summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorJörg Frings-Fürst <debian@jff.email>2022-02-09 16:35:02 +0100
committerJörg Frings-Fürst <debian@jff.email>2022-02-09 16:35:02 +0100
commit8e924e2c919e6fbeae0045b67ac54b9697306d7d (patch)
tree2ddb2a40fd70018ada5fbab576002199771f67c5 /doc
parentf2b3dda12a731c2e0971cb7889728edaf23f6cb0 (diff)
New upstream version 2.5.5upstream/2.5.5upstream
Diffstat (limited to 'doc')
-rw-r--r--doc/man-sections/client-options.rst69
-rw-r--r--doc/man-sections/link-options.rst2
-rw-r--r--doc/man-sections/server-options.rst65
-rw-r--r--doc/man-sections/vpn-network-options.rst2
-rw-r--r--doc/man-sections/windows-options.rst2
-rw-r--r--doc/openvpn.8156
-rw-r--r--doc/openvpn.8.html128
7 files changed, 219 insertions, 205 deletions
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index c5b7ad9..92a02e2 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -251,6 +251,75 @@ configuration.
next remote succeeds. To silently ignore an option pushed by the server,
use :code:`ignore`.
+--push-peer-info
+ Push additional information about the client to server. The following
+ data is always pushed to the server:
+
+ :code:`IV_VER=<version>`
+ The client OpenVPN version
+
+ :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]`
+ The client OS platform
+
+ :code:`IV_LZO_STUB=1`
+ If client was built with LZO stub capability
+
+ :code:`IV_LZ4=1`
+ If the client supports LZ4 compressions.
+
+ :code:`IV_PROTO`
+ Details about protocol extensions that the peer supports. The
+ variable is a bitfield and the bits are defined as follows
+ (starting a bit 0 for the first (unused) bit:
+
+ - bit 1: The peer supports peer-id floating mechanism
+ - bit 2: The client expects a push-reply and the server may
+ send this reply without waiting for a push-request first.
+ - bit 3: The client is capable of doing key derivation using
+ RFC5705 key material exporter.
+ - bit 4: The client is capable of accepting additional arguments
+ to the `AUTH_PENDING` message.
+
+ :code:`IV_NCP=2`
+ Negotiable ciphers, client supports ``--cipher`` pushed by
+ the server, a value of 2 or greater indicates client supports
+ *AES-GCM-128* and *AES-GCM-256*.
+
+ :code:`IV_CIPHERS=<ncp-ciphers>`
+ The client announces the list of supported ciphers configured with the
+ ``--data-ciphers`` option to the server.
+
+ :code:`IV_GUI_VER=<gui_id> <version>`
+ The UI version of a UI if one is running, for example
+ :code:`de.blinkt.openvpn 0.5.47` for the Android app.
+
+ :code:`IV_SSO=[crtext,][openurl,][proxy_url]`
+ Additional authentication methods supported by the client.
+ This may be set by the client UI/GUI using ``--setenv``
+
+ When ``--push-peer-info`` is enabled the additional information consists
+ of the following data:
+
+ :code:`IV_HWADDR=<string>`
+ This is intended to be a unique and persistent ID of the client.
+ The string value can be any readable ASCII string up to 64 bytes.
+ OpenVPN 2.x and some other implementations use the MAC address of
+ the client's interface used to reach the default gateway. If this
+ string is generated by the client, it should be consistent and
+ preserved across independent session and preferably
+ re-installations and upgrades.
+
+ :code:`IV_SSL=<version string>`
+ The ssl version used by the client, e.g.
+ :code:`OpenSSL 1.0.2f 28 Jan 2016`.
+
+ :code:`IV_PLAT_VER=x.y`
+ The version of the operating system, e.g. 6.1 for Windows 7.
+
+ :code:`UV_<name>=<value>`
+ Client environment variables whose names start with
+ :code:`UV_`
+
--remote args
Remote host name or IP address, port and protocol.
diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst
index c132a62..ff581cf 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -213,7 +213,7 @@ the local and the remote host.
This option is useful in cases where the remote peer has a dynamic IP
address and a low-TTL DNS name is used to track the IP address using a
- service such as http://dyndns.org/ + a dynamic DNS client such as
+ service such as https://www.nsupdate.info/ + a dynamic DNS client such as
``ddclient``.
