rpm/ocserv
SHA256
1
0
Fork 0
forked from pool/ocserv
Code Pull Requests Activity
6fda88b1c3
ocserv/ocserv.config.patch
Michael Du 08902fbc93 Accepting request 853618 from home:mnhauke:network 
- Update to version 1.1.2
  * Allow setup of new DTLS session concurrent with old session.
  * Fixed an infinite loop on sec-mod crash when server-drain-ms
    is set.
  * Don't apply BanIP checks to clients on the same subnet.
  * Don't attempt TLS if the client closes the connection with
    zero data sent.
  * Increased the maximum configuration line; this allows banner
    messages longer than 200 characters.
  * Removed the listen-clear-file config option. This option was
    incompatible with several clients, and thus is unusable for a
    generic server.

- Update to version 1.1.1:
  * Improved rate-limit-ms and made it dependent on secmod backlog.
    This makes the server more resilient (and prevents connection
    failures) on multiple concurrent connections
  - Added namespace support for listen address by introducing the
    listen-netns option.
  - Disable TLS1.3 when cisco client compatibility is enabled. New
    anyconnect clients seem to supporting TLS1.3 but are unable to
     handle a client with an RSA key.
  - Enable a race free user disconnection via occtl.
  - Added the config option of a pre-login-banner.
  - Ocserv siwtched to using multiple ocserv-sm processes to
    improve scale, with the number of ocserv-sm process dependent
    on maximum clients and number of CPUs. Configuration option
    sec-mod-scale can be used to override the heuristics.
  - Fixed issue with group selection on radius servers sending
    multiple group class attribute.

OBS-URL: https://build.opensuse.org/request/show/853618
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=37
2021-01-02 21:13:41 +00:00

137 lines
4.5 KiB
Diff
Raw Blame History

diff --git a/doc/sample.config b/doc/sample.config
index 6a677c9..1cd1d96 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -48,7 +48,7 @@
#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
@@ -90,8 +90,8 @@ auth = "plain[passwd=./sample.passwd]"
# listen-netns = "foo"
# TCP and UDP port number
-tcp-port = 443
-udp-port = 443
+tcp-port = 9000
+udp-port = 9001
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket
#server-cert = /etc/ocserv/server-cert.pem
#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
+server-cert = /etc/ocserv/certificates/server-cert.pem
+server-key = /etc/ocserv/certificates/server-key.pem
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
-ca-cert = ../tests/certs/ca.pem
+ca-cert = /etc/ocserv/certificates/ca-cert.pem
### All configuration options below this line are reloaded on a SIGHUP.
@@ -174,7 +174,7 @@ ca-cert = ../tests/certs/ca.pem
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
+isolate-workers = false
# A banner to be displayed on clients after connection
#banner = "Welcome"
@@ -242,7 +242,7 @@ mobile-dpd = 1800
switch-to-tcp-timeout = 25
# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
+try-mtu-discovery = true
# To enable load-balancer connection draining, set server-drain-ms to a value
# higher than your load-balancer health probe interval.
@@ -412,8 +412,8 @@ rekey-method = ssl
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = /usr/bin/ocserv-script
+#disconnect-script = /usr/bin/ocserv-script
# This script is to be called when the client's advertised hostname becomes
# available. It will contain REASON with "host-update" value and the
@@ -491,7 +491,8 @@ ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
-dns = 192.168.1.2
+dns = 8.8.8.8
+dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
@@ -530,8 +531,8 @@ ping-leases = false
# comment out all routes from the server, or use the special keyword
# 'default'.
-route = 10.10.10.0/255.255.255.0
-route = 192.168.0.0/255.255.0.0
+#route = 10.10.10.0/255.255.255.0
+#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default
@@ -698,18 +699,18 @@ dtls-legacy = true
# An example virtual host with different authentication methods serviced
# by this server.
-[vhost:www.example.com]
-auth = "certificate"
+#[vhost:www.example.com]
+#auth = "certificate"
-ca-cert = ../tests/certs/ca.pem
+#ca-cert = ../tests/certs/ca.pem
# The certificate set here must include a 'dns_name' corresponding to
# the virtual host name.
-server-cert = ../tests/certs/server-cert-secp521r1.pem
-server-key = ../tests/certs/server-key-secp521r1.pem
+#server-cert = ../tests/certs/server-cert-secp521r1.pem
+#server-key = ../tests/certs/server-key-secp521r1.pem
-ipv4-network = 192.168.2.0
-ipv4-netmask = 255.255.255.0
+#ipv4-network = 192.168.2.0
+#ipv4-netmask = 255.255.255.0
-cert-user-oid = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket
index 9444f19..a0ac362 100644
--- a/doc/systemd/socket-activated/ocserv.socket
+++ b/doc/systemd/socket-activated/ocserv.socket
@@ -2,8 +2,8 @@
Description=OpenConnect SSL VPN server Socket
[Socket]
-ListenStream=443
-ListenDatagram=443
+ListenStream=9000
+ListenDatagram=9001
BindIPv6Only=default
Accept=false
ReusePort=true
View Git Blame Copy Permalink