1OCSERV(8)                   System Manager's Manual                  OCSERV(8)
2
3
4

NAME

6       ocserv - OpenConnect VPN server
7

SYNOPSIS

9       ocserv options -c [config]
10
11       OpenConnect  VPN  server  (ocserv)  is a VPN server compatible with the
12       OpenConnect VPN client. It follows the AnyConnect VPN protocol which is
13       used by several CISCO routers.
14

DESCRIPTION

16       This a standalone server that reads a configuration file (see below for
17       more details), and waits for client connections. Log messages  are  di‐
18       rected to the syslog daemon facility.
19
20       The server maintains two connections/channels with the client. The main
21       VPN channel is established over TCP, HTTP and TLS. This is the  control
22       channel  as  well as the backup data channel. After its establishment a
23       UDP channel using DTLS is initiated which serves as the main data chan‐
24       nel.  If  the UDP channel fails to establish or is temporarily unavail‐
25       able the backup channel over TCP/TLS is being used.
26
27       This server supports multiple authentication methods, including PAM and
28       certificate authentication. Authenticated users are assigned an unpriv‐
29       ileged worker process and obtain a networking (tun) device  and  an  IP
30       from a configurable pool of addresses.
31
32       Once  authenticated,  the server provides the client with an IP address
33       and a list of routes that it may access. In order to  allow  high-speed
34       transfers the server does not process or filter packets. It is expected
35       that the server has or will set up  any  required  routes  or  firewall
36       rules.
37
38       It  is possible to separate users into groups, which are either present
39       on their certificate, or presented on login for  the  user  to  choose.
40       That  way  a user may take advantage of the different settings that may
41       apply per group. See the comments on the configuration  file  for  more
42       information.
43
44       It  is  also possible to run hostname-based virtual servers which could
45       support different authentication methods. When multiple virtual servers
46       are  present  clients  are  distinguished by the advertised server name
47       over TLS (SNI). Clients which do not support or sent SNI, are  directed
48       to the default server.
49

OPTIONS

51       -f, --foreground:
52              Do not fork server into background.
53
54       -d, --debug=num:
55              Enable  verbose  network  debugging information. num must be be‐
56              tween zero and 9999.
57
58       -c, --config=FILE:
59              Specify the configuration file for the server.
60
61       -t, --test-config:
62              Test the provided configuration file and exit. A successful exit
63              error code indicates a valid configuration.
64
65       -p, --pid-file=FILE:
66              Specify a PID file for the server.
67
68       -h, --help:
69              Display usage information and exit.
70
71       -v, --version:
72              Output version of program and exit.
73

