74a3d776b3
- Update to version 0.12.0 * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP. * Increased possibilities of allowed combinations of authentication methods. * Corrected regression since 0.11.8 with OTP authentication. * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port. * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl. * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use. * Corrected crash on certain cases when proxy protocol is in use. - Update ocserv.config.patch due to upstream changes OBS-URL: https://build.opensuse.org/request/show/606481 OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=18
138 lines
4.5 KiB
Diff
138 lines
4.5 KiB
Diff
Index: ocserv-0.12.0/doc/sample.config
|
|
===================================================================
|
|
--- ocserv-0.12.0.orig/doc/sample.config
|
|
+++ ocserv-0.12.0/doc/sample.config
|
|
@@ -48,7 +48,7 @@
|
|
#auth = "pam"
|
|
#auth = "pam[gid-min=1000]"
|
|
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
|
|
-auth = "plain[passwd=./sample.passwd]"
|
|
+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
|
|
#auth = "certificate"
|
|
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
|
|
|
|
@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
|
|
#listen-host-is-dyndns = true
|
|
|
|
# TCP and UDP port number
|
|
-tcp-port = 443
|
|
-udp-port = 443
|
|
+tcp-port = 9000
|
|
+udp-port = 9001
|
|
|
|
# Accept connections using a socket file. It accepts HTTP
|
|
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
|
|
@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
|
|
|
|
#server-cert = /etc/ocserv/server-cert.pem
|
|
#server-key = /etc/ocserv/server-key.pem
|
|
-server-cert = ../tests/certs/server-cert.pem
|
|
-server-key = ../tests/certs/server-key.pem
|
|
+server-cert = /etc/ocserv/certificates/server-cert.pem
|
|
+server-key = /etc/ocserv/certificates/server-key.pem
|
|
|
|
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
|
|
# versions of GnuTLS for supporting DHE ciphersuites.
|
|
@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
|
|
# client certificates (public keys) if certificate authentication
|
|
# is set.
|
|
#ca-cert = /etc/ocserv/ca.pem
|
|
-ca-cert = ../tests/certs/ca.pem
|
|
+ca-cert = /etc/ocserv/certificates/ca-cert.pem
|
|
|
|
|
|
### All configuration options below this line are reloaded on a SIGHUP.
|
|
@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
|
|
# the isolation was tested at. If you get random failures on worker processes, try
|
|
# disabling that option and report the failures you, along with system and debugging
|
|
# information at: https://gitlab.com/ocserv/ocserv/issues
|
|
-isolate-workers = true
|
|
+isolate-workers = false
|
|
|
|
# A banner to be displayed on clients
|
|
#banner = "Welcome"
|
|
@@ -243,7 +243,7 @@ mobile-dpd = 1800
|
|
switch-to-tcp-timeout = 25
|
|
|
|
# MTU discovery (DPD must be enabled)
|
|
-try-mtu-discovery = false
|
|
+try-mtu-discovery = true
|
|
|
|
# If you have a certificate from a CA that provides an OCSP
|
|
# service you may provide a fresh OCSP status response within
|
|
@@ -407,8 +407,8 @@ rekey-method = ssl
|
|
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
|
|
# output from the tun device, and the duration of the session in seconds.
|
|
|
|
-#connect-script = /usr/bin/myscript
|
|
-#disconnect-script = /usr/bin/myscript
|
|
+#connect-script = /usr/bin/ocserv-script
|
|
+#disconnect-script = /usr/bin/ocserv-script
|
|
|
|
# UTMP
|
|
# Register the connected clients to utmp. This will allow viewing
|
|
@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
|
|
# The advertized DNS server. Use multiple lines for
|
|
# multiple servers.
|
|
# dns = fc00::4be0
|
|
-dns = 192.168.1.2
|
|
+dns = 8.8.8.8
|
|
+dns = 8.8.4.4
|
|
|
|
# The NBNS server (if any)
|
|
#nbns = 192.168.1.3
|
|
@@ -517,8 +518,8 @@ ping-leases = false
|
|
# comment out all routes from the server, or use the special keyword
|
|
# 'default'.
|
|
|
|
-route = 10.10.10.0/255.255.255.0
|
|
-route = 192.168.0.0/255.255.0.0
|
|
+#route = 10.10.10.0/255.255.255.0
|
|
+#route = 192.168.0.0/255.255.0.0
|
|
#route = fef4:db8:1000:1001::/64
|
|
#route = default
|
|
|
|
@@ -682,18 +683,18 @@ dtls-legacy = true
|
|
# An example virtual host with different authentication methods serviced
|
|
# by this server.
|
|
|
|
-[vhost:www.example.com]
|
|
-auth = "certificate"
|
|
+#[vhost:www.example.com]
|
|
+#auth = "certificate"
|
|
|
|
-ca-cert = ../tests/certs/ca.pem
|
|
+#ca-cert = ../tests/certs/ca.pem
|
|
|
|
# The certificate set here must include a 'dns_name' corresponding to
|
|
# the virtual host name.
|
|
|
|
-server-cert = ../tests/certs/server-cert-secp521r1.pem
|
|
-server-key = ../tests/certs/server-key-secp521r1.pem
|
|
+#server-cert = ../tests/certs/server-cert-secp521r1.pem
|
|
+#server-key = ../tests/certs/server-key-secp521r1.pem
|
|
|
|
-ipv4-network = 192.168.2.0
|
|
-ipv4-netmask = 255.255.255.0
|
|
+#ipv4-network = 192.168.2.0
|
|
+#ipv4-netmask = 255.255.255.0
|
|
|
|
-cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
+#cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
|
|
Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
|
|
===================================================================
|
|
--- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
|
|
+++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
|
|
@@ -2,8 +2,8 @@
|
|
Description=OpenConnect SSL VPN server Socket
|
|
|
|
[Socket]
|
|
-ListenStream=443
|
|
-ListenDatagram=443
|
|
+ListenStream=9000
|
|
+ListenDatagram=9001
|
|
BindIPv6Only=default
|
|
Accept=false
|
|
ReusePort=true
|