1OCSERV(8) System Manager's Manual OCSERV(8)
2
6 ocserv - OpenConnect VPN server
7
9 ocserv options -c [config]
10 Openconnect VPN server (ocserv) is a VPN server compatible with the
12 openconnect VPN client. It follows the AnyConnect VPN protocol which is
13 used by several CISCO routers.
14
16 This a standalone server that reads a configuration file (see below for
17 more details), and waits for client connections. Log messages are redi‐
18 rected to daemon facility.
19 The server maintains two connections/channels with the client. The main
21 VPN channel is established over TCP, HTTP and TLS. This is the control
22 channel as well as the backup data channel. After its establishment a
23 UDP channel using DTLS is initiated which serves as the main data chan‐
24 nel. If the UDP channel fails to establish or is temporarily unavail‐
25 able the backup channel over TCP/TLS is being used.
26 This server supports multiple authentication methods, including PAM and
28 certificate authentication. Authenticated users are assigned an unpriv‐
29 ileged worker process and obtain a networking (tun) device and an IP
30 from a configurable pool of addresses.
31 Once authenticated, the server provides the client with an IP address
33 and a list of routes that it may access. In order to allow high-speed
34 transfers the server does not process or filter packets. It is expected
35 that the server has or will set up any required routes or firewall
36 rules.
37 It is possible to separate users into groups, which are either present
39 on their certificate, or presented on login for the user to choose.
40 That way a user may take advantage of the different settings that may
41 apply per group. See the comments on the configuration file for more
42 information.
43 It is also possible to run hostname-based virtual servers which could
45 support different authentication methods. When multiple virtual servers
46 are present clients are distinguished by the advertised server name
47 over TLS (SNI). Clients which do not support or sent SNI, are directed
48 to the default server.
49
51 -f, --foreground:
52 Do not fork server into background.
53 -d, --debug=num:
55 Enable verbose network debugging information. num must be be‐
56 tween zero and 9999.
57 -c, --config=FILE:
59 Specify the configuration file for the server.
60 -t, --test-config:
62 Test the provided configuration file and exit. A successful exit
63 error code indicates a valid configuration.
64 -p, --pid-file=FILE:
66 Specify a PID file for the server.
67 -h, --help:
69 Display usage information and exit.
70 -v, --version:
72 Output version of program and exit.
73
75 Users can be authenticated in multiple ways, which are explained in the
76 following paragraphs. Connected users can be managed using the occtl
77 tool.
78 Password authentication
80 If your system supports Pluggable Authentication Modules (PAM), then
81 ocserv will take advantage of it to password authenticate its users.
82 Otherwise a plain password file similar to the UNIX password file is
83 also supported. In that case the 'ocpasswd' tool can be used for its
84 management. Note that password authentication can be used in conjunc‐
85 tion with certificate authentication.
86 GSSAPI authentication
88 ocserv will take advantage of the MIT Kerberos project GSSAPI li‐
89 braries, and allow authentication using any method GSSAPI supports.
90 That is, mainly, Kerberos authentication. That is often more useful to
91 be combined with PAM or other password authentication methods so that a
92 fallback mechanism can be used when GSSAPI fails (e.g., when the user
93 doesn't already have a Kerberos ticket). The GSSAPI authentication is
94 implemented using SPNEGO over HTTP (RFC4559).
95 Public key (certificate) authentication
97 Public key authentication allows the user to be authenticated by the
98 possession of the private key that corresponds to a known to the server
99 public key. That allows the usage of common smart cards for user au‐
100 thentication.
101 In ocserv, a certificate authority (CA) is used to sign the client cer‐
103 tificates. That certificate authority can be local, used only by the
104 server to sign its user's known public keys which are then given to
105 users in a form of certificates. That authority need also provide a CRL
106 to allow the server to reject the revoked clients (see ca-cert, crl).
107 In certificate authentication each client presents a certificate and
109 signs data provided by the server, as part of TLS authentication, to
110 prove his possession of the corresponding private key. The certificate
111 need also contain user identifying information, for example, the user
112 ID of the client must be embedded in the certificate's Distinguished
113 Name (DN), i.e., in the Common Name, or UID fields. For the server to
114 read the name, the cert-user-oid configuration option must be set.