AUTHENTICATION

75       Users can be authenticated in multiple ways, which are explained in the
76       following paragraphs. Connected users can be managed  using  the  occtl
77       tool.
78
79   Password authentication
80       If  your  system  supports Pluggable Authentication Modules (PAM), then
81       ocserv will take advantage of it to password  authenticate  its  users.
82       Otherwise  a  plain  password file similar to the UNIX password file is
83       also supported. In that case the ´ocpasswd´ tool can be  used  for  its
84       management.  Note  that password authentication can be used in conjunc‐
85       tion with certificate authentication.
86
87   GSSAPI authentication
88       ocserv will take advantage of  the  MIT  Kerberos  project  GSSAPI  li‐
89       braries,  and  allow  authentication  using any method GSSAPI supports.
90       That is, mainly, Kerberos authentication. That is often more useful  to
91       be combined with PAM or other password authentication methods so that a
92       fallback mechanism can be used when GSSAPI fails (e.g., when  the  user
93       doesn´t  already  have a Kerberos ticket). The GSSAPI authentication is
94       implemented using SPNEGO over HTTP (RFC4559).
95
96   Public key (certificate) authentication
97       Public key authentication allows the user to be  authenticated  by  the
98       possession of the private key that corresponds to a known to the server
99       public key. That allows the usage of common smart cards  for  user  au‐
100       thentication.
101
102       In ocserv, a certificate authority (CA) is used to sign the client cer‐
103       tificates. That certificate authority can be local, used  only  by  the
104       server  to  sign  its  user´s known public keys which are then given to
105       users in a form of certificates. That authority need also provide a CRL
106       to allow the server to reject the revoked clients (see ca-cert, crl).
107
108       In  certificate  authentication  each client presents a certificate and
109       signs data provided by the server, as part of  TLS  authentication,  to
110       prove  his possession of the corresponding private key. The certificate
111       need also contain user identifying information, for example,  the  user
112       ID  of  the  client must be embedded in the certificate´s Distinguished
113       Name (DN), i.e., in the Common Name, or UID fields. For the  server  to
114       read the name, the cert-user-oid configuration option must be set.
115
116       The  following  examples demonstrate how to use certtool from GnuTLS to
117       generate such CA.
118
119   Generating the CA
120       $ certtool --generate-privkey --outfile ca-key.pem
121       $ cat << _EOF_ >ca.tmpl
122       cn = "VPN CA"
123       organization = "Big Corp"
124       serial = 1
125       expiration_days = -1
126       ca
127       signing_key
128       cert_signing_key
129       crl_signing_key
130       _EOF_
131
132       $ certtool --generate-self-signed --load-privkey ca-key.pem \
133                  --template ca.tmpl --outfile ca-cert.pem
134
135   Generating a local server certificate
136       The following example generates the server key  and  certificate  pair.
137       The  key  generated  is  an RSA one, but different types can be used by
138       specifying the ´ecdsa´ or ´dsa´ options to certtool.
139
140
141           $ certtool --generate-privkey --outfile server-key.pem
142           $ cat << _EOF_ >server.tmpl
143           cn = "VPN server"
144           dns_name = "www.example.com"
145           dns_name = "vpn1.example.com"
146           #ip_address = "1.2.3.4"
147           organization = "MyCompany"
148           expiration_days = -1
149           signing_key
150           encryption_key #only if the generated key is an RSA one
151           tls_www_server
152           _EOF_
153
154           $ certtool --generate-certificate --load-privkey server-key.pem \
155                      --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
156                      --template server.tmpl --outfile server-cert.pem
157
158
159
160       From this point the clients need ca-cert.pem to  be  able  to  securely
161       connect to the server.
162
163       Note  that  it  is  a better practice to use two separate RSA keys, one
164       with the signing_key option and another with the encryption_key.
165
166   Generating an external CA-signed server certificate
167       $ certtool --generate-privkey --outfile server-key.pem
168       $ cat << _EOF_ >server.tmpl
169       cn = "My server"
170       dns_name = "www.example.com"
171       organization = "MyCompany"
172       expiration_days = -1
173       signing_key
174       encryption_key #only if the generated key is an RSA one
175       tls_www_server
176       _EOF_
177       $ certtool --generate-request --load-privkey server-key.pem \
178                  --template server.tmpl --outfile server-cert.csr
179
180       At this point you need to provide the server-cert.csr to your  CA,  and
181       they will send you the server certificate.
182
183   Generating the client certificates
184       Note  that it is recommended to leave detailed personal information out
185       of the certificate as it is sent in clear  during  TLS  authentication.
186       The  following  process generates a certificate and converts it to PKCS
187       #12 that is protected by a PIN and most clients are able to import (the
188       3DES  cipher is used in the example because it is supported by far more
189       devices than AES).
190
191
192           $ certtool --generate-privkey --outfile user-key.pem
193           $ cat << _EOF_ >user.tmpl
194           dn = "cn=Full Name,O=Example Org,UID=username"
195           #if usernames are SAN(rfc822name) email addresses
196           #email = "username@example.com"
197           expiration_days = 365
198           signing_key
199           tls_www_client
200           _EOF_
201           $ certtool --generate-certificate --load-privkey user-key.pem \
202                      --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
203                      --template user.tmpl --outfile user-cert.pem
204
205           $ certtool --to-p12 --load-privkey user-key.pem \
206                      --pkcs-cipher 3des-pkcs12 \
207                      --load-certificate user-cert.pem \
208                      --outfile user.p12 --outder
209
210
211
212   Revoking a client certificate
213       To revoke the previous client certificate, i.e.,  preventing  the  user
214       from  accessing  the VPN resources prior to its certificate expiration,
215       use:
216
217
218           $ cat << _EOF_ >crl.tmpl
219           crl_next_update = 365
220           crl_number = 1
221           _EOF_
222           $ cat user-cert.pem >>revoked.pem
223           $ certtool --generate-crl --load-ca-privkey ca-key.pem \
224                      --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
225                      --template crl.tmpl --outfile crl.pem
226
227
228
229       After that you may want to notify ocserv of the new CRL  by  using  the
230       HUP signal, or wait for it to reload it.
231
232       When  there are no revoked certificates an empty revocation list should
233       be generated as follows.
234
235
236           $ certtool --generate-crl --load-ca-privkey ca-key.pem \
237                      --load-ca-certificate ca-cert.pem \
238                      --template crl.tmpl --outfile crl.pem
239
240
241

IMPLEMENTATION NOTES

243       Note that while this server utilizes privilege separation and  all  au‐
244       thentication occurs on the security module, this does not apply for TLS
245       client certificate authentication. That is due to TLS protocol  limita‐
246       tion.
247

NETWORKING CONSIDERATIONS

249       In  certain  setups,  where  a firewall may be blocking ICMP responses,
250       setting the MSS of TCP connections to MTU  will  eliminate  the  "black
251       hole"   connection   issues.   See   http://lartc.org/howto/lartc.cook
252       book.mtu-mss.html for instructions to enable it on a Linux system.
253

