1OCSERV(8) System Manager's Manual OCSERV(8)
2
6 ocserv - OpenConnect VPN server
7
9 ocserv options -c [config]
10 OpenConnect VPN server (ocserv) is a VPN server compatible with the
12 OpenConnect VPN client. It follows the AnyConnect VPN protocol which is
13 used by several CISCO routers.
14
16 This a standalone server that reads a configuration file (see below for
17 more details), and waits for client connections. Log messages are redi‐
18 rected to daemon facility.
19 The server maintains two connections/channels with the client. The main
21 VPN channel is established over TCP, HTTP and TLS. This is the control
22 channel as well as the backup data channel. After its establishment a
23 UDP channel using DTLS is initiated which serves as the main data chan‐
24 nel. If the UDP channel fails to establish or is temporarily unavail‐
25 able the backup channel over TCP/TLS is being used.
26 This server supports multiple authentication methods, including PAM and
28 certificate authentication. Authenticated users are assigned an unpriv‐
29 ileged worker process and obtain a networking (tun) device and an IP
30 from a configurable pool of addresses.
31 Once authenticated, the server provides the client with an IP address
33 and a list of routes that it may access. In order to allow high-speed
34 transfers the server does not process or filter packets. It is expected
35 that the server has or will set up any required routes or firewall
36 rules.
37 It is possible to separate users into groups, which are either present
39 on their certificate, or presented on login for the user to choose.
40 That way a user may take advantage of the different settings that may
41 apply per group. See the comments on the configuration file for more
42 information.
43 It is also possible to run hostname-based virtual servers which could
45 support different authentication methods. When multiple virtual servers
46 are present clients are distinguished by the advertised server name
47 over TLS (SNI). Clients which do not support or sent SNI, are directed
48 to the default server.
49
51 -f, --foreground:
52 Do not fork server into background.
53 -d, --debug=num:
55 Enable verbose network debugging information. num must be be‐
56 tween zero and 9999.
57 -c, --config=FILE:
59 Specify the configuration file for the server.
60 -t, --test-config:
62 Test the provided configuration file and exit. A successful exit
63 error code indicates a valid configuration.
64 -p, --pid-file=FILE:
66 Specify a PID file for the server.
67 -h, --help:
69 Display usage information and exit.
70 -v, --version:
72 Output version of program and exit.
73
75 Users can be authenticated in multiple ways, which are explained in the
76 following paragraphs. Connected users can be managed using the occtl
77 tool.
78 Password authentication
80 If your system supports Pluggable Authentication Modules (PAM), then
81 ocserv will take advantage of it to password authenticate its users.
82 Otherwise a plain password file similar to the UNIX password file is
83 also supported. In that case the ´ocpasswd´ tool can be used for its
84 management. Note that password authentication can be used in conjunc‐
85 tion with certificate authentication.
86 GSSAPI authentication
88 ocserv will take advantage of the MIT Kerberos project GSSAPI li‐
89 braries, and allow authentication using any method GSSAPI supports.
90 That is, mainly, Kerberos authentication. That is often more useful to
91 be combined with PAM or other password authentication methods so that a
92 fallback mechanism can be used when GSSAPI fails (e.g., when the user
93 doesn´t already have a Kerberos ticket). The GSSAPI authentication is
94 implemented using SPNEGO over HTTP (RFC4559).
95 Public key (certificate) authentication
97 Public key authentication allows the user to be authenticated by the
98 possession of the private key that corresponds to a known to the server
99 public key. That allows the usage of common smart cards for user au‐
100 thentication.
101 In ocserv, a certificate authority (CA) is used to sign the client cer‐
103 tificates. That certificate authority can be local, used only by the
104 server to sign its user´s known public keys which are then given to
105 users in a form of certificates. That authority need also provide a CRL
106 to allow the server to reject the revoked clients (see ca-cert, crl).
107 In certificate authentication each client presents a certificate and
109 signs data provided by the server, as part of TLS authentication, to
110 prove his possession of the corresponding private key. The certificate
111 need also contain user identifying information, for example, the user
112 ID of the client must be embedded in the certificate´s Distinguished
113 Name (DN), i.e., in the Common Name, or UID fields. For the server to
114 read the name, the cert-user-oid configuration option must be set.
115 The following examples demonstrate how to use certtool from GnuTLS to
117 generate such CA.
