Connman configuration file format for VPN
*****************************************
Connman VPN uses configuration files to provision existing providers.
vpnd looks for its configuration files in VPN_STORAGEDIR, which by
default points to /var/lib/connman-vpn. Configuration file names must
contain only letters or numbers and must have a .config suffix. These
configuration files are text files with a simple format; typically there
is one file per provisioned network.

If a config file is removed, vpnd tries to remove the provisioned
service. If an individual service entry inside the config is removed,
the corresponding provisioned service is removed. If a service entry is
changed, the corresponding service is removed and then immediately
re-provisioned.
These files can have an optional global entry describing the actual file.
The two allowed fields for that entry are:
- Name: Name of the network.
- Description: Description of the network.
Provider entry [provider_*]
===========================
Each provisioned provider must start with the [provider_*] tag.
Replace * with an identifier unique to the config file.

- Type: Provider type; one of OpenConnect, OpenVPN, VPNC, L2TP or PPTP.
VPN related parameters (M = mandatory, O = optional):
- Name: A user defined name for the VPN (M)
- Host: VPN server IP address (M)
- Domain: Domain name for the VPN service (M)
- Networks: The networks behind the VPN link can be defined here. This can
  be left out if all traffic should go via the VPN tunnel. If there is more
  than one network, separate them by commas. The format of an entry is
  network/netmask/gateway; the gateway can be left out. (O)
  Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
  For IPv6 addresses only a prefix length is accepted, like this: 2001:db8::1/64
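As an added example (not part of the ConnMan documentation or code base), a small Python lint for a provisioning file: it checks the mandatory provider fields and the Type value listed above, parses each Networks entry with the network/netmask/gateway rule (prefix length only for IPv6), and flags the two VPNC keys the option table below documents as cleartext. The constructed sample file, the CLEARTEXT key set and the wording of the problem messages are this example's own choices.

```python
import configparser
import ipaddress

MANDATORY = ("Type", "Name", "Host", "Domain")
TYPES = {"OpenConnect", "OpenVPN", "VPNC", "L2TP", "PPTP"}
CLEARTEXT = {"VPNC.IPSec.Secret", "VPNC.Xauth.Password"}  # documented as cleartext

def parse_network(entry):
    # One Networks item: network/netmask[/gateway]; IPv6 takes a prefix length only.
    parts = entry.split("/")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected network/netmask[/gateway]: {entry}")
    if ipaddress.ip_address(parts[0]).version == 6 and not parts[1].isdigit():
        raise ValueError(f"IPv6 needs a prefix length: {entry}")
    net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    gw = ipaddress.ip_address(parts[2]) if len(parts) == 3 else None
    if gw is not None and gw.version != net.version:
        raise ValueError(f"gateway/network address family mismatch: {entry}")
    return net, gw

def lint(text):
    # Return the problems found in the text of one .config provisioning file.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys such as OpenVPN.CACert case-sensitive
    cp.read_string(text)
    problems = []
    for sec in (s for s in cp.sections() if s.startswith("provider_")):
        problems += [f"{sec}: missing mandatory {k}" for k in MANDATORY if k not in cp[sec]]
        if "Type" in cp[sec] and cp[sec]["Type"] not in TYPES:
            problems.append(f"{sec}: unknown Type {cp[sec]['Type']}")
        for entry in filter(None, cp[sec].get("Networks", "").split(",")):
            try:
                parse_network(entry)
            except ValueError as e:
                problems.append(f"{sec}: bad Networks entry: {e}")
        problems += [f"{sec}: {k} holds a cleartext secret" for k in sorted(CLEARTEXT & set(cp[sec]))]
    return problems

# Constructed sample (not the page's example): Host is missing, the first two Networks
# entries are valid, the third uses an IPv6 netmask instead of a prefix length.
SAMPLE = """\
[provider_legacy]
Type = VPNC
Name = Legacy gateway
Domain = example.net
Networks = 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2,2001:db8::/ffff:ffff::
VPNC.IPSec.ID = group
VPNC.IPSec.Secret = hunter2
"""
```

lint(SAMPLE) reports exactly three problems: the missing Host, the malformed IPv6 entry and the cleartext group password.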
OpenConnect VPN supports the following options (see openconnect(8) for details):
 Option name             OpenConnect option   Description
 OpenConnect.ServerCert  --servercert         Accept server's SSL certificate
                                              only if its fingerprint matches
 OpenConnect.CACert      --cafile             Cert file for server
 VPN.MTU                 --mtu                Request MTU from server as the
OpenVPN VPN supports the following options (see openvpn(8) for details):
 Option name             OpenVPN option     Description
 OpenVPN.CACert          --ca               Certificate authority file (M)
 OpenVPN.Cert            --cert             Local peer's signed certificate (M)
 OpenVPN.Key             --key              Local peer's private key (M)
 OpenVPN.MTU             --mtu              MTU of the tunnel (O)
 OpenVPN.NSCertType      --ns-cert-type     Peer certificate type, value of
                                            either server or client (O)
 OpenVPN.Proto           --proto            Use protocol (O)
 OpenVPN.Port            --port             TCP/UDP port number (O)
 OpenVPN.AuthUserPass    --auth-user-pass   Authenticate with server using
 OpenVPN.AskPass         --askpass          Get certificate password from file (O)
 OpenVPN.AuthNoCache     --auth-nocache     Don't cache --askpass or
                                            --auth-user-pass value (O)
 OpenVPN.TLSRemote       --tls-remote       Accept connections only from a host
                                            with X509 name or common name equal
 OpenVPN.TLSAuth         sub-option of --tls-remote (O)
 OpenVPN.TLSAuthDir      sub-option of --tls-remote (O)
 OpenVPN.Cipher          --cipher           Encrypt packets with cipher algorithm
                                            given as parameter (O)
 OpenVPN.Auth            --auth             Authenticate packets with HMAC using
                                            message digest algorithm alg (O)
 OpenVPN.CompLZO         --comp-lzo         Use fast LZO compression. Value can
                                            be "yes", "no", or "adaptive". Default
 OpenVPN.RemoteCertTls   --remote-cert-tls  Require that peer certificate was
                                            signed based on RFC3280 TLS rules.
                                            Value is "client" or "server" (O)
VPNC VPN supports the following options (see vpnc(8) for details):
 Option name          VPNC config value             Description
 VPNC.IPSec.ID        IPSec ID                      Your group username (M)
 VPNC.IPSec.Secret    IPSec secret                  Your group password (cleartext) (O)
 VPNC.Xauth.Username  Xauth username                Your username (O)
 VPNC.Xauth.Password  Xauth password                Your password (cleartext) (O)
 VPNC.IKE.Authmode    IKE Authmode                  IKE authentication mode (O)
 VPNC.IKE.DHGroup     IKE DH Group                  Name of the IKE DH group (O)
 VPNC.PFS             Perfect Forward Secrecy       Diffie-Hellman group to use for PFS (O)
 VPNC.Domain          Domain                        Domain name for authentication (O)
 VPNC.Vendor          Vendor                        Vendor of your IPSec gateway (O)
 VPNC.LocalPort       Local Port                    Local ISAKMP port number to use
 VPNC.CiscoPort       Cisco UDP Encapsulation Port  Local UDP port number to use (O)
 VPNC.AppVersion      Application Version           Application version to report (O)
 VPNC.NATTMode        NAT Traversal Mode            Which NAT-Traversal method to use (O)
 VPNC.DPDTimeout      DPD idle timeout (our side)   Send DPD packet after timeout (O)
 VPNC.SingleDES       Enable Single DES             Enables single DES encryption (O)
 VPNC.NoEncryption    Enable no encryption          Enables using no encryption for data traffic (O)
L2TP VPN supports the following options (see xl2tpd.conf(5) and pppd(8) for details):
 Option name          xl2tpd config value     Description
 L2TP.User            -                       L2TP user name, asked from the user
 L2TP.Password        -                       L2TP password, asked from the user
 L2TP.BPS             bps                     Max bandwidth to use (O)
 L2TP.TXBPS           tx bps                  Max transmit bandwidth to use (O)
 L2TP.RXBPS           rx bps                  Max receive bandwidth to use (O)
 L2TP.LengthBit       length bit              Use length bit (O)
 L2TP.Challenge       challenge               Use challenge authentication (O)
 L2TP.DefaultRoute    defaultroute            Default route (O)
 L2TP.FlowBit         flow bit                Use seq numbers (O)
 L2TP.TunnelRWS       tunnel rws              Window size (O)
 L2TP.Exclusive       exclusive               Use only one control channel (O)
 L2TP.Redial          redial                  Redial if disconnected (O)
 L2TP.RedialTimeout   redial timeout          Redial timeout (O)
 L2TP.MaxRedials      max redials             How many times to try redial (O)
 L2TP.RequirePAP      require pap             Need PAP (O)
 L2TP.RequireCHAP     require chap            Need CHAP (O)
 L2TP.ReqAuth         require authentication  Need auth (O)
 L2TP.AccessControl   access control          Accept only these peers (O)
 L2TP.AuthFile        auth file               Authentication file location (O)
 L2TP.ListenAddr      listen-addr             Listen address (O)
 L2TP.IPsecSaref      ipsec saref             Use IPSec SA (O)
 L2TP.Port            port                    What UDP port is used (O)
 Option name            pppd config value   Description
 PPPD.EchoFailure       lcp-echo-failure    Dead peer check count (O)
 PPPD.EchoInterval      lcp-echo-interval   Dead peer check interval (O)
 PPPD.Debug             debug               Debug level (O)
 PPPD.RefuseEAP         refuse-eap          Deny EAP auth (O)
 PPPD.RefusePAP         refuse-pap          Deny PAP auth (O)
 PPPD.RefuseCHAP        refuse-chap         Deny CHAP auth (O)
 PPPD.RefuseMSCHAP      refuse-mschap       Deny MSCHAP auth (O)
 PPPD.RefuseMSCHAP2     refuse-mschapv2     Deny MSCHAPv2 auth (O)
 PPPD.NoBSDComp         nobsdcomp           Disable BSD compression (O)
 PPPD.NoPcomp           nopcomp             Disable protocol compression (O)
 PPPD.UseAccomp         accomp              Disable address/control compression (O)
 PPPD.NoDeflate         nodeflate           Disable deflate compression (O)
 PPPD.ReqMPPE           require-mppe        Require the use of MPPE (O)
 PPPD.ReqMPPE40         require-mppe-40     Require the use of MPPE 40 bit (O)
 PPPD.ReqMPPE128        require-mppe-128    Require the use of MPPE 128 bit (O)
 PPPD.ReqMPPEStateful   mppe-stateful       Allow MPPE to use stateful mode (O)
 PPPD.NoVJ              no-vj-comp          No Van Jacobson compression (O)
PPTP VPN supports the following options (see pptp(8) and pppd(8) for details):
 Option name              pptp config value   Description
 PPTP.User                -                   PPTP user name, asked from the user
 PPTP.Password            -                   PPTP password, asked from the user

 Option name              pppd config value   Description
 PPPD.EchoFailure         lcp-echo-failure    Dead peer check count (O)
 PPPD.EchoInterval        lcp-echo-interval   Dead peer check interval (O)
 PPPD.Debug               debug               Debug level (O)
 PPPD.RefuseEAP           refuse-eap          Deny EAP auth (O)
 PPPD.RefusePAP           refuse-pap          Deny PAP auth (O)
 PPPD.RefuseCHAP          refuse-chap         Deny CHAP auth (O)
 PPPD.RefuseMSCHAP        refuse-mschap       Deny MSCHAP auth (O)
 PPPD.RefuseMSCHAP2       refuse-mschapv2     Deny MSCHAPv2 auth (O)
 PPPD.NoBSDComp           nobsdcomp           Disable BSD compression (O)
 PPPD.NoDeflate           nodeflate           Disable deflate compression (O)
 PPPD.RequirMPPE          require-mppe        Require the use of MPPE (O)
 PPPD.RequirMPPE40        require-mppe-40     Require the use of MPPE 40 bit (O)
 PPPD.RequirMPPE128       require-mppe-128    Require the use of MPPE 128 bit (O)
 PPPD.RequirMPPEStateful  mppe-stateful       Allow MPPE to use stateful mode (O)
 PPPD.NoVJ                no-vj-comp          No Van Jacobson compression (O)
This is a configuration file for a VPN providing L2TP, OpenVPN and
OpenConnect services.

example@example:[~]$ cat /var/lib/connman/vpn/example.config

Description = Example VPN configuration

Name = Connection to corporate network
Domain = corporate.com
Networks = 10.10.30.0/24

[provider_openconnect]
Name = Connection to corporate network using Cisco VPN
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12

Name = Connection to corporate network using OpenVPN
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key