summaryrefslogtreecommitdiff
path: root/doc/man-sections
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2021-02-24 19:54:19 +0100
committerBernhard Schmidt <berni@debian.org>2021-02-24 19:54:19 +0100
commitd717dbfa8d0807202f5ad05f7db53925cf63a446 (patch)
treeff434c729e3d55979ee85983296c424e637a1124 /doc/man-sections
parent76fee93e6fe89e5575bae2840b585d2f025b9050 (diff)
parent4ee98f284a93c3b855092d35ac21371d9dcad65b (diff)
Update upstream source from tag 'upstream/2.5.1'
Update to upstream version '2.5.1' with Debian dir 7ffab8b9a1f4bee8b10a736ef58cdbac4bfd4b14
Diffstat (limited to 'doc/man-sections')
-rw-r--r--doc/man-sections/renegotiation.rst2
-rw-r--r--doc/man-sections/tls-options.rst6
-rw-r--r--doc/man-sections/vpn-network-options.rst9
3 files changed, 12 insertions, 5 deletions
diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst
index b817cfa..c548440 100644
--- a/doc/man-sections/renegotiation.rst
+++ b/doc/man-sections/renegotiation.rst
@@ -35,7 +35,7 @@ separate ephemeral encryption key which is rotated at regular intervals.
pseudo-uniform-randomized between ``min`` and ``max``.
With the default value of :code:`3600` this results in an effective per
- session value in the range of :code:`3240`..:code:`3600` seconds for
+ session value in the range of :code:`3240` .. :code:`3600` seconds for
servers, or just 3600 for clients.
When using dual-factor authentication, note that this default value may
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 8c2db7c..f0b6d3d 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -422,13 +422,13 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
:code:`DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA` when
using OpenSSL.
- The default for `--tls-ciphersuites` is to use the crypto library's
- default.
-
--tls-ciphersuites l
Same as ``--tls-cipher`` but for TLS 1.3 and up. mbed TLS has no
TLS 1.3 support yet and only the ``--tls-cipher`` setting is used.
+ The default for `--tls-ciphersuites` is to use the crypto library's
+ default.
+
--tls-client
Enable TLS and assume client role during TLS handshake.
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 2668278..029834a 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -21,7 +21,8 @@ routing.
For this option to make sense you actually have to route traffic to the
tun interface. The following example config block would send all IPv6
traffic to OpenVPN and answer all requests with no route to host,
- effectively blocking IPv6.
+ effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked
+ clients leaking around IPv4-only VPN services).
**Client config**
::
@@ -38,6 +39,12 @@ routing.
--push "redirect-gateway ipv6"
--block-ipv6
+ Note: this option does not influence traffic sent from the server
+ towards the client (neither on the server nor on the client side).
+ This is not seen as necessary, as such traffic can be most easily
+ avoided by not configuring IPv6 on the server tun, or setting up a
+ server-side firewall rule.
+
--dev device
TUN/TAP virtual network device which can be :code:`tunX`, :code:`tapX`,
:code:`null` or an arbitrary name string (:code:`X` can be omitted for