NAME
ocserv - OpenConnect VPN server
SYNOPSIS
ocserv options -c [config]
OpenConnect VPN server (ocserv) is a VPN server compatible with the OpenConnect VPN client. It follows the AnyConnect VPN protocol which is used by several CISCO routers.
DESCRIPTION
This a standalone server that reads a configuration file (see below for more details), and waits for client connections. Log messages are directed to the syslog daemon facility.
The server maintains two connections/channels with the client. The main VPN channel is established over TCP, HTTP and TLS. This is the control channel as well as the backup data channel. After its establishment a UDP channel using DTLS is initiated which serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable the backup channel over TCP/TLS is being used.
This server supports multiple authentication methods, including PAM and certificate authentication. Authenticated users are assigned an unprivileged worker process and obtain a networking (tun) device and an IP from a configurable pool of addresses.
Once authenticated, the server provides the client with an IP address and a list of routes that it may access. In order to allow high-speed transfers the server does not process or filter packets. It is expected that the server has or will set up any required routes or firewall rules.
It is possible to separate users into groups, which are either present on their certificate, or presented on login for the user to choose. That way a user may take advantage of the different settings that may apply per group. See the comments on the configuration file for more information.
It is also possible to run hostname-based virtual servers which could support different authentication methods. When multiple virtual servers are present clients are distinguished by the advertised server name over TLS (SNI). Clients which do not support or sent SNI, are directed to the default server.
OPTIONS
-f, --foreground:
Do not fork server into background.
-d, --debug=num:
Enable verbose network debugging information. num must be between zero and 9999.
-c, --config=FILE:
Specify the configuration file for the server.
-t, --test-config:
Test the provided configuration file and exit. A successful exit error code indicates a valid configuration.
-p, --pid-file=FILE:
Specify a PID file for the server.
-h, --help:
Display usage information and exit.
-v, --version:
Output version of program and exit.
AUTHENTICATION
Users can be authenticated in multiple ways, which are explained in the following paragraphs. Connected users can be managed using the occtl tool.
Password
authentication
If your system supports Pluggable Authentication Modules
(PAM), then ocserv will take advantage of it to password
authenticate its users. Otherwise a plain password file
similar to the UNIX password file is also supported. In that
case the ´ocpasswd´ tool can be used for its
management. Note that password authentication can be used in
conjunction with certificate authentication.
GSSAPI
authentication
ocserv will take advantage of the MIT Kerberos project
GSSAPI libraries, and allow authentication using any method
GSSAPI supports. That is, mainly, Kerberos authentication.
That is often more useful to be combined with PAM or other
password authentication methods so that a fallback mechanism
can be used when GSSAPI fails (e.g., when the user
doesn´t already have a Kerberos ticket). The GSSAPI
authentication is implemented using SPNEGO over HTTP
(RFC4559).
Public key
(certificate) authentication
Public key authentication allows the user to be
authenticated by the possession of the private key that
corresponds to a known to the server public key. That allows
the usage of common smart cards for user authentication.
In ocserv, a certificate authority (CA) is used to sign the client certificates. That certificate authority can be local, used only by the server to sign its user´s known public keys which are then given to users in a form of certificates. That authority need also provide a CRL to allow the server to reject the revoked clients (see ca-cert, crl).
In certificate authentication each client presents a certificate and signs data provided by the server, as part of TLS authentication, to prove his possession of the corresponding private key. The certificate need also contain user identifying information, for example, the user ID of the client must be embedded in the certificate´s Distinguished Name (DN), i.e., in the Common Name, or UID fields. For the server to read the name, the cert-user-oid configuration option must be set.
The following examples demonstrate how to use certtool from GnuTLS to generate such CA.
Generating
the CA
$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool
--generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem
Generating a
local server certificate
The following example generates the server key and
certificate pair. The key generated is an RSA one, but
different types can be used by specifying the
´ecdsa´ or ´dsa´ options to
certtool.
|
$ certtool --generate-privkey --outfile server-key.pem |
$ cat << _EOF_
>server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool
--generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey
ca-key.pem \
--template server.tmpl --outfile server-cert.pem
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is a better practice to use two separate RSA keys, one with the signing_key option and another with the encryption_key.
