--- doc/sample.config.orig 2018-04-15 19:13:39 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
@@ -102,8 +102,8 @@ udp-port = 443
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
# A banner to be displayed on clients
#banner = "Welcome"
@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
+# script /usr/local/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
