### generated by vpn_openconnect.py ### tcp-port = {{ listen_ports.tcp }} udp-port = {{ listen_ports.udp }} run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf]" {% else %} auth = "plain[/run/ocserv/ocpasswd]" {% endif %} {% if ssl.cert_file %} server-cert = {{ ssl.cert_file }} {% endif %} {% if ssl.key_file %} server-key = {{ ssl.key_file }} {% endif %} {% if ssl.ca_cert_file %} ca-cert = {{ ssl.ca_cert_file }} {% endif %} socket-file = /run/ocserv/ocserv.socket occtl-socket-file = /run/ocserv/occtl.socket use-occtl = true isolate-workers = true keepalive = 300 dpd = 60 mobile-dpd = 300 switch-to-tcp-timeout = 30 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" auth-timeout = 240 idle-timeout = 1200 mobile-idle-timeout = 1800 min-reauth-time = 3 cookie-timeout = 300 rekey-method = ssl try-mtu-discovery = true cisco-client-compat = true dtls-legacy = true # The name to use for the tun device device = sslvpn # An alternative way of specifying the network: {% if network_settings %} # DNS settings {% if network_settings.name_server is string %} dns = {{ network_settings.name_server }} {% else %} {% for dns in network_settings.name_server %} dns = {{ dns }} {% endfor %} {% endif %} # IPv4 network pool {% if network_settings.client_ip_settings %} {% if network_settings.client_ip_settings.subnet %} ipv4-network = {{ network_settings.client_ip_settings.subnet }} {% endif %} {% endif %} # IPv6 network pool {% if network_settings.client_ipv6_pool %} {% if network_settings.client_ipv6_pool.prefix %} ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} {% endif %} {% endif %} {% if network_settings.split_dns is defined %} {% for tmp in network_settings.split_dns %} split-dns = {{ tmp }} {% endfor %} {% endif %} {% endif %} {% if network_settings.push_route is string %} route = {{ network_settings.push_route }} {% else %} {% for route in network_settings.push_route %} route = {{ route }} {% endfor %} {% endif %} # HTTP security headers included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains included-http-headers = X-Frame-Options: deny included-http-headers = X-Content-Type-Options: nosniff included-http-headers = Content-Security-Policy: default-src ´none´ included-http-headers = X-Permitted-Cross-Domain-Policies: none included-http-headers = Referrer-Policy: no-referrer included-http-headers = Clear-Site-Data: "cache","cookies","storage" included-http-headers = Cross-Origin-Embedder-Policy: require-corp included-http-headers = Cross-Origin-Opener-Policy: same-origin included-http-headers = Cross-Origin-Resource-Policy: same-origin included-http-headers = X-XSS-Protection: 0 included-http-headers = Pragma: no-cache included-http-headers = Cache-control: no-store, no-cache