1 files changed, 48 insertions, 0 deletions

diff --git a/roles/ocserv/templates/ocserv.conf.j2 b/roles/ocserv/templates/ocserv.conf.j2
new file mode 100644
index 00000000..4f722487
--- /dev/null
+++ b/roles/ocserv/templates/ocserv.conf.j2
@@ -0,0 +1,48 @@
+chroot-dir = /var/reactance/ocserv
+auth = "certificate"
+tcp-port = {{ ocserv_port | default("4430") }}
+run-as-user = _vpn
+run-as-group = _vpn
+
+socket-file = run/ocserv-socket
+server-cert = /var/reactance/ocserv/certs/server-cert.pem
+server-key = /var/reactance/ocserv/certs/server-key.pem
+ca-cert = /var/reactance/ocserv/certs/ca-cert.pem
+crl = /var/reactance/ocserv/certs/crl.pem
+
+max-clients = 10000
+max-same-clients = 2
+rate-limit-ms = 100
+server-stats-reset-time = 604800
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+cert-user-oid = 0.9.2342.19200300.100.1.1
+compression = true
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
+auth-timeout = 240
+min-reauth-time = 300
+max-ban-score = 80
+ban-reset-time = 1200
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-occtl = true
+pid-file = /var/reactance/ocserv/run/ocserv.pid
+log-level = 3
+device = vpns
+predictable-ips = true
+ipv4-network = {{ ocserv_network | default("172.16.16.0/24") }}
+tunnel-all-dns = true
+{% if not lookup('vars', 'disable_dns', default=false) %}
+dns = {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}
+{% else %}
+dns = 9.9.9.9
+{% endif %}
+ping-leases = false
+route = default
+cisco-client-compat = true
+max-ban-score = 20