path: root/doc/vpn-config-format.txt
Diffstat (limited to 'doc/vpn-config-format.txt')
-rw-r--r-- doc/vpn-config-format.txt 137
1 files changed, 103 insertions, 34 deletions
diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
index cb0f16a8..91e2a636 100644
--- a/doc/vpn-config-format.txt
+++ b/doc/vpn-config-format.txt
@@ -32,7 +32,8 @@ Each provisioned provider must start with the [provider_*] tag.
Replace * with an identifier unique to the config file.
Allowed fields:
-- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP
+- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP, PPTP or
+ WireGuard
VPN related parameters (M = mandatory, O = optional):
- Name: A user defined name for the VPN (M)
@@ -54,8 +55,9 @@ OpenConnect VPN supports following options (see openconnect(8) for details):
OpenConnect.CACert --cafile File containing other Certificate
Authorities in addition to the ones
in the system trust database (O)
- OpenConnect.ClientCert --certificate Client certificate file, if needed
- by web authentication (O)
+ OpenConnect.ClientCert --certificate Client certificate file, needed
+ by web authentication when AuthType
+ is set as "publickey" (O)
VPN.MTU --mtu Request MTU from server as the MTU
of the tunnel (O)
OpenConnect.Cookie --cookie-on-stdin Cookie received as a result of the
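Review bot: the ClientCert row now says the certificate is "needed by web authentication when AuthType is set as publickey" but keeps the (O) marker; if the field is mandatory for that AuthType, say so explicitly (e.g. "(O, mandatory when AuthType is publickey)") the way the rest of the table marks M/O, otherwise a reader cannot tell which fields a publickey provider actually has to supply.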
@@ -68,8 +70,73 @@ OpenConnect VPN supports following options (see openconnect(8) for details):
Only usable for extremely simple VPN
configurations and should normally
be set only via the VPN Agent API.
-If OpenConnect.Cookie or OpenConnect.ServerCert are missing, the VPN Agent will
-be contacted to supply the information.
+ OpenConnect.AllowSelfSignedCert none Additional option to define if self
+ signed server certificates are
+ allowed. Boolean string and defaults
+ to false, value "true" enables the
+ option. Affects to the OpenConnect
+ internal function only: --servercert
+ is not added to startup parameters
+ and receiving self signed cert from
+ server terminates the connection if
+ set as false (or omitted) (O)
+ OpenConnect.AuthType Type of authentication used with
+ OpenConnect. Applicable values are
+ "cookie", "cookie_with_userpass",
+ "userpass", "publickey" and
+ "pkcs". Value "cookie" is basic
+ cookie based authentication. Value
+ "cookie_with_userpass" means that
+ credentials are used to retrieve the
+ connection cookie, which hides the
+ username from commandline. With
+ value "userpass" username and
+ password are used. Value "publickey"
+ requires CACert and UserPrivateKey
+ to be set. Value "pkcs" uses the
+ PKCSClientCert and requests password
+ input. Defaults to "cookie" (O)
+ cookie --cookie-on-stdin Default cookie based authentication
+ cookie_with_userpass Two phased connection, first
+ authentication: --cookieonly authenticate with credentials then
+ --passwd-on-stdin use cookie for connection. Username
+ --user is hidden from commandline during
+ connection: --cookie-on-stdin connection.
+ userpass --passwd-on-stdin Credential based authentication,
+ --user username is visible on commandline.
+ publickey --clientcert Non-encrypted client certificate and
+ --sslkey private key file is used for auth.
+ pkcs --cliencert Authenticate with PKCS#1/PKCS#8/
+ PKCS#12 client certificate.
+ OpenConnect.DisableIPv6 --disable-ipv6 Do not ask for IPv6 connectivity.
+ Boolean string and defaults to
+ false, value "true" enables the
+ option (O)
+ OpenConnect.NoDTLS --no-dtls Disable DTLS and ESP (O)
+ OpenConnect.NoHTTPKeepalive --no-http-keepalive Disable HTTP connection
+ re-use to workaround issues with
+ some servers. Boolean string and
+ defaults to false, value "true"
+ enables the option (O)
+ OpenConnect.PKCSClientCert --certificate Certificate and private key in
+ a PKCS#1/PKCS#8/PKCS#12 structure.
+ Needed when AuthType is "pkcs" (O)
+ OpenConnect.Usergroup --usergroup Set login usergroup on remote server
+ (O)
+ OpenConnect.UserPrivateKey --sslkey SSL private key file needed by web
+ authentication when AuthType is set
+ as "publickey" (O)
+
+The VPN agent will be contacted to supply the information based on the
+authentication type as follows:
+ Authentication type Information requested Saved with name
+ cookie OpenConnect.Cookie OpenConnect.Cookie
+ cookie_with_userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ publickey <none>
+ pkcs OpenConnect.PKCSPassword OpenConnect.PKCSPassword
OpenVPN VPN supports following options (see openvpn(8) for details):
Option name OpenVPN option Description
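Review bot: the per-type table is inconsistent with the option rows above it: the "publickey" row lists "--clientcert" and the "pkcs" row lists "--cliencert" (typo), while OpenConnect.ClientCert and OpenConnect.PKCSClientCert are both documented as mapping to "--certificate" a few lines earlier; use the same flag name in both places and fix the typo. Related: the AuthType text says "publickey" requires CACert and UserPrivateKey, but the ClientCert row (previous hunk) says ClientCert is the field needed for publickey, so one of the two should be corrected. The AllowSelfSignedCert description should state plainly what "true" does from a security standpoint (the server certificate is accepted without the normal trust check, so it should only be enabled for deliberately self-signed deployments), and "Affects to the OpenConnect internal function only" reads awkwardly ("Affects only OpenConnect's internal handling"). Finally, the removed sentence said OpenConnect.ServerCert would also be requested from the VPN agent when missing; the new table does not list ServerCert for any authentication type, so either add it or note that it is no longer requested.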
@@ -92,6 +159,11 @@ OpenVPN VPN supports following options (see openvpn(8) for details):
OpenVPN 2.3+.
OpenVPN.TLSAuth sub-option of --tls-remote (O)
OpenVPN.TLSAuthDir sub-option of --tls-remote (O)
+ OpenVPN.TLSCipher --tls-cipher Add an additional layer of HMAC
+ authentication on top of the TLS
+ control channel to mitigate DoS attacks
+ and attacks on the TLS stack. Static
+ key file given as parameter (0)
OpenVPN.Cipher --cipher Encrypt packets with cipher algorithm
given as parameter (O)
OpenVPN.Auth --auth Authenticate packets with HMAC using
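Review bot: the new OpenVPN.TLSCipher row describes "--tls-auth" semantics (extra HMAC on the TLS control channel, static key file as parameter), not "--tls-cipher", which takes a list of permitted TLS cipher suites; either rename the option/flag to match the description or rewrite the description to say it restricts the TLS cipher suites. The marker at the end of the row is "(0)" (zero) and should be "(O)" like the other rows.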
@@ -182,7 +254,6 @@ L2TP VPN supports following options (see xl2tpd.conf(5) and pppd(8) for details)
PPPD.ReqMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
PPPD.NoVJ novj No Van Jacobson compression (O)
-
PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
Option name pptp config value Description
PPTP.User - PPTP user name, asked from the user
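Review bot: this hunk only drops the blank line separating the L2TP and PPTP sections, which is unrelated to the WireGuard/OpenConnect changes and makes the two tables run together; keep the blank line (or move the whitespace cleanup to its own commit).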
@@ -207,35 +278,19 @@ PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
PPPD.RequirMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
PPPD.NoVJ novj No Van Jacobson compression (O)
-IPsec VPN supports following options (see swanctl.conf(5) for details):
- Option name IPSec config value Description
- IPsec.Version Version IKE major version to use for connection (M)
- IPsec.LeftAddrs local_addrs Local address(es) to use for IKE communication (M)
- IPsec.RightAddrs remote_addrs Remote address(es) to use for IKE communication (M)
-
-
- IPsec.LocalAuth local.auth Authentication to perform locally (M)
- IPsec.LocalCerts local.certs Certificate candidate to use for authentication (O)
- IPsec.LocalID local.id IKE identity to use for authentication round (O)
- IPsec.LocalXauthID local.xauth_id Client XAuth username used in the XAuth exchange (O)
- IPsec.LocalXauthAuth local-xauth.auth Xauth round authentication to perform locally (O)
- IPsec.LocalXauthXauthID local-xauth.xauth_id Xauth round client XAuth username used in the XAuth exchange (O)
-
- IPsec.RemoteAuth remote.auth Authentication to expect from remote (M)
- IPsec.RemoteCerts remote.certs Certificate candidate to use for authentication (O)
- IPsec.RemoteID remote.id IKE identity to use for authentication round (O)
- IPsec.RemoteXauthAuth remote-xauth.auth Xauth round authentication to expect from remote (O)
- IPsec.ChildrenLocalTs children.local_ts local selectors to include in CHILD_SA (O)
- IPsec.ChildrenRemoteTs children.remote_ts Remote selectors to include in CHILD_SA (O)
+WireGuard VPN supports following options
+ Option name Description
+ WireGuard.Address Internal IP address (local/netmask/peer)
+ WireGuard.ListPort Local listen port (optional)
+ WireGuard.DNS List of nameservers separated
+ by comma (optional)
+ WireGuard.PrivateKey Private key of interface
+ WireGuard.PublicKey Public key of peer
+ WireGuard.PresharedKey Preshared key of peer (optional)
+ WireGuard.AllowedIPs See Cryptokey Routing
+ WireGuard.EndpointPort Endpoint listen port (optional)
+ WireGuard.PersistentKeepalive Keep alive in seconds (optional)
- IPsec.IKEData secret.data IKE PSK raw shared key data
- IPsec.IKEOwners secret.Owners list of shared key owner identities
- IPsec.XauthData secret.data XAUTH raw shared key data
- IPsec.XauthOwners secret.Owners list of shared key owner identities
-
- IPsec.CertType cert.type certificate type, X509|X509_AC|X509_CRL
- IPsec.CertFlag cert.flag X.509 certificate flag, NONE|CA|AA|OCSP
- IPsec.CertData cert.data PEM or DER encoded certificate data
Example
=======
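Review bot: the WireGuard table documents "WireGuard.ListPort" while the example later in this patch uses "WireGuard.ListenPort"; pick one spelling so users do not set a field that is silently ignored. The table also departs from the "(M)/(O)" convention used by every other section in this file (it uses "(optional)" and leaves mandatory fields unmarked), and "See Cryptokey Routing" gives no pointer to where that is described. Since WireGuard.PrivateKey and WireGuard.PresharedKey are long-lived secrets kept in this plain-text file, a sentence about protecting the file's permissions would be appropriate. Separately, this hunk deletes the whole IPsec section; if IPsec provisioning has not actually been removed from the code, the documentation should stay, and if it has, the commit message should say so rather than burying it under the WireGuard addition.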
@@ -259,6 +314,7 @@ L2TP.User = username
[provider_openconnect]
Type = OpenConnect
+AuthType = pkcs
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
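Review bot: the example adds "AuthType = pkcs", but the option is documented as "OpenConnect.AuthType" with the provider prefix, so the example as written would not be recognised; also, per the new table, "pkcs" needs OpenConnect.PKCSClientCert to be set, so the example should include that line to be a working configuration.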
@@ -274,3 +330,16 @@ Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key
+
+[provider_wireguard]
+Type = WireGuard
+Name = Wireguard VPN Tunnel
+Host = 3.2.5.6
+Domain = my.home.network
+WireGuard.Address = 10.2.0.2/24
+WireGuard.ListenPort = 47824
+WireGuard.DNS = 10.2.0.1
+WireGuard.PrivateKey = qKIj010hDdWSjQQyVCnEgthLXusBgm3I6HWrJUaJymc=
+WireGuard.PublicKey = zzqUfWGIil6QxrAGz77HE5BGUEdD2PgHYnCg3CDKagE=
+WireGuard.AllowedIPs = 0.0.0.0/0, ::/0
+WireGuard.EndpointPort = 51820
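Review bot: "WireGuard.ListenPort" in this example does not match "WireGuard.ListPort" in the option table; align the two. The example embeds what look like real base64 WireGuard keys; please replace them with obviously fake placeholders so nobody copies a documented key pair into production, and use documentation addresses (RFC 5737 ranges such as 192.0.2.0/24) rather than routable-looking ones like 3.2.5.6. Since "AllowedIPs = 0.0.0.0/0, ::/0" routes all traffic through the tunnel, a short comment that this is a full-tunnel setup would help readers who only want a split tunnel.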