Provided by: ocserv_1.1.3-1_amd64 
NAME
ocserv - OpenConnect VPN server
SYNOPSIS
ocserv options -c [config]
Openconnect VPN server (ocserv) is a VPN server compatible with the openconnect VPN
client. It follows the AnyConnect VPN protocol which is used by several CISCO routers.
DESCRIPTION
This a standalone server that reads a configuration file (see below for more details), and
waits for client connections. Log messages are redirected to daemon facility.
The server maintains two connections/channels with the client. The main VPN channel is
established over TCP, HTTP and TLS. This is the control channel as well as the backup data
channel. After its establishment a UDP channel using DTLS is initiated which serves as the
main data channel. If the UDP channel fails to establish or is temporarily unavailable the
backup channel over TCP/TLS is being used.
This server supports multiple authentication methods, including PAM and certificate
authentication. Authenticated users are assigned an unprivileged worker process and obtain
a networking (tun) device and an IP from a configurable pool of addresses.
Once authenticated, the server provides the client with an IP address and a list of routes
that it may access. In order to allow high-speed transfers the server does not process or
filter packets. It is expected that the server has or will set up any required routes or
firewall rules.
It is possible to separate users into groups, which are either present on their
certificate, or presented on login for the user to choose. That way a user may take
advantage of the different settings that may apply per group. See the comments on the
configuration file for more information.
It is also possible to run hostname-based virtual servers which could support different
authentication methods. When multiple virtual servers are present clients are
distinguished by the advertised server name over TLS (SNI). Clients which do not support
or sent SNI, are directed to the default server.
OPTIONS
-f, --foreground:
Do not fork server into background.
-d, --debug=num:
Enable verbose network debugging information. num must be between zero and 9999.
-c, --config=FILE:
Specify the configuration file for the server.
-t, --test-config:
Test the provided configuration file and exit. A successful exit error code
indicates a valid configuration.
-p, --pid-file=FILE:
Specify a PID file for the server.
-h, --help:
Display usage information and exit.
-v, --version:
Output version of program and exit.
AUTHENTICATION
Users can be authenticated in multiple ways, which are explained in the following
paragraphs. Connected users can be managed using the occtl tool.
Password authentication
If your system supports Pluggable Authentication Modules (PAM), then ocserv will take
advantage of it to password authenticate its users. Otherwise a plain password file
similar to the UNIX password file is also supported. In that case the 'ocpasswd' tool can
be used for its management. Note that password authentication can be used in conjunction
with certificate authentication.
GSSAPI authentication
ocserv will take advantage of the MIT Kerberos project GSSAPI libraries, and allow
authentication using any method GSSAPI supports. That is, mainly, Kerberos authentication.
That is often more useful to be combined with PAM or other password authentication methods
so that a fallback mechanism can be used when GSSAPI fails (e.g., when the user doesn't
already have a Kerberos ticket). The GSSAPI authentication is implemented using SPNEGO
over HTTP (RFC4559).
Public key (certificate) authentication
Public key authentication allows the user to be authenticated by the possession of the
private key that corresponds to a known to the server public key. That allows the usage of
common smart cards for user authentication.
In ocserv, a certificate authority (CA) is used to sign the client certificates. That
certificate authority can be local, used only by the server to sign its user's known
public keys which are then given to users in a form of certificates. That authority need
also provide a CRL to allow the server to reject the revoked clients (see ca-cert, crl).
In certificate authentication each client presents a certificate and signs data provided
by the server, as part of TLS authentication, to prove his possession of the corresponding
private key. The certificate need also contain user identifying information, for example,
the user ID of the client must be embedded in the certificate's Distinguished Name (DN),
i.e., in the Common Name, or UID fields. For the server to read the name, the
cert-user-oid configuration option must be set.
The following examples demonstrate how to use certtool from GnuTLS to generate such CA.