FILES

255   ocserv´s configuration file format
256       By default, if no other file is specified, ocserv looks for its config‐
257       uration  file at /etc/ocserv/ocserv.conf. An example configuration file
258       follows.
259
260
261           ### The following directives do not change with server reload.
262
263           # User authentication method. To require multiple methods to be
264           # used for the user to login, add multiple auth directives. The values
265           # in the ´auth´ directive are AND composed (if multiple all must
266           # succeed).
267           # Available options: certificate, plain, pam, radius, gssapi.
268           # Note that authentication methods utilizing passwords cannot be
269           # combined (e.g., the plain, pam or radius methods).
270
271           # certificate:
272           #  This indicates that all connecting users must present a certificate.
273           #  The username and user group will be then extracted from it (see
274           #  cert-user-oid and cert-group-oid). The certificate to be accepted
275           #  it must be signed by the CA certificate as specified in ´ca-cert´ and
276           #  it must not be listed in the CRL, as specified by the ´crl´ option.
277           #
278           # pam[gid-min=1000]:
279           #  This enabled PAM authentication of the user. The gid-min option is used
280           # by auto-select-group option, in order to select the minimum valid group ID.
281           #
282           # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
283           #  The plain option requires specifying a password file which contains
284           # entries of the following format.
285           # "username:groupname1,groupname2:encoded-password"
286           # One entry must be listed per line, and ´ocpasswd´ should be used
287           # to generate password entries. The ´otp´ suboption allows one to specify
288           # an oath password file to be used for one time passwords; the format of
289           # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
290           #
291           # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
292           #  The radius option requires specifying freeradius-client configuration
293           # file. If the groupconfig option is set, then config-per-user/group will be overridden,
294           # and all configuration will be read from radius. That also includes the
295           # Acct-Interim-Interval, and Session-Timeout values.
296           #
297           # See doc/README-radius.md for the supported radius configuration attributes.
298           #
299           # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
300           #  The gssapi option allows one to use authentication methods supported by GSSAPI,
301           # such as Kerberos tickets with ocserv. It should be best used as an alternative
302           # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
303           # tickets and without tickets to login. The default value for require-local-user-map
304           # is true. The ´tgt-freshness-time´ if set, it would require the TGT tickets presented
305           # to have been issued within the provided number of seconds. That option is used to
306           # restrict logins even if the KDC provides long time TGT tickets.
307
308           #auth = "pam"
309           #auth = "pam[gid-min=1000]"
310           #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
311           auth = "plain[passwd=./sample.passwd]"
312           #auth = "certificate"
313           #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
314
315           # Specify alternative authentication methods that are sufficient
316           # for authentication. That is, if set, any of the methods enabled
317           # will be sufficient to login, irrespective of the main ´auth´ entries.
318           # When multiple options are present, they are OR composed (any of them
319           # succeeding allows login).
320           #enable-auth = "certificate"
321           #enable-auth = "gssapi"
322           #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
323
324           # Accounting methods available:
325           # radius: can be combined with any authentication method, it provides
326           #      radius accounting to available users (see also stats-report-time).
327           #
328           # pam: can be combined with any authentication method, it provides
329           #      a validation of the connecting user´s name using PAM. It is
330           #      superfluous to use this method when authentication is already
331           #      PAM.
332           #
333           # Only one accounting method can be specified.
334           #acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
335
336           # Use listen-host to limit to specific IPs or to the IPs of a provided
337           # hostname.
338           #listen-host = [IP|HOSTNAME]
339
340           # Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
341           # hostname. if not set, listen-host will be used
342           #udp-listen-host = [IP|HOSTNAME]
343
344           # When the server has a dynamic DNS address (that may change),
345           # should set that to true to ask the client to resolve again on
346           # reconnects.
347           #listen-host-is-dyndns = true
348
349           # move the listen socket within the specified network namespace
350           # listen-netns = "foo"
351
352           # TCP and UDP port number
353           tcp-port = 443
354           udp-port = 443
355
356           # The user the worker processes will be run as. This should be a dedicated
357           # unprivileged user (e.g., ´ocserv´) and no other services should run as this
358           # user.
359           run-as-user = nobody
360           run-as-group = daemon
361
362           # socket file used for IPC with occtl. You only need to set that,
363           # if you use more than a single servers.
364           #occtl-socket-file = /var/run/occtl.socket
365
366           # socket file used for server IPC (worker-main), will be appended with .PID
367           # It must be accessible within the chroot environment (if any), so it is best
368           # specified relatively to the chroot directory.
369           socket-file = /var/run/ocserv-socket
370
371           # The default server directory. Does not require any devices present.
372           #chroot-dir = /var/lib/ocserv
373
374           # The key and the certificates of the server
375           # The key may be a file, or any URL supported by GnuTLS (e.g.,
376           # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
377           # or pkcs11:object=my-vpn-key;object-type=private)
378           #
379           # The server-cert file may contain a single certificate, or
380           # a sorted certificate chain.
381           # There may be multiple server-cert and server-key directives,