115 The following examples demonstrate how to use certtool from GnuTLS to
117 generate such CA.
118 Generating the CA
120 ``` $ certtool --generate-privkey --outfile ca-key.pem $ cat <
121 _EOF_ca.tmpl cn = "VPN CA" organization = "Big Corp" serial = 1 expira‐
122 tion_days = -1 ca signing_key cert_signing_key crl_signing_key EOF
123 $ certtool --generate-self-signed --load-privkey ca-key.pem \ --tem‐
125 plate ca.tmpl --outfile ca-cert.pem ```
126 Generating a local server certificate
128 The following example generates the server key and certificate pair.
129 The key generated is an RSA one, but different types can be used by
130 specifying the 'ecdsa' or 'dsa' options to certtool.
131 ``` $ certtool --generate-privkey --outfile server-key.pem $ cat <
133 _EOF_server.tmpl cn = "VPN server" dns_name = "www.example.com"
134 dns_name = "vpn1.example.com" #ip_address = "1.2.3.4" organization =
135 "MyCompany" expiration_days = -1 signing_key encryption_key #only if
136 the generated key is an RSA one tls_www_server EOF
137 $ certtool --generate-certificate --load-privkey server-key.pem \
139 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ --tem‐
140 plate server.tmpl --outfile server-cert.pem ```
141 From this point the clients need ca-cert.pem to be able to securely
143 connect to the server.
144 Note that it is a better practice to use two separate RSA keys, one
146 with the signing_key option and another with the encryption_key.
147 Generating an external CA-signed server certificate
149 $ certtool --generate-privkey --outfile server-key.pem $ cat << _EOF_
150 >server.tmpl cn = "My server" dns_name = "www.example.com" organization
151 = "MyCompany" expiration_days = -1 signing_key encryption_key #only if
152 the generated key is an RSA one tls_www_server _EOF_ $ certtool --gen‐
153 erate-request --load-privkey server-key.pem \ --template server.tmpl
154 --outfile server-cert.csr
155 At this point you need to provide the server-cert.csr to your CA, and
157 they will send you the server certificate.
158 Generating the client certificates
160 Note that it is recommended to leave detailed personal information out
161 of the certificate as it is sent in clear during TLS authentication.
162 The following process generates a certificate and converts it to PKCS
163 #12 that is protected by a PIN and most clients are able to import (the
164 3DES cipher is used in the example because it is supported by far more
165 devices than AES).
166 ``` $ certtool --generate-privkey --outfile user-key.pem $ cat <
168 _EOF_user.tmpl cn = "user" unit = "admins" expiration_days = 365 sign‐
169 ing_key tls_www_client EOF $ certtool --generate-certificate
170 --load-privkey user-key.pem \ --load-ca-certificate ca-cert.pem
171 --load-ca-privkey ca-key.pem \ --template user.tmpl --outfile
172 user-cert.pem
173 $ certtool --to-p12 --load-privkey user-key.pem \ --pkcs-cipher
175 3des-pkcs12 \ --load-certificate user-cert.pem \ --outfile user.p12
176 --outder ```
177 Revoking a client certificate
179 To revoke the previous client certificate, i.e., preventing the user
180 from accessing the VPN resources prior to its certificate expiration,
181 use:
182 $ cat << _EOF_ >crl.tmpl crl_next_update = 365 crl_number = 1 _EOF_ $
184 cat user-cert.pem >>revoked.pem $ certtool --generate-crl
185 --load-ca-privkey ca-key.pem \ --load-ca-certificate ca-cert.pem
186 --load-certificate revoked.pem \ --template crl.tmpl --outfile crl.pem
187 After that you may want to notify ocserv of the new CRL by using the
189 HUP signal, or wait for it to reload it.
190 When there are no revoked certificates an empty revocation list should
192 be generated as follows.
193 $ certtool --generate-crl --load-ca-privkey ca-key.pem \ --load-ca-cer‐
195 tificate ca-cert.pem \ --template crl.tmpl --outfile crl.pem
196
198 Note that while this server utilizes privilege separation and all au‐
199 thentication occurs on the security module, this does not apply for TLS
200 client certificate authentication. That is due to TLS protocol limita‐
201 tion.