118 Generating the CA
120 $ certtool --generate-privkey --outfile ca-key.pem
121 $ cat << _EOF_ >ca.tmpl
122 cn = "VPN CA"
123 organization = "Big Corp"
124 serial = 1
125 expiration_days = -1
126 ca
127 signing_key
128 cert_signing_key
129 crl_signing_key
130 _EOF_
131 $ certtool --generate-self-signed --load-privkey ca-key.pem \
133 --template ca.tmpl --outfile ca-cert.pem
134 Generating a local server certificate
136 The following example generates the server key and certificate pair.
137 The key generated is an RSA one, but different types can be used by
138 specifying the ´ecdsa´ or ´dsa´ options to certtool.
139 $ certtool --generate-privkey --outfile server-key.pem
142 $ cat << _EOF_ >server.tmpl
143 cn = "VPN server"
144 dns_name = "www.example.com"
145 dns_name = "vpn1.example.com"
146 #ip_address = "1.2.3.4"
147 organization = "MyCompany"
148 expiration_days = -1
149 signing_key
150 encryption_key #only if the generated key is an RSA one
151 tls_www_server
152 _EOF_
153 $ certtool --generate-certificate --load-privkey server-key.pem \
155 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
156 --template server.tmpl --outfile server-cert.pem
157 From this point the clients need ca-cert.pem to be able to securely
161 connect to the server.
162 Note that it is a better practice to use two separate RSA keys, one
164 with the signing_key option and another with the encryption_key.
165 Generating an external CA-signed server certificate
167 $ certtool --generate-privkey --outfile server-key.pem
168 $ cat << _EOF_ >server.tmpl
169 cn = "My server"
170 dns_name = "www.example.com"
171 organization = "MyCompany"
172 expiration_days = -1
173 signing_key
174 encryption_key #only if the generated key is an RSA one
175 tls_www_server
176 _EOF_
177 $ certtool --generate-request --load-privkey server-key.pem \
178 --template server.tmpl --outfile server-cert.csr
179 At this point you need to provide the server-cert.csr to your CA, and
181 they will send you the server certificate.
182 Generating the client certificates
184 Note that it is recommended to leave detailed personal information out
185 of the certificate as it is sent in clear during TLS authentication.
186 The following process generates a certificate and converts it to PKCS
187 #12 that is protected by a PIN and most clients are able to import (the
188 3DES cipher is used in the example because it is supported by far more
189 devices than AES).
190 $ certtool --generate-privkey --outfile user-key.pem
193 $ cat << _EOF_ >user.tmpl
194 cn = "user"
195 unit = "admins"
196 expiration_days = 365
197 signing_key
198 tls_www_client
199 _EOF_
200 $ certtool --generate-certificate --load-privkey user-key.pem \
201 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
202 --template user.tmpl --outfile user-cert.pem
203 $ certtool --to-p12 --load-privkey user-key.pem \
205 --pkcs-cipher 3des-pkcs12 \
206 --load-certificate user-cert.pem \
207 --outfile user.p12 --outder
208 Revoking a client certificate
212 To revoke the previous client certificate, i.e., preventing the user
213 from accessing the VPN resources prior to its certificate expiration,
214 use:
215 $ cat << _EOF_ >crl.tmpl
218 crl_next_update = 365
219 crl_number = 1
220 _EOF_
221 $ cat user-cert.pem >>revoked.pem
222 $ certtool --generate-crl --load-ca-privkey ca-key.pem \
223 --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
224 --template crl.tmpl --outfile crl.pem
225 After that you may want to notify ocserv of the new CRL by using the
229 HUP signal, or wait for it to reload it.
230 When there are no revoked certificates an empty revocation list should
232 be generated as follows.
233 $ certtool --generate-crl --load-ca-privkey ca-key.pem \
236 --load-ca-certificate ca-cert.pem \
237 --template crl.tmpl --outfile crl.pem
238
242 Note that while this server utilizes privilege separation and all au‐
243 thentication occurs on the security module, this does not apply for TLS
244 client certificate authentication. That is due to TLS protocol limita‐
245 tion.
246
248 In certain setups, where a firewall may be blocking ICMP responses,
249 setting the MSS of TCP connections to MTU will eliminate the "black
250 hole" connection issues. See http://lartc.org/howto/lartc.cook‐
251 book.mtu-mss.html for instructions to enable it on a Linux system.
252
254 ocserv´s configuration file format
255 By default, if no other file is specified, ocserv looks for its config‐
256 uration file at /etc/ocserv/ocserv.conf. An example configuration file
257 follows.
258 ### The following directives do not change with server reload.
261 # User authentication method. To require multiple methods to be
263 # used for the user to login, add multiple auth directives. The values
264 # in the ´auth´ directive are AND composed (if multiple all must
265 # succeed).
266 # Available options: certificate, plain, pam, radius, gssapi.
267 # Note that authentication methods utilizing passwords cannot be
268 # combined (e.g., the plain, pam or radius methods).