If the peer cannot be reached, a restart will be triggered, causing the
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index ac0df55..55c2c30 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -449,71 +449,6 @@ fast hardware. SSL/TLS authentication must be used in this mode.
``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
``--rcvbuf``
---push-peer-info
- Push additional information about the client to server. The following
- data is always pushed to the server:
-
- :code:`IV_VER=<version>`
- The client OpenVPN version
-
- :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]`
- The client OS platform
-
- :code:`IV_LZO_STUB=1`
- If client was built with LZO stub capability
-
- :code:`IV_LZ4=1`
- If the client supports LZ4 compressions.
-
- :code:`IV_PROTO`
- Details about protocol extensions that the peer supports. The
- variable is a bitfield and the bits are defined as follows
- (starting a bit 0 for the first (unused) bit:
-
- - bit 1: The peer supports peer-id floating mechanism
- - bit 2: The client expects a push-reply and the server may
- send this reply without waiting for a push-request first.
-
- :code:`IV_NCP=2`
- Negotiable ciphers, client supports ``--cipher`` pushed by
- the server, a value of 2 or greater indicates client supports
- *AES-GCM-128* and *AES-GCM-256*.
-
- :code:`IV_CIPHERS=<ncp-ciphers>`
- The client announces the list of supported ciphers configured with the
- ``--data-ciphers`` option to the server.
-
- :code:`IV_GUI_VER=<gui_id> <version>`
- The UI version of a UI if one is running, for example
- :code:`de.blinkt.openvpn 0.5.47` for the Android app.
-
- :code:`IV_SSO=[crtext,][openurl,][proxy_url]`
- Additional authentication methods supported by the client.
- This may be set by the client UI/GUI using ``--setenv``
-
- When ``--push-peer-info`` is enabled the additional information consists
- of the following data:
-
- :code:`IV_HWADDR=<string>`
- This is intended to be a unique and persistent ID of the client.
- The string value can be any readable ASCII string up to 64 bytes.
- OpenVPN 2.x and some other implementations use the MAC address of
- the client's interface used to reach the default gateway. If this
- string is generated by the client, it should be consistent and
- preserved across independent session and preferably
- re-installations and upgrades.
-
- :code:`IV_SSL=<version string>`
- The ssl version used by the client, e.g.
- :code:`OpenSSL 1.0.2f 28 Jan 2016`.
-
- :code:`IV_PLAT_VER=x.y`
- The version of the operating system, e.g. 6.1 for Windows 7.
-
- :code:`UV_<name>=<value>`
- Client environment variables whose names start with
- :code:`UV_`
-
--push-remove opt
Selectively remove all ``--push`` options matching "opt" from the option
list for a client. ``opt`` is matched as a substring against the whole
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 029834a..25a26b3 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -107,7 +107,7 @@ routing.
``OpenVPN for Android`` client also handles them internally.
On all other platforms these options are only saved in the client's
- environment under the name :code:`foreign_options_{n}` before the
+ environment under the name :code:`foreign_option_{n}` before the
``--up`` script is called. A plugin or an ``--up`` script must be used to
pick up and interpret these as required. Many Linux distributions include
such scripts and some third-party user interfaces such as tunnelblick also
diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst
index eacb9af..c389fbc 100644
--- a/doc/man-sections/windows-options.rst
+++ b/doc/man-sections/windows-options.rst
@@ -93,7 +93,7 @@ Windows-Specific Options
server to masquerade as if it were coming from the remote endpoint.
The optional offset parameter is an integer which is > :code:`-256`
- and < :code:`256` and which defaults to -1. If offset is positive,
+ and < :code:`256` and which defaults to 0. If offset is positive,
the DHCP server will masquerade as the IP address at network
address + offset. If offset is negative, the DHCP server will
masquerade as the IP address at broadcast address + offset.
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index ceb6348..6eb6167 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1282,6 +1282,84 @@ reconnect, unless multiple remotes are specified and connection to the
next remote succeeds. To silently ignore an option pushed by the server,
use \fBignore\fP\&.
.TP
+.B \-\-push\-peer\-info
+Push additional information about the client to server. The following
+data is always pushed to the server:
+.INDENT 7.0
+.TP
+.B \fBIV_VER=<version>\fP
+The client OpenVPN version
+.TP
+.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP
+The client OS platform
+.TP
+.B \fBIV_LZO_STUB=1\fP
+If client was built with LZO stub capability
+.TP
+.B \fBIV_LZ4=1\fP
+If the client supports LZ4 compressions.
