
@bao3
Created October 6, 2014 03:37
ocserv.conf
# ocserv (OpenConnect VPN server) configuration: clients authenticate with
# TLS client certificates, the server listens on TCP and UDP 443, and client
# addresses come from the 192.168.100.x range (mask 255.255.255.0) set below.
#
# Clients authenticate with a certificate that is checked against ca-cert.
# NOTE(review): no `crl` option is set in this file, so a revoked or stolen
# client certificate would presumably keep working until it expires - confirm,
# and configure a CRL if certificates may ever need to be withdrawn.
auth = "certificate"
#use-dbus=true
#Added @05-10-2014
# Enabling this makes the occtl control tool usable, e.g.:
#occtl reload && occtl stop now
# NOTE(review): whoever can connect to the occtl socket can manage the server
# and its sessions; check that the socket is reachable by root only.
use-occtl = true
occtl-socket-file = /var/run/occtl.socket
# seccomp default : true
# Author's note: turning this off can improve performance at the cost of a
# little security, and it also avoids the server failing to start (anyone who
# has run into that knows the pain).
# NOTE(review): this disables the seccomp system-call filter on the worker
# processes, which are the processes that parse input from unauthenticated
# network peers. A bug in that parsing is then contained only by the
# run-as-user/run-as-group drop below. Prefer keeping the default (true) and
# fixing the startup failure on the target kernel/libc instead.
use-seccomp = false
#
# 0.0.0.0 listens on every IPv4 interface of the host.
listen-host = 0.0.0.0
# Upper bounds on total connected clients and on simultaneous sessions of the
# same client.
max-clients = 36
max-same-clients = 4
tcp-port = 443
udp-port = 443
# Keepalive and dead-peer-detection intervals, in seconds.
keepalive = 32400
dpd = 60
mobile-dpd = 1800
# Intentionally left empty.
# NOTE(review): how an empty value is interpreted is not shown here -
# presumably no idle timeout for mobile clients; verify against the ocserv
# version in use.
mobile-idle-timeout =
# false lets a session cookie be reused from a different source IP address
# (needed for roaming clients); true would bind the cookie to one address.
deny-roaming = false
try-mtu-discovery = true
# Server certificate, its private key, and the CA used to verify client
# certificates. The paths are relative, so they depend on the directory the
# server resolves them against - TODO confirm.
# NOTE(review): server-key.pem should be readable by root only.
server-cert = server-cert.pem
server-key = server-key.pem
ca-cert = ca-cert.pem
# GnuTLS priority string: NORMAL cipher set, server-side cipher preference,
# plus %COMPAT interoperability workarounds.
# NOTE(review): what NORMAL allows depends on the installed GnuTLS version;
# on an old library it may still include legacy protocol versions and
# ciphers - check the effective list on the target host.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# Seconds a client has to complete authentication.
auth-timeout = 40
# Rekey the TLS session every 172800 seconds (48 hours).
rekey-time = 172800
rekey-method = ssl
# Record VPN sessions in utmp/wtmp, which also leaves a login trail for audit.
use-utmp = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
# XML profile handed to AnyConnect-compatible clients.
user-profile = /usr/local/etc/ocserv/profile.xml
# Unprivileged identity the worker processes run as.
run-as-user = nobody
run-as-group = nogroup
net-priority = 5
# Control groups for the worker processes; presumably a cgroup named "test"
# must already exist on the host - TODO confirm.
cgroup = "cpuset,cpu:test"
# Name (prefix) of the tun device created for each client.
device = CiscoSSL
predictable-ips = true
# The value below is a placeholder written in Chinese: "your default domain
# (it must be exactly the same as the one in your certificate, otherwise you
# will hit bizarre bugs)". Replace it with the real domain before use.
default-domain = 你的默认域名(与你的证书里的一定要一样,否则奇葩bug)
# Address range leased to VPN clients.
ipv4-network = 192.168.100.1
ipv4-netmask = 255.255.255.0
# DNS resolver pushed to clients (a public OpenDNS address).
dns = 208.67.222.222
# false: do not ping an address before leasing it to a client.
ping-leases = false
# Compatibility mode for legacy Cisco AnyConnect clients.
# NOTE(review): per the ocserv documentation this mode relaxes when the
# client certificate has to be presented on follow-up connections - verify
# the exact behaviour for the version in use and disable it if no legacy
# clients are expected.
cisco-client-compat = true