summaryrefslogtreecommitdiff
path: root/data/templates/ocserv/ocserv_config.j2
AgeCommit message (Collapse)Author
2024-04-29openconnect: T4982: Support defining minimum TLS version in openconnect VPNAlex W
2023-12-16ocserv: T5796: add smoketest for new "http-security-headers" featureChristian Breunig
2023-12-16ocserv: T5796: add CLI knob "http-security-headers"fett0
OCserv manual recommended HTTP headers tobe included in the configuration. (cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c)
2023-12-02 T5796:add/fixed OCSERV HTTP security headersfett0
2023-05-12ocserv: T3896: improve XML definition and add warning about 3rd party configsChristian Breunig
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is been doing, as invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
2023-05-12Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-xChristian Breunig
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
2023-04-20ocserv: T3896: refactor: change ocserv config-per-x node nameJamie Austin
Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
2023-01-28T4958: ocserv: openconnect: refactor RADIUS accounting supportJamie Austin
2023-01-28T4958: ocserv: openconnect: adds support for configuring RADIUS accountingJamie Austin
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
2023-01-26ocserv: T3896: add CLI options to configure ocserv config-per-user/groupJamie Austin
Adds CLI configurations under VPN - OpenConnect to facilitate per user/group vpn session configurations. Validation has been added to restrict config-per-group to be exclusive to OpenConnect RADIUS authentication as the config file is looked up based on a RADIUS response attribute - as well as sanity check that the necessary configs are configured when not disabled.
2022-09-16ocserv: openconnect: T4656: add listen-address CLI optionDemon_H
This will set the listen-host ocserv configuration option.
2022-08-24T3896: update group syntax per PR1463RageLtMan
2022-08-18T3896: update groupconfig syntax per PR1463RageLtMan
Address @sever-sever's suggestion to refactor how groupconfig is defined, parsed, and set (with his proposed conditional string appending Py-sugar). Use the disable-mobike refactor as template for XML simplification. Testing: None yet
2022-08-18T3896: Use group selector and forced dns tunnelingRageLtMan
Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this. Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling. Testing: Smoketests & build Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf
2022-08-18T3896: Drop cserv local user req, add groupconfigRageLtMan
From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation
2022-08-15ocserv: openconnect: T4614: add support for split-dnsChristian Poessinger
set vpn openconnect network-settings split-dns <domain>
2022-08-15ocserv: T4333: migrate to new vyos_defined Jinja2 testChristian Poessinger
2022-05-01openconnect: T4353: fix Jinja2 linting errorsChristian Poessinger