+.TP
+.B \fBIV_PROTO\fP
+Details about protocol extensions that the peer supports. The
+variable is a bitfield and the bits are defined as follows
+(starting a bit 0 for the first (unused) bit:
+.INDENT 7.0
+.IP \(bu 2
+bit 1: The peer supports peer\-id floating mechanism
+.IP \(bu 2
+bit 2: The client expects a push\-reply and the server may
+send this reply without waiting for a push\-request first.
+.IP \(bu 2
+bit 3: The client is capable of doing key derivation using
+RFC5705 key material exporter.
+.IP \(bu 2
+bit 4: The client is capable of accepting additional arguments
+to the \fIAUTH_PENDING\fP message.
+.UNINDENT
+.TP
+.B \fBIV_NCP=2\fP
+Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by
+the server, a value of 2 or greater indicates client supports
+\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&.
+.TP
+.B \fBIV_CIPHERS=<ncp\-ciphers>\fP
+The client announces the list of supported ciphers configured with the
+\fB\-\-data\-ciphers\fP option to the server.
+.TP
+.B \fBIV_GUI_VER=<gui_id> <version>\fP
+The UI version of a UI if one is running, for example
+\fBde.blinkt.openvpn 0.5.47\fP for the Android app.
+.TP
+.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP
+Additional authentication methods supported by the client.
+This may be set by the client UI/GUI using \fB\-\-setenv\fP
+.UNINDENT
+.sp
+When \fB\-\-push\-peer\-info\fP is enabled the additional information consists
+of the following data:
+.INDENT 7.0
+.TP
+.B \fBIV_HWADDR=<string>\fP
+This is intended to be a unique and persistent ID of the client.
+The string value can be any readable ASCII string up to 64 bytes.
+OpenVPN 2.x and some other implementations use the MAC address of
+the client\(aqs interface used to reach the default gateway. If this
+string is generated by the client, it should be consistent and
+preserved across independent session and preferably
+re\-installations and upgrades.
+.TP
+.B \fBIV_SSL=<version string>\fP
+The ssl version used by the client, e.g.
+\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&.
+.TP
+.B \fBIV_PLAT_VER=x.y\fP
+The version of the operating system, e.g. 6.1 for Windows 7.
+.TP
+.B \fBUV_<name>=<value>\fP
+Client environment variables whose names start with
+\fBUV_\fP
+.UNINDENT
+.TP
.BI \-\-remote \ args
Remote host name or IP address, port and protocol.
.sp
@@ -2043,78 +2121,6 @@ This is a partial list of options which can currently be pushed:
\fB\-\-echo\fP, \fB\-\-comp\-lzo\fP, \fB\-\-socket\-flags\fP, \fB\-\-sndbuf\fP,
\fB\-\-rcvbuf\fP
.TP
-.B \-\-push\-peer\-info
-Push additional information about the client to server. The following
-data is always pushed to the server:
-.INDENT 7.0
-.TP
-.B \fBIV_VER=<version>\fP
-The client OpenVPN version
-.TP
-.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP
-The client OS platform
-.TP
-.B \fBIV_LZO_STUB=1\fP
-If client was built with LZO stub capability
-.TP
-.B \fBIV_LZ4=1\fP
-If the client supports LZ4 compressions.
-.TP
-.B \fBIV_PROTO\fP
-Details about protocol extensions that the peer supports. The
-variable is a bitfield and the bits are defined as follows
-(starting a bit 0 for the first (unused) bit:
-.INDENT 7.0
-.IP \(bu 2
-bit 1: The peer supports peer\-id floating mechanism
-.IP \(bu 2
-bit 2: The client expects a push\-reply and the server may
-send this reply without waiting for a push\-request first.
-.UNINDENT
-.TP
-.B \fBIV_NCP=2\fP
-Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by
-the server, a value of 2 or greater indicates client supports
-\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&.
-.TP
-.B \fBIV_CIPHERS=<ncp\-ciphers>\fP
-The client announces the list of supported ciphers configured with the
-\fB\-\-data\-ciphers\fP option to the server.
-.TP
-.B \fBIV_GUI_VER=<gui_id> <version>\fP
-The UI version of a UI if one is running, for example
-\fBde.blinkt.openvpn 0.5.47\fP for the Android app.
-.TP
-.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP
-Additional authentication methods supported by the client.
