Connman configuration file format for VPN
*****************************************

Connman VPN uses configuration files to provision existing providers.
vpnd looks for its configuration files in VPN_STORAGEDIR, which by default
points to /var/lib/connman-vpn. Configuration file names must contain only
letters and numbers and must have a .config suffix. These configuration
files are text files in a simple key-value pair format organized into
sections. Values do not include leading or trailing whitespace. Typically
there is one file per provisioned network.

If the config file is removed, then vpnd tries to remove the provisioned
service. If an individual service entry inside a config is removed, then the
corresponding provisioned service is removed. If a service section is
changed, then the corresponding service is removed and immediately
Global section [global]
=======================

These files can have an optional global section describing the file itself.
The two allowed fields for this section are:
- Name: Name of the network.
- Description: Description of the network.


Provider section [provider_*]
=============================

Each provisioned provider must start with the [provider_*] tag.
Replace * with an identifier unique to the config file.

- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP

VPN related parameters (M = mandatory, O = optional):
- Name: A user defined name for the VPN (M)
- Host: VPN server IP address (M)
- Domain: Domain name for the VPN service (M)
- Networks: The networks behind the VPN link can be defined here. This can
  be missing if all traffic should go via the VPN tunnel. If there is more
  than one network, separate them with commas. The format of an entry is
  network/netmask/gateway; the gateway can be left out. (O)
  Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
  For IPv6 addresses only a prefix length is accepted, for example 2001:db8::1/64
OpenConnect VPN supports the following options (see openconnect(8) for details):

Option name             OpenConnect option Description
OpenConnect.ServerCert  --servercert       SHA1 certificate fingerprint of the
                                           final VPN server after possible web
                                           authentication login, selection and
OpenConnect.CACert      --cafile           File containing other Certificate
                                           Authorities in addition to the ones
                                           in the system trust database (O)
OpenConnect.ClientCert  --certificate      Client certificate file, if needed
                                           by web authentication (O)
VPN.MTU                 --mtu              Request MTU from server as the MTU
OpenConnect.Cookie      --cookie-on-stdin  Cookie received as a result of the
                                           web authentication. As the cookie
                                           lifetime can be very limited, it
                                           does not usually make sense to add
                                           it into the configuration file (O)
OpenConnect.VPNHost                        The final VPN server to use after
                                           completing the web authentication.
                                           Only usable for extremely simple VPN
                                           configurations and should normally
                                           be set only via the VPN Agent API.

If OpenConnect.Cookie or OpenConnect.ServerCert is missing, the VPN Agent will
be contacted to supply the information.
OpenVPN VPN supports the following options (see openvpn(8) for details):

Option name            OpenVPN option     Description
OpenVPN.CACert         --ca               Certificate authority file (M)
OpenVPN.Cert           --cert             Local peer's signed certificate (M)
OpenVPN.Key            --key              Local peer's private key (M)
OpenVPN.MTU            --mtu              MTU of the tunnel (O)
OpenVPN.NSCertType     --ns-cert-type     Peer certificate type, value of
                                          either server or client (O)
OpenVPN.Proto          --proto            Use protocol (O)
OpenVPN.Port           --port             TCP/UDP port number (O)
OpenVPN.AuthUserPass   --auth-user-pass   Authenticate with server using
OpenVPN.AskPass        --askpass          Get certificate password from file (O)
OpenVPN.AuthNoCache    --auth-nocache     Don't cache --askpass or
                                          --auth-user-pass value (O)
OpenVPN.TLSRemote      --tls-remote       Accept connections only from a host
                                          with X509 name or common name equal
                                          to name parameter (O). Deprecated in
OpenVPN.TLSAuth                           sub-option of --tls-remote (O)
OpenVPN.TLSAuthDir                        sub-option of --tls-remote (O)
OpenVPN.Cipher         --cipher           Encrypt packets with cipher algorithm
                                          given as parameter (O)
OpenVPN.Auth           --auth             Authenticate packets with HMAC using
                                          message digest algorithm alg (O)
OpenVPN.CompLZO        --comp-lzo         Use fast LZO compression. Value can
                                          be "yes", "no", or "adaptive". Default
OpenVPN.RemoteCertTls  --remote-cert-tls  Require that peer certificate was
                                          signed based on RFC3280 TLS rules.
                                          Value is "client" or "server" (O)
OpenVPN.ConfigFile     --config           OpenVPN config file that can contain
                                          extra options not supported by OpenVPN
OpenVPN.DeviceType     --dev-type         Whether the VPN should use a tun (OSI
                                          layer 3) or tap (OSI layer 2) device.
                                          Value is "tun" (default) or "tap" (O)
VPNC VPN supports the following options (see vpnc(8) for details):

Option name          VPNC config value            Description
VPNC.IPSec.ID        IPSec ID                     your group username (M)
VPNC.IPSec.Secret    IPSec secret                 your group password (cleartext) (O)
VPNC.Xauth.Username  Xauth username               your username (O)
VPNC.Xauth.Password  Xauth password               your password (cleartext) (O)
VPNC.IKE.Authmode    IKE Authmode                 IKE Authentication mode (O)
VPNC.IKE.DHGroup     IKE DH Group                 name of the IKE DH Group (O)
VPNC.PFS             Perfect Forward Secrecy      Diffie-Hellman group to use for
VPNC.Domain          Domain                       Domain name for authentication (O)
VPNC.Vendor          Vendor                       vendor of your IPSec gateway (O)
VPNC.LocalPort       Local Port                   local ISAKMP port number to use
VPNC.CiscoPort       Cisco UDP Encapsulation Port Local UDP port number to
VPNC.AppVersion      Application version          Application Version to report (O)
VPNC.NATTMode        NAT Traversal Mode           Which NAT-Traversal Method to use (O)
VPNC.DPDTimeout      DPD idle timeout (our side)  Send DPD packet after
VPNC.SingleDES       Enable Single DES            enables single DES encryption (O)
VPNC.NoEncryption    Enable no encryption         enables using no encryption for data
VPNC.DeviceType      Interface mode               Whether the VPN should use a tun (OSI
                                                  layer 3) or tap (OSI layer 2) device.
                                                  Value is "tun" (default) or "tap" (O)
L2TP VPN supports the following options (see xl2tpd.conf(5) and pppd(8) for details):

Option name         xl2tpd config value     Description
L2TP.User           -                       L2TP user name, asked from the user
L2TP.Password       -                       L2TP password, asked from the user
L2TP.BPS            bps                     Max bandwidth to use (O)
L2TP.TXBPS          tx bps                  Max transmit bandwidth to use (O)
L2TP.RXBPS          rx bps                  Max receive bandwidth to use (O)
L2TP.LengthBit      length bit              Use length bit (O)
L2TP.Challenge      challenge               Use challenge authentication (O)
L2TP.DefaultRoute   defaultroute            Default route (O)
L2TP.FlowBit        flow bit                Use seq numbers (O)
L2TP.TunnelRWS      tunnel rws              Window size (O)
L2TP.Exclusive      exclusive               Use only one control channel (O)
L2TP.Redial         redial                  Redial if disconnected (O)
L2TP.RedialTimeout  redial timeout          Redial timeout (O)
L2TP.MaxRedials     max redials             How many times to try redial (O)
L2TP.RequirePAP     require pap             Need pap (O)
L2TP.RequireCHAP    require chap            Need chap (O)
L2TP.ReqAuth        require authentication  Need auth (O)
L2TP.AccessControl  access control          Accept only these peers (O)
L2TP.AuthFile       auth file               Authentication file location (O)
L2TP.ListenAddr     listen-addr             Listen address (O)
L2TP.IPsecSaref     ipsec saref             Use IPSec SA (O)
L2TP.Port           port                    What UDP port is used (O)

Option name              pppd config value  Description
PPPD.EchoFailure         lcp-echo-failure   Dead peer check count (O)
PPPD.EchoInterval        lcp-echo-interval  Dead peer check interval (O)
PPPD.Debug               debug              Debug level (O)
PPPD.RefuseEAP           refuse-eap         Deny eap auth (O)
PPPD.RefusePAP           refuse-pap         Deny pap auth (O)
PPPD.RefuseCHAP          refuse-chap        Deny chap auth (O)
PPPD.RefuseMSCHAP        refuse-mschap      Deny mschap auth (O)
PPPD.RefuseMSCHAP2       refuse-mschapv2    Deny mschapv2 auth (O)
PPPD.NoBSDComp           nobsdcomp          Disable BSD compression (O)
PPPD.NoPcomp             nopcomp            Disable protocol compression (O)
PPPD.UseAccomp           noaccomp           Disable address/control
PPPD.NoDeflate           nodeflate          Disable deflate compression (O)
PPPD.ReqMPPE             require-mppe       Require the use of MPPE (O)
PPPD.ReqMPPE40           require-mppe-40    Require the use of MPPE 40 bit (O)
PPPD.ReqMPPE128          require-mppe-128   Require the use of MPPE 128 bit (O)
PPPD.ReqMPPEStateful     mppe-stateful      Allow MPPE to use stateful mode (O)
PPPD.NoVJ                novj               No Van Jacobson compression (O)
PPTP VPN supports the following options (see pptp(8) and pppd(8) for details):

Option name         pptp config value  Description
PPTP.User           -                  PPTP user name, asked from the user
PPTP.Password       -                  PPTP password, asked from the user

Option name              pppd config value  Description
PPPD.EchoFailure         lcp-echo-failure   Dead peer check count (O)
PPPD.EchoInterval        lcp-echo-interval  Dead peer check interval (O)
PPPD.Debug               debug              Debug level (O)
PPPD.RefuseEAP           refuse-eap         Deny eap auth (O)
PPPD.RefusePAP           refuse-pap         Deny pap auth (O)
PPPD.RefuseCHAP          refuse-chap        Deny chap auth (O)
PPPD.RefuseMSCHAP        refuse-mschap      Deny mschap auth (O)
PPPD.RefuseMSCHAP2       refuse-mschapv2    Deny mschapv2 auth (O)
PPPD.NoBSDComp           nobsdcomp          Disable BSD compression (O)
PPPD.NoDeflate           nodeflate          Disable deflate compression (O)
PPPD.RequirMPPE          require-mppe       Require the use of MPPE (O)
PPPD.RequirMPPE40        require-mppe-40    Require the use of MPPE 40 bit (O)
PPPD.RequirMPPE128       require-mppe-128   Require the use of MPPE 128 bit (O)
PPPD.RequirMPPEStateful  mppe-stateful      Allow MPPE to use stateful mode (O)
PPPD.NoVJ                novj               No Van Jacobson compression (O)
IPsec VPN supports the following options (see swanctl.conf(5) for details):

Option name              IPSec config value    Description
IPsec.Version            Version               IKE major version to use for
                                               connection (M)
IPsec.LeftAddrs          local_addrs           Local address(es) to use for IKE
                                               communication (M)
IPsec.RightAddrs         remote_addrs          Remote address(es) to use for IKE
                                               communication (M)

IPsec.LocalAuth          local.auth            Authentication to perform locally (M)
IPsec.LocalCerts         local.certs           Certificate candidate to use for
                                               authentication (O)
IPsec.LocalID            local.id              IKE identity to use for
                                               authentication round (O)
IPsec.LocalXauthID       local.xauth_id        Client XAuth username used in the
                                               XAuth exchange (O)
IPsec.LocalXauthAuth     local-xauth.auth      Xauth round authentication to
                                               perform locally (O)
IPsec.LocalXauthXauthID  local-xauth.xauth_id  Xauth round client XAuth username
                                               used in the XAuth exchange (O)

IPsec.RemoteAuth         remote.auth           Authentication to expect from
                                               remote (M)
IPsec.RemoteCerts        remote.certs          Certificate candidate to use for
                                               authentication (O)
IPsec.RemoteID           remote.id             IKE identity to use for
                                               authentication round (O)
IPsec.RemoteXauthAuth    remote-xauth.auth     Xauth round authentication to
                                               expect from remote (O)
IPsec.ChildrenLocalTs    children.local_ts     Local selectors to include in
                                               CHILD_SA (O)
IPsec.ChildrenRemoteTs   children.remote_ts    Remote selectors to include in
                                               CHILD_SA (O)

IPsec.IKEData            secret.data           IKE PSK raw shared key data
IPsec.IKEOwners          secret.Owners         list of shared key owner identities
IPsec.XauthData          secret.data           XAUTH raw shared key data
IPsec.XauthOwners        secret.Owners         list of shared key owner identities

IPsec.CertType           cert.type             certificate type, X509|X509_AC|X509_CRL
IPsec.CertFlag           cert.flag             X.509 certificate flag, NONE|CA|AA|OCSP
IPsec.CertData           cert.data             PEM or DER encoded certificate data
Example
=======

This is a configuration file for a VPN providing L2TP, OpenVPN and
OpenConnect services.

example@example:[~]$ cat /var/lib/connman/vpn/example.config
Description = Example VPN configuration

Name = Connection to corporate network
Domain = corporate.com
Networks = 10.10.30.0/24

[provider_openconnect]
Name = Connection to corporate network using Cisco VPN
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12

Name = Connection to corporate network using OpenVPN
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key
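The following validator is an added example, not Connman's own code and not part of this document. It checks a provisioning file against the rules stated above: the file-name restriction, the [global] and [provider_*] sections, the (M) fields for each Type, the Networks entry format with its IPv6 prefix-length rule, and it flags the keys this document describes as cleartext or short-lived credentials, which anyone reviewing a provisioned file will want to see. The functions parse_config, parse_networks and check_config, the constructed sample file (192.0.2.x hosts, /etc/certs paths, the "changeme" password) and the treatment of '#' lines as comments are all assumptions of the example, not behaviour documented here.

```python
"""Validator for Connman VPN .config files (added example, not Connman's own code)."""
import ipaddress
import re

FILENAME_RE = re.compile(r"^[A-Za-z0-9]+\.config$")  # letters or numbers, plus .config

# Keys marked (M) in this document, for every provider and per Type.
MANDATORY_COMMON = ("Type", "Name", "Host", "Domain")
MANDATORY_BY_TYPE = {
    "OpenConnect": (), "L2TP": (), "PPTP": (),
    "OpenVPN": ("OpenVPN.CACert", "OpenVPN.Cert", "OpenVPN.Key"),
    "VPNC": ("VPNC.IPSec.ID",),
}
# Credentials that sit in the file in plain text: the VPNC secret and password are
# documented as cleartext, the cookie as short-lived, the rest are normally asked.
CLEARTEXT_KEYS = {"VPNC.IPSec.Secret", "VPNC.Xauth.Password", "OpenConnect.Cookie",
                  "L2TP.Password", "PPTP.Password"}

# Constructed sample (192.0.2.x hosts and /etc/certs paths are placeholders); the
# OpenVPN section deliberately lacks OpenVPN.Key and has a bad IPv6 Networks entry.
SAMPLE_CONFIG = """\
[global]
Description = Example VPN configuration

[provider_vpnc]
Type = VPNC
Name = Legacy IPsec gateway
Host = 192.0.2.20
Domain = corporate.com
VPNC.IPSec.ID = staff
VPNC.Xauth.Password = changeme

[provider_openvpn]
Type = OpenVPN
Name = Connection to corporate network using OpenVPN
Host = 192.0.2.30
Domain = my.home.network
Networks = 10.10.30.0/24/10.10.30.1,2001:db8::/255.255.0.0
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
"""


def parse_config(text):
    """Return {section: {key: value}}, values stripped of surrounding whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments are an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_networks(value):
    """Parse 'network/netmask[/gateway],...' into [(ip_network, gateway or None)]."""
    result = []
    for entry in (e.strip() for e in value.split(",")):
        parts = entry.split("/")
        if len(parts) not in (2, 3):
            raise ValueError(f"entry must be network/netmask[/gateway]: {entry!r}")
        addr = ipaddress.ip_address(parts[0])
        if addr.version == 6 and not parts[1].isdigit():  # IPv6: prefix length only
            raise ValueError(f"IPv6 entry must use a prefix length: {entry!r}")
        # strict=False because the document's own example writes 192.168.99.1/24.
        network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        gateway = ipaddress.ip_address(parts[2]) if len(parts) == 3 else None
        result.append((network, gateway))
    return result


def check_config(filename, text):
    """Return the list of problems found; an empty list means the file is well-formed."""
    problems = []
    if not FILENAME_RE.match(filename):
        problems.append(f"file name {filename!r} must be letters or numbers plus .config")
    for name, sec in parse_config(text).items():
        if name == "global":
            continue
        if not name.startswith("provider_"):
            problems.append(f"unexpected section [{name}]")
            continue
        ptype = sec.get("Type")
        if ptype is not None and ptype not in MANDATORY_BY_TYPE:
            problems.append(f"{name}: unknown Type {ptype!r}")
        for key in MANDATORY_COMMON + MANDATORY_BY_TYPE.get(ptype, ()):
            if key not in sec:
                problems.append(f"{name}: missing mandatory {key}")
        if "Networks" in sec:
            try:
                parse_networks(sec["Networks"])
            except ValueError as exc:
                problems.append(f"{name}: Networks: {exc}")
        problems += [f"{name}: {k} is stored in cleartext" for k in sec if k in CLEARTEXT_KEYS]
    return problems


if __name__ == "__main__":
    print("\n".join(check_config("example.config", SAMPLE_CONFIG)))
```

Run stand-alone, the script prints one line per problem; for the constructed sample those are the cleartext VPNC password, the missing OpenVPN.Key and the IPv6 entry written with a dotted netmask. parse_networks is also usable on its own against the Networks value from the example above, where it yields the three networks with only the first carrying a gateway.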