Generating
an external CA-signed server certificate
$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-request --load-privkey server-key.pem
\
--template server.tmpl --outfile server-cert.csr
At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.
Generating
the client certificates
Note that it is recommended to leave detailed personal
information out of the certificate as it is sent in clear
during TLS authentication. The following process generates a
certificate and converts it to PKCS #12 that is protected by
a PIN and most clients are able to import (the 3DES cipher
is used in the example because it is supported by far more
devices than AES).
|
$ certtool --generate-privkey --outfile user-key.pem |
$ cat << _EOF_
>user.tmpl
dn = "cn=Full Name,O=Example Org,UID=username"
#if usernames are SAN(rfc822name) email addresses
#email = "username [AT] example.com"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey
user-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey
ca-key.pem \
--template user.tmpl --outfile user-cert.pem
$ certtool
--to-p12 --load-privkey user-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem \
--outfile user.p12 --outder
Revoking a
client certificate
To revoke the previous client certificate, i.e., preventing
the user from accessing the VPN resources prior to its
certificate expiration, use:
|
$ cat << _EOF_ >crl.tmpl |
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem --load-certificate
revoked.pem \
--template crl.tmpl --outfile crl.pem
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.
When there are no revoked certificates an empty revocation list should be generated as follows.
|
$ certtool --generate-crl --load-ca-privkey ca-key.pem \ |
--load-ca-certificate
ca-cert.pem \
--template crl.tmpl --outfile crl.pem
FILES
ocserv´s
configuration file format
By default, if no other file is specified, ocserv looks for
its configuration file at /etc/ocserv/ocserv.conf. An
example configuration file follows.
|
### The following directives do not change with server reload. |
# User
authentication method. To require multiple methods to be
# used for the user to login, add multiple auth directives.
The values
# in the ´auth´ directive are AND composed (if
multiple all must
# succeed).
# Available options: certificate, plain, pam, radius,
gssapi.
# Note that authentication methods utilizing passwords
cannot be
# combined (e.g., the plain, pam or radius methods).
# certificate:
# This indicates that all connecting users must present a
certificate.
# The username and user group will be then extracted from it
(see
# cert-user-oid and cert-group-oid). The certificate to be
accepted
# it must be signed by the CA certificate as specified in
´ca-cert´ and
# it must not be listed in the CRL, as specified by the
´crl´ option.
#
# pam[gid-min=1000]:
# This enabled PAM authentication of the user. The gid-min
option is used
# by auto-select-group option, in order to select the
minimum valid group ID.
#
#
plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
# The plain option requires specifying a password file which
contains
# entries of the following format.
#
"username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and
´ocpasswd´ should be used
# to generate password entries. The ´otp´
suboption allows one to specify
# an oath password file to be used for one time passwords;
the format of
# the file is described in
https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
#
#
radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client
configuration
# file. If the groupconfig option is set, then
config-per-user/group will be overridden,
# and all configuration will be read from radius. That also
includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius
configuration attributes.
#
#
gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
# The gssapi option allows one to use authentication methods
supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best
used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth),
to allow users with
# tickets and without tickets to login. The default value
for require-local-user-map
# is true. The ´tgt-freshness-time´ if set, it
would require the TGT tickets presented
# to have been issued within the provided number of seconds.
That option is used to
# restrict logins even if the KDC provides long time TGT
tickets.
#auth =
"pam"
#auth = "pam[gid-min=1000]"
#auth =
"plain[passwd=./sample.passwd,otp=./sample.otp]"
auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
#auth =
"radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify
alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods
enabled
# will be sufficient to login, irrespective of the main
´auth´ entries.
# When multiple options are present, they are OR composed
(any of them
# succeeding allows login).
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth =
"gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting
methods available:
# radius: can be combined with any authentication method, it
provides
# radius accounting to available users (see also
stats-report-time).
