
ref: cc452cbd571f1e45ac50ffc38662dbd3fc6c3e8a vpn-user-portal/config/config.php.example -rw-r--r-- 14.8 KiB
cc452cbdFrançois Kooman update dependencies 2 months ago
<?php

// Example configuration for vpn-user-portal (config/config.php.example).
// Entries that are commented out show either the documented default or an
// alternative value; uncomment and adjust only what differs from the default.
// NOTE(review): this file can hold secrets (database password, LDAP search
// bind password, RADIUS shared secret) -- keep it readable only by the web
// server user and keep it out of version control.
return [
    // override default branding style (templates/CSS) with custom style.
    // NOTE: the styling/branding MUST be installed for this to work!
    // DEFAULT = null
    //'styleName' => 'eduVPN',
    //'styleName' => 'LC',

    // Authentication backend. A single module is selected here; the section
    // named after it further below (e.g. 'LdapAuthModule') holds that
    // module's own settings.
    // DEFAULT = DbAuthModule
    //'authModule' => 'DbAuthModule',         // PDO (database)
    //'authModule' => 'BasicAuthModule',      // HTTP Basic Auth
    //'authModule' => 'LdapAuthModule',       // LDAP
    //'authModule' => 'ClientCertAuthModule', // TLS Client Cert
    //'authModule' => 'RadiusAuthModule',     // RADIUS
    //'authModule' => 'PhpSamlSpAuthModule',  // SAML (php-saml-sp)
    //'authModule' => 'MellonAuthModule',     // SAML (mod_auth_mellon)
    //'authModule' => 'ShibAuthModule',       // SAML (Shibboleth)

    // Default Session Expiry
    // The session expiry will be used to determine the "Not After" of the
    // issued X.509 certificates and the moment at which to start rejecting
    // the OAuth tokens.
    // A longer expiry means a lost device or leaked token keeps working for
    // longer before the user has to authenticate again; pick the shortest
    // value your users will tolerate.
    // DEFAULT = P90D
    //'sessionExpiry' => 'P90D',      // 90 days
    //'sessionExpiry' => 'PT12H',   // 12 hours
    //'sessionExpiry' => 'P1D',     // 1 day

    // Database
    // NOTE(review): 'dbPass' is stored in clear text here; restrict the file
    // permissions accordingly (see the note at the top of this file).
//    'Db' => [
//        'dbDsn' => 'mysql:host=localhost;port=3307;dbname=testdb',
//        'dbUser' => 'user',
//        'dbPass' => 'pass',
//    ],

//    // LDAP
//    'LdapAuthModule' => [
//        // NOTE(review): all examples below use a plain ldap:// URI. The
//        // user's password is sent to the directory in the bind, so make sure
//        // the connection is protected (an ldaps:// URI or StartTLS,
//        // whichever the module supports -- confirm) before exposing this to
//        // users.
//        // The "-H / -D / -b" lines appear to mirror the ldapsearch options
//        // that produce the same lookup; handy for testing the settings.
//        // *** FreeIPA ***
//        // -H ldap://ipa.tuxed.example
//        'ldapUri' => 'ldap://ipa.tuxed.example',
//        // -D "uid=fkooman,cn=users,cn=accounts,dc=tuxed,dc=example"
//        'bindDnTemplate' => 'uid={{UID}},cn=users,cn=accounts,dc=tuxed,dc=example',
//        // (if -b is the same -D we do NOT specify baseDn...)
//        // to normalize the entered user ID, specify the attribute you want to
//        // use to identify the user in the VPN server
//        'userIdAttribute' => 'uid',

//        // *** AD (NetBIOS domain name) ***
//        // -H ldap://ad.example.org \
//        'ldapUri' => 'ldap://ad.example.org',
//        // -D "DOMAIN\fkooman" \
//        // single-quoted on purpose: the backslash stays literal in PHP
//        'bindDnTemplate' => 'DOMAIN\{{UID}}',
//        // -b "dc=example,dc=org" \
//        'baseDn' => 'dc=example,dc=org',
//        // "(sAMAccountName=fkooman)"
//        'userFilterTemplate' => '(sAMAccountName={{UID}})',
//        // to normalize the entered user ID, specify the attribute you want to
//        // use to identify the user in the VPN server
//        'userIdAttribute' => 'sAMAccountName',

//        // *** AD (userPrincipalName) ***
//        // -H ldap://ad.example.org \
//        'ldapUri' => 'ldap://ad.example.org',
//        // -D "fkooman@example.org" \
//        'bindDnTemplate' => '{{UID}}',

