Timotej Lazar
cf6b682cf8
Create a self-signed CA, set up group configs, add script to allow new connections through the firewall. In the base debian role, drop the default nftables forward chain with drop policy because it clashes with this. If you enable forwarding on a debian host, make sure to configure the firewall.
27 lines
712 B
Django/Jinja
27 lines
712 B
Django/Jinja
listen-host = {{ dns_name }}
|
|
tcp-port = 443
|
|
server-cert = /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem
|
|
server-key = /etc/letsencrypt/live/{{ dns_name }}/privkey.pem
|
|
|
|
run-as-user = ocserv
|
|
run-as-group = ocserv
|
|
socket-file = /run/ocserv-socket
|
|
chroot-dir = /var/lib/ocserv
|
|
connect-script = /usr/local/bin/ocserv-script
|
|
disconnect-script = /usr/local/bin/ocserv-script
|
|
|
|
device = vpns
|
|
cisco-client-compat = true
|
|
dtls-legacy = true
|
|
compression = true
|
|
isolate-workers = true
|
|
|
|
auth = certificate
|
|
ca-cert = /etc/ocserv/ca.crt
|
|
cert-user-oid = 2.5.4.3
|
|
cert-group-oid = 2.5.4.11
|
|
config-per-group = /etc/ocserv/config-per-group/
|
|
default-domain = {{ domain }}
|
|
ipv4-network = {{ vpn.network }}
|
|
route = {{ vpn.network }}
|