1 Connman configuration file format for VPN
2 *****************************************
4 Connman VPN uses configuration files to provision existing providers.
5 vpnd will be looking for its configuration files at VPN_STORAGEDIR
6 which by default points to /var/lib/connman-vpn. Configuration file names
7 must not include other characters than letters or numbers and must have
8 a .config suffix. Those configuration files are text files with a simple
9 key-value pair format organized into sections. Values do not comprise leading
10 trailing whitespace. We typically have one file per provisioned network.
12 If the config file is removed, then vpnd tries to remove the
13 provisioned service. If an individual service entry inside a config is removed,
14 then the corresponding provisioned service is removed. If a service
15 section is changed, then the corresponding service is removed and immediately
19 Global section [global]
20 =======================
22 These files can have an optional global section describing the actual file.
23 The two allowed fields for this section are:
24 - Name: Name of the network.
25 - Description: Description of the network.
28 Provider section [provider_*]
29 =============================
31 Each provisioned provider must start with the [provider_*] tag.
32 Replace * with an identifier unique to the config file.
35 - Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP
37 VPN related parameters (M = mandatory, O = optional):
38 - Name: A user defined name for the VPN (M)
39 - Host: VPN server IP address (M)
40 - Domain: Domain name for the VPN service (M)
41 - Networks: The networks behind the VPN link can be defined here. This can
42 be missing if all traffic should go via VPN tunnel. If there are more
43 than one network, then separate them by comma. Format of the entry
44 is network/netmask/gateway. The gateway can be left out. (O)
45 Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
46 For IPv6 addresses only prefix length is accepted like this 2001:db8::1/64
48 OpenConnect VPN supports following options (see openconnect(8) for details):
49 Option name OpenConnect option Description
50 OpenConnect.ServerCert --servercert SHA1 certificate fingerprint of the
51 final VPN server after possible web
52 authentication login, selection and
54 OpenConnect.CACert --cafile File containing other Certificate
55 Authorities in addition to the ones
56 in the system trust database (O)
57 OpenConnect.ClientCert --certificate Client certificate file, if needed
58 by web authentication (O)
59 VPN.MTU --mtu Request MTU from server as the MTU
61 OpenConnect.Cookie --cookie-on-stdin Cookie received as a result of the
62 web authentication. As the cookie
63 lifetime can be very limited, it
64 does not usually make sense to add
65 it into the configuration file (O)
66 OpenConnect.VPNHost The final VPN server to use after
67 completing the web authentication.
68 Only usable for extremely simple VPN
69 configurations and should normally
70 be set only via the VPN Agent API.
71 If OpenConnect.Cookie or OpenConnect.ServerCert are missing, the VPN Agent will
72 be contacted to supply the information.
74 OpenVPN VPN supports following options (see openvpn(8) for details):
75 Option name OpenVPN option Description
76 OpenVPN.CACert --ca Certificate authority file (M)
77 OpenVPN.Cert --cert Local peer's signed certificate (M)
78 OpenVPN.Key --key Local peer's private key (M)
79 OpenVPN.MTU --mtu MTU of the tunnel (O)
80 OpenVPN.NSCertType --ns-cert-type Peer certificate type, value of
81 either server or client (O)
82 OpenVPN.Proto --proto Use protocol (O)
83 OpenVPN.Port --port TCP/UDP port number (O)
84 OpenVPN.AuthUserPass --auth-user-pass Authenticate with server using
86 OpenVPN.AskPass --askpass Get certificate password from file (O)
87 OpenVPN.AuthNoCache --auth-nocache Don't cache --askpass or
88 --auth-user-pass value (O)
89 OpenVPN.TLSRemote --tls-remote Accept connections only from a host
90 with X509 name or common name equal
92 OpenVPN.TLSAuth sub-option of --tls-remote (O)
93 OpenVPN.TLSAuthDir sub-option of --tls-remote (O)
94 OpenVPN.Cipher --cipher Encrypt packets with cipher algorithm
95 given as parameter (O)
96 OpenVPN.Auth --auth Authenticate packets with HMAC using
97 message digest algorithm alg (O)
98 OpenVPN.CompLZO --comp-lzo Use fast LZO compression. Value can
99 be "yes", "no", or "adaptive". Default
101 OpenVPN.RemoteCertTls --remote-cert-tls Require that peer certificate was
102 signed based on RFC3280 TLS rules.