//        // when the user does NOT specify the realm, e.g. only "fkooman", this
//        // option will add "@example.org" to the "User Name" as specified on
//        // the login page. If and only if there is no "@" in the provided
//        // "User Name"!
//        'addRealm' => 'example.org',
//        // -b "dc=example,dc=org" \
//        'baseDn' => 'dc=example,dc=org',
//        // "(userPrincipalName=fkooman@example.org)"
//        'userFilterTemplate' => '(userPrincipalName={{UID}})',
//        // to normalize the entered user ID, specify the attribute you want to
//        // use to identify the user in the VPN server
//        'userIdAttribute' => 'userPrincipalName',
//
//        // *** Search First ***
//        // -H ldap://server.ipa.test \
//        'ldapUri' => 'ldap://server.ipa.test',
//        // -b "cn=users,cn=accounts,dc=ipa,dc=test" \
//        'baseDn' => 'cn=users,cn=accounts,dc=ipa,dc=test',
//        // "(uidNumber=572600001)" \
//        'userFilterTemplate' => '(uidNumber={{UID}})',
//        // to normalize the entered user ID, specify the attribute you want to
//        // use to identify the user in the VPN server
//        'userIdAttribute' => 'uidNumber',
//        // in vpn-user-portal >= 2.3.8 you can also perform a bind before
//        // searching as not all LDAP servers allow anonymous bind to search the
//        // directory. If at all possible, allow anonymous bind on your LDAP
//        // server from the VPN server. NEVER USE THE LDAP ADMIN ACCOUNT HERE!
//        // The search account only needs read access to the user entries it
//        // looks up; grant it nothing more, and treat 'searchBindPass' as a
//        // secret stored in this file.
//        //'searchBindDn' => 'cn=Anonymous Search User,dc=example,dc=org',
//        //'searchBindPass' => 's3r3t',
//
//        //'permissionAttributeList' => [],
//    ],

//    // RADIUS
//    'RadiusAuthModule' => [
//        'serverList' => [
//            [
//                'host' => 'radius.example.org',
//                // 'testing123' is a placeholder only: use a long random
//                // secret unique to this server -- the shared secret is what
//                // protects the exchange with the RADIUS server
//                'secret' => 'testing123',
//                //'port' => 1812,
//            ],
//        ],
//        //'addRealm' => 'example.org',
//        //'nasIdentifier' => 'vpn.example.org',
//        //'permissionAttribute' => RADIUS_REPLY_MESSAGE,
//        //'permissionAttribute' => 16,
//    ],

//    // SAML (php-saml-sp)
//    'PhpSamlSpAuthModule' => [
//        'userIdAttribute' => 'eduPersonTargetedID',
//        //'userIdAttribute' => 'eduPersonPrincipalName',

//        // ** AUTHORIZATION | PERMISSIONS **
//        //'permissionAttributeList' => [
//        //      'eduPersonEntitlement',
//        //      //'eduPersonAffiliation',
//        //],

//        // AuthnContext required for *all* users
//        //'authnContext' => ['urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken'],

//        // Users with certain permissions obtained through
//        // "permissionAttributeList" MUST also have ANY of the listed
//        // AuthnContexts. If they currently don't, a new authentication is
//        // triggered to obtain it
//        // (i.e. a way to demand stronger authentication for privileged
//        // permissions such as the admin role without demanding it of everyone)
//        //'permissionAuthnContext' => [
//        //    'http://eduvpn.org/role/admin' => ['urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken'],
//        //],
//    ],

//    // SAML (mod_auth_mellon)
//    'MellonAuthModule' => [
//        // OID for eduPersonTargetedId
//        'userIdAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_10',
//        // OID for eduPersonPrincipalName
//        //'userIdAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6',

//        // ** AUTHORIZATION | PERMISSIONS **
//        // OID for eduPersonEntitlement
//        //'permissionAttributeList' => ['MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7'],
//        // OID for eduPersonAffiliation
//        //'permissionAttributeList' => ['MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_1'],
//    ],

//    // SAML (Shibboleth)
//    'ShibAuthModule' => [
//        'userIdAttribute' => 'persistent-id',
//        //'userIdAttribute' => 'eppn',

//        // ** AUTHORIZATION | PERMISSIONS **
//        //'permissionAttributeList' => ['entitlement'],
//        //'permissionAttributeList' => ['affiliation'],
//    ],

    // the permission required to be able to access the "admin" portion of
    // the portal, see "permissionAttributeList" in the authentication
    // configuration sections
    //'adminPermissionList' => ['http://eduvpn.org/role/admin'],