202
204 In certain setups, where a firewall may be blocking ICMP responses,
205 setting the MSS of TCP connections to MTU will eliminate the "black
206 hole" connection issues. See http://lartc.org/howto/lartc.cook‐
207 book.mtu-mss.html for instructions to enable it on a Linux system.
208
210 ocserv's configuration file format
211 By default, if no other file is specified, ocserv looks for its config‐
212 uration file at /etc/ocserv/ocserv.conf. An example configuration file
213 follows.
214 ``` ### The following directives do not change with server reload.#
216 used for the user to login, add multiple auth directives. The values #
217 in the 'auth' directive are AND composed (if multiple all must # suc‐
218 ceed). # Available options: certificate, plain, pam, radius, gssapi. #
219 Note that authentication methods utilizing passwords cannot be # com‐
220 bined (e.g., the plain, pam or radius methods).# This indicates that
221 all connecting users must present a certificate. # The username and
222 user group will be then extracted from it (see # cert-user-oid and
223 cert-group-oid). The certificate to be accepted # it must be signed by
224 the CA certificate as specified in 'ca-cert' and # it must not be
225 listed in the CRL, as specified by the 'crl' option. # #
226 pam[gid-min=1000]: # This enabled PAM authentication of the user. The
227 gid-min option is used # by auto-select-group option, in order to se‐
228 lect the minimum valid group ID. # # plain[passwd=/etc/ocserv/oc‐
229 passwd,otp=/etc/ocserv/users.otp] # The plain option requires specify‐
230 ing a password file which contains # entries of the following format. #
231 "username:groupname1,groupname2:encoded-password" # One entry must be
232 listed per line, and 'ocpasswd' should be used # to generate password
233 entries. The 'otp' suboption allows one to specify # an oath password
234 file to be used for one time passwords; the format of # the file is de‐
235 scribed in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
236 # # radius[config=/etc/radiusclient/radiusclient.conf,groupcon‐
237 fig=true,nas-identifier=name]: # The radius option requires specifying
238 freeradius-client configuration # file. If the groupconfig option is
239 set, then config-per-user/group will be overridden, # and all configu‐
240 ration will be read from radius. That also includes the # Acct-In‐
241 terim-Interval, and Session-Timeout values. # # See doc/README-ra‐
242 dius.md for the supported radius configuration atributes. # # gss‐
243 api[keytab=/etc/key.tab,require-local-user-map=true,tgt-fresh‐
244 ness-time=900] # The gssapi option allows one to use authentication
245 methods supported by GSSAPI, # such as Kerberos tickets with ocserv. It
246 should be best used as an alternative # to PAM (i.e., have pam in auth
247 and gssapi in enable-auth), to allow users with # tickets and without
248 tickets to login. The default value for require-local-user-map # is
249 true. The 'tgt-freshness-time' if set, it would require the TGT tickets
250 presented # to have been issued within the provided number of seconds.
251 That option is used to # restrict logins even if the KDC provides long
252 time TGT tickets.#auth = "pam[gid-min=1000]" #auth =
253 "plain[passwd=./sample.passwd,otp=./sample.otp]" auth =
254 "plain[passwd=./sample.passwd]" #auth = "certificate" #auth = "ra‐
255 dius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"# for
256 authentication. That is, if set, any of the methods enabled # will be
257 sufficient to login, irrespective of the main 'auth' entries. # When
258 multiple options are present, they are OR composed (any of them # suc‐
259 ceeding allows login). #enable-auth = "certificate" #enable-auth =
260 "gssapi" #enable-auth = "gssapi[keytab=/etc/key.tab,require-lo‐
261 cal-user-map=true,tgt-freshness-time=900]"# radius: can be combined
262 with any authentication method, it provides # radius accounting to
263 available users (see also stats-report-time). # # pam: can be combined
264 with any authentication method, it provides # a validation of the con‐
265 necting user's name using PAM. It is # superfluous to use this method
266 when authentication is already # PAM. # # Only one accounting method
267 can be specified. #acct = "radius[config=/etc/radiusclient/ra‐
268 diusclient.conf]"# hostname. #listen-host = [IP|HOSTNAME]# hostname. if
269 not set, listen-host will be used #udp-listen-host = [IP|HOSTNAME]#
270 should set that to true to ask the client to resolve again on # recon‐
271 nects. #listen-host-is-dyndns = true# listen-netns = "foo"tcp-port =