Generating the CA
``` $ certtool --generate-privkey --outfile ca-key.pem $ cat < _EOF_ca.tmpl cn = "VPN CA"
organization = "Big Corp" serial = 1 expiration_days = -1 ca signing_key cert_signing_key
crl_signing_key EOF
$ certtool --generate-self-signed --load-privkey ca-key.pem \ --template ca.tmpl --outfile
ca-cert.pem ```
Generating a local server certificate
The following example generates the server key and certificate pair. The key generated is
an RSA one, but different types can be used by specifying the 'ecdsa' or 'dsa' options to
certtool.
``` $ certtool --generate-privkey --outfile server-key.pem $ cat < _EOF_server.tmpl cn =
"VPN server" dns_name = "www.example.com" dns_name = "vpn1.example.com" #ip_address =
"1.2.3.4" organization = "MyCompany" expiration_days = -1 signing_key encryption_key #only
if the generated key is an RSA one tls_www_server EOF
$ certtool --generate-certificate --load-privkey server-key.pem \ --load-ca-certificate
ca-cert.pem --load-ca-privkey ca-key.pem \ --template server.tmpl --outfile
server-cert.pem ```
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is a better practice to use two separate RSA keys, one with the signing_key
option and another with the encryption_key.
Generating an external CA-signed server certificate
$ certtool --generate-privkey --outfile server-key.pem $ cat << _EOF_ >server.tmpl cn =
"My server" dns_name = "www.example.com" organization = "MyCompany" expiration_days = -1
signing_key encryption_key #only if the generated key is an RSA one tls_www_server _EOF_ $
certtool --generate-request --load-privkey server-key.pem \ --template server.tmpl
--outfile server-cert.csr
At this point you need to provide the server-cert.csr to your CA, and they will send you
the server certificate.
Generating the client certificates
Note that it is recommended to leave detailed personal information out of the certificate
as it is sent in clear during TLS authentication. The following process generates a
certificate and converts it to PKCS #12 that is protected by a PIN and most clients are
able to import (the 3DES cipher is used in the example because it is supported by far more
devices than AES).
``` $ certtool --generate-privkey --outfile user-key.pem $ cat < _EOF_user.tmpl cn =
"user" unit = "admins" expiration_days = 365 signing_key tls_www_client EOF $ certtool
--generate-certificate --load-privkey user-key.pem \ --load-ca-certificate ca-cert.pem
--load-ca-privkey ca-key.pem \ --template user.tmpl --outfile user-cert.pem
$ certtool --to-p12 --load-privkey user-key.pem \ --pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem \ --outfile user.p12 --outder ```
Revoking a client certificate
To revoke the previous client certificate, i.e., preventing the user from accessing the
VPN resources prior to its certificate expiration, use:
$ cat << _EOF_ >crl.tmpl crl_next_update = 365 crl_number = 1 _EOF_ $ cat user-cert.pem
>>revoked.pem $ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem --load-certificate revoked.pem \ --template crl.tmpl
--outfile crl.pem
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait
for it to reload it.
When there are no revoked certificates an empty revocation list should be generated as
follows.
$ certtool --generate-crl --load-ca-privkey ca-key.pem \ --load-ca-certificate ca-cert.pem
\ --template crl.tmpl --outfile crl.pem
IMPLEMENTATION NOTES
Note that while this server utilizes privilege separation and all authentication occurs on
the security module, this does not apply for TLS client certificate authentication. That
is due to TLS protocol limitation.
NETWORKING CONSIDERATIONS
In certain setups, where a firewall may be blocking ICMP responses, setting the MSS of TCP
connections to MTU will eliminate the "black hole" connection issues. See
http://lartc.org/howto/lartc.cookbook.mtu-mss.html for instructions to enable it on a
Linux system.
FILES
ocserv's configuration file format
By default, if no other file is specified, ocserv looks for its configuration file at
/etc/ocserv/ocserv.conf. An example configuration file follows.
