path: root/data/templates/ocserv/ocserv_config.tmpl
blob: 3a27eb755268c8819a583948ea7e1b051b2a96a4 (plain)
### generated by vpn_openconnect.py ###
# Jinja2 template for the ocserv (OpenConnect VPN server) configuration file.
# Rendered by vpn_openconnect.py from the template variables listen_ports,
# authentication, ssl, network_settings and http_security_headers. Edit the
# template or the CLI configuration, never the rendered file.

tcp-port = {{ listen_ports.tcp }}
udp-port = {{ listen_ports.udp }}

# Unprivileged identity ocserv switches to after start-up.
run-as-user = nobody
run-as-group = daemon

# Authentication backend: RADIUS (client settings in
# /run/ocserv/radiusclient.conf) when the configured mode contains radius,
# otherwise the local /run/ocserv/ocpasswd password file.
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf]"
{% else %}
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}

# TLS identity. Each directive is emitted only when the corresponding path is
# set; ocserv needs at least server-cert and server-key, so presumably the CLI
# verify step guarantees both before rendering -- not checked in this template.
{% if ssl.cert_file %}
server-cert = {{  ssl.cert_file }}
{% endif %}

{% if ssl.key_file %}
server-key = {{  ssl.key_file }}
{% endif %}

# CA bundle ocserv uses to verify client certificates, when configured.
{% if ssl.ca_cert_file %}
ca-cert = {{  ssl.ca_cert_file }}
{% endif %}

# Control sockets; occtl talks to the running daemon over occtl-socket-file.
socket-file = /run/ocserv/ocserv.socket
occtl-socket-file = /run/ocserv/occtl.socket
use-occtl = true
# Run the per-client worker processes sandboxed (seccomp where available).
isolate-workers = true
# Keepalive and dead-peer-detection intervals in seconds; mobile-dpd applies
# to clients ocserv identifies as mobile.
keepalive = 300
dpd = 60
mobile-dpd = 300
# Seconds of a non-working UDP channel before a client is moved to TCP.
switch-to-tcp-timeout = 30
# GnuTLS priority string: server-preferred cipher order, no static-RSA key
# exchange (no forward secrecy), no SSLv3, no RC4; %COMPAT relaxes strictness
# for older clients.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# Session timers in seconds: auth-timeout bounds the login exchange,
# idle-timeout / mobile-idle-timeout disconnect inactive sessions, and
# cookie-timeout is how long a disconnected session may reconnect without
# re-authenticating.
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
# NOTE(review): 3 s between failed authentication attempts is a short
# backoff against password guessing; the ocserv sample configuration uses a
# much larger value -- confirm this is intentional or expose it in the CLI.
min-reauth-time = 3
cookie-timeout = 300
# Rekey over the existing TLS session rather than opening a new tunnel.
rekey-method = ssl
try-mtu-discovery = true
# Compatibility with older Cisco AnyConnect clients; dtls-legacy enables the
# pre-standard DTLS negotiation. Both widen the accepted protocol surface, so
# revisit them when hardening.
cisco-client-compat = true
dtls-legacy = true


# The name to use for the tun device
device = sslvpn

# An alternative way of specifying the network:
# DNS servers, client address pools and split-DNS domains are optional and
# only emitted when present under network_settings. name_server may be a
# single string or a list, hence the is-string branch.
{% if network_settings %}
# DNS settings
{%   if network_settings.name_server is string %}
dns = {{ network_settings.name_server }}
{%   else %}
{%     for dns in network_settings.name_server %}
dns = {{ dns }}
{%     endfor %}
{%   endif %}
# IPv4 network pool
{%   if network_settings.client_ip_settings %}
{%     if network_settings.client_ip_settings.subnet %}
ipv4-network = {{ network_settings.client_ip_settings.subnet }}
{%     endif %}
{%   endif %}
# IPv6 network pool
{%   if network_settings.client_ipv6_pool %}
{%     if network_settings.client_ipv6_pool.prefix %}
ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
{%     endif %}
{%   endif %}
{%   if network_settings.split_dns is defined %}
{%     for tmp in network_settings.split_dns %}
split-dns = {{ tmp }}
{%     endfor %}
{%   endif %}
{% endif %}

# Routes pushed to clients; like name_server, push_route is either a single
# string or a list.
# NOTE(review): this block sits outside the network_settings guard above, so
# network_settings.push_route is evaluated even when network_settings is not
# set. Presumably the rendering environment tolerates attribute access on an
# undefined variable; a strict Undefined would raise here. Consider moving
# the block inside the guard.
{% if network_settings.push_route is string %}
route = {{ network_settings.push_route }}
{% else %}
{%   for route in network_settings.push_route %}
route = {{ route }}
{%   endfor %}
{% endif %}

# Emitted whenever the http_security_headers node exists; only its presence
# is checked, not its contents.
{% if http_security_headers is defined %}
# HTTP security headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
# NOTE(review): the characters around none on the next line are U+00B4
# (acute accent), not the ASCII single quotes CSP requires for the none
# keyword, so browsers will not recognise it as a keyword (an unparseable
# source expression is dropped). Check how the ocserv config parser treats a
# literal single-quote character before replacing them.
included-http-headers = Content-Security-Policy: default-src ´none´
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
{% endif %}