269 # certificate:
271 # This indicates that all connecting users must present a certificate.
272 # The username and user group will be then extracted from it (see
273 # cert-user-oid and cert-group-oid). The certificate to be accepted
274 # it must be signed by the CA certificate as specified in ´ca-cert´ and
275 # it must not be listed in the CRL, as specified by the ´crl´ option.
276 #
277 # pam[gid-min=1000]:
278 # This enabled PAM authentication of the user. The gid-min option is used
279 # by auto-select-group option, in order to select the minimum valid group ID.
280 #
281 # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
282 # The plain option requires specifying a password file which contains
283 # entries of the following format.
284 # "username:groupname1,groupname2:encoded-password"
285 # One entry must be listed per line, and ´ocpasswd´ should be used
286 # to generate password entries. The ´otp´ suboption allows one to specify
287 # an oath password file to be used for one time passwords; the format of
288 # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
289 #
290 # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
291 # The radius option requires specifying freeradius-client configuration
292 # file. If the groupconfig option is set, then config-per-user/group will be overridden,
293 # and all configuration will be read from radius. That also includes the
294 # Acct-Interim-Interval, and Session-Timeout values.
295 #
296 # See doc/README-radius.md for the supported radius configuration attributes.
297 #
298 # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
299 # The gssapi option allows one to use authentication methods supported by GSSAPI,
300 # such as Kerberos tickets with ocserv. It should be best used as an alternative
301 # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
302 # tickets and without tickets to login. The default value for require-local-user-map
303 # is true. The ´tgt-freshness-time´ if set, it would require the TGT tickets presented
304 # to have been issued within the provided number of seconds. That option is used to
305 # restrict logins even if the KDC provides long time TGT tickets.
306 #auth = "pam"
308 #auth = "pam[gid-min=1000]"
309 #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
310 auth = "plain[passwd=./sample.passwd]"
311 #auth = "certificate"
312 #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
313 # Specify alternative authentication methods that are sufficient
315 # for authentication. That is, if set, any of the methods enabled
316 # will be sufficient to login, irrespective of the main ´auth´ entries.
317 # When multiple options are present, they are OR composed (any of them
318 # succeeding allows login).
319 #enable-auth = "certificate"
320 #enable-auth = "gssapi"
321 #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
322 # Accounting methods available:
324 # radius: can be combined with any authentication method, it provides
325 # radius accounting to available users (see also stats-report-time).
326 #
327 # pam: can be combined with any authentication method, it provides
328 # a validation of the connecting user´s name using PAM. It is
329 # superfluous to use this method when authentication is already
330 # PAM.
331 #
332 # Only one accounting method can be specified.
333 #acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
334 # Use listen-host to limit to specific IPs or to the IPs of a provided
336 # hostname.
337 #listen-host = [IP|HOSTNAME]
338 # Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
340 # hostname. if not set, listen-host will be used
341 #udp-listen-host = [IP|HOSTNAME]
342 # When the server has a dynamic DNS address (that may change),
344 # should set that to true to ask the client to resolve again on
345 # reconnects.
346 #listen-host-is-dyndns = true
347 # move the listen socket within the specified network namespace
349 # listen-netns = "foo"
350 # TCP and UDP port number
352 tcp-port = 443
353 udp-port = 443
354 # The user the worker processes will be run as. This should be a dedicated
356 # unprivileged user (e.g., ´ocserv´) and no other services should run as this
357 # user.
358 run-as-user = nobody
359 run-as-group = daemon
360 # socket file used for IPC with occtl. You only need to set that,
362 # if you use more than a single servers.
363 #occtl-socket-file = /var/run/occtl.socket
364 # socket file used for server IPC (worker-main), will be appended with .PID
366 # It must be accessible within the chroot environment (if any), so it is best
367 # specified relatively to the chroot directory.
368 socket-file = /var/run/ocserv-socket
369 # The default server directory. Does not require any devices present.
371 #chroot-dir = /var/lib/ocserv
372 # The key and the certificates of the server
374 # The key may be a file, or any URL supported by GnuTLS (e.g.,
375 # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
376 # or pkcs11:object=my-vpn-key;object-type=private)
377 #
378 # The server-cert file may contain a single certificate, or
379 # a sorted certificate chain.
380 # There may be multiple server-cert and server-key directives,
381 # but each key should correspond to the preceding certificate.
382 # The certificate files will be reloaded when changed allowing for in-place
383 # certificate renewal (they are checked and reloaded periodically;
384 # a SIGHUP signal to main server will force reload).
385 #server-cert = /etc/ocserv/server-cert.pem
387 #server-key = /etc/ocserv/server-key.pem
388 server-cert = ../tests/certs/server-cert.pem
389 server-key = ../tests/certs/server-key.pem
390 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
392 # versions of GnuTLS for supporting DHE ciphersuites.