103 Value is "client" or "server" (O)
104 OpenVPN.ConfigFile --config OpenVPN config file that can contain
105 extra options not supported by OpenVPN
108 VPNC VPN supports following options (see vpnc(8) for details):
109 Option name VPNC config value Description
110 VPNC.IPSec.ID IPSec ID your group username (M)
111 VPNC.IPSec.Secret IPSec secret your group password (cleartext) (O)
112 VPNC.Xauth.Username Xauth username your username (O)
113 VPNC.Xauth.Password Xauth password your password (cleartext) (O)
114 VPNC.IKE.Authmode IKE Authmode IKE Authentication mode (O)
115 VPNC.IKE.DHGroup IKE DH Group name of the IKE DH Group (O)
116 VPNC.PFS Perfect Forward Secrecy Diffie-Hellman group to use for PFS (O)
117 VPNC.Domain Domain Domain name for authentication (O)
118 VPNC.Vendor Vendor vendor of your IPSec gateway (O)
119 VPNC.LocalPort Local Port local ISAKMP port number to use
120 VPNC.CiscoPort Cisco UDP Encapsulation Port Local UDP port number to use (O)
121 VPNC.AppVersion Application Version Application Version to report (O)
122 VPNC.NATTMode NAT Traversal Mode Which NAT-Traversal Method to use (O)
123 VPNC.DPDTimeout DPD idle timeout (our side) Send DPD packet after timeout (O)
124 VPNC.SingleDES Enable Single DES enables single DES encryption (O)
125 VPNC.NoEncryption Enable no encryption enables using no encryption for data traffic (O)
127 L2TP VPN supports following options (see xl2tpd.conf(5) and pppd(8) for details)
128 Option name xl2tpd config value Description
129 L2TP.User - L2TP user name, asked from the user
131 L2TP.Password - L2TP password, asked from the user
133 L2TP.BPS bps Max bandwith to use (O)
134 L2TP.TXBPS tx bps Max transmit bandwith to use (O)
135 L2TP.RXBPS rx bps Max receive bandwith to use (O)
136 L2TP.LengthBit length bit Use length bit (O)
137 L2TP.Challenge challenge Use challenge authentication (O)
138 L2TP.DefaultRoute defaultroute Default route (O)
139 L2TP.FlowBit flow bit Use seq numbers (O)
140 L2TP.TunnelRWS tunnel rws Window size (O)
141 L2TP.Exclusive exclusive Use only one control channel (O)
142 L2TP.Redial redial Redial if disconnected (O)
143 L2TP.RedialTimeout redial timeout Redial timeout (O)
144 L2TP.MaxRedials max redials How many times to try redial (O)
145 L2TP.RequirePAP require pap Need pap (O)
146 L2TP.RequireCHAP require chap Need chap (O)
147 L2TP.ReqAuth require authentication Need auth (O)
148 L2TP.AccessControl access control Accept only these peers (O)
149 L2TP.AuthFile auth file Authentication file location (O)
150 L2TP.ListenAddr listen-addr Listen address (O)
151 L2TP.IPsecSaref ipsec saref Use IPSec SA (O)
152 L2TP.Port port What UDP port is used (O)
154 Option name pppd config value Description
155 PPPD.EchoFailure lcp-echo-failure Dead peer check count (O)
156 PPPD.EchoInterval lcp-echo-interval Dead peer check interval (O)
157 PPPD.Debug debug Debug level (O)
158 PPPD.RefuseEAP refuse-eap Deny eap auth (O)
159 PPPD.RefusePAP refuse-pap Deny pap auth (O)
160 PPPD.RefuseCHAP refuse-chap Deny chap auth (O)
161 PPPD.RefuseMSCHAP refuse-mschap Deny mschap auth (O)
162 PPPD.RefuseMSCHAP2 refuse-mschapv2 Deny mschapv2 auth (O)
163 PPPD.NoBSDComp nobsdcomp Disables BSD compression (O)
164 PPPD.NoPcomp nopcomp Disable protocol compression (O)
165 PPPD.UseAccomp accomp Disable address/control compression (O)
166 PPPD.NoDeflate nodeflate Disable deflate compression (O)
167 PPPD.ReqMPPE require-mppe Require the use of MPPE (O)
168 PPPD.ReqMPPE40 require-mppe-40 Require the use of MPPE 40 bit (O)
169 PPPD.ReqMPPE128 require-mppe-128 Require the use of MPPE 128 bit (O)
170 PPPD.ReqMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
171 PPPD.NoVJ no-vj-comp No Van Jacobson compression (O)
174 PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