#
# pam: can be combined with any authentication method, it
provides
# a validation of the connecting user´s name using
PAM. It is
# superfluous to use this method when authentication is
already
# PAM.
#
# Only one accounting method can be specified.
#acct =
"radius[config=/etc/radiusclient/radiusclient.conf]"
# Use
listen-host to limit to specific IPs or to the IPs of a
provided
# hostname.
#listen-host = [IP|HOSTNAME]
# Use
udp-listen-host to limit udp to specific IPs or to the IPs
of a provided
# hostname. if not set, listen-host will be used
#udp-listen-host = [IP|HOSTNAME]
# When the
server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again
on
# reconnects.
#listen-host-is-dyndns = true
# move the
listen socket within the specified network namespace
# listen-netns = "foo"
# TCP and UDP
port number
tcp-port = 443
udp-port = 443
# The user the
worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., ´ocserv´) and no
other services should run as this
# user.
run-as-user = nobody
run-as-group = daemon
# socket file
used for IPC with occtl. You only need to set that,
# if you use more than a single server.
#occtl-socket-file = /var/run/occtl.socket
# socket file
used for server IPC (worker-main), will be appended with
.PID
# It must be accessible within the chroot environment (if
any), so it is best
# specified relatively to the chroot directory.
socket-file = /var/run/ocserv-socket
# The default
server directory. Does not require any devices present.
#chroot-dir = /var/lib/ocserv
# The key and
the certificates of the server
# The key may be a file, or any URL supported by GnuTLS
(e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
# There may be multiple server-cert and server-key
directives,
# but each key should correspond to the preceding
certificate.
# The certificate files will be reloaded when changed
allowing for in-place
# certificate renewal (they are checked and reloaded
periodically;
# a SIGHUP signal to main server will force reload).
#server-cert =
/etc/ocserv/server-cert.pem
#server-key = /etc/ocserv/server-key.pem
server-cert = ../tests/certs/server-cert.pem
server-key = ../tests/certs/server-key.pem
#
Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
# Can be generated using:
# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
#dh-params = /etc/ocserv/dh.pem
# In case PKCS
#11, TPM or encrypted keys are used the PINs should be
available
# in files. The srk-pin-file is applicable to TPM keys only,
and is the
# storage root key.
#pin-file = /etc/ocserv/pin.txt
#srk-pin-file = /etc/ocserv/srkpin.txt
# The password
or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object.
This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN
for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The
Certificate Authority that will be used to verify
# client certificates (public keys) if certificate
authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
ca-cert = ../tests/certs/ca.pem
# The number of
sub-processes to use for the security module
(authentication)
# processes. Typically this should not be set as the number
of processes
# is determined automatically by the initially set maximum
number of clients.
#sec-mod-scale = 4
### All
configuration options below this line are reloaded on a
SIGHUP.
### The options above, will remain unchanged. Note however,
that the
### server-cert, server-key, dh-params and ca-cert options
will be reloaded
### if the provided file changes, on server reload. That
allows certificate
### rotation, but requires the server key to remain the same
for seamless
### operation. If the server key changes on reload, there
may be connection
### failures during the reloading time.
# Whether to
enable seccomp/Linux namespaces worker isolation. That
restricts the number of
# system calls allowed to a worker process, in order to
reduce damage from a
# bug in the worker process. It is available on Linux
systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer
time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the
specific libc versions
# the isolation was tested at. If you get random failures on
worker processes, try
# disabling that option and report the failures you, along
with system and debugging
# information at:
https://gitlab.com/openconnect/ocserv/issues
isolate-workers = true
# A banner to
be displayed on clients after connection
#banner = "Welcome"
# A banner to
be displayed on clients before connection
#pre-login-banner = "Welcome"
