 | # to authentication 269 | auth-timeout = 40 270 | 271 | # The time (in seconds) that a client is allowed to stay idle (no traffic) 272 | # before being disconnected. Unset to disable. 273 | idle-timeout = 86400 274 | 275 | # The time (in seconds) that a mobile client is allowed to stay idle (no 276 | # traffic) before being disconnected. Unset to disable. 277 | mobile-idle-timeout = 86400 278 | 279 | # The time (in seconds) that a client is not allowed to reconnect after 280 | # a failed authentication attempt. 281 | min-reauth-time = 300 282 | 283 | # Banning clients in ocserv works with a point system. IP addresses 284 | # that get a score over that configured number are banned for 285 | # min-reauth-time seconds. By default a wrong password attempt is 10 points, 286 | # a KKDCP POST is 1 point, and a connection is 1 point. 
Note that
# due to different processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50

# The time (in seconds) after which all score kept for a client is reset.
ban-reset-time = 300

# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1

# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. On a user disconnection, that
# cookie will also remain active for this amount of time before
# becoming invalid. That should allow a reasonable amount of time for
# roaming between different networks.
# ----- lengthened -----
# Caveat: 86400000 seconds is roughly 1000 days. Anyone holding a copy of
# the cookie (e.g. taken from a compromised client) can resume the session
# for that long without re-authenticating, and, because deny-roaming is
# false below, from any source IP.
cookie-timeout = 86400000

# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true

# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false

# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
# ----- lengthened -----
# Caveat: at roughly 1000 days this effectively disables rekeying for the
# lifetime of any real connection; the same session keys protect all
# traffic until the client reconnects.
rekey-time = 86400000

# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl

# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected to), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.

# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# input to / output from the tun device, and the duration of the session in seconds.

#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true

# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true

# PID file. It can be overridden on the command line.
pid-file = /var/run/ocserv.pid

# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
net-priority = 6

# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"

#
# Network settings
#

# The name to use for the tun device
device = vpns

# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true

# The default domain to be advertised
# -------- not needed here -----------
#default-domain = example.com


# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 10.0.0.0
ipv4-netmask = 255.0.0.0

# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24

# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/64

# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true

# The advertised DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 8.8.8.8
#dns = 8.8.4.4
dns = 10.0.0.1

# The NBNS server (if any)
#nbns = 192.168.1.3

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false

# Use this option to enforce an MTU value on the incoming
# connections. Unset to use the default MTU of the TUN device.
#mtu = 1420
mtu = 1482

# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
output-buffer = 20

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
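The connect-script / disconnect-script variables listed above are enough to build a session audit trail that a SOC can correlate with other logs. The following is an added example, not code from this repository or from ocserv: a single Python script meant to be installed as both hooks, which appends one JSON line per connect or disconnect event. The variable names are the ones documented above; the log path /var/log/ocserv-sessions.log, the derived bytes_total field, and the choice to exit 0 when logging itself fails are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example, not code from the original repo or from ocserv: one script
used as both connect-script and disconnect-script that writes one JSON line
per event. Variable names come from the ocserv.conf comments; LOG_PATH and
the bytes_total field are this example's own choices."""
import json
import os
import sys
import time

LOG_PATH = "/var/log/ocserv-sessions.log"   # assumed location, not from the page

# Passed on both connect and disconnect (see the comment block above).
COMMON = ("REASON", "USERNAME", "GROUPNAME", "DEVICE", "IP_REAL",
          "IP_REAL_LOCAL", "IP_LOCAL", "IP_REMOTE", "IPV6_LOCAL",
          "IPV6_REMOTE", "IPV6_PREFIX", "ID")
# Space-separated lists; the *4 / *6 variants hold only one address family.
LISTS = ("OCSERV_ROUTES", "OCSERV_NO_ROUTES", "OCSERV_DNS",
         "OCSERV_ROUTES4", "OCSERV_ROUTES6", "OCSERV_NO_ROUTES4",
         "OCSERV_NO_ROUTES6", "OCSERV_DNS4", "OCSERV_DNS6")
# Only present on disconnect: 64-bit byte counters and session length.
STATS = ("STATS_BYTES_IN", "STATS_BYTES_OUT", "STATS_DURATION")


def build_event(env, now=None):
    """Flatten the hook environment into one JSON-serialisable dict.

    `env` is any mapping: os.environ in production, a plain dict in tests.
    Raises ValueError for a REASON the page does not define, so a broken
    invocation fails loudly instead of writing a half-formed record."""
    reason = env.get("REASON")
    if reason not in ("connect", "disconnect"):
        raise ValueError(f"unexpected REASON: {reason!r}")
    event = {"ts": int(time.time() if now is None else now)}
    for name in COMMON:
        if env.get(name):                   # skip unset/empty (e.g. no IPv6)
            event[name.lower()] = env[name]
    for name in LISTS:
        if env.get(name):
            event[name.lower()] = env[name].split()
    if reason == "disconnect":
        for name in STATS:
            if name in env:
                event[name.lower()] = int(env[name])
        if "stats_bytes_in" in event and "stats_bytes_out" in event:
            event["bytes_total"] = (event["stats_bytes_in"]
                                    + event["stats_bytes_out"])
    return event


def main():
    event = build_event(os.environ)
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")
    return 0


if __name__ == "__main__":
    # ocserv treats a non-zero exit from the connect script as a refusal of
    # the session, so a logging failure is reported but does not lock users
    # out; flip this to exit(1) if an audit record is mandatory.
    try:
        sys.exit(main())
    except (ValueError, OSError) as exc:
        print(f"ocserv hook: {exc}", file=sys.stderr)
        sys.exit(0)
```

Point both connect-script and disconnect-script at the same file; the REASON variable tells the script which event it is handling, and only the disconnect record carries the STATS_* counters.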
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.

#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64

# Subsets of the routes above that will not be routed by
# the server.

# ------ use either route or no-route, not both ------
# With no route lines the server is the client's default gateway and the
# no-route list below carves out the prefixes that stay on the client's
# local uplink (split-exclude).
# Keep the host the server itself sits on off the tunnel as well (so ssh still works);
# adjust 192.168.0.0/16 to the network the VPN host actually lives on.
no-route = 192.168.0.0/255.255.0.0
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.3.32.0/255.255.224.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.78.80.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 104.167.16.0/255.255.240.0
no-route = 104.207.32.0/255.255.224.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.208.0/255.255.240.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0


# Note that the following two firewalling options are currently available
# only on Linux systems with iptables.

# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. With a default route, it is the no-routes that are restricted.
# All the rules applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true

# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access only specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"

# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"

# When set to true, all clients' iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true

# Groups that a client is allowed to select from.
# A client may belong to multiple groups, and in certain use-cases
# it is necessary to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]

# The name of the (virtual) group that, if selected, would assign the user
# to its default group.
#default-select-group = DEFAULT

# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true

# Configuration files that will be applied per user connection or
# per group. Each file name in these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# and session-timeout.
#
# Note that the 'iroute' option allows adding routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# option is a boolean (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also that any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
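The no-route list above (a split-exclude list, since no route lines are set and the server is the default gateway) and the config-per-user rule that per-user routes and no-routes overwrite the global ones are easy to get wrong silently: a typo in one mask either leaks a prefix into the tunnel or, worse, exempts the lease pool itself. The following added example (not from this repository or from ocserv) parses the route-related options in both notations the file uses, answers whether a given destination would be tunnelled for a given user, and flags two review findings: a no-route that overlaps the lease pool, and a no-route entry already covered by a wider one. The embedded config excerpts are constructed (a handful of the lines above plus a hypothetical per-user file for a user "alice"); the per-user override is modelled as whole-list replacement, which is this example's reading of the last sentence above.

```python
#!/usr/bin/env python3
"""Added example, not code from the original repo or from ocserv: check what
the route / no-route lines of an ocserv.conf do to client traffic and how a
config-per-user file changes that. Only option names used on this page are
understood. The config excerpts below are constructed sample input."""
import ipaddress

# Constructed excerpt of the global config above (pool plus a few no-route lines).
GLOBAL_CONF = """
ipv4-network = 10.0.0.0
ipv4-netmask = 255.0.0.0
no-route = 192.168.0.0/255.255.0.0
no-route = 1.0.0.0/255.192.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 122.0.0.0/254.0.0.0
"""

# Hypothetical /etc/ocserv/config-per-user/alice: this user may only reach one
# corporate prefix, minus its upper half, and ocserv-fw enforces that.
USER_CONF = """
route = 10.10.10.0/255.255.255.0
no-route = 10.10.10.128/255.255.255.128
restrict-user-to-routes = true
"""


def to_network(value):
    """Accept the mask form (a.b.c.d/255.x.y.z) and CIDR, plus the special
    keyword 'default' (everything), as the comments above describe."""
    if value == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def parse_routes(text):
    """Return {'pool': network|None, 'route': [...], 'no-route': [...]}."""
    out = {"pool": None, "route": [], "no-route": []}
    net = mask = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "ipv4-network":
            net = value
        elif key == "ipv4-netmask":
            mask = value
        elif key in ("route", "no-route"):
            out[key].append(to_network(value))
    if net is not None:                 # either "a.b.c.d" + netmask line or CIDR
        out["pool"] = to_network(net if "/" in net or mask is None
                                 else f"{net}/{mask}")
    return out


def effective(global_conf, user_conf=None):
    """Apply the page's rule: route / no-route lines in the per-user file
    overwrite the global ones. Assumption: each list is replaced as a whole."""
    eff = dict(global_conf)
    if user_conf:
        for key in ("route", "no-route"):
            if user_conf[key]:
                eff[key] = list(user_conf[key])
    return eff


def goes_through_tunnel(conf, address):
    """True if traffic to `address` is sent into the VPN under `conf`.
    No-route always wins; with no route lines the server is the default
    gateway; otherwise only the listed prefixes are tunnelled."""
    addr = ipaddress.ip_address(address)
    if any(addr in n for n in conf["no-route"]):
        return False
    if not conf["route"]:
        return True
    return any(addr in r for r in conf["route"])


def lint(conf):
    """Findings a reviewer would raise about the no-route list."""
    warnings = []
    pool, nets = conf["pool"], conf["no-route"]
    for n in nets:
        if pool is not None and pool.version == n.version and pool.overlaps(n):
            warnings.append(f"no-route {n} overlaps the lease pool {pool}: "
                            "clients would send VPN-internal traffic outside the tunnel")
        for m in nets:
            if m != n and m.version == n.version and n.subnet_of(m):
                warnings.append(f"no-route {n} is already covered by {m}")
    return warnings


if __name__ == "__main__":
    g = parse_routes(GLOBAL_CONF)
    u = parse_routes(USER_CONF)
    for who, conf in (("global", g), ("alice", effective(g, u))):
        for ip in ("192.168.0.5", "10.10.10.3", "10.10.10.200", "8.8.8.8"):
            print(f"{who:7s} {ip:14s} tunnel={goes_through_tunnel(conf, ip)}")
    for w in lint(g):
        print("WARNING:", w)
```

Run it against the real file by reading it into parse_routes in place of GLOBAL_CONF; the first thing to check is that the VPN host's own public address comes back as tunnel=False, which is what the 192.168.0.0/16 line is meant to guarantee.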

#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/

# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf

# The system command to use to set up a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from Linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).

#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"

# This option allows forwarding to a proxy. The special keywords '%{U}'
# and '%{G}', if present, will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/

# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/KdcProxy
#     http_anchors = FILE:/etc/ocserv-ca.pem
# }
# This option is available if ocserv is compiled with GSSAPI support.

#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"

#
# The following options are for (experimental) AnyConnect client
# compatibility.

# This option must be set to true to support legacy CISCO clients.
# A side effect of this option is that it will no longer be required
# for clients to present their certificate on every connection.
# That is, they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
cisco-client-compat = true

# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml

# Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present, will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"

--------------------------------------------------------------------------------