393 # Can be generated using:
394 # certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
395 #dh-params = /etc/ocserv/dh.pem
396 # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
398 # in files. The srk-pin-file is applicable to TPM keys only, and is the
399 # storage root key.
400 #pin-file = /etc/ocserv/pin.txt
401 #srk-pin-file = /etc/ocserv/srkpin.txt
402 # The password or PIN needed to unlock the key in server-key file.
404 # Only needed if the file is encrypted or a PKCS #11 object. This
405 # is an alternative method to pin-file.
406 #key-pin = 1234
407 # The SRK PIN for TPM.
409 # This is an alternative method to srk-pin-file.
410 #srk-pin = 1234
411 # The Certificate Authority that will be used to verify
413 # client certificates (public keys) if certificate authentication
414 # is set.
415 #ca-cert = /etc/ocserv/ca.pem
416 ca-cert = ../tests/certs/ca.pem
417 # The number of sub-processes to use for the security module (authentication)
419 # processes. Typically this should not be set as the number of processes
420 # is determined automatically by the initially set maximum number of clients.
421 #sec-mod-scale = 4
422 ### All configuration options below this line are reloaded on a SIGHUP.
426 ### The options above, will remain unchanged. Note however, that the
427 ### server-cert, server-key, dh-params and ca-cert options will be reloaded
428 ### if the provided file changes, on server reload. That allows certificate
429 ### rotation, but requires the server key to remain the same for seamless
430 ### operation. If the server key changes on reload, there may be connection
431 ### failures during the reloading time.
432 # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
435 # system calls allowed to a worker process, in order to reduce damage from a
436 # bug in the worker process. It is available on Linux systems at a performance cost.
437 # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
438 # Note however, that process isolation is restricted to the specific libc versions
439 # the isolation was tested at. If you get random failures on worker processes, try
440 # disabling that option and report the failures you, along with system and debugging
441 # information at: https://gitlab.com/ocserv/ocserv/issues
442 isolate-workers = true
443 # A banner to be displayed on clients after connection
445 #banner = "Welcome"
446 # A banner to be displayed on clients before connection
448 #pre-login-banner = "Welcome"
449 # Limit the number of clients. Unset or set to zero if unknown. In
451 # that case the maximum value is ~8k clients.
452 #max-clients = 1024
453 max-clients = 16
454 # Limit the number of identical clients (i.e., users connecting
456 # multiple times). Unset or set to zero for unlimited.
457 max-same-clients = 2
458 # When the server receives connections from a proxy, like haproxy
460 # which supports the proxy protocol, set this to obtain the correct
461 # client addresses. The proxy protocol would then be expected in
462 # the TCP or UNIX socket (not the UDP one). Although both v1
463 # and v2 versions of proxy protocol are supported, the v2 version
464 # is recommended as it is more efficient in parsing.
465 #listen-proxy-proto = true
466 # Rate limit the number of incoming connections to one every X milliseconds
468 # (X is the provided value), as the secmod backlog grows. This
469 # makes the server more resilient (and prevents connection failures) on
470 # multiple concurrent connections. Set to zero for no limit.
471 rate-limit-ms = 100
472 # Stats report time. The number of seconds after which each
474 # worker process will report its usage statistics (number of
475 # bytes transferred etc). This is useful when accounting like
476 # radius is in use.
477 #stats-report-time = 360
478 # Stats reset time. The period of time statistics kept by main/sec-mod
480 # processes will be reset. These are the statistics shown by cmd
481 # ´occtl show stats´. For daily: 86400, weekly: 604800
482 # This is unrelated to stats-report-time.
483 server-stats-reset-time = 604800
484 # Keepalive in seconds
486 keepalive = 32400
487 # Dead peer detection in seconds.
489 # Note that when the client is behind a NAT this value
490 # needs to be short enough to prevent the NAT disassociating
491 # his UDP session from the port number. Otherwise the client
492 # could have his UDP connection stalled, for several minutes.
493 dpd = 90
494 # Dead peer detection for mobile clients. That needs to
496 # be higher to prevent such clients being awaken too
497 # often by the DPD messages, and save battery.
498 # The mobile clients are distinguished from the header
499 # ´X-AnyConnect-Identifier-Platform´.
500 mobile-dpd = 1800
501 # If using DTLS, and no UDP traffic is received for this
503 # many seconds, attempt to send future traffic over the TCP
504 # connection instead, in an attempt to wake up the client
505 # in the case that there is a NAT and the UDP translation
506 # was deleted. If this is unset, do not attempt to use this
507 # recovery mechanism.