``` ### The following directives do not change with server reload.# used for the user to
login, add multiple auth directives. The values # in the 'auth' directive are AND composed
(if multiple all must # succeed). # Available options: certificate, plain, pam, radius,
gssapi. # Note that authentication methods utilizing passwords cannot be # combined (e.g.,
the plain, pam or radius methods).# This indicates that all connecting users must present
a certificate. # The username and user group will be then extracted from it (see #
cert-user-oid and cert-group-oid). The certificate to be accepted # it must be signed by
the CA certificate as specified in 'ca-cert' and # it must not be listed in the CRL, as
specified by the 'crl' option. # # pam[gid-min=1000]: # This enabled PAM authentication of
the user. The gid-min option is used # by auto-select-group option, in order to select the
minimum valid group ID. # # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] #
The plain option requires specifying a password file which contains # entries of the
following format. # "username:groupname1,groupname2:encoded-password" # One entry must be
listed per line, and 'ocpasswd' should be used # to generate password entries. The 'otp'
suboption allows one to specify # an oath password file to be used for one time passwords;
the format of # the file is described in
https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # #
radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: #
The radius option requires specifying freeradius-client configuration # file. If the
groupconfig option is set, then config-per-user/group will be overridden, # and all
configuration will be read from radius. That also includes the # Acct-Interim-Interval,
and Session-Timeout values. # # See doc/README-radius.md for the supported radius
configuration atributes. # #
gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The
gssapi option allows one to use authentication methods supported by GSSAPI, # such as
Kerberos tickets with ocserv. It should be best used as an alternative # to PAM (i.e.,
have pam in auth and gssapi in enable-auth), to allow users with # tickets and without
tickets to login. The default value for require-local-user-map # is true. The
'tgt-freshness-time' if set, it would require the TGT tickets presented # to have been
issued within the provided number of seconds. That option is used to # restrict logins
even if the KDC provides long time TGT tickets.#auth = "pam[gid-min=1000]" #auth =
"plain[passwd=./sample.passwd,otp=./sample.otp]" auth = "plain[passwd=./sample.passwd]"
#auth = "certificate" #auth =
"radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"# for authentication.
That is, if set, any of the methods enabled # will be sufficient to login, irrespective of
the main 'auth' entries. # When multiple options are present, they are OR composed (any of
them # succeeding allows login). #enable-auth = "certificate" #enable-auth = "gssapi"
#enable-auth =
"gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"# radius:
can be combined with any authentication method, it provides # radius accounting to
available users (see also stats-report-time). # # pam: can be combined with any
authentication method, it provides # a validation of the connecting user's name using PAM.
It is # superfluous to use this method when authentication is already # PAM. # # Only one
accounting method can be specified. #acct =
"radius[config=/etc/radiusclient/radiusclient.conf]"# hostname. #listen-host =
[IP|HOSTNAME]# hostname. if not set, listen-host will be used #udp-listen-host =
[IP|HOSTNAME]# should set that to true to ask the client to resolve again on # reconnects.
#listen-host-is-dyndns = true# listen-netns = "foo"tcp-port = 443 udp-port = 443#
unprivileged user (e.g., 'ocserv') and no other services should run as this # user.
run-as-user = nobody run-as-group = daemon# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket# It must be accessible within the chroot
environment (if any), so it is best # specified relatively to the chroot directory.
socket-file = /var/run/ocserv-socket#chroot-dir = /var/lib/ocserv# The key may be a file,
or any URL supported by GnuTLS (e.g., #
tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user # or
pkcs11:object=my-vpn-key;object-type=private) # # The server-cert file may contain a
single certificate, or # a sorted certificate chain. # There may be multiple server-cert
and server-key directives, # but each key should correspond to the preceding certificate.
# The certificate files will be reloaded when changed allowing for in-place # certificate
renewal (they are checked and reloaded periodically; # a SIGHUP signal to main server will
force reload).#server-key = /etc/ocserv/server-key.pem server-cert =
../tests/certs/server-cert.pem server-key = ../tests/certs/server-key.pem# versions of
GnuTLS for supporting DHE ciphersuites. # Can be generated using: # certtool
--generate-dh-params --outfile /etc/ocserv/dh.pem #dh-params = /etc/ocserv/dh.pem# in
files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key.
