### generated by vpn_openconnect.py ###
{#
   Jinja2 template for the ocserv (OpenConnect VPN server) daemon configuration,
   rendered by vpn_openconnect.py. `vyos_defined` is a project-supplied Jinja
   test. Lines starting with `#` are copied into the generated config file and
   are visible to the operator; Jinja comment blocks like this one are not
   rendered. Directive meanings noted below are taken from the directive names
   and the template's own branching; confirm exact daemon behaviour against the
   ocserv manual before relying on it.
#}

{# Optional bind address: when unset the directive is omitted and the daemon default applies. #}
{% if listen_address is vyos_defined %}
listen-host = {{ listen_address }}
{% endif %}

# Listening ports (both values are always rendered; the template has no guard for them)
tcp-port = {{ listen_ports.tcp }}
udp-port = {{ listen_ports.udp }}

# Identity the daemon runs under; hard-coded here rather than configurable
run-as-user = nobody
run-as-group = daemon

{# RADIUS accounting reuses the radiusclient.conf path that the RADIUS auth line below also points at. #}
{% if accounting.mode.radius is vyos_defined %}
acct = "radius [config=/run/ocserv/radiusclient.conf]"
{% endif %}

{#
   Authentication backend selection. The chain is ordered: if authentication.mode
   contains both "radius" and "local", RADIUS wins and the local branch is never
   reached. Group-based identity config (config-per-group) is emitted only under
   RADIUS, and only while identity_based_config.disabled is not set.
#}
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
{%     if authentication.identity_based_config.disabled is not vyos_defined %}
{%         if "group" in authentication.identity_based_config.mode %}
config-per-group = {{ authentication.identity_based_config.directory }}
default-group-config = {{ authentication.identity_based_config.default_config }}
{%         endif %}
{%     endif %}
{# Local backends: password file plus OTP, OTP only, or plain password file. #}
{% elif "local" in authentication.mode %}
{%     if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
{%     elif authentication.mode.local == "otp" %}
auth = "plain[otp=/run/ocserv/users.oath]"
{%     else %}
auth = "plain[/run/ocserv/ocpasswd]"
{%     endif %}
{# Fallback when neither backend is named: same plain password file as the local default. #}
{% else %}
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}

{#
   Per-user identity config. Unlike the per-group block above, this does not
   consult identity_based_config.disabled and is emitted regardless of which
   auth backend was selected. NOTE(review): verify whether that asymmetry is
   intended or whether the disabled check should apply here too.
#}
{% if "identity_based_config" in authentication %}
{%     if "user" in authentication.identity_based_config.mode %}
config-per-user = {{ authentication.identity_based_config.directory }}
default-user-config = {{ authentication.identity_based_config.default_config }}
{%     endif %}
{% endif %}

{#
   Certificate material is referenced by fixed paths under /run/ocserv; the
   config script presumably writes the files there before rendering. key-pin
   interpolates ssl.passphrase verbatim, so the private-key passphrase ends up
   in clear text in the rendered file: the generated config must stay readable
   by the daemon only, and the passphrase will appear in any copy of it.
#}
{% if ssl.certificate is vyos_defined %}
server-cert = /run/ocserv/cert.pem
server-key = /run/ocserv/cert.key
{%     if ssl.passphrase is vyos_defined %}
key-pin = {{ ssl.passphrase }}
{%     endif %}
{% endif %}

{% if ssl.ca_certificate is vyos_defined %}
ca-cert = /run/ocserv/ca.pem
{% endif %}

# Control sockets; isolate-workers keeps per-client worker processes
# sandboxed from each other (ocserv's worker isolation, see the ocserv manual)
socket-file = /run/ocserv/ocserv.socket
occtl-socket-file = /run/ocserv/occtl.socket
use-occtl = true
isolate-workers = true
# Keepalive and dead-peer-detection timers; mobile clients get a longer dpd
keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 30
{#
   Minimum TLS version, expressed as a GnuTLS priority string. Every variant
   drops SSL 3.0, plain RSA key exchange (-RSA) and RC4 (-ARCFOUR-128); each
   higher minimum additionally removes the older TLS versions. A tls_version_min
   outside the four listed values (or one that is unset) emits no tls-priorities
   line at all, so the daemon's built-in default applies — there is no template
   fallback.
#}
{% if tls_version_min == '1.0' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
{% elif tls_version_min == '1.1' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0"
{% elif tls_version_min == '1.2' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
{% elif tls_version_min == '1.3' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
{% endif %}
# Session timers (auth, idle, re-auth, cookie) are fixed values, not exposed in the CLI
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 3
cookie-timeout = 300
rekey-method = ssl
try-mtu-discovery = true
# cisco-client-compat and dtls-legacy are enabled unconditionally, presumably
# for Cisco AnyConnect client interoperability; dtls-legacy keeps the older
# DTLS negotiation path available (check the ocserv manual before tightening)
cisco-client-compat = true
dtls-legacy = true
# Client ban scoring: threshold and reset window are fixed here
max-ban-score = 80
ban-reset-time = 300

# The name to use for the tun device
device = sslvpn

# DNS settings
{% if network_settings.name_server is vyos_defined %}
{%     for dns in network_settings.name_server %}
dns = {{ dns }}
{%     endfor %}
{% endif %}
{# tunnel-all-dns: "yes" maps to true, any other value to false; omitted entirely when the option is unset. #}
{% if network_settings.tunnel_all_dns is vyos_defined %}
{%     if "yes" in network_settings.tunnel_all_dns %}
tunnel-all-dns = true
{%     else %}
tunnel-all-dns = false
{%     endif %}
{% endif %}

# IPv4 network pool
{% if network_settings.client_ip_settings.subnet is vyos_defined %}
ipv4-network = {{ network_settings.client_ip_settings.subnet }}
{% endif %}

# IPv6 network pool
{#
   Only the prefix is guarded; the mask is interpolated unconditionally inside
   the block, so a prefix without a mask renders an empty ipv6-subnet-prefix —
   presumably rejected by the config script's verify step before rendering.
#}
{% if network_settings.client_ipv6_pool.prefix is vyos_defined %}
ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
{% endif %}

{# Routes pushed to clients, one route line per entry. #}
{% if network_settings.push_route is vyos_defined %}
{%     for route in network_settings.push_route %}
route = {{ route }}
{%     endfor %}
{% endif %}

{# Split-DNS domains, one split-dns line per entry. #}
{% if network_settings.split_dns is vyos_defined %}
{%     for tmp in network_settings.split_dns %}
split-dns = {{ tmp }}
{%     endfor %}
{% endif %}

{# One select-group line per configured group. #}
{% if authentication.group is vyos_defined %}
# Group settings
{%     for grp in authentication.group %}
select-group = {{ grp }}
{%     endfor %}
{% endif %}

{#
   Hardening headers are all-or-nothing: the single http_security_headers flag
   enables the full fixed set. HSTS max-age 31536000 s is one year with
   includeSubDomains; X-XSS-Protection: 0 deliberately disables the legacy
   browser XSS auditor rather than enabling it.
#}
{% if http_security_headers is vyos_defined %}
# HTTP security headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src "none"
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
{% endif %}