272 443 udp-port = 443# unprivileged user (e.g., 'ocserv') and no other
273 services should run as this # user. run-as-user = nobody run-as-group =
274 daemon# if you use more than a single servers. #occtl-socket-file =
275 /var/run/occtl.socket# It must be accessible within the chroot environ‐
276 ment (if any), so it is best # specified relatively to the chroot di‐
277 rectory. socket-file = /var/run/ocserv-socket#chroot-dir = /var/lib/oc‐
278 serv# The key may be a file, or any URL supported by GnuTLS (e.g., #
279 tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user # or
280 pkcs11:object=my-vpn-key;object-type=private) # # The server-cert file
281 may contain a single certificate, or # a sorted certificate chain. #
282 There may be multiple server-cert and server-key directives, # but each
283 key should correspond to the preceding certificate. # The certificate
284 files will be reloaded when changed allowing for in-place # certificate
285 renewal (they are checked and reloaded periodically; # a SIGHUP signal
286 to main server will force reload).#server-key = /etc/oc‐
287 serv/server-key.pem server-cert = ../tests/certs/server-cert.pem
288 server-key = ../tests/certs/server-key.pem# versions of GnuTLS for sup‐
289 porting DHE ciphersuites. # Can be generated using: # certtool --gener‐
290 ate-dh-params --outfile /etc/ocserv/dh.pem #dh-params = /etc/oc‐
291 serv/dh.pem# in files. The srk-pin-file is applicable to TPM keys only,
292 and is the # storage root key. #pin-file = /etc/ocserv/pin.txt
293 #srk-pin-file = /etc/ocserv/srkpin.txt# Only needed if the file is en‐
294 crypted or a PKCS #11 object. This # is an alternative method to
295 pin-file. #key-pin = 1234# This is an alternative method to
296 srk-pin-file. #srk-pin = 1234# client certificates (public keys) if
297 certificate authentication # is set. #ca-cert = /etc/ocserv/ca.pem
298 ca-cert = ../tests/certs/ca.pem
299 All configuration options below this line are reloaded on a SIGHUP.
301 ### The options above, will remain unchanged. Note however, that the
302 ### server-cert, server-key, dh-params and ca-cert options will be
303 reloaded ### if the provided file changes, on server reload. That al‐
304 lows certificate ### rotation, but requires the server key to remain
305 the same for seamless ### operation. If the server key changes on
306 reload, there may be connection ### failures during the reloading
307 time.# system calls allowed to a worker process, in order to reduce
308 damage from a # bug in the worker process. It is available on Linux
309 systems at a performance cost. # The performance cost is roughly 2%
310 overhead at transfer time (tested on a Linux 3.17.8). # Note however,
311 that process isolation is restricted to the specific libc versions #
312 the isolation was tested at. If you get random failures on worker pro‐
313 cesses, try # disabling that option and report the failures you, along
314 with system and debugging # information at: https://gitlab.com/oc‐
315 serv/ocserv/issues isolate-workers = true#banner = "Welcome"#pre-lo‐
316 gin-banner = "Welcome"# that case the maximum value is ~8k clients.
317 #max-clients = 1024 max-clients = 16# multiple times). Unset or set to
318 zero for unlimited. max-same-clients = 2# which supports the proxy pro‐
319 tocol, set this to obtain the correct # client addresses. The proxy
320 protocol would then be expected in # the TCP or UNIX socket (not the
321 UDP one). Although both v1 # and v2 versions of proxy protocol are sup‐
322 ported, the v2 version # is recommended as it is more efficient in
323 parsing. #listen-proxy-proto = true# (X is the provided value), as the
324 secmod backlog grows. This # makes the server more resilient (and pre‐
325 vents connection failures) on # multiple concurrent connections. Set to
326 zero for no limit. rate-limit-ms = 100# worker process will report its
327 usage statistics (number of # bytes transferred etc). This is useful
328 when accounting like # radius is in use. #stats-report-time = 360# pro‐
329 cesses will be reset. These are the statistics shown by cmd # 'occtl
330 show stats'. For daily: 86400, weekly: 604800 # This is unrelated to
331 stats-report-time. server-stats-reset-time = 604800keepalive = 32400#
332 Note that when the client is behind a NAT this value # needs to be
333 short enough to prevent the NAT disassociating # his UDP session from
334 the port number. Otherwise the client # could have his UDP connection
335 stalled, for several minutes. dpd = 90# be higher to prevent such
336 clients being awaken too # often by the DPD messages, and save battery.