-This may be set by the client UI/GUI using \fB\-\-setenv\fP
-.UNINDENT
-.sp
-When \fB\-\-push\-peer\-info\fP is enabled the additional information consists
-of the following data:
-.INDENT 7.0
-.TP
-.B \fBIV_HWADDR=<string>\fP
-This is intended to be a unique and persistent ID of the client.
-The string value can be any readable ASCII string up to 64 bytes.
-OpenVPN 2.x and some other implementations use the MAC address of
-the client\(aqs interface used to reach the default gateway. If this
-string is generated by the client, it should be consistent and
-preserved across independent session and preferably
-re\-installations and upgrades.
-.TP
-.B \fBIV_SSL=<version string>\fP
-The ssl version used by the client, e.g.
-\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&.
-.TP
-.B \fBIV_PLAT_VER=x.y\fP
-The version of the operating system, e.g. 6.1 for Windows 7.
-.TP
-.B \fBUV_<name>=<value>\fP
-Client environment variables whose names start with
-\fBUV_\fP
-.UNINDENT
-.TP
.BI \-\-push\-remove \ opt
Selectively remove all \fB\-\-push\fP options matching "opt" from the option
list for a client. \fBopt\fP is matched as a substring against the whole
@@ -3988,7 +3994,7 @@ remote.
.sp
This option is useful in cases where the remote peer has a dynamic IP
address and a low\-TTL DNS name is used to track the IP address using a
-service such as \fI\%http://dyndns.org/\fP + a dynamic DNS client such as
+service such as \fI\%https://www.nsupdate.info/\fP + a dynamic DNS client such as
\fBddclient\fP\&.
.sp
If the peer cannot be reached, a restart will be triggered, causing the
@@ -4333,7 +4339,7 @@ if dhcp is disabled or the \fBwintun\fP driver is in use. The
\fBOpenVPN for Android\fP client also handles them internally.
.sp
On all other platforms these options are only saved in the client\(aqs
-environment under the name \fBforeign_options_{n}\fP before the
+environment under the name \fBforeign_option_{n}\fP before the
\fB\-\-up\fP script is called. A plugin or an \fB\-\-up\fP script must be used to
pick up and interpret these as required. Many Linux distributions include
such scripts and some third\-party user interfaces such as tunnelblick also
@@ -6190,7 +6196,7 @@ server address. In \fB\-\-dev tun\fP mode, OpenVPN will cause the DHCP
server to masquerade as if it were coming from the remote endpoint.
.sp
The optional offset parameter is an integer which is > \fB\-256\fP
-and < \fB256\fP and which defaults to \-1. If offset is positive,
+and < \fB256\fP and which defaults to 0. If offset is positive,
the DHCP server will masquerade as the IP address at network
address + offset. If offset is negative, the DHCP server will
masquerade as the IP address at broadcast address + offset.
diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
index 1c0c65e..1dec6f7 100644
--- a/doc/openvpn.8.html
+++ b/doc/openvpn.8.html
@@ -1436,6 +1436,69 @@ reconnect, unless multiple remotes are specified and connection to the
next remote succeeds. To silently ignore an option pushed by the server,
use <code>ignore</code>.</p>
</td></tr>
+<tr><td class="option-group" colspan="2">
+<kbd><span class="option">--push-peer-info</span></kbd></td>
+</tr>
+<tr><td>&nbsp;</td><td><p class="first">Push additional information about the client to server. The following
+data is always pushed to the server:</p>
+<dl class="docutils">
+<dt><code>IV_VER=&lt;version&gt;</code></dt>
+<dd>The client OpenVPN version</dd>
+<dt><code>IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]</code></dt>
+<dd>The client OS platform</dd>
+<dt><code>IV_LZO_STUB=1</code></dt>
+<dd>If client was built with LZO stub capability</dd>
+<dt><code>IV_LZ4=1</code></dt>
+<dd>If the client supports LZ4 compressions.</dd>
+<dt><code>IV_PROTO</code></dt>
+<dd><p class="first">Details about protocol extensions that the peer supports. The
+variable is a bitfield and the bits are defined as follows
+(starting a bit 0 for the first (unused) bit:</p>
+<ul class="last simple">
+<li>bit 1: The peer supports peer-id floating mechanism</li>
+<li>bit 2: The client expects a push-reply and the server may
+send this reply without waiting for a push-request first.</li>
+<li>bit 3: The client is capable of doing key derivation using
+RFC5705 key material exporter.</li>
+<li>bit 4: The client is capable of accepting additional arguments
+to the <cite>AUTH_PENDING</cite> message.</li>
+</ul>
+</dd>
+<dt><code>IV_NCP=2</code></dt>
+<dd>Negotiable ciphers, client supports <tt class="docutils literal"><span class="pre">--cipher</span></tt> pushed by
+the server, a value of 2 or greater indicates client supports
+<em>AES-GCM-128</em> and <em>AES-GCM-256</em>.</dd>
+<dt><code>IV_CIPHERS=&lt;ncp-ciphers&gt;</code></dt>
+<dd>The client announces the list of supported ciphers configured with the
+<tt class="docutils literal"><span class="pre">--data-ciphers</span></tt> option to the server.</dd>
+<dt><code>IV_GUI_VER=&lt;gui_id&gt; &lt;version&gt;</code></dt>
+<dd>The UI version of a UI if one is running, for example
+<code>de.blinkt.openvpn 0.5.47</code> for the Android app.</dd>
+<dt><code>IV_SSO=[crtext,][openurl,][proxy_url]</code></dt>
+<dd>Additional authentication methods supported by the client.