382           # but each key should correspond to the preceding certificate.
383           # The certificate files will be reloaded when changed allowing for in-place
384           # certificate renewal (they are checked and reloaded periodically;
385           # a SIGHUP signal to main server will force reload).
386
387           #server-cert = /etc/ocserv/server-cert.pem
388           #server-key = /etc/ocserv/server-key.pem
389           server-cert = ../tests/certs/server-cert.pem
390           server-key = ../tests/certs/server-key.pem
391
392           # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
393           # versions of GnuTLS for supporting DHE ciphersuites.
394           # Can be generated using:
395           # certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
396           #dh-params = /etc/ocserv/dh.pem
397
398           # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
399           # in files. The srk-pin-file is applicable to TPM keys only, and is the
400           # storage root key.
401           #pin-file = /etc/ocserv/pin.txt
402           #srk-pin-file = /etc/ocserv/srkpin.txt
403
404           # The password or PIN needed to unlock the key in server-key file.
405           # Only needed if the file is encrypted or a PKCS #11 object. This
406           # is an alternative method to pin-file.
407           #key-pin = 1234
408
409           # The SRK PIN for TPM.
410           # This is an alternative method to srk-pin-file.
411           #srk-pin = 1234
412
413           # The Certificate Authority that will be used to verify
414           # client certificates (public keys) if certificate authentication
415           # is set.
416           #ca-cert = /etc/ocserv/ca.pem
417           ca-cert = ../tests/certs/ca.pem
418
419           # The number of sub-processes to use for the security module (authentication)
420           # processes. Typically this should not be set as the number of processes
421           # is determined automatically by the initially set maximum number of clients.
422           #sec-mod-scale = 4
423
424
425
426           ### All configuration options below this line are reloaded on a SIGHUP.
427           ### The options above, will remain unchanged. Note however, that the
428           ### server-cert, server-key, dh-params and ca-cert options will be reloaded
429           ### if the provided file changes, on server reload. That allows certificate
430           ### rotation, but requires the server key to remain the same for seamless
431           ### operation. If the server key changes on reload, there may be connection
432           ### failures during the reloading time.
433
434
435           # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
436           # system calls allowed to a worker process, in order to reduce damage from a
437           # bug in the worker process. It is available on Linux systems at a performance cost.
438           # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
439           # Note however, that process isolation is restricted to the specific libc versions
440           # the isolation was tested at. If you get random failures on worker processes, try
441           # disabling that option and report the failures you, along with system and debugging
442           # information at: https://gitlab.com/openconnect/ocserv/issues
443           isolate-workers = true
444
445           # A banner to be displayed on clients after connection
446           #banner = "Welcome"
447
448           # A banner to be displayed on clients before connection
449           #pre-login-banner = "Welcome"
450
451           # Limit the number of clients. Unset or set to zero if unknown. In
452           # that case the maximum value is ~8k clients.
453           #max-clients = 1024
454           max-clients = 16
455
456           # Limit the number of identical clients (i.e., users connecting
457           # multiple times). Unset or set to zero for unlimited.
458           max-same-clients = 2
459
460           # When the server receives connections from a proxy, like haproxy
461           # which supports the proxy protocol, set this to obtain the correct
462           # client addresses. The proxy protocol would then be expected in
463           # the TCP or UNIX socket (not the UDP one). Although both v1
464           # and v2 versions of proxy protocol are supported, the v2 version
465           # is recommended as it is more efficient in parsing.
466           #listen-proxy-proto = true
467
468           # Rate limit the number of incoming connections to one every X milliseconds
469           # (X is the provided value), as the secmod backlog grows. This
470           # makes the server more resilient (and prevents connection failures) on
471           # multiple concurrent connections. Set to zero for no limit.
472           rate-limit-ms = 100
473
474           # Stats report time. The number of seconds after which each
475           # worker process will report its usage statistics (number of
476           # bytes transferred etc). This is useful when accounting like
477           # radius is in use.
478           #stats-report-time = 360
479
480           # Stats reset time. The period of time statistics kept by main/sec-mod
481           # processes will be reset. These are the statistics shown by cmd
482           # ´occtl show stats´. For daily: 86400, weekly: 604800
483           # This is unrelated to stats-report-time.
484           server-stats-reset-time = 604800
485
486           # Keepalive in seconds
487           keepalive = 32400
488
489           # Dead peer detection in seconds.
490           # Note that when the client is behind a NAT this value
491           # needs to be short enough to prevent the NAT disassociating
492           # his UDP session from the port number. Otherwise the client
493           # could have his UDP connection stalled, for several minutes.
494           dpd = 90
495
496           # Dead peer detection for mobile clients. That needs to
497           # be higher to prevent such clients being awaken too
498           # often by the DPD messages, and save battery.
499           # The mobile clients are distinguished from the header
500           # ´X-AnyConnect-Identifier-Platform´.
501           mobile-dpd = 1800
502
503           # If using DTLS, and no UDP traffic is received for this
504           # many seconds, attempt to send future traffic over the TCP
505           # connection instead, in an attempt to wake up the client
506           # in the case that there is a NAT and the UDP translation
507           # was deleted. If this is unset, do not attempt to use this
508           # recovery mechanism.
509           switch-to-tcp-timeout = 25
510
511           # MTU discovery (DPD must be enabled)
512           try-mtu-discovery = false
513
514           # To enable load-balancer connection draining, set server-drain-ms to a value
515           # higher than your load-balancer health probe interval.