# Limit the
number of clients. Unset or set to zero if unknown. In
# that case the maximum value is ~8k clients.
#max-clients = 1024
max-clients = 16
# Limit the
number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the
server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the
correct
# client addresses. The proxy protocol would then be
expected in
# the TCP or UNIX socket (not the UDP one). Although both v1
# and v2 versions of proxy protocol are supported, the v2
version
# is recommended as it is more efficient in parsing.
#listen-proxy-proto = true
# Rate limit
the number of incoming connections to one every X
milliseconds
# (X is the provided value), as the secmod backlog grows.
This
# makes the server more resilient (and prevents connection
failures) on
# multiple concurrent connections. Set to zero for no limit.
rate-limit-ms = 100
# Stats report
time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting
like
# radius is in use.
#stats-report-time = 360
# Stats reset
time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by
cmd
# ´occtl show stats´. For daily: 86400, weekly:
604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in
seconds
keepalive = 32400
# Dead peer
detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several
minutes.
dpd = 90
# Dead peer
detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# ´X-AnyConnect-Identifier-Platform´.
mobile-dpd = 1800
# If using
DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 25
# MTU discovery
(DPD must be enabled)
try-mtu-discovery = false
# To enable
load-balancer connection draining, set server-drain-ms to a
value
# higher than your load-balancer health probe interval.
#server-drain-ms = 15000
# If you have a
certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response
within
# the TLS handshake. That will prevent the client from
connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca
--outfile response
# Make sure that you replace the following file in an atomic
way.
#ocsp-response = /etc/ocserv/ocsp.der
# The object
identifier that will be used to read the user ID in the
client
# certificate. The object identifier should be part of the
certificate´s DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1,
SAN(rfc822name)
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object
identifier that will be used to read the user group in the
# client certificate. The object identifier should be part
of the certificate´s
# DN. If the user may belong to multiple groups, then use
multiple such fields
# in the certificate´s DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The
revocation list of the certificates issued by the
´ca-cert´ above.
# See the manual to generate an empty CRL initially. The CRL
will be reloaded
# periodically when ocserv detects a change in the file. To
force a reload use
# SIGHUP.
#crl = /etc/ocserv/crl.pem
# Uncomment
this to enable compression negotiation (LZS, LZ4).
# To increase security it is recommended to keep it
disabled;
# see https://ocserv.openconnect-vpn.net/technical.html for
rationale.
#compression = false
# Set the
minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default
size
# is 256 bytes. Modify it if the clients typically use
compression
# as well of VoIP with codecs that exceed the default value.
#no-compress-limit = 256
# GnuTLS
priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect
clients) using
# that protocol. The string below does not enforce perfect
forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment
are the ones
# involving AES-GCM. These are very fast in x86 and x86-64
hardware, and
# in addition require no padding, thus taking full advantage
of the MTU.
# For that to be taken advantage of, the openconnect client
must be
# used, and the server must be compiled against GnuTLS 3.2.7
or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see
the performance
# difference with AES_128_CBC_SHA1 (the default for
anyconnect clients)
# in your system.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
# More
combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy
(PFS)
# on the main channel.
#tls-priorities =
"NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# That option
requires the established DTLS channel to use the same
# cipher as the primary TLS channel.Note also, that this
option implies
# that the dtls-legacy option is false; this option cannot
be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true
# The time (in
seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in
seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in
seconds) that a client is allowed to stay connected
# Unset to disable. When set a client will be disconnected
after being
# continuously connected for this amount of time, and its
cookies will
# be invalidated (i.e., re-authentication will be required).
#session-timeout = 86400
# The time (in
seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in
seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 300
# Banning
clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned
for
# min-reauth-time seconds. By default a wrong password
attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note
that
# due to different processes being involved the count of
points
# will not be real-time precise. Local subnet IPs are exempt
to allow
# services that check for process health.
#
# Set to zero to disable.
max-ban-score = 80
# The time (in
seconds) that all score kept for a client is reset.
ban-reset-time = 1200
# In case
you´d like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie
timeout (in seconds)
# Once a client is authenticated he´s provided a
cookie with
# which he can reconnect. That cookie will be invalidated if
not
# used within this timeout value. This cookie remains valid,
during
# the user´s connected time, and after user
disconnection it
# remains active for this amount of time. That setting
should allow a
# reasonable amount of time for roaming between different
networks.
cookie-timeout = 300
# If this is
enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until
they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether
roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be reused
# from a different IP.
deny-roaming = false
# ReKey time
(in seconds)
# ocserv will ask the client to refresh keys periodically
once
# this amount of seconds is elapsed. Set to zero to disable
(note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel
allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and
re-establish the channel.