    // list of userIds that have access to the admin
    // Keep this list minimal; where possible grant admin through a permission
    // from the identity provider (above) so that it is revoked centrally
    // when the person leaves.
//    'adminUserIdList' => ['admin'],

    // the default language of the UI
    // DEFAULT: 'en-US'
    //'defaultLanguage' => 'en-US',

    // Hide the user's permissions obtained through the authentication backend
    // on the "Account" page
    // NOTE(review): the option is named showPermissions, so false hides them;
    // confirm which value is the effective default before relying on it.
    // DEFAULT: false
    //'showPermissions' => false,

    // the supported UI languages
    // DEFAULT: ['en-US']
    //'enabledLanguages' => ['en-US', 'ar-MA', 'da-DK', 'de-DE', 'es-LA', 'et-EE', 'fr-FR', 'nb-NO', 'nl-NL', 'pl-PL', 'pt-PT', 'ro-RO', 'uk-UA'],

//    'Api' => [
//        // expire OAuth access tokens after 1 hour (default)
//        //'tokenExpiry' => 'PT1H',
//        // Enable Remote Access, i.e. users from other VPN servers listed in
//        // the below remoteAccessList files to access this VPN server through
//        // the OAuth API
//        // Enabling this extends trust to every server in those files: their
//        // users become your users for the purpose of connecting.
//        // DEFAULT = false
//        //'remoteAccess' => false,
//    ],

    // Allow disabling manual configuration downloads from the portal.
    // NOTE(review): a downloaded configuration presumably carries credentials
    // valid until the session expiry (see 'sessionExpiry' above), so disabling
    // it forces clients through the OAuth API instead -- confirm before
    // choosing.
    // DEFAULT: true
//    'enableConfigDownload' => true,
//    'enableConfigDownload' => false,

    // Whether the connection to the VPN daemon uses TLS (inferred from the
    // name -- confirm).
    // DEFAULT = true (for remote connections)
    // XXX make sure of this!
    // Only consider false when the daemon is reached over loopback (see the
    // 'nodeIp' default of 127.0.0.1 below); over a network, disabling TLS
    // leaves the daemon channel unauthenticated and unencrypted.
    //'vpnDaemonTls' => false,

    // List of VPN profiles
    'vpnProfiles' => [
        'default-ovpn' => [
            // The type of the VPN
            // REQUIRED
            'vpnType' => 'openvpn',
            //'vpnType' => 'wireguard',

            // The number of this profile, every profile per instance has a
            // unique number
            // REQUIRED
            'profileNumber' => 1,

            // The name of the profile as shown in the user and admin portals
            // REQUIRED
            'displayName' => 'Default (OpenVPN)',

            // The IPv4 range of the network that will be assigned to clients
            // (should not overlap with another profile's range or with the
            // networks pushed via 'routes')
            // REQUIRED
            'range' => '10.42.42.0/24',

            // The IPv6 range of the network that will be assigned to clients
            // REQUIRED
            'range6' => 'fd42::/64',

            // The hostname the VPN client(s) will connect to
            // REQUIRED
            'hostName' => 'vpn.example',

            // Whether or not to route all traffic from the client over the VPN
            // DEFAULT = true
            //'defaultGateway' => false,

            // IPv4 and IPv6 routes to push to the client, only used when
            // defaultGateway is false
            // DEFAULT = []
            //'routes' => [
            //    '192.168.1.0/24',
            //    'fd01:1:1:1::/64',
            //],

            // XXX think about DNS in default scenario, what about "split tunnel"?
            // IPv4 and IPv6 address of DNS server(s) to push to the client
            // default could be Quad9 when defaultGateway = true (default) and
            // default could be [] when defaultGateway = false, might be confusing?!
            // DEFAULT  = []
            // Quad9 (https://www.quad9.net)
            'dns' => ['9.9.9.9', '2620:fe::fe'],

            // The address the OpenVPN processes will listen on
            // DEFAULT = '::'
            //'listenIp' => '::',

            // The IP address to use for connecting to VPN node
            // DEFAULT = '127.0.0.1'
            //'nodeIp' => '127.0.0.1',

            // Block access to local LAN when VPN is active
            // (false: clients keep access to their own local network while
            // connected)
            // DEFAULT = false
            //'blockLan' => false,

            // Whether or not to allow client-to-client traffic
            // (false: connected clients are isolated from one another; true
            // lets any connected client reach any other)
            // DEFAULT = false
            //'clientToClient' => false,

            // Whether or not to enable OpenVPN logging
            // DEFAULT = false
            //'enableLog' => false,

            // Whether or not to enable ACLs for controlling who can connect
            // (false: every user who can log in to the portal may use this
            // profile)
            // DEFAULT = false
            //'enableAcl' => false,

