summaryrefslogtreecommitdiff
path: root/doc/openvpn.8
diff options
context:
space:
mode:
authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
commit749384a154025e268b53cf3cc79eaeddde2b3ceb (patch)
tree27baa9e6aec76635d750405d90cd461440a656d1 /doc/openvpn.8
parentdb4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff)
initial stretch branch release 2.4.0-6
Diffstat (limited to 'doc/openvpn.8')
-rw-r--r--doc/openvpn.8128
1 files changed, 28 insertions, 100 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 56c0f7a..7bd6d9d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -15,9 +15,10 @@
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
-.\" You should have received a copy of the GNU General Public License along
-.\" with this program; if not, write to the Free Software Foundation, Inc.,
-.\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program (see the file COPYING included with this
+.\" distribution); if not, write to the Free Software Foundation, Inc.,
+.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.\"
.\" Manual page for openvpn
.\"
@@ -326,7 +327,7 @@ http\-proxy 192.168.0.8 8080
persist\-key
persist\-tun
pkcs12 client.p12
-remote\-cert\-tls server
+ns\-cert\-type server
verb 3
.in -4
.ft
@@ -2711,34 +2712,6 @@ to the module initialization function. Multiple
plugin modules may be loaded into one OpenVPN
process.
-The
-.B module-pathname
-argument can be just a filename or a filename with a relative
-or absolute path. The format of the filename and path defines
-if the plug-in will be loaded from a default plug-in directory
-or outside this directory.
-
-.nf
-.ft 3
-.in +4
-.B \-\-plugin path\ \ \ \ \ \ \ \ Effective directory used
-====================================================
- myplug.so DEFAULT_DIR/myplug.so
- subdir/myplug.so DEFAULT_DIR/subdir/myplug.so
- ./subdir/myplug.so CWD/subdir/myplug.so
- /usr/lib/my/plug.so /usr/lib/my/plug.so
-.in -4
-.fi
-
-DEFAULT_DIR is replaced by the default plug-in directory,
-which is configured at the build time of OpenVPN. CWD is the
-current directory where OpenVPN was started or the directory
-OpenVPN have swithed into via the
-.B \-\-cd
-option before the
-.B \-\-plugin
-option.
-
For more information and examples on how to build OpenVPN
plug-in modules, see the README file in the
.B plugin
@@ -3996,8 +3969,9 @@ See management\-notes.txt in the OpenVPN distribution for a
description of the OpenVPN challenge/response protocol.
.\"*********************************************************
.TP
-\fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR
-When connecting to a remote server do not wait for more than
+.B \-\-server\-poll\-timeout n
+.B \-\-connect\-timeout n
+when connecting to a remote server do not wait for more than
.B n
seconds waiting for a response before trying the next server.
The default value is 120s. This timeout includes proxy and TCP
@@ -4694,27 +4668,15 @@ and
Not available with PolarSSL.
.\"*********************************************************
.TP
-.B \-\-verify\-hash hash [algo]
-Specify SHA1 or SHA256 fingerprint for level-1 cert. The level-1 cert is the
+.B \-\-verify\-hash hash
+Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the
CA (or intermediate cert) that signs the leaf certificate, and is
one removed from the leaf certificate in the direction of the root.
When accepting a connection from a peer, the level-1 cert
fingerprint must match
.B hash
or certificate verification will fail. Hash is specified
-as XX:XX:... For example:
-
-.nf
-.ft 3
-.in +4
-AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
-.in -4
-.ft
-.fi
-
-The
-.B algo
-flag can be either SHA1 or SHA256. If not provided, it defaults to SHA1.
+as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
.\"*********************************************************
.TP
.B \-\-pkcs11\-cert\-private [0|1]...
@@ -5102,29 +5064,6 @@ In contrast to
.B \-\-tls\-crypt
does *not* require the user to set
.B \-\-key\-direction\fR.