337 # The mobile clients are distinguished from the header # 'X-AnyCon‐
338 nect-Identifier-Platform'. mobile-dpd = 1800# many seconds, attempt to
339 send future traffic over the TCP # connection instead, in an attempt to
340 wake up the client # in the case that there is a NAT and the UDP trans‐
341 lation # was deleted. If this is unset, do not attempt to use this #
342 recovery mechanism. switch-to-tcp-timeout = 25try-mtu-discovery =
343 false# higher than your load-balancer health probe interval.
344 #server-drain-ms = 15000# service you may provide a fresh OCSP status
345 response within # the TLS handshake. That will prevent the client from
346 connecting # independently on the OCSP server. # You can update this
347 response periodically using: # ocsptool --ask --load-cert=your_cert
348 --load-issuer=your_ca --outfile response # Make sure that you replace
349 the following file in an atomic way. #ocsp-response = /etc/oc‐
350 serv/ocsp.der# certificate. The object identifier should be part of the
351 certificate's DN # Useful OIDs are: # CN = 2.5.4.3, UID =
352 0.9.2342.19200300.100.1.1, SAN(rfc822name) cert-user-oid =
353 0.9.2342.19200300.100.1.1# client certificate. The object identifier
354 should be part of the certificate's # DN. If the user may belong to
355 multiple groups, then use multiple such fields # in the certificate's
356 DN. Useful OIDs are: # OU (organizational unit) = 2.5.4.11
357 #cert-group-oid = 2.5.4.11# See the manual to generate an empty CRL
358 initially. The CRL will be reloaded # periodically when ocserv detects
359 a change in the file. To force a reload use # SIGHUP. #crl = /etc/oc‐
360 serv/crl.pem#compression = true# That is to allow low-latency for VoIP
361 packets. The default size # is 256 bytes. Modify it if the clients typ‐
362 ically use compression # as well of VoIP with codecs that exceed the
363 default value. #no-compress-limit = 256# as there are no openconnect
364 (and possibly anyconnect clients) using # that protocol. The string be‐
365 low does not enforce perfect forward # secrecy, in order to be compati‐
366 ble with legacy clients. # # Note that the most performant ciphersuites
367 are the moment are the ones # involving AES-GCM. These are very fast in
368 x86 and x86-64 hardware, and # in addition require no padding, thus
369 taking full advantage of the MTU. # For that to be taken advantage of,
370 the openconnect client must be # used, and the server must be compiled
371 against GnuTLS 3.2.7 or later. # Use "gnutls-cli --benchmark-tls-ci‐
372 phers", to see the performance # difference with AES_128_CBC_SHA1 (the
373 default for anyconnect clients) # in your system.
374 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COM‐
376 PAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"# http://gnutls.org/man‐
377 ual/html_node/Priority-Strings.html # E.g., the string below enforces
378 perfect forward secrecy (PFS) # on the main channel. #tls-priorities =
379 "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"# ci‐
380 pher as the primary TLS channel. This cannot be combined with # lis‐
381 ten-clear-file since the ciphersuite information is not available # in
382 that configuration. Note also, that this option implies that #
383 dtls-legacy option is false; this option cannot be enforced # in the
384 legacy/compat protocol. #match-tls-dtls-ciphers = true# to authentica‐
385 tion auth-timeout = 240# before being disconnected. Unset to disable.
