# Autorun ocserv
# Append '@reboot root bash /etc/ocserv/ocserv.d >/dev/null 2>&1 &' in /etc/crontab

# The default domain to be advertised
# Connection-specific DNS suffixes
default-domain = srv

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#enable-auth = "plain[passwd=/etc/ocserv/ocpasswd]"
enable-auth = "certificate"

# TCP and UDP port number
tcp-port = 443
#udp-port = 443

server-cert = /etc/ocserv/server.cert.pem
server-key = /etc/ocserv/server.key.pem
ca-cert = /etc/ocserv/ca.cert.pem
dh-params = /etc/ocserv/dh.pem

socket-file = /var/run/ocserv.socket
occtl-socket-file = /var/run/occtl.socket
pid-file = /var/run/ocserv.pid
#user-profile = /etc/ocserv/profile.xml
run-as-user = nobody
run-as-group = daemon
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
config-per-group = /etc/ocserv/group
default-group-config = /etc/ocserv/group/Default
default-select-group = Default
auto-select-group = false
net-priority = 6
max-clients = 0
max-same-clients = 0
#switch-to-tcp-timeout = 0
max-ban-score = 0
keepalive = 86400
dpd = 64
mobile-dpd = 72
#idle-timeout = 32
#mobile-idle-timeout = 32
auth-timeout = 48
cookie-timeout = 4
#mtu = 1420
try-mtu-discovery = false
#output-buffer = 64
compression = false
no-compress-limit = 512
persistent-cookies = false
deny-roaming = false
rekey-time = 86400
rekey-method = ssl
use-utmp = false
use-occtl = true
device = ocserv
predictable-ips = false
ping-leases = false
dtls-psk = false
cisco-client-compat = true
tunnel-all-dns = true
isolate-workers = false
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT:-VERS-TLS-ALL:-VERS-DTLS-ALL:-RSA:-VERS-SSL3.0:-ARCFOUR-128:+VERS-TLS1.2"
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
dns = 192.168.8.1