508 switch-to-tcp-timeout = 25
509 # MTU discovery (DPD must be enabled)
511 try-mtu-discovery = false
512 # To enable load-balancer connection draining, set server-drain-ms to a value
514 # higher than your load-balancer health probe interval.
515 #server-drain-ms = 15000
516 # If you have a certificate from a CA that provides an OCSP
518 # service you may provide a fresh OCSP status response within
519 # the TLS handshake. That will prevent the client from connecting
520 # independently on the OCSP server.
521 # You can update this response periodically using:
522 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
523 # Make sure that you replace the following file in an atomic way.
524 #ocsp-response = /etc/ocserv/ocsp.der
525 # The object identifier that will be used to read the user ID in the client
527 # certificate. The object identifier should be part of the certificate´s DN
528 # Useful OIDs are:
529 # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
530 cert-user-oid = 0.9.2342.19200300.100.1.1
531 # The object identifier that will be used to read the user group in the
533 # client certificate. The object identifier should be part of the certificate´s
534 # DN. If the user may belong to multiple groups, then use multiple such fields
535 # in the certificate´s DN. Useful OIDs are:
536 # OU (organizational unit) = 2.5.4.11
537 #cert-group-oid = 2.5.4.11
538 # The revocation list of the certificates issued by the ´ca-cert´ above.
540 # See the manual to generate an empty CRL initially. The CRL will be reloaded
541 # periodically when ocserv detects a change in the file. To force a reload use
542 # SIGHUP.
543 #crl = /etc/ocserv/crl.pem
544 # Uncomment this to enable compression negotiation (LZS, LZ4).
546 #compression = true
547 # Set the minimum size under which a packet will not be compressed.
549 # That is to allow low-latency for VoIP packets. The default size
550 # is 256 bytes. Modify it if the clients typically use compression
551 # as well of VoIP with codecs that exceed the default value.
552 #no-compress-limit = 256
553 # GnuTLS priority string; note that SSL 3.0 is disabled by default
555 # as there are no openconnect (and possibly anyconnect clients) using
556 # that protocol. The string below does not enforce perfect forward
557 # secrecy, in order to be compatible with legacy clients.
558 #
559 # Note that the most performant ciphersuites are the moment are the ones
560 # involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
561 # in addition require no padding, thus taking full advantage of the MTU.
562 # For that to be taken advantage of, the openconnect client must be
563 # used, and the server must be compiled against GnuTLS 3.2.7 or later.
564 # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
565 # difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
566 # in your system.
567 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
569 # More combinations in priority strings are available, check
571 # http://gnutls.org/manual/html_node/Priority-Strings.html
572 # E.g., the string below enforces perfect forward secrecy (PFS)
573 # on the main channel.
574 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
575 # That option requires the established DTLS channel to use the same
577 # cipher as the primary TLS channel.Note also, that this option implies
578 # that the dtls-legacy option is false; this option cannot be enforced
579 # in the legacy/compat protocol.
580 #match-tls-dtls-ciphers = true
581 # The time (in seconds) that a client is allowed to stay connected prior
583 # to authentication
584 auth-timeout = 240
585 # The time (in seconds) that a client is allowed to stay idle (no traffic)
587 # before being disconnected. Unset to disable.
588 #idle-timeout = 1200
589 # The time (in seconds) that a client is allowed to stay connected
591 # Unset to disable. When set a client will be disconnected after being
592 # continuously connected for this amount of time, and its cookies will
593 # be invalidated (i.e., re-authentication will be required).
594 #session-timeout = 86400
595 # The time (in seconds) that a mobile client is allowed to stay idle (no
597 # traffic) before being disconnected. Unset to disable.
598 #mobile-idle-timeout = 2400
599 # The time (in seconds) that a client is not allowed to reconnect after
601 # a failed authentication attempt.
602 min-reauth-time = 300
603 # Banning clients in ocserv works with a point system. IP addresses
605 # that get a score over that configured number are banned for
606 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
607 # a KKDCP POST is 1 point, and a connection is 1 point. Note that
608 # due to different processes being involved the count of points
609 # will not be real-time precise. Local subnet IPs are exempt to allow
610 # services that check for process health.
611 #
612 # Set to zero to disable.
613 max-ban-score = 80
614 # The time (in seconds) that all score kept for a client is reset.
616 ban-reset-time = 1200
617 # In case you´d like to change the default points.
