Connman configuration file format for VPN
*****************************************
ConnMan VPN uses configuration files to provision existing providers.
vpnd looks for its configuration files in VPN_STORAGEDIR, which by default
points to /var/lib/connman-vpn. Configuration file names may contain only
letters and digits and must have a .config suffix. The configuration files
are text files in a simple key-value pair format organized into sections.
Leading and trailing whitespace around a value is stripped. There is
typically one file per provisioned network. Several of the fields described
below carry credentials in cleartext, so a file should be readable only by
the user vpnd runs as.

If a config file is removed, vpnd tries to remove the services it
provisioned. If an individual provider section inside a config file is
removed, the corresponding provisioned service is removed. If a provider
section is changed, the corresponding service is removed and immediately
re-provisioned.

Global section [global]
=======================
These files can have an optional global section describing the file itself.
The two allowed fields for this section are:
- Name: Name of the network.
- Description: Description of the network.

Provider section [provider_*]
=============================
Each provisioned provider must start with a [provider_*] tag.
Replace * with an identifier unique within the config file.
Allowed fields:
- Type: Provider type. One of OpenConnect, OpenVPN, VPNC, L2TP, PPTP or
  IPsec; the options each type accepts are listed below.
VPN related parameters (M = mandatory, O = optional):
- Name: A user defined name for the VPN (M)
- Host: VPN server IP address (M)
- Domain: Domain name for the VPN service (M)
- Networks: The networks reachable behind the VPN link. Leave it out if all
  traffic should go through the VPN tunnel; when it is set, only the listed
  networks are routed through the tunnel (split tunnelling). Separate
  multiple networks with commas. Each entry has the form
  network/netmask/gateway, where the netmask may be a prefix length or a
  dotted mask and the gateway may be left out. (O)
  Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
  For IPv6 addresses only a prefix length is accepted, e.g. 2001:db8::1/64

OpenConnect VPN supports the following options (see openconnect(8) for details):

Option name             OpenConnect option   Description
OpenConnect.ServerCert  --servercert         SHA1 certificate fingerprint of the
                                             final VPN server after possible web
                                             authentication login, selection and
                                             redirection. This pins the server
                                             certificate, so the value has to be
                                             updated when the server certificate
                                             is replaced (O)
OpenConnect.CACert      --cafile             File containing other Certificate
                                             Authorities in addition to the ones
                                             in the system trust database (O)
OpenConnect.ClientCert  --certificate        Client certificate file, if needed
                                             by web authentication (O)
VPN.MTU                 --mtu                Request MTU from server as the MTU
                                             of the tunnel (O)
OpenConnect.Cookie      --cookie-on-stdin    Cookie received as a result of the
                                             web authentication. As the cookie
                                             lifetime can be very limited, it
                                             does not usually make sense to add
                                             it into the configuration file (O)
OpenConnect.VPNHost                          The final VPN server to use after
                                             completing the web authentication.
                                             Only usable for extremely simple VPN
                                             configurations and should normally
                                             be set only via the VPN Agent API (O)

If OpenConnect.Cookie or OpenConnect.ServerCert is missing, the VPN Agent is
contacted to supply the information.

OpenVPN VPN supports the following options (see openvpn(8) for details):

Option name             OpenVPN option       Description
OpenVPN.CACert          --ca                 Certificate authority file (M)
OpenVPN.Cert            --cert               Local peer's signed certificate (M)
OpenVPN.Key             --key                Local peer's private key (M)
OpenVPN.MTU             --mtu                MTU of the tunnel (O)
OpenVPN.NSCertType      --ns-cert-type       Peer certificate type, value of
                                             either server or client (O)
OpenVPN.Proto           --proto              Use protocol (O)
OpenVPN.Port            --port               TCP/UDP port number (O)
OpenVPN.AuthUserPass    --auth-user-pass     Authenticate with server using
                                             username/password (O)
OpenVPN.AskPass         --askpass            Get certificate password from file (O)
OpenVPN.AuthNoCache     --auth-nocache       Don't cache --askpass or
                                             --auth-user-pass value (O)
OpenVPN.TLSRemote       --tls-remote         Accept connections only from a host
                                             with X509 name or common name equal
                                             to name parameter (O)
OpenVPN.TLSAuth         --tls-auth           Static key file used to HMAC-sign
                                             TLS control channel packets (O)
OpenVPN.TLSAuthDir                           Key direction argument (0 or 1)
                                             passed with --tls-auth (O)
OpenVPN.Cipher          --cipher             Encrypt packets with cipher algorithm
                                             given as parameter (O)
OpenVPN.Auth            --auth               Authenticate packets with HMAC using
                                             message digest algorithm alg (O)
OpenVPN.CompLZO         --comp-lzo           Use fast LZO compression. Value can
                                             be "yes", "no", or "adaptive". Default
                                             is adaptive (O)
OpenVPN.RemoteCertTls   --remote-cert-tls    Require that peer certificate was
                                             signed based on RFC3280 TLS rules.
                                             Value is "client" or "server" (O)
OpenVPN.ConfigFile      --config             OpenVPN config file that can contain
                                             extra options not supported by OpenVPN
                                             plugin (O)

Note that --tls-remote was removed in OpenVPN 2.4 and --ns-cert-type in
OpenVPN 2.5; with a current OpenVPN binary those two keys make the connection
fail at startup. Use OpenVPN.RemoteCertTls = server to check the peer's
certificate role, and put a --verify-x509-name line in the file named by
OpenVPN.ConfigFile if the server's certificate name must be checked as well.

VPNC VPN supports the following options (see vpnc(8) for details):

Option name             VPNC config value             Description
VPNC.IPSec.ID           IPSec ID                      your group username (M)
VPNC.IPSec.Secret       IPSec secret                  your group password (cleartext) (O)
VPNC.Xauth.Username     Xauth username                your username (O)
VPNC.Xauth.Password     Xauth password                your password (cleartext) (O)
VPNC.IKE.Authmode       IKE Authmode                  IKE Authentication mode (O)
VPNC.IKE.DHGroup        IKE DH Group                  name of the IKE DH Group (O)
VPNC.PFS                Perfect Forward Secrecy       Diffie-Hellman group to use for PFS (O)
VPNC.Domain             Domain                        Domain name for authentication (O)
VPNC.Vendor             Vendor                        vendor of your IPSec gateway (O)
VPNC.LocalPort          Local Port                    local ISAKMP port number to use (O)
VPNC.CiscoPort          Cisco UDP Encapsulation Port  Local UDP port number to use (O)
VPNC.AppVersion         Application Version           Application Version to report (O)
VPNC.NATTMode           NAT Traversal Mode            Which NAT-Traversal Method to use (O)
VPNC.DPDTimeout         DPD idle timeout (our side)   Send DPD packet after timeout (O)
VPNC.SingleDES          Enable Single DES             enables single DES encryption (O)
VPNC.NoEncryption       Enable no encryption          enables using no encryption for data traffic (O)

VPNC.SingleDES and VPNC.NoEncryption weaken or remove the confidentiality of
the data traffic and should only be set for interoperability with a gateway
that cannot do better.

L2TP VPN supports the following options (see xl2tpd.conf(5) and pppd(8) for details)

Option name             xl2tpd config value        Description
L2TP.User               -                          L2TP user name, asked from the user
                                                   if not set here (O)
L2TP.Password           -                          L2TP password, asked from the user
                                                   if not set here (O)
L2TP.BPS                bps                        Max bandwidth to use (O)
L2TP.TXBPS              tx bps                     Max transmit bandwidth to use (O)
L2TP.RXBPS              rx bps                     Max receive bandwidth to use (O)
L2TP.LengthBit          length bit                 Use length bit (O)
L2TP.Challenge          challenge                  Use challenge authentication (O)
L2TP.DefaultRoute       defaultroute               Default route (O)
L2TP.FlowBit            flow bit                   Use seq numbers (O)
L2TP.TunnelRWS          tunnel rws                 Window size (O)
L2TP.Exclusive          exclusive                  Use only one control channel (O)
L2TP.Redial             redial                     Redial if disconnected (O)
L2TP.RedialTimeout      redial timeout             Redial timeout (O)
L2TP.MaxRedials         max redials                How many times to try redial (O)
L2TP.RequirePAP         require pap                Need pap (O)
L2TP.RequireCHAP        require chap               Need chap (O)
L2TP.ReqAuth            require authentication     Need auth (O)
L2TP.AccessControl      access control             Accept only these peers (O)
L2TP.AuthFile           auth file                  Authentication file location (O)
L2TP.ListenAddr         listen-addr                Listen address (O)
L2TP.IPsecSaref         ipsec saref                Use IPSec SA (O)
L2TP.Port               port                       What UDP port is used (O)

Option name             pppd config value          Description
PPPD.EchoFailure        lcp-echo-failure           Dead peer check count (O)
PPPD.EchoInterval       lcp-echo-interval          Dead peer check interval (O)
PPPD.Debug              debug                      Debug level (O)
PPPD.RefuseEAP          refuse-eap                 Deny eap auth (O)
PPPD.RefusePAP          refuse-pap                 Deny pap auth (O)
PPPD.RefuseCHAP         refuse-chap                Deny chap auth (O)
PPPD.RefuseMSCHAP       refuse-mschap              Deny mschap auth (O)
PPPD.RefuseMSCHAP2      refuse-mschapv2            Deny mschapv2 auth (O)
PPPD.NoBSDComp          nobsdcomp                  Disable BSD compression (O)
PPPD.NoPcomp            nopcomp                    Disable protocol compression (O)
PPPD.UseAccomp          accomp                     Address/control field compression (O)
PPPD.NoDeflate          nodeflate                  Disable deflate compression (O)
PPPD.ReqMPPE            require-mppe               Require the use of MPPE (O)
PPPD.ReqMPPE40          require-mppe-40            Require the use of MPPE 40 bit (O)
PPPD.ReqMPPE128         require-mppe-128           Require the use of MPPE 128 bit (O)
PPPD.ReqMPPEStateful    mppe-stateful              Allow MPPE to use stateful mode (O)
PPPD.NoVJ               no-vj-comp                 No Van Jacobson compression (O)

PPTP VPN supports the following options (see pptp(8) and pppd(8) for details)

Option name             pptp config value          Description
PPTP.User               -                          PPTP user name, asked from the user
                                                   if not set here (O)
PPTP.Password           -                          PPTP password, asked from the user
                                                   if not set here (O)

Option name             pppd config value          Description
PPPD.EchoFailure        lcp-echo-failure           Dead peer check count (O)
PPPD.EchoInterval       lcp-echo-interval          Dead peer check interval (O)
PPPD.Debug              debug                      Debug level (O)
PPPD.RefuseEAP          refuse-eap                 Deny eap auth (O)
PPPD.RefusePAP          refuse-pap                 Deny pap auth (O)
PPPD.RefuseCHAP         refuse-chap                Deny chap auth (O)
PPPD.RefuseMSCHAP       refuse-mschap              Deny mschap auth (O)
PPPD.RefuseMSCHAP2      refuse-mschapv2            Deny mschapv2 auth (O)
PPPD.NoBSDComp          nobsdcomp                  Disable BSD compression (O)
PPPD.NoDeflate          nodeflate                  Disable deflate compression (O)
PPPD.ReqMPPE            require-mppe               Require the use of MPPE (O)
PPPD.ReqMPPE40          require-mppe-40            Require the use of MPPE 40 bit (O)
PPPD.ReqMPPE128         require-mppe-128           Require the use of MPPE 128 bit (O)
PPPD.ReqMPPEStateful    mppe-stateful              Allow MPPE to use stateful mode (O)
PPPD.NoVJ               no-vj-comp                 No Van Jacobson compression (O)

The PPPD.* key names are the same ones the L2TP section uses. Keep in mind that
PPTP authenticates with MS-CHAPv2 and derives the MPPE keys from it, and that
MS-CHAPv2 can be broken offline from a captured handshake; the PPPD.Refuse* and
PPPD.ReqMPPE* keys only choose among weak variants. Prefer one of the other
provider types where the server supports it.

IPsec VPN supports the following options (see swanctl.conf(5) for details):

Option name                IPsec config value    Description
IPsec.Version              Version               IKE major version to use for connection (M)
IPsec.LeftAddrs            local_addrs           Local address(es) to use for IKE communication (M)
IPsec.RightAddrs           remote_addrs          Remote address(es) to use for IKE communication (M)
IPsec.LocalAuth            local.auth            Authentication to perform locally (M)
IPsec.LocalCerts           local.certs           Certificate candidate to use for authentication (O)
IPsec.LocalID              local.id              IKE identity to use for authentication round (O)
IPsec.LocalXauthID         local.xauth_id        Client XAuth username used in the XAuth exchange (O)
IPsec.LocalXauthAuth       local-xauth.auth      Xauth round authentication to perform locally (O)
IPsec.LocalXauthXauthID    local-xauth.xauth_id  Xauth round client XAuth username used in the XAuth exchange (O)
IPsec.RemoteAuth           remote.auth           Authentication to expect from remote (M)
IPsec.RemoteCerts          remote.certs          Certificate candidate to use for authentication (O)
IPsec.RemoteID             remote.id             IKE identity to use for authentication round (O)
IPsec.RemoteXauthAuth      remote-xauth.auth     Xauth round authentication to expect from remote (O)
IPsec.ChildrenLocalTs      children.local_ts     Local selectors to include in CHILD_SA (O)
IPsec.ChildrenRemoteTs     children.remote_ts    Remote selectors to include in CHILD_SA (O)
IPsec.IkeData              secret.data           IKE PSK raw shared key data
IPsec.IkeOwners            secret.Owners         List of shared key owner identities
IPsec.XauthData            secret.data           XAUTH raw shared key data
IPsec.XauthOwners          secret.Owners         List of shared key owner identities
IPsec.CertType             cert.type             Certificate type, X509|X509_AC|X509_CRL
IPsec.CertFlag             cert.flag             X.509 certificate flag, NONE|CA|AA|OCSP
IPsec.CertData             cert.data             PEM or DER encoded certificate data

IPsec.IkeData and IPsec.XauthData hold raw shared key material in the file
itself, which is another reason to keep the file readable only by vpnd's user.

Example
=======
This is a configuration file for a VPN providing L2TP, OpenVPN and
OpenConnect services. The path is the default VPN_STORAGEDIR given above,
and the file name uses only letters plus the .config suffix.

example@example:[~]$ cat /var/lib/connman-vpn/example.config
[global]
Name = Example
Description = Example VPN configuration

[provider_l2tp]
Type = L2TP
Name = Connection to corporate network
Host = 1.2.3.4
Domain = corporate.com
Networks = 10.10.30.0/24
L2TP.User = username

[provider_openconnect]
Type = OpenConnect
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12

[provider_openvpn]
Type = OpenVPN
Name = Connection to corporate network using OpenVPN
Host = 3.2.5.6
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key
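
The format rules above (file naming, the [global] and [provider_*] sections,
the keys marked (M), and the network/netmask/gateway syntax with its IPv6
prefix-only exception) in working form, as an added example. This is not
ConnMan's own code and the page does not describe vpnd's parser; the provider
types and mandatory keys are exactly the ones listed on this page, the
cleartext warning covers the fields the tables describe as cleartext
credentials or raw key material, and the sample input is the example file
shown above. Two choices are assumptions of this example rather than
documented behaviour of vpnd: host bits in a network entry are masked off
(192.168.99.1/24 is reported as 192.168.99.0/24), and a gateway whose IP
version differs from its network is rejected.

```python
# Added example (not ConnMan code): validator for ConnMan VPN *.config files.
import configparser
import ipaddress
import re

PROVIDER_TYPES = {"OpenConnect", "OpenVPN", "VPNC", "L2TP", "PPTP", "IPsec"}
GLOBAL_KEYS = {"Name", "Description"}
COMMON_MANDATORY = {"Name", "Host", "Domain"}
TYPE_MANDATORY = {  # keys the page marks (M) per provider type
    "OpenVPN": {"OpenVPN.CACert", "OpenVPN.Cert", "OpenVPN.Key"},
    "VPNC": {"VPNC.IPSec.ID"},
    "IPsec": {"IPsec.Version", "IPsec.LeftAddrs", "IPsec.RightAddrs",
              "IPsec.LocalAuth", "IPsec.RemoteAuth"}}
CLEARTEXT_SECRETS = {"VPNC.IPSec.Secret", "VPNC.Xauth.Password", "L2TP.Password",
                     "PPTP.Password", "OpenConnect.Cookie", "IPsec.IkeData",
                     "IPsec.XauthData"}  # cleartext credentials / raw key material
FILENAME_RE = re.compile(r"[A-Za-z0-9]+\.config")

def valid_filename(name):
    """Only letters and digits may precede the mandatory .config suffix."""
    return FILENAME_RE.fullmatch(name) is not None

def parse_network(entry):
    """Parse network/netmask[/gateway] into (network, gateway or None).
    IPv4 takes a prefix length or dotted mask, IPv6 a prefix length only."""
    parts = entry.split("/")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected network/netmask[/gateway], got {entry!r}")
    addr, mask = parts[0], parts[1]
    if ":" in addr:
        if not mask.isdigit():
            raise ValueError(f"IPv6 entry {entry!r} must use a prefix length")
        net = ipaddress.IPv6Network(f"{addr}/{mask}", strict=False)
    else:
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # host bits masked
    gw = ipaddress.ip_address(parts[2]) if len(parts) == 3 else None
    if gw is not None and gw.version != net.version:  # assumption: reject mixed versions
        raise ValueError(f"gateway {gw} is not the same IP version as {net}")
    return net, gw

def validate(text):
    """Check one file's contents; returns (errors, warnings, providers)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: the keys are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # duplicate section/key or bad syntax
        return [str(exc)], [], {}
    errors, warnings, providers = [], [], {}
    for section in cp.sections():
        keys = dict(cp.items(section))  # values arrive with whitespace stripped
        if section == "global":
            errors += [f"[global]: unknown key {k}" for k in sorted(set(keys) - GLOBAL_KEYS)]
        elif not section.startswith("provider_"):
            errors.append(f"[{section}]: sections must be [global] or [provider_*]")
        elif (ptype := keys.get("Type")) not in PROVIDER_TYPES:
            errors.append(f"[{section}]: Type must be one of {sorted(PROVIDER_TYPES)}")
        else:
            required = COMMON_MANDATORY | TYPE_MANDATORY.get(ptype, set())
            errors += [f"[{section}]: missing mandatory key {k}" for k in sorted(required - set(keys))]
            warnings += [f"[{section}]: {k} is stored in cleartext; keep the file mode 0600"
                         for k in sorted(CLEARTEXT_SECRETS & set(keys))]
            nets = []
            try:
                nets = [parse_network(e.strip())
                        for e in keys.get("Networks", "").split(",") if e.strip()]
            except ValueError as exc:
                errors.append(f"[{section}]: Networks: {exc}")
            providers[section] = {"type": ptype, "networks": nets}
    return errors, warnings, providers

# Constructed input: the example file shown on this page.
SAMPLE = """\
[global]
Name = Example
Description = Example VPN configuration
[provider_l2tp]
Type = L2TP
Name = Connection to corporate network
Host = 1.2.3.4
Domain = corporate.com
Networks = 10.10.30.0/24
L2TP.User = username
[provider_openconnect]
Type = OpenConnect
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12
[provider_openvpn]
Type = OpenVPN
Name = Connection to corporate network using OpenVPN
Host = 3.2.5.6
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key
"""
```

To check a real file, call `validate(open(path).read())` together with
`valid_filename(os.path.basename(path))`. For the sample above the result is
three providers, no errors and no warnings; a VPNC section that sets
VPNC.IPSec.Secret but omits VPNC.IPSec.ID yields one missing-key error and
one cleartext warning, and an IPv6 entry written with a netmask instead of a
prefix length is reported as a Networks error rather than silently accepted.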