@
Vicer @
webdev 改成了 OPENDNS 还是不行
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = 163.44.150.201
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/64
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 208.67.222.222
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns =
example.com# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to enforce an MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 23000
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.1.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default
# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. Note also, that, any DNS or NBNS servers
# present will overwrite the global ones, while any routes or no-routes set
# will be appended to the default set.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24 (the argument of iroute).
route-add-cmd = "ip route add 192.168.1.0 dev tun0"
route-del-cmd = "ip route delete 192.168.1.0 dev tun0"
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url =
http://example.com/#proxy-url =
http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
#
EXAMPLE.COM = {
# kdc =
https://ocserv.example.com/kerberos# http_anchors = FILE:/etc/ocserv-ca.pem
# }
# This option is available if ocserv is compiled with GSSAPI support.
#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
#kkdcp = /kerberos
EXAMPLE.COM udp@127.0.0.1:88
#kkdcp = /kerberos-tcp
EXAMPLE.COM tcp@127.0.0.1:88
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# This option must be set to true to support legacy CISCO clients.
# A side effect of this option is that it will no longer be required
# for clients to present their certificate on every connection.
# That is they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
cisco-client-compat = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
#user-profile = /etc/ocserv/profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment. Normally you don't need
# to use this option.
#binary-files = /path/to/binaries
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"