# Use this option only if the connecting clients have issues
with the ssl
# option.
rekey-method = ssl
# Script to
call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the
real IP of the client),
# REMOTE_HOSTNAME (the remotely advertised hostname),
IP_REAL_LOCAL
# (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN
IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4
and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address),
IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be
"connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the
applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for
this client),
# will contain a space separated list of routes or DNS
servers. A version
# of these variables with the 4 or 6 suffix will contain
only the IPv4 or
# IPv6 values. The connect script must return zero as exit
code, or the
# client connection will be refused.
# The
disconnect script will receive the additional values:
STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit
counter of the bytes
# output from the tun device, and the duration of the
session in seconds.
#connect-script
= /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# This script
is to be called when the client´s advertised hostname
becomes
# available. It will contain REASON with
"host-update" value and the
# variable REMOTE_HOSTNAME in addition to the connect
variables.
#host-update-script = /usr/bin/myhostnamescript
# UTMP
# Register the connected clients to utmp. This will allow
viewing
# the connected clients using the command ´who´.
#use-utmp = true
# Whether to
enable support for the occtl tool (i.e., either through
D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It
can be overridden in the command line.
pid-file = /var/run/ocserv.pid
# Log Level.
Ocserv sends the logging messages to standard error
# as well as the system log. The log level can be overridden
in the
# command line with the -d option. All messages at the
configured
# level and lower will be displayed.
# Supported levels (default 0):
# 0 default (Same as info)
# 1 basic
# 2 info
# 3 debug
# 4 http
# 8 sensitive
# 9 TLS
log-level = 2
# Set the
protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the
lowest
# priority. Alternatively this can be used to set the IP
Type-
# Of-Service, by setting it to a hexadecimal number (e.g.,
0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN
worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to
use for the tun device
device = vpns
# Whether the
generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default
domain to be advertised. Multiple domains (functional on
# openconnect clients) can be provided in a space separated
list.
default-domain = example.com
#default-domain = "example.com
one.example.com"
# The pool of
addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user
config option then
# these network values should contain a network with at
least a single
# address that will remain under the full control of ocserv
(that is
# to be able to assign the local part of the tun device
address).
# Note that, you could use addresses from a subnet of your
LAN network if you
# enable [proxy arp in the LAN
interface](http://ocserv.openconnect-vpn.net/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# An
alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6
subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the
size of the network to provide to clients. It is
# generally recommended to provide clients with a /64
network in
# IPv6, but any subnet may be specified. To provide clients
only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to
tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The
advertised DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 192.168.1.2
# The NBNS
server (if any)
#nbns = 192.168.1.3
# The domains
over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to
leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server)
host.
# Only set to true, if there can be occupied addresses in
the
# IP range for leases.
ping-leases = false
# Use this
option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN
device.
# Note that the MTU is negotiated using the value set and
the
# value sent by the peer.
#mtu = 1420
# Unset to
enable bandwidth restrictions (in bytes/second). The
# setting here is global, but can also be set per user or
per group.
# The RX direction refers to received data on the server
from the
# VPN client, and the TX refers to transmitted data by the
server
# to the client.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of
packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be
forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect
scripts.
#
# To set the server as the default gateway for the client
just
# comment out all routes from the server, or use the special
keyword
# ´default´.
route =
10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default
# Subsets of
the routes above that will not be routed by
# the server.
no-route = 192.168.5.0/255.255.255.0
# Note the that
following two firewalling options currently are available
# in Linux systems with iptables software.
# If set, the
script /usr/libexec/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from
accessing
# any other routes. In case of defaultroute, the no-routes
are restricted.