516           #server-drain-ms = 15000
517
518           # If you have a certificate from a CA that provides an OCSP
519           # service you may provide a fresh OCSP status response within
520           # the TLS handshake. That will prevent the client from connecting
521           # independently on the OCSP server.
522           # You can update this response periodically using:
523           # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
524           # Make sure that you replace the following file in an atomic way.
525           #ocsp-response = /etc/ocserv/ocsp.der
526
527           # The object identifier that will be used to read the user ID in the client
528           # certificate. The object identifier should be part of the certificate´s DN
529           # Useful OIDs are:
530           #  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
531           cert-user-oid = 0.9.2342.19200300.100.1.1
532
533           # The object identifier that will be used to read the user group in the
534           # client certificate. The object identifier should be part of the certificate´s
535           # DN. If the user may belong to multiple groups, then use multiple such fields
536           # in the certificate´s DN. Useful OIDs are:
537           #  OU (organizational unit) = 2.5.4.11
538           #cert-group-oid = 2.5.4.11
539
540           # The revocation list of the certificates issued by the ´ca-cert´ above.
541           # See the manual to generate an empty CRL initially. The CRL will be reloaded
542           # periodically when ocserv detects a change in the file. To force a reload use
543           # SIGHUP.
544           #crl = /etc/ocserv/crl.pem
545
546           # Uncomment this to enable compression negotiation (LZS, LZ4).
547           #compression = true
548
549           # Set the minimum size under which a packet will not be compressed.
550           # That is to allow low-latency for VoIP packets. The default size
551           # is 256 bytes. Modify it if the clients typically use compression
552           # as well of VoIP with codecs that exceed the default value.
553           #no-compress-limit = 256
554
555           # GnuTLS priority string; note that SSL 3.0 is disabled by default
556           # as there are no openconnect (and possibly anyconnect clients) using
557           # that protocol. The string below does not enforce perfect forward
558           # secrecy, in order to be compatible with legacy clients.
559           #
560           # Note that the most performant ciphersuites are the moment are the ones
561           # involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
562           # in addition require no padding, thus taking full advantage of the MTU.
563           # For that to be taken advantage of, the openconnect client must be
564           # used, and the server must be compiled against GnuTLS 3.2.7 or later.
565           # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
566           # difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
567           # in your system.
568
569           tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
570
571           # More combinations in priority strings are available, check
572           # http://gnutls.org/manual/html_node/Priority-Strings.html
573           # E.g., the string below enforces perfect forward secrecy (PFS)
574           # on the main channel.
575           #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
576
577           # That option requires the established DTLS channel to use the same
578           # cipher as the primary TLS channel.Note also, that this option implies
579           # that the dtls-legacy option is false; this option cannot be enforced
580           # in the legacy/compat protocol.
581           #match-tls-dtls-ciphers = true
582
583           # The time (in seconds) that a client is allowed to stay connected prior
584           # to authentication
585           auth-timeout = 240
586
587           # The time (in seconds) that a client is allowed to stay idle (no traffic)
588           # before being disconnected. Unset to disable.
589           #idle-timeout = 1200
590
591           # The time (in seconds) that a client is allowed to stay connected
592           # Unset to disable. When set a client will be disconnected after being
593           # continuously connected for this amount of time, and its cookies will
594           # be invalidated (i.e., re-authentication will be required).
595           #session-timeout = 86400
596
597           # The time (in seconds) that a mobile client is allowed to stay idle (no
598           # traffic) before being disconnected. Unset to disable.
599           #mobile-idle-timeout = 2400
600
601           # The time (in seconds) that a client is not allowed to reconnect after
602           # a failed authentication attempt.
603           min-reauth-time = 300
604
605           # Banning clients in ocserv works with a point system. IP addresses
606           # that get a score over that configured number are banned for
607           # min-reauth-time seconds. By default a wrong password attempt is 10 points,
608           # a KKDCP POST is 1 point, and a connection is 1 point. Note that
609           # due to different processes being involved the count of points
610           # will not be real-time precise. Local subnet IPs are exempt to allow
611           # services that check for process health.
612           #
613           # Set to zero to disable.
614           max-ban-score = 80
615
616           # The time (in seconds) that all score kept for a client is reset.
617           ban-reset-time = 1200
618
619           # In case you´d like to change the default points.
620           #ban-points-wrong-password = 10
621           #ban-points-connection = 1
622           #ban-points-kkdcp = 1
623
624           # Cookie timeout (in seconds)
625           # Once a client is authenticated he´s provided a cookie with
626           # which he can reconnect. That cookie will be invalidated if not
627           # used within this timeout value. This cookie remains valid, during
628           # the user´s connected time, and after user disconnection it
629           # remains active for this amount of time. That setting should allow a
630           # reasonable amount of time for roaming between different networks.
631           cookie-timeout = 300
632
633           # If this is enabled (not recommended) the cookies will stay
634           # valid even after a user manually disconnects, and until they
635           # expire. This may improve roaming with some broken clients.
636           #persistent-cookies = true
637
638           # Whether roaming is allowed, i.e., if true a cookie is
639           # restricted to a single IP address and cannot be reused
640           # from a different IP.
641           deny-roaming = false
642
643           # ReKey time (in seconds)
644           # ocserv will ask the client to refresh keys periodically once
