### generated by vpn_openconnect.py ### {% if listen_address is vyos_defined %} listen-host = {{ listen_address }} {% endif %} tcp-port = {{ listen_ports.tcp }} udp-port = {{ listen_ports.udp }} run-as-user = nobody run-as-group = daemon {% if accounting.mode.radius is vyos_defined %} acct = "radius [config=/run/ocserv/radiusclient.conf]" {% endif %} {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% if authentication.identity_based_config.disabled is not vyos_defined %} {% if "group" in authentication.identity_based_config.mode %} config-per-group = {{ authentication.identity_based_config.directory }} default-group-config = {{ authentication.identity_based_config.default_config }} {% endif %} {% endif %} {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" {% elif authentication.mode.local == "otp" %} auth = "plain[otp=/run/ocserv/users.oath]" {% else %} auth = "plain[/run/ocserv/ocpasswd]" {% endif %} {% else %} auth = "plain[/run/ocserv/ocpasswd]" {% endif %} {% if "identity_based_config" in authentication %} {% if "user" in authentication.identity_based_config.mode %} config-per-user = {{ authentication.identity_based_config.directory }} default-user-config = {{ authentication.identity_based_config.default_config }} {% endif %} {% endif %} {% if ssl.certificate is vyos_defined %} server-cert = /run/ocserv/cert.pem server-key = /run/ocserv/cert.key {% if ssl.passphrase is vyos_defined %} key-pin = {{ ssl.passphrase }} {% endif %} {% endif %} {% if ssl.ca_certificate is vyos_defined %} ca-cert = /run/ocserv/ca.pem {% endif %} socket-file = /run/ocserv/ocserv.socket occtl-socket-file = /run/ocserv/occtl.socket use-occtl = true isolate-workers = true keepalive = 300 dpd = 60 mobile-dpd = 300 switch-to-tcp-timeout = 30 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" auth-timeout = 240 idle-timeout = 1200 mobile-idle-timeout = 1800 min-reauth-time = 3 cookie-timeout = 300 rekey-method = ssl try-mtu-discovery = true cisco-client-compat = true dtls-legacy = true max-ban-score = 80 ban-reset-time = 300 # The name to use for the tun device device = sslvpn # DNS settings {% if network_settings.name_server is vyos_defined %} {% for dns in network_settings.name_server %} dns = {{ dns }} {% endfor %} {% endif %} {% if network_settings.tunnel_all_dns is vyos_defined %} {% if "yes" in network_settings.tunnel_all_dns %} tunnel-all-dns = true {% else %} tunnel-all-dns = false {% endif %} {% endif %} # IPv4 network pool {% if network_settings.client_ip_settings.subnet is vyos_defined %} ipv4-network = {{ network_settings.client_ip_settings.subnet }} {% endif %} # IPv6 network pool {% if network_settings.client_ipv6_pool.prefix is vyos_defined %} ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} {% endif %} {% if network_settings.push_route is vyos_defined %} {% for route in network_settings.push_route %} route = {{ route }} {% endfor %} {% endif %} {% if network_settings.split_dns is vyos_defined %} {% for tmp in network_settings.split_dns %} split-dns = {{ tmp }} {% endfor %} {% endif %} {% if authentication.group is vyos_defined %} # Group settings {% for grp in authentication.group %} select-group = {{ grp }} {% endfor %} {% endif %} {% if http_security_headers is vyos_defined %} # HTTP security headers included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains included-http-headers = X-Frame-Options: deny included-http-headers = X-Content-Type-Options: nosniff included-http-headers = Content-Security-Policy: default-src "none" included-http-headers = X-Permitted-Cross-Domain-Policies: none included-http-headers = Referrer-Policy: no-referrer included-http-headers = Clear-Site-Data: "cache","cookies","storage" included-http-headers = Cross-Origin-Embedder-Policy: require-corp included-http-headers = Cross-Origin-Opener-Policy: same-origin included-http-headers = Cross-Origin-Resource-Policy: same-origin included-http-headers = X-XSS-Protection: 0 included-http-headers = Pragma: no-cache included-http-headers = Cache-control: no-store, no-cache {% endif %}