+This may be set by the client UI/GUI using <tt class="docutils literal"><span class="pre">--setenv</span></tt></dd>
+</dl>
+<p>When <tt class="docutils literal"><span class="pre">--push-peer-info</span></tt> is enabled the additional information consists
+of the following data:</p>
+<dl class="last docutils">
+<dt><code>IV_HWADDR=&lt;string&gt;</code></dt>
+<dd>This is intended to be a unique and persistent ID of the client.
+The string value can be any readable ASCII string up to 64 bytes.
+OpenVPN 2.x and some other implementations use the MAC address of
+the client's interface used to reach the default gateway. If this
+string is generated by the client, it should be consistent and
+preserved across independent session and preferably
+re-installations and upgrades.</dd>
+<dt><code>IV_SSL=&lt;version string&gt;</code></dt>
+<dd>The ssl version used by the client, e.g.
+<code>OpenSSL 1.0.2f 28 Jan 2016</code>.</dd>
+<dt><code>IV_PLAT_VER=x.y</code></dt>
+<dd>The version of the operating system, e.g. 6.1 for Windows 7.</dd>
+<dt><code>UV_&lt;name&gt;=&lt;value&gt;</code></dt>
+<dd>Client environment variables whose names start with
+<code>UV_</code></dd>
+</dl>
+</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--remote <var>args</var></span></kbd></td>
<td><p class="first">Remote host name or IP address, port and protocol.</p>
@@ -2058,65 +2121,6 @@ server can be initiated.</p>
<tt class="docutils literal"><span class="pre">--rcvbuf</span></tt></p>
</td></tr>
<tr><td class="option-group" colspan="2">
-<kbd><span class="option">--push-peer-info</span></kbd></td>
-</tr>
-<tr><td>&nbsp;</td><td><p class="first">Push additional information about the client to server. The following
-data is always pushed to the server:</p>
-<dl class="docutils">
-<dt><code>IV_VER=&lt;version&gt;</code></dt>
-<dd>The client OpenVPN version</dd>
-<dt><code>IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]</code></dt>
-<dd>The client OS platform</dd>
-<dt><code>IV_LZO_STUB=1</code></dt>
-<dd>If client was built with LZO stub capability</dd>
-<dt><code>IV_LZ4=1</code></dt>
-<dd>If the client supports LZ4 compressions.</dd>
-<dt><code>IV_PROTO</code></dt>
-<dd><p class="first">Details about protocol extensions that the peer supports. The
-variable is a bitfield and the bits are defined as follows
-(starting a bit 0 for the first (unused) bit:</p>
-<ul class="last simple">
-<li>bit 1: The peer supports peer-id floating mechanism</li>
-<li>bit 2: The client expects a push-reply and the server may
-send this reply without waiting for a push-request first.</li>
-</ul>
-</dd>
-<dt><code>IV_NCP=2</code></dt>
-<dd>Negotiable ciphers, client supports <tt class="docutils literal"><span class="pre">--cipher</span></tt> pushed by
-the server, a value of 2 or greater indicates client supports
-<em>AES-GCM-128</em> and <em>AES-GCM-256</em>.</dd>
-<dt><code>IV_CIPHERS=&lt;ncp-ciphers&gt;</code></dt>
-<dd>The client announces the list of supported ciphers configured with the
-<tt class="docutils literal"><span class="pre">--data-ciphers</span></tt> option to the server.</dd>
-<dt><code>IV_GUI_VER=&lt;gui_id&gt; &lt;version&gt;</code></dt>
-<dd>The UI version of a UI if one is running, for example
-<code>de.blinkt.openvpn 0.5.47</code> for the Android app.</dd>
-<dt><code>IV_SSO=[crtext,][openurl,][proxy_url]</code></dt>
-<dd>Additional authentication methods supported by the client.