175 Option name pptp config value Description
176 PPTP.User - PPTP user name, asked from the user
178 PPTP.Password - PPTP password, asked from the user
181 Option name pppd config value Description
182 PPPD.EchoFailure lcp-echo-failure Dead peer check count (O)
183 PPPD.EchoInterval lcp-echo-interval Dead peer check interval (O)
184 PPPD.Debug debug Debug level (O)
185 PPPD.RefuseEAP refuse-eap Deny eap auth (O)
186 PPPD.RefusePAP refuse-pap Deny pap auth (O)
187 PPPD.RefuseCHAP refuse-chap Deny chap auth (O)
188 PPPD.RefuseMSCHAP refuse-mschap Deny mschap auth (O)
189 PPPD.RefuseMSCHAP2 refuse-mschapv2 Deny mschapv2 auth (O)
190 PPPD.NoBSDComp nobsdcomp Disables BSD compression (O)
191 PPPD.NoDeflate nodeflate Disable deflate compression (O)
192 PPPD.RequirMPPE require-mppe Require the use of MPPE (O)
193 PPPD.RequirMPPE40 require-mppe-40 Require the use of MPPE 40 bit (O)
194 PPPD.RequirMPPE128 require-mppe-128 Require the use of MPPE 128 bit (O)
195 PPPD.RequirMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
196 PPPD.NoVJ no-vj-comp No Van Jacobson compression (O)
198 IPsec VPN supports following options (see swanctl.conf(5) for details):
199 Option name IPSec config value Description
200 IPsec.Version Version IKE major version to use for connection (M)
201 IPsec.LeftAddrs local_addrs Local address(es) to use for IKE communication (M)
202 IPsec.RightAddrs remote_addrs Remote address(es) to use for IKE communication (M)
205 IPsec.LocalAuth local.auth Authentication to perform locally (M)
206 IPsec.LocalCerts local.certs Certificate candidate to use for authentication (O)
207 IPsec.LocalID local.id IKE identity to use for authentication round (O)
208 IPsec.LocalXauthID local.xauth_id Client XAuth username used in the XAuth exchange (O)
209 IPsec.LocalXauthAuth local-xauth.auth Xauth round authentication to perform locally (O)
210 IPsec.LocalXauthXauthID local-xauth.xauth_id Xauth round client XAuth username used in the XAuth exchange (O)
212 IPsec.RemoteAuth remote.auth Authentication to expect from remote (M)
213 IPsec.RemoteCerts remote.certs Certificate candidate to use for authentication (O)
214 IPsec.RemoteID remote.id IKE identity to use for authentication round (O)
215 IPsec.RemoteXauthAuth remote-xauth.auth Xauth round authentication to expect from remote (O)
216 IPsec.ChildrenLocalTs children.local_ts local selectors to include in CHILD_SA (O)
217 IPsec.ChildrenRemoteTs children.remote_ts Remote selectors to include in CHILD_SA (O)
219 IPsec.IKEData secret.data IKE PSK raw shared key data
220 IPsec.IKEOwners secret.Owners list of shared key owner identities
221 IPsec.XauthData secret.data XAUTH raw shared key data
222 IPsec.XauthOwners secret.Owners list of shared key owner identities
224 IPsec.CertType cert.type certificate type, X509|X509_AC|X509_CRL
225 IPsec.CertFlag cert.flag X.509 certificate flag, NONE|CA|AA|OCSP
226 IPsec.CertData cert.data PEM or DER encoded certificate data
231 This is a configuration file for a VPN providing L2TP, OpenVPN and
232 OpenConnect services.
235 example@example:[~]$ cat /var/lib/connman/vpn/example.config
238 Description = Example VPN configuration
242 Name = Connection to corporate network
244 Domain = corporate.com
245 Networks = 10.10.30.0/24
248 [provider_openconnect]
250 Name = Connection to corporate network using Cisco VPN
252 Domain = corporate.com
253 Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
254 OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
255 OpenConnect.CACert = /etc/certs/certificate.p12
259 Name = Connection to corporate network using OpenVPN
261 Domain = my.home.network
262 OpenVPN.CACert = /etc/certs/cacert.pem
263 OpenVPN.Cert = /etc/certs/cert.pem
264 OpenVPN.Key = /etc/certs/cert.key
projects / platform / upstream / connman.git / blob