This page covers common configuration steps for ocserv deployments and adds a practical minimal production baseline.
If you followed the setup guide, your main configuration file is typically:
/etc/ocserv/ocserv.conf
(ocserv.conf)
# Listening
tcp-port = 443
udp-port = 443
listen-host = 10.0.0.10
# Certificates
server-cert = /etc/ocserv/certs/server.crt
server-key = /etc/ocserv/private/server.key
# Auth
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
max-clients = 128
max-same-clients = 2
# Tunnel network
ipv4-network = 10.80.0.0
ipv4-netmask = 255.255.255.0
route = default
# DNS pushed to clients
dns = 1.1.1.1
dns = 9.9.9.9
# Security
isolate-workers = true
cookie-timeout = 300
mobile-dpd = 1800
dpd = 60
# Logging
log-level = 1
Create user credentials with ocpasswd:
sudo ocpasswd -c /etc/ocserv/ocpasswd alice
Protect credential file permissions:
sudo chmod 600 /etc/ocserv/ocpasswd
sudo chown root:root /etc/ocserv/ocpasswd
(auth, user file)
(ipv4-network, route)
(dpd, mobile-dpd)
(max-clients, max-same-clients)
Restart ocserv after configuration changes:
sudo systemctl restart ocserv
Check service health, recent log output, and that ocserv is listening on the configured ports:
sudo systemctl status ocserv
sudo journalctl -u ocserv -n 100 --no-pager
sudo ss -tulpn | rg ocserv
Verify client login and tunnel routing from a test client.
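The credential-file and isolation settings above can be checked before each restart. The script below is an added example, not part of ocserv or of the original page: the function names (conf_get, passwd_path, audit_ocserv) are hypothetical, and it assumes GNU stat and the plain[passwd=...] auth form shown in the baseline.

```shell
#!/bin/sh
# Added example: pre-restart audit of an ocserv config and its password file.
# Usage (after sourcing this file): audit_ocserv [conf] [expected_owner]

# Print the value(s) of a "key = value" directive; commented lines are skipped.
conf_get() {  # $1 = conf file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# Extract the passwd= path from: auth = "plain[passwd=/path]"
passwd_path() {  # $1 = conf file
    conf_get "$1" auth |
        sed -n 's/.*plain\[.*passwd=\([^],]*\).*/\1/p' | head -n 1
}

audit_ocserv() {
    conf=${1:-/etc/ocserv/ocserv.conf}
    want_owner=${2:-root:root}
    rc=0

    pw=$(passwd_path "$conf")
    if [ -z "$pw" ]; then
        echo "FAIL: no plain[passwd=...] auth line in $conf"; rc=1
    elif [ ! -f "$pw" ]; then
        echo "FAIL: password file $pw does not exist"; rc=1
    else
        mode=$(stat -c '%a' "$pw")        # octal mode, e.g. 600
        owner=$(stat -c '%U:%G' "$pw")    # user:group
        [ "$mode" = 600 ] ||
            { echo "FAIL: $pw mode is $mode, want 600"; rc=1; }
        [ "$owner" = "$want_owner" ] ||
            { echo "FAIL: $pw owner is $owner, want $want_owner"; rc=1; }
    fi

    # Exactly one uncommented "isolate-workers = true" line is expected.
    [ "$(conf_get "$conf" isolate-workers)" = true ] ||
        { echo "FAIL: isolate-workers is not true"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $conf passes the baseline checks"
    return "$rc"
}
```

Run audit_ocserv as root and restart ocserv only when it returns 0.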
/etc/ocserv/ocserv.conf and /etc/ocserv/ocpasswd securely.