forked from TommyLau/docker-ocserv
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ocserv.init
116 lines (81 loc) · 2.6 KB
/
ocserv.init
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# User authentication method.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# TCP and UDP port number
tcp-port = PORT
udp-port = PORT
# The user the worker processes will be run as.
run-as-user = nobody
run-as-group = daemon
# socket file used for server IPC (worker-main).
socket-file = /var/run/ocserv-socket
# The key and the certificates of the server
server-cert = /etc/ocserv/certs/server-cert.pem
server-key = /etc/ocserv/certs/server-key.pem
# Whether to enable seccomp/Linux namespaces worker isolation.
isolate-workers = true
# Limit the number of clients.
max-clients = 16
# Limit the number of identical clients.
max-same-clients = 6
# Stats reset time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
dpd = 90
# Dead peer detection for mobile clients.
mobile-dpd = 1800
switch-to-tcp-timeout = 25
# MTU discovery (DPD must be enabled)
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
# compression negotiation (LZS, LZ4).
#compression = true
# Set the minimum size under which a packet will not be compressed.
#no-compress-limit = 256
# GnuTLS priority string.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 300
# Banning clients in ocserv works with a point system.
max-ban-score = 80
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 1200
# Cookie timeout (in seconds)
cookie-timeout = 300
# Whether roaming is allowed
deny-roaming = false
# ReKey time (in seconds)
rekey-time = 172800
# ReKey method
rekey-method = ssl
# Whether to enable support for the occtl tool.
use-occtl = true
# PID file.
pid-file = /var/run/ocserv.pid
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable
predictable-ips = false
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = IPV4
ipv4-netmask = IPV4MASK
# The advertized DNS server.
dns = DNS
ping-leases = false
# It must be set to true to support legacy CISCO clients.
cisco-client-compat = true
#dtls-psk = false
dtls-legacy = true
# Group Settings
select-group = Surf[仅海外代理 Exclude CN]
select-group = All[全局代理 All Proxy]
default-select-group = 默认模式 Default
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group