author Bernhard Schmidt <berni@debian.org> 2020-09-30 21:10:56 +0200
committer Bernhard Schmidt <berni@debian.org> 2020-09-30 21:10:56 +0200
commit c3a748571ed19f9259b2e63cd7ba56abdb1b7747
tree ef419b35f5a1632a8b0c3ab6faa773eed9c6788a /doc/man-sections/server-options.rst
parent b97ad09a3b8c0017db0a677667a7215f1a98cccf
parent 5246174f27866c0e9e22844d998f3c97cac54050
Update upstream source from tag 'upstream/2.5_rc2'
Update to upstream version '2.5~rc2' with Debian dir 0cd2307abadc06f5064e4d5e7c23689a67b720c5
Diffstat (limited to 'doc/man-sections/server-options.rst')
-rw-r--r-- doc/man-sections/server-options.rst 36
1 files changed, 32 insertions, 4 deletions
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index f1f0667..5a68945 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -204,7 +204,8 @@ fast hardware. SSL/TLS authentication must be used in this mode.
ifconfig-ipv6-pool ipv6addr/bits
The pool starts at ``ipv6addr`` and matches the offset determined from
- the start of the IPv4 pool.
+ the start of the IPv4 pool. If the host part of the given IPv6
+ address is ``0``, the pool starts at ``ipv6addr`` +1.
--ifconfig-pool-persist args
Persist/unpersist ifconfig-pool data to ``file``, at ``seconds``
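Review bot: The added sentence "the pool starts at ``ipv6addr`` +1" does not say how it combines with the preceding statement that the pool "matches the offset determined from the start of the IPv4 pool". A reader cannot tell whether the +1 replaces that offset or is applied together with it when the host part is ``0``. Please state which one applies, ideally with one concrete address pair, so operators who write firewall rules or static per-client assignments against the pool range know the first address that will actually be handed out.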
@@ -530,6 +531,14 @@ fast hardware. SSL/TLS authentication must be used in this mode.
``--client-config-dir`` configuration file. This option will ignore
``--push`` options at the global config file level.
+ *NOTE*: ``--push-reset`` is very thorough: it will remove almost
+ all options from the list of to-be-pushed options. In many cases,
+ some of these options will need to be re-configured afterwards -
+ specifically, ``--topology subnet`` and ``--route-gateway`` will get
+ lost and this will break client configs in many cases. Thus, for most
+ purposes, ``--push-remove`` is better suited to selectively remove
+ push options for individual clients.
+
--server args
A helper directive designed to simplify the configuration of OpenVPN's
server mode. This directive will set up an OpenVPN server which will
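Review bot: In the new ``--push-reset`` note, "almost all options" is too vague for a warning whose purpose is to tell administrators what they lose. Only ``--topology subnet`` and ``--route-gateway`` are named, and nothing says which options survive the reset. Please either list the options that are kept or say where that list can be found. "In many cases" also appears twice within three lines; dropping the second occurrence would tighten the note. The recommendation to use ``--push-remove`` reads well and could carry a cross-reference to that option's entry.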
@@ -631,6 +640,19 @@ fast hardware. SSL/TLS authentication must be used in this mode.
mode server
tls-server
+--server-ipv6 args
+ Convenience-function to enable a number of IPv6 related options at once,
+ namely ``--ifconfig-ipv6``, ``--ifconfig-ipv6-pool`` and
+ ``--push tun-ipv6``.
+
+ Valid syntax:
+ ::
+
+ server-ipv6 ipv6addr/bits
+
+ Pushing of the ``--tun-ipv6`` directive is done for older clients which
+ require an explicit ``--tun-ipv6`` in their configuration.
+
--stale-routes-check args
Remove routes which haven't had activity for ``n`` seconds (i.e. the ageing
time). This check is run every ``t`` seconds (i.e. check interval).
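Review bot: The new ``--server-ipv6`` entry names the three options it enables but does not show what they expand to for a given ``ipv6addr/bits``, whereas the context lines just above (``mode server``, ``tls-server``) look like the tail of such an expansion listing for ``--server``. An equivalent expansion here would let readers see which address the server takes and where the pool starts, which matters given the host-part-``0`` rule added to ``--ifconfig-ipv6-pool`` in this same patch. Minor wording: "Convenience-function" would read better as "Convenience directive", since the ``--server`` entry calls itself a "helper directive".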
@@ -646,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode.
``--max-routes-per-client``
--username-as-common-name
- For ``--auth-user-pass-verify`` authentication, use the authenticated
- username as the common name, rather than the common name from the client
- cert.
+ Use the authenticated username as the common-name, rather than the
+ common-name from the client certificate. Requires that some form of
+ ``--auth-user-pass`` verification is in effect. As the replacement happens
+ after ``--auth-user-pass`` verification, the verification script or
+ plugin will still receive the common-name from the certificate.
+
+ The common_name environment variable passed to scripts and plugins invoked
+ after authentication (e.g, client-connect script) and file names parsed in
+ client-config directory will match the username.
--verify-client-cert mode
Specify whether the client is required to supply a valid certificate.
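Review bot: In the rewritten ``--username-as-common-name`` text, "some form of ``--auth-user-pass`` verification" names the client-side option, while the removed wording referred to ``--auth-user-pass-verify``. Since this paragraph defines which identity later scripts and per-client config files are keyed on, it should name the server-side mechanisms explicitly, for example "``--auth-user-pass-verify`` or an authentication plugin". In the second paragraph, "e.g," is missing its period, ``common_name`` is not in literal markup like the option names around it, and "client-config directory" should be written as ``--client-config-dir`` to match the spelling used earlier in the file.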