-
-.B Security Considerations
-
-All peers use the same
-.B \-\-tls-crypt
-pre-shared group key to authenticate and encrypt control channel messages. To
-ensure that IV collisions remain unlikely, this key should not be used to
-encrypt more than 2^48 client-to-server or 2^48 server-to-client control
-channel messages. A typical initial negotiation is about 10 packets in each
-direction. Assuming both initial negotiation and renegotiations are at most
-2^16 (65536) packets (to be conservative), and (re)negotiations happen each
-minute for each user (24/7), this limits the tls\-crypt key lifetime to 8171
-years divided by the number of users. So a setup with 1000 users should rotate
-the key at least once each eight years. (And a setup with 8000 users each
-year.)
-
-If IV collisions were to occur, this could result in the security of
-.B \-\-tls\-crypt
-degrading to the same security as using
-.B \-\-tls\-auth\fR.
-That is, the control channel still benefits from the extra protection against
-active man-in-the-middle-attacks and DoS attacks, but may no longer offer
-extra privacy and post-quantum security on top of what TLS itself offers.
.\"*********************************************************
.TP
.B \-\-askpass [file]
@@ -5308,8 +5247,6 @@ option will match against the chosen
.B fieldname
instead of the Common Name.
-Only the subjectAltName and issuerAltName X.509 extensions are supported.
-
.B Please note:
This option has a feature which will convert an all-lowercase
.B fieldname
@@ -5377,11 +5314,7 @@ as X509_<depth>_<attribute>=<value>. Multiple
options can be defined to track multiple attributes.
.\"*********************************************************
.TP
-.B \-\-ns\-cert\-type client|server (DEPRECATED)
-This option is deprecated. Use the more modern equivalent
-.B \-\-remote\-cert\-tls
-instead. This option will be removed in OpenVPN 2.5.
-
+.B \-\-ns\-cert\-type client|server
Require that peer certificate was signed with an explicit
.B nsCertType
designation of "client" or "server".
@@ -5408,25 +5341,15 @@ or
.B \-\-tls\-verify.
.\"*********************************************************
.TP
-.B \-\-remote\-cert\-ku [v...]
+.B \-\-remote\-cert\-ku v...
Require that peer certificate was signed with an explicit
.B key usage.
-If present in the certificate, the keyUsage value is validated by the TLS
-library during the TLS handshake. Specifying this option without arguments
-requires this extension to be present (so the TLS library will verify it).
-
-If the list
-.B v...
-is also supplied, the keyUsage field must have
-.B at least
-the same bits set as the bits in
-.B one of
-the values supplied in the list
-.B v...
+This is a useful security option for clients, to ensure that
+the host they connect to is a designated server.
-The key usage values in the list must be encoded in hex, e.g.
-"\-\-remote\-cert\-ku a0"
+The key usage should be encoded in hex, more than one key
+usage can be specified.
.\"*********************************************************
.TP
.B \-\-remote\-cert\-eku oid
@@ -5447,21 +5370,24 @@ and
.B extended key usage
based on RFC3280 TLS rules.
-This is a useful security option for clients, to ensure that the host they
-connect to is a designated server. Or the other way around; for a server to
-verify that only hosts with a client certificate can connect.
+This is a useful security option for clients, to ensure that
+the host they connect to is a designated server.
The
.B \-\-remote\-cert\-tls client
option is equivalent to
.B
-\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Client Authentication"
+\-\-remote\-cert\-ku 80 08 88 \-\-remote\-cert\-eku "TLS Web Client Authentication"
+
+The key usage is digitalSignature and/or keyAgreement.
The
.B \-\-remote\-cert\-tls server
option is equivalent to
.B
-\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication"
+\-\-remote\-cert\-ku a0 88 \-\-remote\-cert\-eku "TLS Web Server Authentication"
+
+The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).
This is an important security precaution to protect against
a man-in-the-middle attack where an authorized client
@@ -5893,7 +5819,9 @@ flag.
.TP
.B \-\-dhcp\-release
Ask Windows to release the TAP adapter lease on shutdown.
-This option has no effect now, as it is enabled by default starting with version 2.4.1.
+This option has the same caveats as
+.B \-\-dhcp\-renew
+above.
.\"*********************************************************
.TP
.B \-\-register\-dns