645           # this amount of seconds is elapsed. Set to zero to disable (note
646           # that, some clients fail if rekey is disabled).
647           rekey-time = 172800
648
649           # ReKey method
650           # Valid options: ssl, new-tunnel
651           #  ssl: Will perform an efficient rehandshake on the channel allowing
652           #       a seamless connection during rekey.
653           #  new-tunnel: Will instruct the client to discard and re-establish the channel.
654           #       Use this option only if the connecting clients have issues with the ssl
655           #       option.
656           rekey-method = ssl
657
658           # Script to call when a client connects and obtains an IP.
659           # The following parameters are passed on the environment.
660           # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
661           # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
662           # (the local interface IP the client connected), IP_LOCAL
663           # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
664           # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
665           # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
666           # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
667           # In addition the following variables OCSERV_ROUTES (the applied routes for this
668           # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
669           # will contain a space separated list of routes or DNS servers. A version
670           # of these variables with the 4 or 6 suffix will contain only the IPv4 or
671           # IPv6 values. The connect script must return zero as exit code, or the
672           # client connection will be refused.
673
674           # The disconnect script will receive the additional values: STATS_BYTES_IN,
675           # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
676           # output from the tun device, and the duration of the session in seconds.
677
678           #connect-script = /usr/bin/myscript
679           #disconnect-script = /usr/bin/myscript
680
681           # This script is to be called when the client´s advertised hostname becomes
682           # available. It will contain REASON with "host-update" value and the
683           # variable REMOTE_HOSTNAME in addition to the connect variables.
684
685           #host-update-script = /usr/bin/myhostnamescript
686
687           # UTMP
688           # Register the connected clients to utmp. This will allow viewing
689           # the connected clients using the command ´who´.
690           #use-utmp = true
691
692           # Whether to enable support for the occtl tool (i.e., either through D-BUS,
693           # or via a unix socket).
694           use-occtl = true
695
696           # PID file. It can be overridden in the command line.
697           pid-file = /var/run/ocserv.pid
698
699           # Log Level. Ocserv sends the logging messages to standard error
700           # as well as the system log. The log level can be overridden in the
701           # command line with the -d option. All messages at the configured
702           # level and lower will be displayed.
703           # Supported levels (default 0):
704           #   0 default (Same as basic)
705           #   1 basic
706           #   2 info
707           #   3 debug
708           #   4 http
709           #   8 sensitive
710           #   9 TLS
711           log-level = 3
712
713           # Set the protocol-defined priority (SO_PRIORITY) for packets to
714           # be sent. That is a number from 0 to 6 with 0 being the lowest
715           # priority. Alternatively this can be used to set the IP Type-
716           # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
717           # This can be set per user/group or globally.
718           #net-priority = 3
719
720           # Set the VPN worker process into a specific cgroup. This is Linux
721           # specific and can be set per user/group or globally.
722           #cgroup = "cpuset,cpu:test"
723
724           #
725           # Network settings
726           #
727
728           # The name to use for the tun device
729           device = vpns
730
731           # Whether the generated IPs will be predictable, i.e., IP stays the
732           # same for the same user when possible.
733           predictable-ips = true
734
735           # The default domain to be advertised. Multiple domains (functional on
736           # openconnect clients) can be provided in a space separated list.
737           default-domain = example.com
738           #default-domain = "example.com one.example.com"
739
740           # The pool of addresses that leases will be given from. If the leases
741           # are given via Radius, or via the explicit-ip? per-user config option then
742           # these network values should contain a network with at least a single
743           # address that will remain under the full control of ocserv (that is
744           # to be able to assign the local part of the tun device address).
745           # Note that, you could use addresses from a subnet of your LAN network if you
746           # enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html);
747           # in that case it is recommended to set ping-leases to true.
748           ipv4-network = 192.168.1.0
749           ipv4-netmask = 255.255.255.0
750
751           # An alternative way of specifying the network:
752           #ipv4-network = 192.168.1.0/24
753
754           # The IPv6 subnet that leases will be given from.
755           #ipv6-network = fda9:4efe:7e3b:03ea::/48
756
757           # Specify the size of the network to provide to clients. It is
758           # generally recommended to provide clients with a /64 network in
759           # IPv6, but any subnet may be specified. To provide clients only
760           # with a single IP use the prefix 128.
761           #ipv6-subnet-prefix = 128
762           #ipv6-subnet-prefix = 64
763
764           # Whether to tunnel all DNS queries via the VPN. This is the default
765           # when a default route is set.
766           #tunnel-all-dns = true
767
768           # The advertised DNS server. Use multiple lines for
769           # multiple servers.
770           # dns = fc00::4be0
771           dns = 192.168.1.2
772
773           # The NBNS server (if any)
774           #nbns = 192.168.1.3
775
776           # The domains over which the provided DNS should be used. Use
777           # multiple lines for multiple domains.
778           #split-dns = example.com
779
780           # Prior to leasing any IP from the pool ping it to verify that
781           # it is not in use by another (unrelated to this server) host.
782           # Only set to true, if there can be occupied addresses in the
783           # IP range for leases.
784           ping-leases = false
785
786           # Use this option to set a link MTU value to the incoming