386 #idle-timeout = 1200# Unset to disable. When set a client will be dis‐
387 connected after being # continuously connected for this amount of time,
388 and its cookies will # be invalidated (i.e., re-authentication will be
389 required). #session-timeout = 86400# traffic) before being discon‐
390 nected. Unset to disable. #mobile-idle-timeout = 2400# a failed authen‐
391 tication attempt. min-reauth-time = 300# that get a score over that
392 configured number are banned for # min-reauth-time seconds. By default
393 a wrong password attempt is 10 points, # a KKDCP POST is 1 point, and a
394 connection is 1 point. Note that # due to difference processes being
395 involved the count of points # will not be real-time precise. # # Score
396 banning cannot be reliably used when receiving proxied connections #
397 locally from an HTTP server (i.e., when listen-clear-file is used). # #
398 Set to zero to disable. max-ban-score = 80ban-reset-time =
399 1200#ban-points-wrong-password = 10 #ban-points-connection = 1
400 #ban-points-kkdcp = 1# Once a client is authenticated he's provided a
401 cookie with # which he can reconnect. That cookie will be invalidated
402 if not # used within this timeout value. This cookie remains valid,
403 during # the user's connected time, and after user disconnection it #
404 remains active for this amount of time. That setting should allow a #
405 reasonable amount of time for roaming between different networks.
406 cookie-timeout = 300# valid even after a user manually disconnects, and
407 until they # expire. This may improve roaming with some broken clients.
408 #persistent-cookies = true# restricted to a single IP address and can‐
409 not be re-used # from a different IP. deny-roaming = false# ocserv will
410 ask the client to refresh keys periodically once # this amount of sec‐
411 onds is elapsed. Set to zero to disable (note # that, some clients fail
412 if rekey is disabled). rekey-time = 172800# Valid options: ssl,
413 new-tunnel # ssl: Will perform an efficient rehandshake on the channel
414 allowing # a seamless connection during rekey. # new-tunnel: Will in‐
415 struct the client to discard and re-establish the channel. # Use this
416 option only if the connecting clients have issues with the ssl # op‐
417 tion. rekey-method = ssl# The following parameters are passed on the
418 environment. # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the
419 real IP of the client), # REMOTE_HOSTNAME (the remotely advertised
420 hostname), IP_REAL_LOCAL # (the local interface IP the client con‐
421 nected), IP_LOCAL # (the local IP in the P-t-P connection), IP_REMOTE
422 (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if
423 there are both IPv4 and IPv6 # assigned), IPV6_REMOTE (the IPv6 remote
424 address), IPV6_PREFIX, and # ID (a unique numeric ID); REASON may be
425 "connect" or "disconnect". # In addition the following variables OC‐
426 SERV_ROUTES (the applied routes for this # client), OCSERV_NO_ROUTES,
427 OCSERV_DNS (the DNS servers for this client), # will contain a space
428 separated list of routes or DNS servers. A version # of these variables
429 with the 4 or 6 suffix will contain only the IPv4 or # IPv6 values. The
430 connect script must return zero as exit code, or the # client connec‐
431 tion will be refused.# STATS_BYTES_OUT, STATS_DURATION that contain a
432 64-bit counter of the bytes # output from the tun device, and the dura‐
433 tion of the session in seconds.#disconnect-script = /usr/bin/myscript#
434 available. It will contain REASON with "host-update" value and the #
435 variable REMOTE_HOSTNAME in addition to the connect variables.# Regis‐
436 ter the connected clients to utmp. This will allow viewing # the con‐
437 nected clients using the command 'who'. #use-utmp = true# or via a unix
438 socket). use-occtl = truepid-file = /var/run/ocserv.pid# All messages
439 at the configure level and lower will be displayed. # Supported levels
440 (default 0) # 0 default (Same as basic) # 1 basic # 2 info # 3 debug #
441 4 http # 8 sensitive # 9 TLS log-level = 1# be sent. That is a number
442 from 0 to 6 with 0 being the lowest # priority. Alternatively this can
443 be used to set the IP Type- # Of-Service, by setting it to a hexadeci‐
444 mal number (e.g., 0x20). # This can be set per user/group or globally.
445 #net-priority = 3# specific and can be set per user/group or globally.
