[platform/upstream/connman.git] / doc / vpn-config-format.txt

Connman configuration file format for VPN
*****************************************

Connman VPN uses configuration files to provision existing providers.
vpnd will be looking for its configuration files at VPN_STORAGEDIR
which by default points to /var/lib/connman-vpn. Configuration file names
must not include other characters than letters or numbers and must have
a .config suffix. Those configuration files are text files with a simple
key-value pair format organized into sections. Values do not comprise leading
trailing whitespace. We typically have one file per provisioned network.

If the config file is removed, then vpnd tries to remove the
provisioned service. If an individual service entry inside a config is removed,
then the corresponding provisioned service is removed. If a service
section is changed, then the corresponding service is removed and immediately
re-provisioned.


Global section [global]
=======================

These files can have an optional global section describing the actual file.
The two allowed fields for this section are:
- Name: Name of the network.
- Description: Description of the network.


Provider section [provider_*]
=============================

Each provisioned provider must start with the [provider_*] tag.
Replace * with an identifier unique to the config file.

Allowed fields:
- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP

VPN related parameters (M = mandatory, O = optional):
- Name: A user defined name for the VPN (M)
- Host: VPN server IP address (M)
- Domain: Domain name for the VPN service (M)
- Networks: The networks behind the VPN link can be defined here. This can
  be missing if all traffic should go via VPN tunnel. If there are more
  than one network, then separate them by comma. Format of the entry
  is network/netmask/gateway. The gateway can be left out. (O)
  Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
  For IPv6 addresses only prefix length is accepted like this 2001:db8::1/64

OpenConnect VPN supports following options (see openconnect(8) for details):
 Option name            OpenConnect option Description
 OpenConnect.ServerCert --servercert       SHA1 certificate fingerprint of the
                                           final VPN server after possible web
                                           authentication login, selection and
                                           redirection (O)
 OpenConnect.CACert     --cafile           File containing other Certificate
                                           Authorities in addition to the ones
                                           in the system trust database (O)
 OpenConnect.ClientCert --certificate      Client certificate file, if needed
                                           by web authentication (O)
 VPN.MTU                --mtu              Request MTU from server as the MTU
                                           of the tunnel (O)
 OpenConnect.Cookie     --cookie-on-stdin  Cookie received as a result of the
                                           web authentication. As the cookie
                                           lifetime can be very limited, it
                                           does not usually make sense to add
                                           it into the configuration file (O)
 OpenConnect.VPNHost                       The final VPN server to use after
                                           completing the web authentication.
                                           Only usable for extremely simple VPN
                                           configurations and should normally
                                           be set only via the VPN Agent API.
If OpenConnect.Cookie or OpenConnect.ServerCert are missing, the VPN Agent will
be contacted to supply the information.

OpenVPN VPN supports following options (see openvpn(8) for details):
 Option name            OpenVPN option   Description
 OpenVPN.CACert         --ca             Certificate authority file (M)
 OpenVPN.Cert           --cert           Local peer's signed certificate (M)
 OpenVPN.Key            --key            Local peer's private key (M)
 OpenVPN.MTU            --mtu            MTU of the tunnel (O)
 OpenVPN.NSCertType     --ns-cert-type   Peer certificate type, value of
                                         either server or client (O)
 OpenVPN.Proto          --proto          Use protocol (O)
 OpenVPN.Port           --port           TCP/UDP port number (O)
 OpenVPN.AuthUserPass   --auth-user-pass Authenticate with server using
                                         username/password (O)
 OpenVPN.AskPass        --askpass        Get certificate password from file (O)
 OpenVPN.AuthNoCache    --auth-nocache   Don't cache --askpass or
                                         --auth-user-pass value (O)
 OpenVPN.TLSRemote      --tls-remote     Accept connections only from a host
                                         with X509 name or common name equal
                                         to name parameter (O). Deprecated in
                                         OpenVPN 2.3+.
 OpenVPN.TLSAuth        sub-option of --tls-remote (O)
 OpenVPN.TLSAuthDir     sub-option of --tls-remote (O)
 OpenVPN.Cipher         --cipher         Encrypt packets with cipher algorithm
                                         given as parameter (O)
 OpenVPN.Auth           --auth           Authenticate  packets with HMAC using
                                         message digest algorithm alg (O)
 OpenVPN.CompLZO        --comp-lzo       Use  fast  LZO compression. Value can
                                         be "yes", "no", or "adaptive". Default
                                         is adaptive (O)
 OpenVPN.RemoteCertTls  --remote-cert-tls Require that peer certificate was
                                          signed based on RFC3280 TLS rules.
                                          Value is "client" or "server" (O)
 OpenVPN.ConfigFile     --config         OpenVPN config file that can contain
                                         extra options not supported by OpenVPN
                                         plugin (O)
 OpenVPN.DeviceType     --dev-type       Whether the VPN should use a tun (OSI
                                         layer 3) or tap (OSI layer 2) device.
                                         Value is "tun" (default) or "tap" (O)