-This may be set by the client UI/GUI using <tt class="docutils literal"><span class="pre">--setenv</span></tt></dd>
-</dl>
-<p>When <tt class="docutils literal"><span class="pre">--push-peer-info</span></tt> is enabled the additional information consists
-of the following data:</p>
-<dl class="last docutils">
-<dt><code>IV_HWADDR=&lt;string&gt;</code></dt>
-<dd>This is intended to be a unique and persistent ID of the client.
-The string value can be any readable ASCII string up to 64 bytes.
-OpenVPN 2.x and some other implementations use the MAC address of
-the client's interface used to reach the default gateway. If this
-string is generated by the client, it should be consistent and
-preserved across independent session and preferably
-re-installations and upgrades.</dd>
-<dt><code>IV_SSL=&lt;version string&gt;</code></dt>
-<dd>The ssl version used by the client, e.g.
-<code>OpenSSL 1.0.2f 28 Jan 2016</code>.</dd>
-<dt><code>IV_PLAT_VER=x.y</code></dt>
-<dd>The version of the operating system, e.g. 6.1 for Windows 7.</dd>
-<dt><code>UV_&lt;name&gt;=&lt;value&gt;</code></dt>
-<dd>Client environment variables whose names start with
-<code>UV_</code></dd>
-</dl>
-</td></tr>
-<tr><td class="option-group" colspan="2">
<kbd><span class="option">--push-remove <var>opt</var></span></kbd></td>
</tr>
<tr><td>&nbsp;</td><td><p class="first">Selectively remove all <tt class="docutils literal"><span class="pre">--push</span></tt> options matching &quot;opt&quot; from the option
@@ -3602,7 +3606,7 @@ data is exchanged.</p>
remote.</p>
<p>This option is useful in cases where the remote peer has a dynamic IP
address and a low-TTL DNS name is used to track the IP address using a
-service such as <a class="reference external" href="http://dyndns.org/">http://dyndns.org/</a> + a dynamic DNS client such as
+service such as <a class="reference external" href="https://www.nsupdate.info/">https://www.nsupdate.info/</a> + a dynamic DNS client such as
<tt class="docutils literal">ddclient</tt>.</p>
<p>If the peer cannot be reached, a restart will be triggered, causing the
hostname used with <tt class="docutils literal"><span class="pre">--remote</span></tt> to be re-resolved (if <tt class="docutils literal"><span class="pre">--resolv-retry</span></tt>
@@ -3888,7 +3892,7 @@ handled by the <tt class="docutils literal"><span class="pre">tap-windows6</span
if dhcp is disabled or the <tt class="docutils literal">wintun</tt> driver is in use. The
<tt class="docutils literal">OpenVPN for Android</tt> client also handles them internally.</p>
<p>On all other platforms these options are only saved in the client's
-environment under the name <code>foreign_options_{n}</code> before the
+environment under the name <code>foreign_option_{n}</code> before the
<tt class="docutils literal"><span class="pre">--up</span></tt> script is called. A plugin or an <tt class="docutils literal"><span class="pre">--up</span></tt> script must be used to
pick up and interpret these as required. Many Linux distributions include
such scripts and some third-party user interfaces such as tunnelblick also
@@ -5415,7 +5419,7 @@ the IP address <code>192.168.4.0</code> to use as the virtual DHCP
server address. In <tt class="docutils literal"><span class="pre">--dev</span> tun</tt> mode, OpenVPN will cause the DHCP
server to masquerade as if it were coming from the remote endpoint.</p>
<p>The optional offset parameter is an integer which is &gt; <code>-256</code>
-and &lt; <code>256</code> and which defaults to -1. If offset is positive,
+and &lt; <code>256</code> and which defaults to 0. If offset is positive,
the DHCP server will masquerade as the IP address at network
address + offset. If offset is negative, the DHCP server will
masquerade as the IP address at broadcast address + offset.</p>