#pin-file = /etc/ocserv/pin.txt #srk-pin-file = /etc/ocserv/srkpin.txt# Only needed if the
file is encrypted or a PKCS #11 object. This # is an alternative method to pin-file.
#key-pin = 1234# This is an alternative method to srk-pin-file. #srk-pin = 1234# client
certificates (public keys) if certificate authentication # is set. #ca-cert =
/etc/ocserv/ca.pem ca-cert = ../tests/certs/ca.pem
All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the ### server-cert,
server-key, dh-params and ca-cert options will be reloaded ### if the provided file
changes, on server reload. That allows certificate ### rotation, but requires the server
key to remain the same for seamless ### operation. If the server key changes on reload,
there may be connection ### failures during the reloading time.# system calls allowed to a
worker process, in order to reduce damage from a # bug in the worker process. It is
available on Linux systems at a performance cost. # The performance cost is roughly 2%
overhead at transfer time (tested on a Linux 3.17.8). # Note however, that process
isolation is restricted to the specific libc versions # the isolation was tested at. If
you get random failures on worker processes, try # disabling that option and report the
failures you, along with system and debugging # information at:
https://gitlab.com/ocserv/ocserv/issues isolate-workers = true#banner =
"Welcome"#pre-login-banner = "Welcome"# that case the maximum value is ~8k clients.
#max-clients = 1024 max-clients = 16# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2# which supports the proxy protocol, set this to obtain the correct #
client addresses. The proxy protocol would then be expected in # the TCP or UNIX socket
(not the UDP one). Although both v1 # and v2 versions of proxy protocol are supported, the
v2 version # is recommended as it is more efficient in parsing. #listen-proxy-proto =
true# (X is the provided value), as the secmod backlog grows. This # makes the server more
resilient (and prevents connection failures) on # multiple concurrent connections. Set to
zero for no limit. rate-limit-ms = 100# worker process will report its usage statistics
(number of # bytes transferred etc). This is useful when accounting like # radius is in
use. #stats-report-time = 360# processes will be reset. These are the statistics shown by
cmd # 'occtl show stats'. For daily: 86400, weekly: 604800 # This is unrelated to
stats-report-time. server-stats-reset-time = 604800keepalive = 32400# Note that when the
client is behind a NAT this value # needs to be short enough to prevent the NAT
disassociating # his UDP session from the port number. Otherwise the client # could have
his UDP connection stalled, for several minutes. dpd = 90# be higher to prevent such
clients being awaken too # often by the DPD messages, and save battery. # The mobile
clients are distinguished from the header # 'X-AnyConnect-Identifier-Platform'. mobile-dpd
= 1800# many seconds, attempt to send future traffic over the TCP # connection instead, in
an attempt to wake up the client # in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this # recovery mechanism.
switch-to-tcp-timeout = 25try-mtu-discovery = false# higher than your load-balancer health
probe interval. #server-drain-ms = 15000# service you may provide a fresh OCSP status
response within # the TLS handshake. That will prevent the client from connecting #
independently on the OCSP server. # You can update this response periodically using: #
ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure
that you replace the following file in an atomic way. #ocsp-response =
/etc/ocserv/ocsp.der# certificate. The object identifier should be part of the
certificate's DN # Useful OIDs are: # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1,
SAN(rfc822name) cert-user-oid = 0.9.2342.19200300.100.1.1# client certificate. The object
identifier should be part of the certificate's # DN. If the user may belong to multiple
groups, then use multiple such fields # in the certificate's DN. Useful OIDs are: # OU
(organizational unit) = 2.5.4.11 #cert-group-oid = 2.5.4.11# See the manual to generate an
empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change
in the file. To force a reload use # SIGHUP. #crl = /etc/ocserv/crl.pem#compression =
true# That is to allow low-latency for VoIP packets. The default size # is 256 bytes.