            // The list of permissions to allow access, requires enableAcl to
            // be true
            // DEFAULT  = []
            //'aclPermissionList' => [],

            // The protocols and ports the OpenVPN processes should use, MUST
            // be either 1, 2, 4, 8 or 16 proto/port combinations
            // DEFAULT = ['udp/1194', 'tcp/1194']
            //'vpnProtoPorts' => [
            //    'udp/1194',
            //    'tcp/1194',
            //],

            // List the protocols and ports exposed to the VPN clients. Useful
            // for OpenVPN port sharing. When empty (or missing), uses list
            // from vpnProtoPorts
            // DEFAULT = []
            //'exposedVpnProtoPorts' => [
            //    'udp/1194',
            //    'tcp/443'
            //],

            // DEFAULT = null
            //'dnsDomain' => 'example.org',

            // DEFAULT = []
            //'dnsDomainSearch' => ['a.example.org', 'b.example.org'],

            // Hide the profile from the user portal, i.e. do not allow the
            // user to choose it
            // NOTE(review): this is a UI measure, not access control; use
            // enableAcl/aclPermissionList to restrict who may connect, and
            // confirm whether a hidden profile stays reachable via the API.
            // DEFAULT = false
            //'hideProfile' => false,
        ],

        // Same option set as 'default-ovpn'. The "XXX WG?" marks are the
        // author's own flags on OpenVPN-oriented options whose effect under
        // WireGuard is not confirmed here.
        'default-wg' => [
            // The type of the VPN
            // REQUIRED
            'vpnType' => 'wireguard',
            //'vpnType' => 'openvpn',

            // The number of this profile, every profile per instance has a
            // unique number
            // REQUIRED
            'profileNumber' => 2,

            // The name of the profile as shown in the user and admin portals
            // REQUIRED
            'displayName' => 'Default (WireGuard)',

            // The IPv4 range of the network that will be assigned to clients
            // (distinct from the 'default-ovpn' range above)
            // REQUIRED
            'range' => '10.43.43.0/24',

            // The IPv6 range of the network that will be assigned to clients
            // REQUIRED
            'range6' => 'fd43::/64',

            // The hostname the VPN client(s) will connect to
            // REQUIRED
            'hostName' => 'vpn.example',

            // Whether or not to route all traffic from the client over the VPN
            // DEFAULT = true
            //'defaultGateway' => false,

            // IPv4 and IPv6 routes to push to the client, only used when
            // defaultGateway is false
            // DEFAULT = []
            //'routes' => [
            //    '192.168.1.0/24',
            //    'fd01:1:1:1::/64',
            //],

            // XXX think about DNS in default scenario, what about "split tunnel"?
            // IPv4 and IPv6 address of DNS server(s) to push to the client
            // default could be Quad9 when defaultGateway = true (default) and
            // default could be [] when defaultGateway = false, might be confusing?!
            // DEFAULT  = []
            // Quad9 (https://www.quad9.net)
            'dns' => ['9.9.9.9', '2620:fe::fe'],

            // The address the OpenVPN processes will listen on
            // XXX WG?
            // DEFAULT = '::'
            //'listenIp' => '::',

            // The IP address to use for connecting to VPN node
            // DEFAULT = '127.0.0.1'
            //'nodeIp' => '127.0.0.1',

            // Block access to local LAN when VPN is active
            // XXX WG?!
            // DEFAULT = false
            //'blockLan' => false,

            // Whether or not to allow client-to-client traffic
            // (false: connected clients are isolated from one another)
            // XXX WG?!
            // DEFAULT = false
            //'clientToClient' => false,

            // Whether or not to enable OpenVPN logging
            // XXX WG?
            // DEFAULT = false
            //'enableLog' => false,

            // Whether or not to enable ACLs for controlling who can connect
            // (false: every user who can log in to the portal may use this
            // profile)
            // DEFAULT = false
            //'enableAcl' => false,

            // The list of permissions to allow access, requires enableAcl to
            // be true
            // DEFAULT  = []
            //'aclPermissionList' => [],

            // XXX WG?
            // DEFAULT = null
            //'dnsDomain' => 'example.org',

            // XXX WG?
            // DEFAULT = []
            //'dnsDomainSearch' => ['a.example.org', 'b.example.org'],

            // Hide the profile from the user portal, i.e. do not allow the
            // user to choose it
            // NOTE(review): a UI measure, not access control -- see the same
            // option in 'default-ovpn'.
            // DEFAULT = false
            //'hideProfile' => false,
        ],
    ],
];