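### generated by vpn_openconnect.py ###
{#
   ocserv configuration template rendered by vpn_openconnect.py.
   Context read here: listen_ports, authentication, ssl, network_settings.

   NOTE(review): every value is interpolated verbatim. A value containing a
   newline would add extra directives to the rendered file, so this template
   assumes the generator validates its inputs - confirm in vpn_openconnect.py.
#}

tcp-port = {{ listen_ports.tcp }}
udp-port = {{ listen_ports.udp }}

{# The server drops to an unprivileged user and group. #}
run-as-user = nobody
run-as-group = daemon

{#
   RADIUS is selected when the configured mode contains "radius"; any other
   mode falls back to the local password file.
   NOTE(review): the ocpasswd file holds credential material; presumably the
   generator restricts its permissions - verify.
#}
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf]"
{% else %}
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}

{# Each TLS file directive is emitted only when the matching path is set. #}
{% if ssl.cert_file %}
server-cert = {{ ssl.cert_file }}
{% endif %}

{% if ssl.key_file %}
server-key = {{ ssl.key_file }}
{% endif %}

{% if ssl.ca_cert_file %}
ca-cert = {{ ssl.ca_cert_file }}
{% endif %}

socket-file = /run/ocserv/ocserv.socket
occtl-socket-file = /run/ocserv/occtl.socket
use-occtl = true
isolate-workers = true
keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 30
{#
   NOTE(review): this priority string removes RSA key exchange, SSL 3.0 and
   RC4, but it keeps the GnuTLS COMPAT workarounds and does not exclude
   TLS 1.0 / TLS 1.1. If no legacy clients remain, consider appending
   -VERS-TLS1.0:-VERS-TLS1.1. It is left unchanged here because it decides
   which clients can connect.
#}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 3
cookie-timeout = 300
rekey-method = ssl
try-mtu-discovery = true
{#
   NOTE(review): the next two options keep legacy AnyConnect-style clients
   working, including the pre-standard DTLS variant. Presumably they can be
   turned off once only current clients are in use - confirm the client base.
#}
cisco-client-compat = true
dtls-legacy = true

# The name to use for the tun device
device = sslvpn

# An alternative way of specifying the network:
{% if network_settings %}
# DNS settings
{#     name_server may be a single string or a list of strings. #}
{%     if network_settings.name_server is string %}
dns = {{ network_settings.name_server }}
{%     else %}
{%         for dns in network_settings.name_server %}
dns = {{ dns }}
{%         endfor %}
{%     endif %}
# IPv4 network pool
{%     if network_settings.client_ip_settings %}
{%         if network_settings.client_ip_settings.subnet %}
ipv4-network = {{ network_settings.client_ip_settings.subnet }}
{%         endif %}
{%     endif %}
# IPv6 network pool
{%     if network_settings.client_ipv6_pool %}
{%         if network_settings.client_ipv6_pool.prefix %}
ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
{#         NOTE(review): mask is rendered without its own check; an unset mask
           would yield an empty ipv6-subnet-prefix value - confirm that the
           generator always supplies it together with prefix. #}
ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
{%         endif %}
{%     endif %}
{#
   push_route is read inside the network_settings guard, like every other
   network_settings field, so a render without network_settings no longer
   dereferences an undefined variable. push_route may be one string or a list.
   NOTE(review): when no route line is emitted, ocserv presumably makes the
   VPN the client's default gateway - confirm that this is the intended
   behaviour for an unset push_route.
#}
{%     if network_settings.push_route is string %}
route = {{ network_settings.push_route }}
{%     else %}
{%         for route in network_settings.push_route %}
route = {{ route }}
{%         endfor %}
{%     endif %}
{% endif %}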