VPNC VPN supports following options (see vpnc(8) for details):
 Option name         VPNC config value     Description
 VPNC.IPSec.ID       IPSec ID              your group username (M)
 VPNC.IPSec.Secret   IPSec secret          your group password (cleartext) (O)
 VPNC.Xauth.Username Xauth username        your username (O)
 VPNC.Xauth.Password Xauth password        your password (cleartext) (O)
 VPNC.IKE.Authmode   IKE Authmode          IKE Authentication mode (O)
 VPNC.IKE.DHGroup    IKE DH Group          name of the IKE DH Group (O)
 VPNC.PFS            Perfect Forward Secrecy    Diffie-Hellman group to use for
                                                PFS (O)
 VPNC.Domain         Domain                Domain name for authentication (O)
 VPNC.Vendor         Vendor                vendor of your IPSec gateway (O)
 VPNC.LocalPort      Local Port            local ISAKMP port number to use
 VPNC.CiscoPort      Cisco UDP Encapsulation Port    Local UDP port number to
                                                     use (O)
 VPNC.AppVersion     Application version   Application Version to report (O)
 VPNC.NATTMode       NAT Traversal Mode    Which NAT-Traversal Method to use (O)
 VPNC.DPDTimeout     DPD idle timeout (our side)    Send DPD packet after
                                                    timeout (O)
 VPNC.SingleDES      Enable Single DES     enables single DES encryption (O)
 VPNC.NoEncryption   Enable no encryption  enables using no encryption for data
                                           traffic (O)
 VPNC.DeviceType     Interface mode        Whether the VPN should use a tun (OSI
                                           layer 3) or tap (OSI layer 2) device.
                                           Value is "tun" (default) or "tap" (O)

L2TP VPN supports following options (see xl2tpd.conf(5) and pppd(8) for details)
 Option name         xl2tpd config value    Description
 L2TP.User           -                      L2TP user name, asked from the user
                                            if not set here (O)
 L2TP.Password       -                      L2TP password, asked from the user
                                            if not set here (O)
 L2TP.BPS            bps                    Max bandwidth to use (O)
 L2TP.TXBPS          tx bps                 Max transmit bandwidth to use (O)
 L2TP.RXBPS          rx bps                 Max receive bandwidth to use (O)
 L2TP.LengthBit      length bit             Use length bit (O)
 L2TP.Challenge      challenge              Use challenge authentication (O)
 L2TP.DefaultRoute   defaultroute           Default route (O)
 L2TP.FlowBit        flow bit               Use seq numbers (O)
 L2TP.TunnelRWS      tunnel rws             Window size (O)
 L2TP.Exclusive      exclusive              Use only one control channel (O)
 L2TP.Redial         redial                 Redial if disconnected (O)
 L2TP.RedialTimeout  redial timeout         Redial timeout (O)
 L2TP.MaxRedials     max redials            How many times to try redial (O)
 L2TP.RequirePAP     require pap            Need pap (O)
 L2TP.RequireCHAP    require chap           Need chap (O)
 L2TP.ReqAuth        require authentication Need auth (O)
 L2TP.AccessControl  access control         Accept only these peers (O)
 L2TP.AuthFile       auth file              Authentication file location (O)
 L2TP.ListenAddr     listen-addr            Listen address (O)
 L2TP.IPsecSaref     ipsec saref            Use IPSec SA (O)
 L2TP.Port           port                   What UDP port is used (O)

 Option name         pppd config value      Description
 PPPD.EchoFailure    lcp-echo-failure       Dead peer check count (O)
 PPPD.EchoInterval   lcp-echo-interval      Dead peer check interval (O)
 PPPD.Debug          debug                  Debug level (O)
 PPPD.RefuseEAP      refuse-eap             Deny eap auth (O)
 PPPD.RefusePAP      refuse-pap             Deny pap auth (O)
 PPPD.RefuseCHAP     refuse-chap            Deny chap auth (O)
 PPPD.RefuseMSCHAP   refuse-mschap          Deny mschap auth (O)
 PPPD.RefuseMSCHAP2  refuse-mschapv2        Deny mschapv2 auth (O)
 PPPD.NoBSDComp      nobsdcomp              Disables BSD compression (O)
 PPPD.NoPcomp        nopcomp                Disable protocol compression (O)
 PPPD.UseAccomp      noaccomp               Disable address/control
                                            compression (O)
 PPPD.NoDeflate      nodeflate              Disable deflate compression (O)
 PPPD.ReqMPPE        require-mppe           Require the use of MPPE (O)
 PPPD.ReqMPPE40      require-mppe-40        Require the use of MPPE 40 bit (O)
 PPPD.ReqMPPE128     require-mppe-128       Require the use of MPPE 128 bit (O)
 PPPD.ReqMPPEStateful mppe-stateful         Allow MPPE to use stateful mode (O)
 PPPD.NoVJ           novj                   No Van Jacobson compression (O)


PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
 Option name         pptp config value    Description
 PPTP.User           -                    PPTP user name, asked from the user
                                          if not set here (O)
 PPTP.Password       -                    PPTP password, asked from the user
                                          if not set here (O)

 Option name         pppd config value    Description
 PPPD.EchoFailure    lcp-echo-failure     Dead peer check count (O)
 PPPD.EchoInterval   lcp-echo-interval    Dead peer check interval (O)
 PPPD.Debug          debug                Debug level (O)
 PPPD.RefuseEAP      refuse-eap           Deny eap auth (O)
 PPPD.RefusePAP      refuse-pap           Deny pap auth (O)
 PPPD.RefuseCHAP     refuse-chap          Deny chap auth (O)
 PPPD.RefuseMSCHAP   refuse-mschap        Deny mschap auth (O)
 PPPD.RefuseMSCHAP2  refuse-mschapv2      Deny mschapv2 auth (O)
 PPPD.NoBSDComp      nobsdcomp            Disables BSD compression (O)
 PPPD.NoDeflate      nodeflate            Disable deflate compression (O)
 PPPD.RequirMPPE     require-mppe         Require the use of MPPE (O)
 PPPD.RequirMPPE40   require-mppe-40      Require the use of MPPE 40 bit (O)
 PPPD.RequirMPPE128  require-mppe-128     Require the use of MPPE 128 bit (O)
 PPPD.RequirMPPEStateful mppe-stateful    Allow MPPE to use stateful mode (O)
 PPPD.NoVJ           novj                 No Van Jacobson compression (O)

IPsec VPN supports following options (see swanctl.conf(5) for details):
 Option name                   IPSec config value    Description
 IPsec.Version                 Version               IKE major version to use for connection (M)
 IPsec.LeftAddrs               local_addrs           Local address(es) to use for IKE communication (M)
 IPsec.RightAddrs              remote_addrs          Remote address(es) to use for IKE communication (M)


 IPsec.LocalAuth               local.auth            Authentication to perform locally (M)
 IPsec.LocalCerts              local.certs           Certificate candidate to use for authentication (O)
 IPsec.LocalID                 local.id              IKE identity to use for authentication round (O)
 IPsec.LocalXauthID            local.xauth_id        Client XAuth username used in the XAuth exchange (O)
 IPsec.LocalXauthAuth          local-xauth.auth      Xauth round authentication to perform locally (O)
 IPsec.LocalXauthXauthID       local-xauth.xauth_id  Xauth round client XAuth username used in the XAuth exchange (O)

 IPsec.RemoteAuth              remote.auth           Authentication to expect from remote (M)
 IPsec.RemoteCerts             remote.certs          Certificate candidate to use for authentication (O)
 IPsec.RemoteID                remote.id             IKE identity to use for authentication round (O)
 IPsec.RemoteXauthAuth         remote-xauth.auth     Xauth round authentication to expect from remote (O)
 IPsec.ChildrenLocalTs         children.local_ts     local selectors to include in CHILD_SA (O)
 IPsec.ChildrenRemoteTs        children.remote_ts    Remote selectors to include in CHILD_SA (O)

 IPsec.IKEData                 secret.data           IKE PSK raw shared key data
 IPsec.IKEOwners               secret.Owners         list of shared key owner identities
 IPsec.XauthData               secret.data           XAUTH raw shared key data
 IPsec.XauthOwners             secret.Owners         list of shared key owner identities

 IPsec.CertType                cert.type             certificate type, X509|X509_AC|X509_CRL
 IPsec.CertFlag                cert.flag             X.509 certificate flag, NONE|CA|AA|OCSP
 IPsec.CertData                cert.data             PEM or DER encoded certificate data

Example
=======

This is a configuration file for a VPN providing L2TP, OpenVPN and
OpenConnect services.


example@example:[~]$ cat /var/lib/connman/vpn/example.config
[global]
Name = Example
Description = Example VPN configuration

[provider_l2tp]
Type = L2TP
Name = Connection to corporate network
Host = 1.2.3.4
Domain = corporate.com
Networks = 10.10.30.0/24
L2TP.User = username

[provider_openconnect]
Type = OpenConnect
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12

[provider_openvpn]
Type = OpenVPN
Name = Connection to corporate network using OpenVPN
Host = 3.2.5.6
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key