New upstream version 2.5.1upstream/2.5.1

author: Bernhard Schmidt <berni@debian.org> 2021-02-24 19:54:12 +0100
committer: Bernhard Schmidt <berni@debian.org> 2021-02-24 19:54:12 +0100
commit: 4ee98f284a93c3b855092d35ac21371d9dcad65b (patch)
tree: dc5a9759b8165b50d028db416367767b82f42f49 /doc/man-sections/vpn-network-options.rst
parent: 0816f633cec4254ccfd98901252eefe84b0e2648 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 2668278..029834a 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -21,7 +21,8 @@ routing.
   For this option to make sense you actually have to route traffic to the
   tun interface. The following example config block would send all IPv6
   traffic to OpenVPN and answer all requests with no route to host,
-  effectively blocking IPv6.
+  effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked
+  clients leaking around IPv4-only VPN services).
 
   **Client config**
     ::
@@ -38,6 +39,12 @@ routing.
        --push "redirect-gateway ipv6"
        --block-ipv6
 
+  Note: this option does not influence traffic sent from the server
+  towards the client (neither on the server nor on the client side).
+  This is not seen as necessary, as such traffic can be most easily
+  avoided by not configuring IPv6 on the server tun, or setting up a
+  server-side firewall rule.
+
 --dev device
   TUN/TAP virtual network device which can be :code:`tunX`, :code:`tapX`,
   :code:`null` or an arbitrary name string (:code:`X` can be omitted for
author	Bernhard Schmidt <berni@debian.org>	2021-02-24 19:54:12 +0100
committer	Bernhard Schmidt <berni@debian.org>	2021-02-24 19:54:12 +0100
commit	4ee98f284a93c3b855092d35ac21371d9dcad65b (patch)
tree	dc5a9759b8165b50d028db416367767b82f42f49 /doc/man-sections/vpn-network-options.rst
parent	0816f633cec4254ccfd98901252eefe84b0e2648 (diff)