Modify it if the clients typically use compression # as well of VoIP with codecs that
exceed the default value. #no-compress-limit = 256# as there are no openconnect (and
possibly anyconnect clients) using # that protocol. The string below does not enforce
perfect forward # secrecy, in order to be compatible with legacy clients. # # Note that
the most performant ciphersuites are the moment are the ones # involving AES-GCM. These
are very fast in x86 and x86-64 hardware, and # in addition require no padding, thus
taking full advantage of the MTU. # For that to be taken advantage of, the openconnect
client must be # used, and the server must be compiled against GnuTLS 3.2.7 or later. #
Use "gnutls-cli --benchmark-tls-ciphers", to see the performance # difference with
AES_128_CBC_SHA1 (the default for anyconnect clients) # in your system.
tls-priorities =
"NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"#
http://gnutls.org/manual/html_node/Priority-Strings.html # E.g., the string below enforces
perfect forward secrecy (PFS) # on the main channel. #tls-priorities =
"NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"# cipher as the primary
TLS channel. This cannot be combined with # listen-clear-file since the ciphersuite
information is not available # in that configuration. Note also, that this option implies
that # dtls-legacy option is false; this option cannot be enforced # in the legacy/compat
protocol. #match-tls-dtls-ciphers = true# to authentication auth-timeout = 240# before
being disconnected. Unset to disable. #idle-timeout = 1200# Unset to disable. When set a
client will be disconnected after being # continuously connected for this amount of time,
and its cookies will # be invalidated (i.e., re-authentication will be required).
#session-timeout = 86400# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400# a failed authentication attempt. min-reauth-time = 300# that
get a score over that configured number are banned for # min-reauth-time seconds. By
default a wrong password attempt is 10 points, # a KKDCP POST is 1 point, and a connection
is 1 point. Note that # due to difference processes being involved the count of points #
will not be real-time precise. # # Score banning cannot be reliably used when receiving
proxied connections # locally from an HTTP server (i.e., when listen-clear-file is used).
# # Set to zero to disable. max-ban-score = 80ban-reset-time =
1200#ban-points-wrong-password = 10 #ban-points-connection = 1 #ban-points-kkdcp = 1# Once
a client is authenticated he's provided a cookie with # which he can reconnect. That
cookie will be invalidated if not # used within this timeout value. This cookie remains
valid, during # the user's connected time, and after user disconnection it # remains
active for this amount of time. That setting should allow a # reasonable amount of time
for roaming between different networks. cookie-timeout = 300# valid even after a user
manually disconnects, and until they # expire. This may improve roaming with some broken
clients. #persistent-cookies = true# restricted to a single IP address and cannot be
re-used # from a different IP. deny-roaming = false# ocserv will ask the client to refresh
keys periodically once # this amount of seconds is elapsed. Set to zero to disable (note #
that, some clients fail if rekey is disabled). rekey-time = 172800# Valid options: ssl,
new-tunnel # ssl: Will perform an efficient rehandshake on the channel allowing # a
seamless connection during rekey. # new-tunnel: Will instruct the client to discard and
re-establish the channel. # Use this option only if the connecting clients have issues
with the ssl # option. rekey-method = ssl# The following parameters are passed on the
environment. # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the
client), # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL # (the local
interface IP the client connected), IP_LOCAL # (the local IP in the P-t-P connection),
IP_REMOTE (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if there are
both IPv4 and IPv6 # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and #
ID (a unique numeric ID); REASON may be "connect" or "disconnect". # In addition the
following variables OCSERV_ROUTES (the applied routes for this # client),
OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), # will contain a space
separated list of routes or DNS servers. A version # of these variables with the 4 or 6
suffix will contain only the IPv4 or # IPv6 values. The connect script must return zero as
exit code, or the # client connection will be refused.# STATS_BYTES_OUT, STATS_DURATION
that contain a 64-bit counter of the bytes # output from the tun device, and the duration
of the session in seconds.#disconnect-script = /usr/bin/myscript# available. It will
contain REASON with "host-update" value and the # variable REMOTE_HOSTNAME in addition to
the connect variables.# Register the connected clients to utmp. This will allow viewing #
the connected clients using the command 'who'. #use-utmp = true# or via a unix socket).
