--- doc/sample.config.orig 2020-04-09 20:56:20 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" @@ -106,8 +106,8 @@ udp-port = 443 # The user the worker processes will be run as. It should be # unique (no other services run as this user). -run-as-user = nobody -run-as-group = daemon +run-as-user = _ocserv +run-as-group = _ocserv # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. @@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true +# ocserv 1.0.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false # A banner to be displayed on clients #banner = "Welcome" @@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict +# If set, the script /usr/local/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to +# script /usr/local/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" @@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = /usr/local/etc/ocserv/config-per-user/ +#config-per-group = /usr/local/etc/ocserv/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = /usr/local/etc/ocserv/defaults/user.conf +#default-group-config = /usr/local/etc/ocserv/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.