787           # connections. Unset to use the default MTU of the TUN device.
788           # Note that the MTU is negotiated using the value set and the
789           # value sent by the peer.
790           #mtu = 1420
791
792           # Unset to enable bandwidth restrictions (in bytes/sec). The
793           # setting here is global, but can also be set per user or per group.
794           #rx-data-per-sec = 40000
795           #tx-data-per-sec = 40000
796
797           # The number of packets (of MTU size) that are available in
798           # the output buffer. The default is low to improve latency.
799           # Setting it higher will improve throughput.
800           #output-buffer = 10
801
802           # Routes to be forwarded to the client. If you need the
803           # client to forward routes to the server, you may use the
804           # config-per-user/group or even connect and disconnect scripts.
805           #
806           # To set the server as the default gateway for the client just
807           # comment out all routes from the server, or use the special keyword
808           # ´default´.
809
810           route = 10.10.10.0/255.255.255.0
811           route = 192.168.0.0/255.255.0.0
812           #route = fef4:db8:1000:1001::/64
813           #route = default
814
815           # Subsets of the routes above that will not be routed by
816           # the server.
817
818           no-route = 192.168.5.0/255.255.255.0
819
820           # Note the that following two firewalling options currently are available
821           # in Linux systems with iptables software.
822
823           # If set, the script /usr/bin/ocserv-fw will be called to restrict
824           # the user to its allowed routes and prevent him from accessing
825           # any other routes. In case of defaultroute, the no-routes are restricted.
826           # All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
827           # --removeall. This option can be set globally or in the per-user configuration.
828           #restrict-user-to-routes = true
829
830           # This option implies restrict-user-to-routes set to true. If set, the
831           # script /usr/bin/ocserv-fw will be called to restrict the user to
832           # access specific ports in the network. This option can be set globally
833           # or in the per-user configuration.
834           #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
835
836           # You could also use negation, i.e., block the user from accessing these ports only.
837           #restrict-user-to-ports = "!(tcp(443), tcp(80))"
838
839           # When set to true, all client´s iroutes are made visible to all
840           # connecting clients except for the ones offering them. This option
841           # only makes sense if config-per-user is set.
842           #expose-iroutes = true
843
844           # Groups that a client is allowed to select from.
845           # A client may belong in multiple groups, and in certain use-cases
846           # it is needed to switch between them. For these cases the client can
847           # select prior to authentication. Add multiple entries for multiple groups.
848           # The group may be followed by a user-friendly name in brackets.
849           #select-group = group1
850           #select-group = group2[My special group]
851
852           # The name of the (virtual) group that if selected it would assign the user
853           # to its default group.
854           #default-select-group = DEFAULT
855
856           # Instead of specifying manually all the allowed groups, you may instruct
857           # ocserv to scan all available groups and include the full list.
858           #auto-select-group = true
859
860           # Configuration files that will be applied per user connection or
861           # per group. Each file name on these directories must match the username
862           # or the groupname.
863           # The options allowed in the configuration files are dns, nbns,
864           #  ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
865           #  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
866           #  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
867           #  restrict-user-to-routes, cgroup, stats-report-time,
868           #  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
869           #  split-dns and session-timeout.
870           #
871           # Note that the ´iroute´ option allows one to add routes on the server
872           # based on a user or group. The syntax depends on the input accepted
873           # by the commands route-add-cmd and route-del-cmd (see below). The no-udp
874           # is a boolean option (e.g., no-udp = true), and will prevent a UDP session
875           # for that specific user or group. The hostname option will set a
876           # hostname to override any proposed by the user. Note also, that, any
877           # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
878
879           #config-per-user = /etc/ocserv/config-per-user/
880           #config-per-group = /etc/ocserv/config-per-group/
881
882           # When config-per-xxx is specified and there is no group or user that
883           # matches, then utilize the following configuration.
884           #default-user-config = /etc/ocserv/defaults/user.conf
885           #default-group-config = /etc/ocserv/defaults/group.conf
886
887           # The system command to use to setup a route. %{R} will be replaced with the
888           # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
889           #
890           # The following example is from linux systems. %{R} should be something
891           # like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
892
893           #route-add-cmd = "ip route add %{R} dev %{D}"
894           #route-del-cmd = "ip route delete %{R} dev %{D}"
895
896           # This option allows one to forward a proxy. The special keywords ´%{U}´
897           # and ´%{G}´, if present will be replaced by the username and group name.
898           #proxy-url = http://example.com/
899           #proxy-url = http://example.com/%{U}/
900
901           # This option allows you to specify a URL location where a client can
902           # post using MS-KKDCP, and the message will be forwarded to the provided
903           # KDC server. That is a translation URL between HTTP and Kerberos.
904           # In MIT kerberos you´ll need to add in realms:
905           #   EXAMPLE.COM = {
906           #     kdc = https://ocserv.example.com/KdcProxy
907           #     http_anchors = FILE:/etc/ocserv-ca.pem
908           #   }
909           # In some distributions the krb5-k5tls plugin of kinit is required.
910           #
911           # The following option is available in ocserv, when compiled with GSSAPI support.
912
913           #kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
914           #kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
915           #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