use-occtl = truepid-file = /var/run/ocserv.pid# All messages at the configure level and
lower will be displayed. # Supported levels (default 0) # 0 default (Same as basic) # 1
basic # 2 info # 3 debug # 4 http # 8 sensitive # 9 TLS log-level = 1# be sent. That is a
number from 0 to 6 with 0 being the lowest # priority. Alternatively this can be used to
set the IP Type- # Of-Service, by setting it to a hexadecimal number (e.g., 0x20). # This
can be set per user/group or globally. #net-priority = 3# specific and can be set per
user/group or globally. #cgroup = "cpuset,cpu:test"#device = vpns# same for the same user
when possible. predictable-ips = true# openconnect clients) can be provided in a space
separated list. default-domain = example.com #default-domain = "example.com
one.example.com"# are given via Radius, or via the explicit-ip? per-user config option
then # these network values should contain a network with at least a single # address that
will remain under the full control of ocserv (that is # to be able to assign the local
part of the tun device address). # Note that, you could use addresses from a subnet of
your LAN network if you # enable proxy arp in the LAN interface
http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html; # in that case it is
recommended to set ping-leases to true. ipv4-network = 192.168.1.0 ipv4-netmask =
255.255.255.0#ipv4-network = 192.168.1.0/24#ipv6-network = fda9:4efe:7e3b:03ea::/48#
generally recommended to provide clients with a /64 network in # IPv6, but any subnet may
be specified. To provide clients only # with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128 #ipv6-subnet-prefix = 64# when a default route is set.
#tunnel-all-dns = true# multiple servers. # dns = fc00::4be0 dns = 192.168.1.2#nbns =
192.168.1.3# multiple lines for multiple domains. #split-dns = example.com# it is not in
use by another (unrelated to this server) host. # Only set to true, if there can be
occupied addresses in the # IP range for leases. ping-leases = false# connections. Unset
to use the default MTU of the TUN device. # Note that the MTU is negotiated using the
value set and the # value sent by the peer. #mtu = 1420# setting here is global, but can
also be set per user or per group. #rx-data-per-sec = 40000 #tx-data-per-sec = 40000# the
output buffer. The default is low to improve latency. # Setting it higher will improve
throughput. #output-buffer = 10# client to forward routes to the server, you may use the #
config-per-user/group or even connect and disconnect scripts. # # To set the server as the
default gateway for the client just # comment out all routes from the server, or use the
special keyword # 'default'.
route = 10.10.10.0/255.255.255.0 route = 192.168.0.0/255.255.0.0 #route =
fef4:db8:1000:1001::/64 #route = default# the server.
no-route = 192.168.5.0/255.255.255.0# in Linux systems with iptables software.# the user
to its allowed routes and prevent him from accessing # any other routes. In case of
defaultroute, the no-routes are restricted. # All the routes applied by ocserv can be
reverted using /usr/bin/ocserv-fw # --removeall. This option can be set globally or in the
per-user configuration. #restrict-user-to-routes = true# script /usr/bin/ocserv-fw will be
called to restrict the user to # access specific ports in the network. This option can be
set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443),
tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"#restrict-user-to-ports =
"!(tcp(443), tcp(80))"# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set. #expose-iroutes = true# A client may belong
in multiple groups, and in certain use-cases # it is needed to switch between them. For
these cases the client can # select prior to authentication. Add multiple entries for
multiple groups. # The group may be followed by a user-friendly name in brackets.
#select-group = group1 #select-group = group2[My special group]# to its default group.