619 #ban-points-wrong-password = 10
620 #ban-points-connection = 1
621 #ban-points-kkdcp = 1
622 # Cookie timeout (in seconds)
624 # Once a client is authenticated he´s provided a cookie with
625 # which he can reconnect. That cookie will be invalidated if not
626 # used within this timeout value. This cookie remains valid, during
627 # the user´s connected time, and after user disconnection it
628 # remains active for this amount of time. That setting should allow a
629 # reasonable amount of time for roaming between different networks.
630 cookie-timeout = 300
631 # If this is enabled (not recommended) the cookies will stay
633 # valid even after a user manually disconnects, and until they
634 # expire. This may improve roaming with some broken clients.
635 #persistent-cookies = true
636 # Whether roaming is allowed, i.e., if true a cookie is
638 # restricted to a single IP address and cannot be re-used
639 # from a different IP.
640 deny-roaming = false
641 # ReKey time (in seconds)
643 # ocserv will ask the client to refresh keys periodically once
644 # this amount of seconds is elapsed. Set to zero to disable (note
645 # that, some clients fail if rekey is disabled).
646 rekey-time = 172800
647 # ReKey method
649 # Valid options: ssl, new-tunnel
650 # ssl: Will perform an efficient rehandshake on the channel allowing
651 # a seamless connection during rekey.
652 # new-tunnel: Will instruct the client to discard and re-establish the channel.
653 # Use this option only if the connecting clients have issues with the ssl
654 # option.
655 rekey-method = ssl
656 # Script to call when a client connects and obtains an IP.
658 # The following parameters are passed on the environment.
659 # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
660 # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
661 # (the local interface IP the client connected), IP_LOCAL
662 # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
663 # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
664 # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
665 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
666 # In addition the following variables OCSERV_ROUTES (the applied routes for this
667 # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
668 # will contain a space separated list of routes or DNS servers. A version
669 # of these variables with the 4 or 6 suffix will contain only the IPv4 or
670 # IPv6 values. The connect script must return zero as exit code, or the
671 # client connection will be refused.
672 # The disconnect script will receive the additional values: STATS_BYTES_IN,
674 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
675 # output from the tun device, and the duration of the session in seconds.
676 #connect-script = /usr/bin/myscript
678 #disconnect-script = /usr/bin/myscript
679 # This script is to be called when the client´s advertised hostname becomes
681 # available. It will contain REASON with "host-update" value and the
682 # variable REMOTE_HOSTNAME in addition to the connect variables.
683 #host-update-script = /usr/bin/myhostnamescript
685 # UTMP
687 # Register the connected clients to utmp. This will allow viewing
688 # the connected clients using the command ´who´.
689 #use-utmp = true
690 # Whether to enable support for the occtl tool (i.e., either through D-BUS,
692 # or via a unix socket).
693 use-occtl = true
694 # PID file. It can be overridden in the command line.
696 pid-file = /var/run/ocserv.pid
697 # Log Level. It can be overridden in the command line with the -d option.
699 # All messages at the configure level and lower will be displayed.
700 # Supported levels (default 0)
701 # 0 default (Same as basic)
702 # 1 basic
703 # 2 info
704 # 3 debug
705 # 4 http
706 # 8 sensitive
707 # 9 TLS
708 log-level = 1
709 # Set the protocol-defined priority (SO_PRIORITY) for packets to
711 # be sent. That is a number from 0 to 6 with 0 being the lowest
712 # priority. Alternatively this can be used to set the IP Type-
713 # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
714 # This can be set per user/group or globally.
715 #net-priority = 3
716 # Set the VPN worker process into a specific cgroup. This is Linux
718 # specific and can be set per user/group or globally.
719 #cgroup = "cpuset,cpu:test"
720 #
722 # Network settings
723 #
724 # The name to use for the tun device
726 device = vpns
727 # Whether the generated IPs will be predictable, i.e., IP stays the
729 # same for the same user when possible.
730 predictable-ips = true
731 # The default domain to be advertised. Multiple domains (functional on
733 # openconnect clients) can be provided in a space separated list.
734 default-domain = example.com
735 #default-domain = "example.com one.example.com"
736 # The pool of addresses that leases will be given from. If the leases
738 # are given via Radius, or via the explicit-ip? per-user config option then
739 # these network values should contain a network with at least a single
740 # address that will remain under the full control of ocserv (that is
741 # to be able to assign the local part of the tun device address).
742 # Note that, you could use addresses from a subnet of your LAN network if you
743 # enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html);
744 # in that case it is recommended to set ping-leases to true.
745 ipv4-network = 192.168.1.0
746 ipv4-netmask = 255.255.255.0
747 # An alternative way of specifying the network:
749 #ipv4-network = 192.168.1.0/24
750 # The IPv6 subnet that leases will be given from.
