summaryrefslogtreecommitdiff
path: root/doc/man-sections
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-09-01 16:53:26 +0200
committerBernhard Schmidt <berni@debian.org>2020-09-01 16:53:26 +0200
commit57f0b7b331088e489e93ae89ee0aed98381d8806 (patch)
treeb86439ebb9e98eb6b81bda4c47f67cd3959d182f /doc/man-sections
parent1079962e4c06f88a54e50d997c1b7e84303d30b4 (diff)
New upstream version 2.5~beta3upstream/2.5_beta3
Diffstat (limited to 'doc/man-sections')
-rw-r--r--doc/man-sections/cipher-negotiation.rst96
-rw-r--r--doc/man-sections/vpn-network-options.rst23
2 files changed, 17 insertions, 102 deletions
diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst
deleted file mode 100644
index f143305..0000000
--- a/doc/man-sections/cipher-negotiation.rst
+++ /dev/null
@@ -1,96 +0,0 @@
-Data channel cipher negotiation
-===============================
-
-OpenVPN 2.4 and higher have the capability to negotiate the data cipher that
-is used to encrypt data packets. This section describes the mechanism in more detail and the
-different backwards compatibility mechanism with older server and clients.
-
-OpenVPN 2.5 and higher behaviour
---------------------------------
-When both client and server are at least running OpenVPN 2.5, that the order of
-the ciphers of the server's ``--data-ciphers`` is used to pick the the data cipher.
-That means that the first cipher in that list that is also in the client's
-``--data-ciphers`` list is chosen. If no common cipher is found the client is rejected
-with a AUTH_FAILED message (as seen in client log):
-
- AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
-
-OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure
-backwards compatibility also if a cipher is specified using the ``--cipher`` option
-it is automatically added to this list. If both options are unset the default is
-:code:`AES-256-GCM:AES-128-GCM`.
-
-OpenVPN 2.4 clients
--------------------
-The negotiation support in OpenVPN 2.4 was the first iteration of the implementation
-and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible".
-An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM
-mode and does not have ``--ncp-disable`` will always announce support for
-`AES-256-GCM` and `AES-128-GCM` to a server by sending :code:`IV_NCP=2`.
-
-This only causes a problem if ``--ncp-ciphers`` option has been changed from the
-default of :code:`AES-256-GCM:AES-128-GCM` to a value that does not include
-these two ciphers. When a OpenVPN servers try to use `AES-256-GCM` or
-`AES-128-GCM` the connection will then fail. It is therefore recommended to
-always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the ``--ncp-ciphers``
-options to avoid this behaviour.
-
-OpenVPN 3 clients
------------------
-Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
-do not have a configurable ``--ncp-ciphers`` or ``--data-cipher`` option. Instead
-these clients will announce support for all their supported AEAD ciphers
-(`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`).
-
-To support OpenVPN 3.x based clients at least one of these ciphers needs to be
-included in the server's ``--data-ciphers`` option.
-
-
-OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``)
-------------------------------------------------------------------
-When a client without cipher negotiation support connects to a server the
-cipher specified with the ``--cipher`` option in the client configuration
-must be included in the ``--data-ciphers`` option of the server to allow
-the client to connect. Otherwise the client will be sent the ``AUTH_FAILED``
-message that indicates no shared cipher.
-
-If the client is 2.3 or older and has been configured with the
-``--enable-small`` :code:`./configure` argument, using
-``data-ciphers-fallback cipher`` in the server config file with the explicit
-cipher used by the client is necessary.
-
-OpenVPN 2.4 server
-------------------
-When a client indicates support for `AES-128-GCM` and `AES-256-GCM`
-(with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first
-cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what
-the cipher is. To emulate the behaviour of an OpenVPN 2.4 client as close
-as possible and have compatibility to a setup that depends on this quirk,
-adding `AES-128-GCM` and `AES-256-GCM` to the client's ``--data-ciphers``
-option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if
-those ciphers are present.
-
-OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``)
-------------------------------------------------------------------
-The cipher used by the server must be included in ``--data-ciphers`` to
-allow the client connecting to a server without cipher negotiation
-support.
-(For compatibility OpenVPN 2.5 will also accept the cipher set with
-``--cipher``)
-
-If the server is 2.3 or older and has been configured with the
-``--enable-small`` :code:`./configure` argument, adding
-``data-ciphers-fallback cipher`` to the client config with the explicit
-cipher used by the server is necessary.
-
-Blowfish in CBC mode (BF-CBC) deprecation
-------------------------------------------
-The ``--cipher`` option defaulted to ``BF-CBC`` in OpenVPN 2.4 and older
-version. The default was never changed to ensure backwards compatibility.
-In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher``
-is not explicitly set it does not allow the weak ``BF-CBC`` cipher any more
-and needs to explicitly added as ``--cipher BFC-CBC`` or added to
-``-data-ciphers``.
-
-We strongly recommend to switching away from BF-CBC to a
-more secure cipher as soon as possible instead.
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 7100c1a..825dd1c 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -93,12 +93,18 @@ routing.
or :code:`tap`.
--dhcp-option args
- Set additional network settings via DHCP. On Windows, this is parsed by
- the ``tap-windows6`` or ``wintun`` driver. On other platforms these
- options can be picked up by an ``--up`` script or plug-in if it has been
- pushed by the OpenVPN server. The option will then be saved in the
- client's environment before the ``--up`` script is called, under the name
- :code:`foreign_option_{n}`.
+ Set additional network parameters on supported platforms. May be specified
+ on the client or pushed from the server. On Windows these options are
+ handled by the ``tap-windows6`` driver by default or directly by OpenVPN
+ if dhcp is disabled or the ``wintun`` driver is in use. The
+ ``OpenVPN for Android`` client also handles them internally.
+
+ On all other platforms these options are only saved in the client's
+ environment under the name :code:`foreign_options_{n}` before the
+ ``--up`` script is called. A plugin or an ``--up`` script must be used to
+ pick up and interpret these as required. Many Linux distributions include
+ such scripts and some third-party user interfaces such as tunnelblick also
+ come with scripts that process these options.
Valid syntax:
::
@@ -108,6 +114,11 @@ routing.
:code:`DOMAIN` ``name``
Set Connection-specific DNS Suffix to :code:`name`.
+ :code:`DOMAIN-SEARCH` ``name``
+ Add :code:`name` to the domain search list.
+ Repeat this option to add more entries. Up to
+ 10 domains are supported.
+
:code:`DNS` ``address``
Set primary domain name server IPv4 or IPv6 address.
Repeat this option to set secondary DNS server addresses.