#default-select-group = DEFAULT# ocserv to scan all available groups and include the full
list. #auto-select-group = true# per group. Each file name on these directories must match
the username # or the groupname. # The options allowed in the configuration files are dns,
nbns, # ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route, #
explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, # keepalive, dpd,
mobile-dpd, max-same-clients, tunnel-all-dns, # restrict-user-to-routes, cgroup,
stats-report-time, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, #
split-dns and session-timeout. # # Note that the 'iroute' option allows one to add routes
on the server # based on a user or group. The syntax depends on the input accepted # by
the commands route-add-cmd and route-del-cmd (see below). The no-udp # is a boolean option
(e.g., no-udp = true), and will prevent a UDP session # for that specific user or group.
The hostname option will set a # hostname to override any proposed by the user. Note also,
that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global
ones.#config-per-group = /etc/ocserv/config-per-group/# matches, then utilize the
following configuration. #default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf# route/mask, %{RI} with the route
in CIDR format, and %{D} with the (tun) device. # # The following example is from linux
systems. %{R} should be something # like 192.168.2.0/255.255.255.0 and %{RI}
192.168.2.0/24 (the argument of iroute).#route-del-cmd = "ip route delete %{R} dev %{D}"#
and '%{G}', if present will be replaced by the username and group name. #proxy-url =
http://example.com/ #proxy-url = http://example.com/%{U}/# post using MS-KKDCP, and the
message will be forwarded to the provided # KDC server. That is a translation URL between
HTTP and Kerberos. # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { # kdc
= https://ocserv.example.com/KdcProxy # http_anchors = FILE:/etc/ocserv-ca.pem # } # In
some distributions the krb5-k5tls plugin of kinit is required. # # The following option is
available in ocserv, when compiled with GSSAPI support.#kkdcp = "/KdcProxy KERBEROS.REALM
udp@127.0.0.1:88" #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" #kkdcp = "/KdcProxy
KERBEROS.REALM tcp@[::1]:88"# to the client. A minimal file can be: # <?xml version="1.0"
encoding="UTF-8"?> # # # Other fields may be used by some of the CISCO clients. # This
file must be accessible from inside the worker's chroot. # Note that: # (1) enabling this
option is not recommended as it will allow the # worker processes to open arbitrary files
(when isolate-workers is # set to true). # (2) This option cannot be set per-user or
per-group; only the global # version is being sent to client. #user-profile = profile.xml#
compatibility.# will not require clients to present their certificate on every TLS #
connection. It must be set to true to support legacy CISCO clients # and openconnect
clients < 7.08. When set to true, it implies dtls-legacy = true. cisco-client-compat =
true# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate # the
pre-draft-DTLS negotiation inherited from AnyConnect. It allows the # DTLS channel to
negotiate its ciphers and the DTLS protocol version. #dtls-psk = false# but that may
change in the future). # The legacy DTLS uses a pre-draft version of the DTLS protocol and
was # from AnyConnect protocol. It has several limitations, that are addressed # by the
dtls-psk protocol supported by openconnect 7.08+. dtls-legacy = true# If the server has
not configured an IPv6 or IPv4 address pool, enabling this option # will instruct the
client to bypass the server for that IP protocol. The option is # currently only
understood by Anyconnect clients. client-bypass-protocol = false# authentication and prior
to VPN tunnel establishment. You shouldn't # need to use this option normally; if you do
and you think that # this may help others, please send your settings and reason to # the
openconnect mailing list. The special keywords '%{U}' # and '%{G}', if present will be
replaced by the username and group name. #custom-header = "X-My-Header: hi there"# by this
server.
[vhost:www.example.com] auth = "certificate"
ca-cert = ../tests/certs/ca.pem# the virtual host name.
server-cert = ../tests/certs/server-cert-secp521r1.pem server-key =
../tests/certs/server-key-secp521r1.pem
ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0
cert-user-oid = 0.9.2342.19200300.100.1.1 ```
SEE ALSO
occtl(8), ocpasswd(8), openconnect(8)
COPYRIGHT
Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights reserved. This
program is released under the terms of the GNU General Public License, version 2.
AUTHORS
Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
May 2021 OCSERV(8)