# All the routes applied by ocserv can be reverted using
/usr/libexec/ocserv-fw
# --removeall. This option can be set globally or in the
per-user configuration.
#restrict-user-to-routes = true
# This option
implies restrict-user-to-routes set to true. If set, the
# script /usr/libexec/ocserv-fw will be called to restrict
the user to
# access specific ports in the network. This option can be
set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443),
sctp(99), tcp(583), icmp(), icmpv6()"
# You could
also use negation, i.e., block the user from accessing these
ports only.
#restrict-user-to-ports = "!(tcp(443),
tcp(80))"
# When set to
true, all client´s iroutes are made visible to all
# connecting clients except for the ones offering them. This
option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a
client is allowed to select from.
# A client may belong in multiple groups, and in certain
use-cases
# it is needed to switch between them. For these cases the
client can
# select prior to authentication. Add multiple entries for
multiple groups.
# The group may be followed by a user-friendly name in
brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of
the (virtual) group that if selected it would assign the
user
# to its default group.
#default-select-group = DEFAULT
# Instead of
specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full
list.
#auto-select-group = true
# Configuration
files that will be applied per user connection or
# per group. Each file name on these directories must match
the username
# or the groupname.
# The options allowed in the configuration files are dns,
nbns,
# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute,
route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming,
no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients,
tunnel-all-dns,
# restrict-user-to-routes, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout,
restrict-user-to-ports,
# split-dns and session-timeout.
#
# Note that the ´iroute´ option allows one to
add routes on the server
# based on a user or group. The syntax depends on the input
accepted
# by the commands route-add-cmd and route-del-cmd (see
below). The no-udp
# is a boolean option (e.g., no-udp = true), and will
prevent a UDP session
# for that specific user or group. The hostname option will
set a
# hostname to override any proposed by the user. Note also,
that, any
# routes, no-routes, DNS or NBNS servers present will
overwrite the global ones.
#config-per-user
= /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When
config-per-xxx is specified and there is no group or user
that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system
command to use to setup a route. %{R} will be replaced with
the
# route/mask, %{RI} with the route in CIDR format, and %{D}
with the (tun) device.
#
# The following example is from linux systems. %{R} should
be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24
(the argument of iroute).
#route-add-cmd
= "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev
%{D}"
# This option
allows one to forward a proxy. The special keywords
´%{U}´
# and ´%{G}´, if present will be replaced by the
username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option
allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to
the provided
# KDC server. That is a translation URL between HTTP and
Kerberos.
# In MIT kerberos you´ll need to add in realms:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
# http_anchors = FILE:/etc/ocserv-ca.pem
# }
# In some distributions the krb5-k5tls plugin of kinit is
required.
#
# The following option is available in ocserv, when compiled
with GSSAPI support.
#kkdcp =
"SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM
udp [AT] 127.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM
tcp [AT] 127.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM
tcp@[::1]:88"
# Client
profile xml. This can be used to advertise alternative
servers
# to the client. A minimal file can be:
# <?xml version="1.0"
encoding="UTF-8"?>
# <AnyConnectProfile
xmlns="http://schemas.xmlsoap.org/encoding/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
AnyConnectProfile.xsd">
|
# |
<ServerList> | |||
|
# |
||||
|
<HostEntry> | ||||
|
# |
<HostName>VPN Server name</HostName> | |||
|
# |
<HostAddress>localhost</HostAddress> | |||
|
# |
||||
|
</HostEntry> | ||||
|
# |
</ServerList> |
# </AnyConnectProfile>
#
# Other fields may be used by some of the CISCO clients.
# This file must be accessible from inside the
worker´s chroot.