752 #ipv6-network = fda9:4efe:7e3b:03ea::/48
753 # Specify the size of the network to provide to clients. It is
755 # generally recommended to provide clients with a /64 network in
756 # IPv6, but any subnet may be specified. To provide clients only
757 # with a single IP use the prefix 128.
758 #ipv6-subnet-prefix = 128
759 #ipv6-subnet-prefix = 64
760 # Whether to tunnel all DNS queries via the VPN. This is the default
762 # when a default route is set.
763 #tunnel-all-dns = true
764 # The advertised DNS server. Use multiple lines for
766 # multiple servers.
767 # dns = fc00::4be0
768 dns = 192.168.1.2
769 # The NBNS server (if any)
771 #nbns = 192.168.1.3
772 # The domains over which the provided DNS should be used. Use
774 # multiple lines for multiple domains.
775 #split-dns = example.com
776 # Prior to leasing any IP from the pool ping it to verify that
778 # it is not in use by another (unrelated to this server) host.
779 # Only set to true, if there can be occupied addresses in the
780 # IP range for leases.
781 ping-leases = false
782 # Use this option to set a link MTU value to the incoming
784 # connections. Unset to use the default MTU of the TUN device.
785 # Note that the MTU is negotiated using the value set and the
786 # value sent by the peer.
787 #mtu = 1420
788 # Unset to enable bandwidth restrictions (in bytes/sec). The
790 # setting here is global, but can also be set per user or per group.
791 #rx-data-per-sec = 40000
792 #tx-data-per-sec = 40000
793 # The number of packets (of MTU size) that are available in
795 # the output buffer. The default is low to improve latency.
796 # Setting it higher will improve throughput.
797 #output-buffer = 10
798 # Routes to be forwarded to the client. If you need the
800 # client to forward routes to the server, you may use the
801 # config-per-user/group or even connect and disconnect scripts.
802 #
803 # To set the server as the default gateway for the client just
804 # comment out all routes from the server, or use the special keyword
805 # ´default´.
806 route = 10.10.10.0/255.255.255.0
808 route = 192.168.0.0/255.255.0.0
809 #route = fef4:db8:1000:1001::/64
810 #route = default
811 # Subsets of the routes above that will not be routed by
813 # the server.
814 no-route = 192.168.5.0/255.255.255.0
816 # Note the that following two firewalling options currently are available
818 # in Linux systems with iptables software.
819 # If set, the script /usr/bin/ocserv-fw will be called to restrict
821 # the user to its allowed routes and prevent him from accessing
822 # any other routes. In case of defaultroute, the no-routes are restricted.
823 # All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
824 # --removeall. This option can be set globally or in the per-user configuration.
825 #restrict-user-to-routes = true
826 # This option implies restrict-user-to-routes set to true. If set, the
828 # script /usr/bin/ocserv-fw will be called to restrict the user to
829 # access specific ports in the network. This option can be set globally
830 # or in the per-user configuration.
831 #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
832 # You could also use negation, i.e., block the user from accessing these ports only.
834 #restrict-user-to-ports = "!(tcp(443), tcp(80))"
835 # When set to true, all client´s iroutes are made visible to all
837 # connecting clients except for the ones offering them. This option
838 # only makes sense if config-per-user is set.
839 #expose-iroutes = true
840 # Groups that a client is allowed to select from.
842 # A client may belong in multiple groups, and in certain use-cases
843 # it is needed to switch between them. For these cases the client can
844 # select prior to authentication. Add multiple entries for multiple groups.
845 # The group may be followed by a user-friendly name in brackets.
846 #select-group = group1
847 #select-group = group2[My special group]
848 # The name of the (virtual) group that if selected it would assign the user
850 # to its default group.
851 #default-select-group = DEFAULT
852 # Instead of specifying manually all the allowed groups, you may instruct
854 # ocserv to scan all available groups and include the full list.
855 #auto-select-group = true
856 # Configuration files that will be applied per user connection or
858 # per group. Each file name on these directories must match the username
859 # or the groupname.
860 # The options allowed in the configuration files are dns, nbns,
861 # ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
862 # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
863 # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
864 # restrict-user-to-routes, cgroup, stats-report-time,
865 # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
866 # split-dns and session-timeout.
867 #
868 # Note that the ´iroute´ option allows one to add routes on the server
869 # based on a user or group. The syntax depends on the input accepted
870 # by the commands route-add-cmd and route-del-cmd (see below). The no-udp
871 # is a boolean option (e.g., no-udp = true), and will prevent a UDP session
872 # for that specific user or group. The hostname option will set a
873 # hostname to override any proposed by the user. Note also, that, any
874 # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
875 #config-per-user = /etc/ocserv/config-per-user/
877 #config-per-group = /etc/ocserv/config-per-group/
878 # When config-per-xxx is specified and there is no group or user that
880 # matches, then utilize the following configuration.
