chroot-dir = /var/reactance/ocserv
auth = "certificate"
tcp-port = {{ ocserv_port | default("4430") }}
run-as-user = _vpn
run-as-group = _vpn

socket-file = run/ocserv-socket
server-cert = /var/reactance/ocserv/certs/server-cert.pem
server-key = /var/reactance/ocserv/certs/server-key.pem
ca-cert = /var/reactance/ocserv/certs/ca-cert.pem
crl = /var/reactance/ocserv/certs/crl.pem

max-clients = 10000
max-same-clients = 2
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/reactance/ocserv/run/ocserv.pid
log-level = 3
device = vpns
predictable-ips = true
ipv4-network = {{ ocserv_network | default("172.16.16.0/24") }}
tunnel-all-dns = true
{% if not lookup('vars', 'disable_dns', default=false) %}
dns = {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}
{% else %}
dns = 9.9.9.9
{% endif %}
ping-leases = false
route = default
cisco-client-compat = true
max-ban-score = 20