# Note that:
# (1) enabling this option is not recommended as it will
allow the
# worker processes to open arbitrary files (when
isolate-workers is
# set to true).
# (2) This option cannot be set per-user or per-group; only
the global
# version is being sent to client.
#user-profile = profile.xml
#
# The following options are for (experimental) AnyConnect
client
# compatibility.
# This option
will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on
every TLS
# connection. It must be set to true to support legacy CISCO
clients
# and openconnect clients < 7.08. When set to true, it
implies dtls-legacy = true.
cisco-client-compat = true
# This option
allows one to disable the DTLS-PSK negotiation (enabled by
default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5
to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect.
It allows the
# DTLS channel to negotiate its ciphers and the DTLS
protocol version.
#dtls-psk = false
# This option
allows one to disable the legacy DTLS negotiation (enabled
by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS
protocol and was
# from AnyConnect protocol. It has several limitations, that
are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# This option
will enable the settings needed for Cisco SVC IPPhone
clients
# to connect. It implies dtls-legacy = true and
tls-priorities is changed to
# only the ciphers the device supports.
cisco-svc-client-compat = false
# This option
will enable the X-CSTP-Client-Bypass-Protocol (disabled by
default).
# If the server has not configured an IPv6 or IPv4 address
pool, enabling this option
# will instruct the client to bypass the server for that IP
protocol. The option is
# currently only understood by Anyconnect clients.
client-bypass-protocol = false
# The following options are related to server camouflage (hidden service)
# This option
allows you to enable the camouflage feature of ocserv that
makes it look
# like a web server to unauthorized parties.
# With "camouflage" enabled, connection to the VPN
can be established only if the client provided a specific
# "secret string" in the connection URL, e.g.
"https://example.com/?mysecretkey";,
# otherwise the server will return HTTP error for all
requests.
camouflage = false
# The URL
prefix that should be set on the client (after
´?´ sign) to pass through the camouflage check,
# e.g. in case of ´mysecretkey´, the server URL
on the client should be like
"https://example.com/?mysecretkey";.
camouflage_secret = "mysecretkey"
# Defines the
realm (browser prompt) for HTTP authentication.
# If no realm is set, the server will return 404 Not found
error instead of 401 Unauthorized.
# Better change it from the default value to avoid
fingerprinting.
camouflage_realm = "Restricted Content"
#Advanced options
# Option to
allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You
shouldn´t
# need to use this option normally; if you do and you think
that
# this may help others, please send your settings and reason
to
# the openconnect mailing list. The special keywords
´%{U}´
# and ´%{G}´, if present will be replaced by the
username and group name.
#custom-header = "X-My-Header: hi there"
# An example
virtual host with different authentication methods serviced
# by this server.
[vhost:www.example.com]
auth = "certificate"
ca-cert = ../tests/certs/ca.pem
# The
certificate set here must include a ´dns_name´
corresponding to
# the virtual host name.
server-cert =
../tests/certs/server-cert-secp521r1.pem
server-key = ../tests/certs/server-key-secp521r1.pem
ipv4-network =
192.168.2.0
ipv4-netmask = 255.255.255.0
cert-user-oid = 0.9.2342.19200300.100.1.1
# HTTP headers
included-http-headers = Strict-Transport-Security:
max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src
´none´
included-http-headers = X-Permitted-Cross-Domain-Policies:
none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data:
"cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy:
require-corp
included-http-headers = Cross-Origin-Opener-Policy:
same-origin
included-http-headers = Cross-Origin-Resource-Policy:
same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store,
no-cache
IMPLEMENTATION NOTES
Note that while this server utilizes privilege separation and all authentication occurs on the security module, this does not apply for TLS client certificate authentication. That is due to TLS protocol limitation.
NETWORKING CONSIDERATIONS
In certain setups, where a firewall may be blocking ICMP responses, setting the MSS of TCP connections to MTU will eliminate the "black hole" connection issues. See http://lartc.org/howto/lartc.cookbook.mtu-mss.html for instructions to enable it on a Linux system.
AUTHORS
Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
REPORTING BUGS
Issue tracker: https://gitlab.com/openconnect/ocserv/-/issues
COPYRIGHT
Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights reserved. This program is released under the terms of the GNU General Public License, version 2.