Provided by: eurephia_1.1.0-4_amd64 bug

NAME

       eurephia-variables - eurephia configuration variables

DESCRIPTION

       Overview  over  all  eurephia  configuration variables.  These variables are stored in the
       database and can be modified by the eurephiadm config command.

PASSWORD HASH

       These variables are related to the password hash configuration.  All of them must be  set,
       but  they  can  be  changed  over  time without affecting the functionality of the already
       stored passwords.

       These parameters are the first to be set when  eurephia_init  is  run.   The  minimum  and
       maximum  hash  rounds  are bechmarked for you with this tool to find more suitable numbers
       for the hardware eurephia will be running on.

       passwordhash_salt_length
              Sets number of bytes to use for the password hash salt.

       passwordhash_rounds_min
              Sets the minimum number of hashing rounds to perform when calculating new  password
              hashes.

       passwordhash_rounds_max
              Sets  the maximum number of hashing rounds to perform when calculating new password
              hashes

ATTEMPTS SETTINGS

       eurephia can blacklist user names, certificates and IP addresses based on number of failed
       attempts.   The  following  parameters  defines  the  limits  of how many attempts you are
       willing to allow before blacklisting them.

       allow_cert_attempts
              Defines the number of attempts of failed login attempts you allow before  you  will
              blacklist  the OpenVPN clients cerrtificate.  This number should normally be higher
              than allow_username_attempts. Default is 5.

       allow_username_attempts
              Defines the number of failed ttempts for a user name can be tried before  you  will
              blacklist the user name from further attempts.  Default is 3.

       allow_ipaddr_attempts
              Defines  the number of failed attempts for an IP address to be used before you will
              blacklist the IP address from further attempts.   This  one  should  be  the  least
              strictest limit.  You also need to consider if your clients will log in via a proxy
              or NATed network and how many of your clients will do so.  If you  experience  many
              users  failing to log on and more of them are behind the same proxy or NAT gateway,
              this may blacklist the IP address quicker than intended.  But if among many failing
              attempts  a valid authentication happens, the attempts counter will be reset again,
              so this limit do not need to be too forgiving.  Default is 10.

FIREWALL INTEGRATION

       If you are running the OpenVPN server with eurephia on a Linux server, it is  possible  to
       let  eurephia interact with the firewall as well.  These settings will enable the firewall
       integration and tell eurephia how to interact with the  firewall.   These  parameters  are
       very  iptables oriented.  The iptables firewall module must be enabled at compile time and
       be installed to work.

       firewall_interface
              This is the variable which enables firewall integration. This variable  must  point
              at  the  firewall  driver,  which  is a shared object file which eurephia will load
              dynamically.  These drivers are prefixed efw and will be found in the same  lib  or
              lib64  directory  as  the  eurephia-auth and edb-sqlite modules.  The variable must
              contain the full path to the driver module.

       firewall_command
              This defines the binary the  firewall  module  will  execute  to  help  update  the
              firewall.  For iptables this defaults to /sbin/iptables.

       firewall_destination
              Defines  which  predefined  firewall  rule  to use when updating the firewall.  The
              default value is vpn_users.

       firewall_blacklist_destination
              This activates firewall based IP address blacklisting in addition to  the  internal
              blacklist  in  eurephia.   This  variable  defines  which firewall rule to use when
              wanting to blacklist an IP address.

       firewall_blacklist_send_to
              This is an optional parameter.  Normally when eurephia blacklists an IP address  it
              will  default  to  drop  the  network  packets  from  that client. You can use this
              variable to send it to a different firewall target.  This is useful if you to,  for
              example, log the incident to the system log before dropping the packets.

EUREPHIA UTILITIES

       These settings are used by the eurephia administration utility, eurephiadm.

       eurephiadmin_autologout
              This  defines  how  long a eurephia administration utility may have an open session
              before it is considered inactive.  When exceeding  this  limit,  the  administrator
              user  will  be  out  automatically.   The  unit for this setting is minutes and the
              default value is 10.

       eurephiadm_xslt_path
              The eurephiadm utility uses XSLT templates for generating the output to the screen.
              This  variable  gives  you  the  possibility to have your own set of templates in a
              different directory instead of using the system wide XSLT  templates  installed  by
              default.  This variable is not set by default.

OPENVPN RELATED VARIABLES

       openvpn_devtype
              The  eurephia-auth  plug-in  will try to auto-detect the device type, which must be
              either tun or tap.  If this auto-detection fails, this configuration variable needs
              to be set to tun or tap.  This value must correspond to the OpenVPN configuration.

SEE ALSO

       eurephiadm-config(7), eurephia_init(7),
       Administrators Tutorial and Manual

AUTHOR

       Copyright (C) 2008-2012  David Sommerseth <dazo@users.sourceforge.net>