446 #cgroup = "cpuset,cpu:test"#device = vpns# same for the same user when
447 possible. predictable-ips = true# openconnect clients) can be provided
448 in a space separated list. default-domain = example.com #default-domain
449 = "example.com one.example.com"# are given via Radius, or via the ex‐
450 plicit-ip? per-user config option then # these network values should
451 contain a network with at least a single # address that will remain un‐
452 der the full control of ocserv (that is # to be able to assign the lo‐
453 cal part of the tun device address). # Note that, you could use ad‐
454 dresses from a subnet of your LAN network if you # enable proxy arp in
455 the LAN interface http://ocserv.gitlab.io/www/recipes-oc‐
456 serv-pseudo-bridge.html; # in that case it is recommended to set
457 ping-leases to true. ipv4-network = 192.168.1.0 ipv4-netmask =
458 255.255.255.0#ipv4-network = 192.168.1.0/24#ipv6-network =
459 fda9:4efe:7e3b:03ea::/48# generally recommended to provide clients with
460 a /64 network in # IPv6, but any subnet may be specified. To provide
461 clients only # with a single IP use the prefix 128. #ipv6-subnet-prefix
462 = 128 #ipv6-subnet-prefix = 64# when a default route is set. #tun‐
463 nel-all-dns = true# multiple servers. # dns = fc00::4be0 dns =
464 192.168.1.2#nbns = 192.168.1.3# multiple lines for multiple domains.
465 #split-dns = example.com# it is not in use by another (unrelated to
466 this server) host. # Only set to true, if there can be occupied ad‐
467 dresses in the # IP range for leases. ping-leases = false# connections.
468 Unset to use the default MTU of the TUN device. # Note that the MTU is
469 negotiated using the value set and the # value sent by the peer. #mtu =
470 1420# setting here is global, but can also be set per user or per
471 group. #rx-data-per-sec = 40000 #tx-data-per-sec = 40000# the output
472 buffer. The default is low to improve latency. # Setting it higher will
473 improve throughput. #output-buffer = 10# client to forward routes to
474 the server, you may use the # config-per-user/group or even connect and
475 disconnect scripts. # # To set the server as the default gateway for
476 the client just # comment out all routes from the server, or use the
477 special keyword # 'default'.
478 route = 10.10.10.0/255.255.255.0 route = 192.168.0.0/255.255.0.0 #route
480 = fef4:db8:1000:1001::/64 #route = default# the server.
481 no-route = 192.168.5.0/255.255.255.0# in Linux systems with iptables
483 software.# the user to its allowed routes and prevent him from access‐
484 ing # any other routes. In case of defaultroute, the no-routes are re‐
485 stricted. # All the routes applied by ocserv can be reverted using
486 /usr/bin/ocserv-fw # --removeall. This option can be set globally or in
487 the per-user configuration. #restrict-user-to-routes = true# script
488 /usr/bin/ocserv-fw will be called to restrict the user to # access spe‐
489 cific ports in the network. This option can be set globally # or in the
490 per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80),
491 udp(443), sctp(99), tcp(583), icmp(), icmpv6()"#restrict-user-to-ports
492 = "!(tcp(443), tcp(80))"# connecting clients except for the ones offer‐
493 ing them. This option # only makes sense if config-per-user is set.