916           #kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
917
918           # Client profile xml. This can be used to advertise alternative servers
919           # to the client. A minimal file can be:
920           # <?xml version="1.0" encoding="UTF-8"?>
921           # <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
922           #    <ServerList>
923           #         <HostEntry>
924           #                <HostName>VPN Server name</HostName>
925           #                <HostAddress>localhost</HostAddress>
926           #         </HostEntry>
927           #    </ServerList>
928           # </AnyConnectProfile>
929           #
930           # Other fields may be used by some of the CISCO clients.
931           # This file must be accessible from inside the worker´s chroot.
932           # Note that:
933           #  (1) enabling this option is not recommended as it will allow the
934           #      worker processes to open arbitrary files (when isolate-workers is
935           #      set to true).
936           #  (2) This option cannot be set per-user or per-group; only the global
937           #      version is being sent to client.
938           #user-profile = profile.xml
939
940           #
941           # The following options are for (experimental) AnyConnect client
942           # compatibility.
943
944           # This option will enable the pre-draft-DTLS version of DTLS, and
945           # will not require clients to present their certificate on every TLS
946           # connection. It must be set to true to support legacy CISCO clients
947           # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
948           cisco-client-compat = true
949
950           # This option allows one to disable the DTLS-PSK negotiation (enabled by default).
951           # The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
952           # the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
953           # DTLS channel to negotiate its ciphers and the DTLS protocol version.
954           #dtls-psk = false
955
956           # This option allows one to disable the legacy DTLS negotiation (enabled by default,
957           # but that may change in the future).
958           # The legacy DTLS uses a pre-draft version of the DTLS protocol and was
959           # from AnyConnect protocol. It has several limitations, that are addressed
960           # by the dtls-psk protocol supported by openconnect 7.08+.
961           dtls-legacy = true
962
963           # This option will enable the settings needed for Cisco SVC IPPhone clients
964           # to connect. It implies dtls-legacy = true and tls-priorities is changed to
965           # only the ciphers the device supports.
966           cisco-svc-client-compat = false
967
968           # This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default).
969           # If the server has not configured an IPv6 or IPv4 address pool, enabling this option
970           # will instruct the client to bypass the server for that IP protocol. The option is
971           # currently only understood by Anyconnect clients.
972           client-bypass-protocol = false
973
974           # The following options are related to server camouflage (hidden service)
975
976           # This option allows you to enable the camouflage feature of ocserv that makes it look
977           # like a web server to unauthorized parties.
978           # With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific
979           # "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey",
980           # otherwise the server will return HTTP error for all requests.
981           camouflage = false
982
983           # The URL prefix that should be set on the client (after ´?´ sign) to pass through the camouflage check,
984           # e.g. in case of ´mysecretkey´, the server URL on the client should be like "https://example.com/?mysecretkey".
985           camouflage_secret = "mysecretkey"
986
987           # Defines the realm (browser prompt) for HTTP authentication.
988           # If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
989           # Better change it from the default value to avoid fingerprinting.
990           camouflage_realm = "Restricted Content"
991
992           #Advanced options
993
994           # Option to allow sending arbitrary custom headers to the client after
995           # authentication and prior to VPN tunnel establishment. You shouldn´t
996           # need to use this option normally; if you do and you think that
997           # this may help others, please send your settings and reason to
998           # the openconnect mailing list. The special keywords ´%{U}´
999           # and ´%{G}´, if present will be replaced by the username and group name.
1000           #custom-header = "X-My-Header: hi there"
1001
1002
1003
1004           # An example virtual host with different authentication methods serviced
1005           # by this server.
1006
1007           [vhost:www.example.com]
1008           auth = "certificate"
1009
1010           ca-cert = ../tests/certs/ca.pem
1011
1012           # The certificate set here must include a ´dns_name´ corresponding to
1013           # the virtual host name.
1014
1015           server-cert = ../tests/certs/server-cert-secp521r1.pem
1016           server-key = ../tests/certs/server-key-secp521r1.pem
1017
1018           ipv4-network = 192.168.2.0
1019           ipv4-netmask = 255.255.255.0
1020
1021           cert-user-oid = 0.9.2342.19200300.100.1.1
1022
1023           # HTTP headers
1024           included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
1025           included-http-headers = X-Frame-Options: deny
1026           included-http-headers = X-Content-Type-Options: nosniff
1027           included-http-headers = Content-Security-Policy: default-src ´none´
1028           included-http-headers = X-Permitted-Cross-Domain-Policies: none
1029           included-http-headers = Referrer-Policy: no-referrer
1030           included-http-headers = Clear-Site-Data: "cache","cookies","storage"
1031           included-http-headers = Cross-Origin-Embedder-Policy: require-corp
1032           included-http-headers = Cross-Origin-Opener-Policy: same-origin
1033           included-http-headers = Cross-Origin-Resource-Policy: same-origin
1034           included-http-headers = X-XSS-Protection: 0
1035           included-http-headers = Pragma: no-cache
1036           included-http-headers = Cache-control: no-store, no-cache
1037
1038
1039

SEE ALSO

1041       occtl(8), ocpasswd(8), openconnect(8)
1042
1044       Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all  rights
1045       reserved.  This  program is released under the terms of the GNU General
1046       Public License, version 2.
1047

AUTHORS

1049       Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
1050
1051
1052
1053                                September 2023                       OCSERV(8)
Impressum