881 #default-user-config = /etc/ocserv/defaults/user.conf
882 #default-group-config = /etc/ocserv/defaults/group.conf
883 # The system command to use to setup a route. %{R} will be replaced with the
885 # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
886 #
887 # The following example is from linux systems. %{R} should be something
888 # like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
889 #route-add-cmd = "ip route add %{R} dev %{D}"
891 #route-del-cmd = "ip route delete %{R} dev %{D}"
892 # This option allows one to forward a proxy. The special keywords ´%{U}´
894 # and ´%{G}´, if present will be replaced by the username and group name.
895 #proxy-url = http://example.com/
896 #proxy-url = http://example.com/%{U}/
897 # This option allows you to specify a URL location where a client can
899 # post using MS-KKDCP, and the message will be forwarded to the provided
900 # KDC server. That is a translation URL between HTTP and Kerberos.
901 # In MIT kerberos you´ll need to add in realms:
902 # EXAMPLE.COM = {
903 # kdc = https://ocserv.example.com/KdcProxy
904 # http_anchors = FILE:/etc/ocserv-ca.pem
905 # }
906 # In some distributions the krb5-k5tls plugin of kinit is required.
907 #
908 # The following option is available in ocserv, when compiled with GSSAPI support.
909 #kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
911 #kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
912 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
913 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
914 # Client profile xml. This can be used to advertise alternative servers
916 # to the client. A minimal file can be:
917 # <?xml version="1.0" encoding="UTF-8"?>
918 # <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
919 # <ServerList>
920 # <HostEntry>
921 # <HostName>VPN Server name</HostName>
922 # <HostAddress>localhost</HostAddress>
923 # </HostEntry>
924 # </ServerList>
925 # </AnyConnectProfile>
926 #
927 # Other fields may be used by some of the CISCO clients.
928 # This file must be accessible from inside the worker´s chroot.
929 # Note that:
930 # (1) enabling this option is not recommended as it will allow the
931 # worker processes to open arbitrary files (when isolate-workers is
932 # set to true).
933 # (2) This option cannot be set per-user or per-group; only the global
934 # version is being sent to client.
935 #user-profile = profile.xml
936 #
938 # The following options are for (experimental) AnyConnect client
939 # compatibility.
940 # This option will enable the pre-draft-DTLS version of DTLS, and
942 # will not require clients to present their certificate on every TLS
943 # connection. It must be set to true to support legacy CISCO clients
944 # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
945 cisco-client-compat = true
946 # This option allows one to disable the DTLS-PSK negotiation (enabled by default).
948 # The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
949 # the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
950 # DTLS channel to negotiate its ciphers and the DTLS protocol version.
951 #dtls-psk = false
952 # This option allows one to disable the legacy DTLS negotiation (enabled by default,
954 # but that may change in the future).
955 # The legacy DTLS uses a pre-draft version of the DTLS protocol and was
956 # from AnyConnect protocol. It has several limitations, that are addressed
957 # by the dtls-psk protocol supported by openconnect 7.08+.
958 dtls-legacy = true
959 # This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default).
961 # If the server has not configured an IPv6 or IPv4 address pool, enabling this option
962 # will instruct the client to bypass the server for that IP protocol. The option is
963 # currently only understood by Anyconnect clients.
964 client-bypass-protocol = false
965 #Advanced options
967 # Option to allow sending arbitrary custom headers to the client after
969 # authentication and prior to VPN tunnel establishment. You shouldn´t
970 # need to use this option normally; if you do and you think that
971 # this may help others, please send your settings and reason to
972 # the openconnect mailing list. The special keywords ´%{U}´
973 # and ´%{G}´, if present will be replaced by the username and group name.
974 #custom-header = "X-My-Header: hi there"
975 # An example virtual host with different authentication methods serviced
979 # by this server.
980 [vhost:www.example.com]
982 auth = "certificate"
983 ca-cert = ../tests/certs/ca.pem
985 # The certificate set here must include a ´dns_name´ corresponding to
987 # the virtual host name.
988 server-cert = ../tests/certs/server-cert-secp521r1.pem
990 server-key = ../tests/certs/server-key-secp521r1.pem
991 ipv4-network = 192.168.2.0
993 ipv4-netmask = 255.255.255.0
994 cert-user-oid = 0.9.2342.19200300.100.1.1
996
1000 occtl(8), ocpasswd(8), openconnect(8)
1001
1003 Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights
1004 reserved. This program is released under the terms of the GNU General
1005 Public License, version 2.
1006
1008 Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
1009 February 2022 OCSERV(8)