494 #expose-iroutes = true# A client may belong in multiple groups, and in
495 certain use-cases # it is needed to switch between them. For these
496 cases the client can # select prior to authentication. Add multiple en‐
497 tries for multiple groups. # The group may be followed by a
498 user-friendly name in brackets. #select-group = group1 #select-group =
499 group2[My special group]# to its default group. #default-select-group =
500 DEFAULT# ocserv to scan all available groups and include the full list.
501 #auto-select-group = true# per group. Each file name on these directo‐
502 ries must match the username # or the groupname. # The options allowed
503 in the configuration files are dns, nbns, # ipv?-network, ipv4-netmask,
504 rx/tx-data-per-sec, iroute, route, no-route, # explicit-ipv4, ex‐
505 plicit-ipv6, net-priority, deny-roaming, no-udp, # keepalive, dpd, mo‐
506 bile-dpd, max-same-clients, tunnel-all-dns, # restrict-user-to-routes,
507 cgroup, stats-report-time, # mtu, idle-timeout, mobile-idle-timeout,
508 restrict-user-to-ports, # split-dns and session-timeout. # # Note that
509 the 'iroute' option allows one to add routes on the server # based on a
510 user or group. The syntax depends on the input accepted # by the com‐
511 mands route-add-cmd and route-del-cmd (see below). The no-udp # is a
512 boolean option (e.g., no-udp = true), and will prevent a UDP session #
513 for that specific user or group. The hostname option will set a # host‐
514 name to override any proposed by the user. Note also, that, any #
515 routes, no-routes, DNS or NBNS servers present will overwrite the
516 global ones.#config-per-group = /etc/ocserv/config-per-group/# matches,
517 then utilize the following configuration. #default-user-config =
518 /etc/ocserv/defaults/user.conf #default-group-config = /etc/ocserv/de‐
519 faults/group.conf# route/mask, %{RI} with the route in CIDR format, and
520 %{D} with the (tun) device. # # The following example is from linux
521 systems. %{R} should be something # like 192.168.2.0/255.255.255.0 and
522 %{RI} 192.168.2.0/24 (the argument of iroute).#route-del-cmd = "ip
523 route delete %{R} dev %{D}"# and '%{G}', if present will be replaced by
524 the username and group name. #proxy-url = http://example.com/
525 #proxy-url = http://example.com/%{U}/# post using MS-KKDCP, and the
526 message will be forwarded to the provided # KDC server. That is a
527 translation URL between HTTP and Kerberos. # In MIT kerberos you'll
528 need to add in realms: # EXAMPLE.COM = { # kdc = https://ocserv.exam‐
529 ple.com/KdcProxy # http_anchors = FILE:/etc/ocserv-ca.pem # } # In some
530 distributions the krb5-k5tls plugin of kinit is required. # # The fol‐
531 lowing option is available in ocserv, when compiled with GSSAPI sup‐
532 port.#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" #kkdcp =
533 "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" #kkdcp = "/KdcProxy KER‐
534 BEROS.REALM tcp@[::1]:88"# to the client. A minimal file can be: #
535 <?xml version="1.0" encoding="UTF-8"?> # # # Other fields may be used
536 by some of the CISCO clients. # This file must be accessible from in‐
537 side the worker's chroot. # Note that: # (1) enabling this option is
538 not recommended as it will allow the # worker processes to open arbi‐
539 trary files (when isolate-workers is # set to true). # (2) This option
540 cannot be set per-user or per-group; only the global # version is being
541 sent to client. #user-profile = profile.xml# compatibility.# will not
542 require clients to present their certificate on every TLS # connection.
543 It must be set to true to support legacy CISCO clients # and opencon‐
544 nect clients < 7.08. When set to true, it implies dtls-legacy = true.
545 cisco-client-compat = true# The DTLS-PSK negotiation was introduced in
546 ocserv 0.11.5 to deprecate # the pre-draft-DTLS negotiation inherited
547 from AnyConnect. It allows the # DTLS channel to negotiate its ciphers
548 and the DTLS protocol version. #dtls-psk = false# but that may change
549 in the future). # The legacy DTLS uses a pre-draft version of the DTLS
550 protocol and was # from AnyConnect protocol. It has several limita‐
551 tions, that are addressed # by the dtls-psk protocol supported by open‐
552 connect 7.08+. dtls-legacy = true# If the server has not configured an
553 IPv6 or IPv4 address pool, enabling this option # will instruct the
554 client to bypass the server for that IP protocol. The option is # cur‐
555 rently only understood by Anyconnect clients. client-bypass-protocol =
556 false# authentication and prior to VPN tunnel establishment. You
557 shouldn't # need to use this option normally; if you do and you think
558 that # this may help others, please send your settings and reason to #
559 the openconnect mailing list. The special keywords '%{U}' # and '%{G}',
560 if present will be replaced by the username and group name. #cus‐
561 tom-header = "X-My-Header: hi there"# by this server.
562 [vhost:www.example.com] auth = "certificate"
564 ca-cert = ../tests/certs/ca.pem# the virtual host name.
566 server-cert = ../tests/certs/server-cert-secp521r1.pem server-key =
568 ../tests/certs/server-key-secp521r1.pem
569 ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0
571 cert-user-oid = 0.9.2342.19200300.100.1.1 ```
573
575 occtl(8), ocpasswd(8), openconnect(8)
576
578 Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights
579 reserved. This program is released under the terms of the GNU General
580 Public License, version 2.
581
583 Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
584 May 2021 OCSERV(8)