summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-07 13:14:25 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-07 13:14:25 +0100
commit820804a01d365f6d4f9305b9e072f8393f443fcb (patch)
treefa122587cf4af5ccd339fa4c127c5374ea9fe3b3 /doc
parent354d158b7ea85b6e60c0de67000b1673361904a0 (diff)
parentd53dba59e78da865c4fe820386ff2f4f76925f3b (diff)
Merge tag 'upstream/2.4_rc1'
Upstream version 2.4~rc1
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.in2
-rw-r--r--doc/openvpn.890
2 files changed, 82 insertions, 10 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 8e37bca..1282a54 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e997b09..e61b6bb 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4,7 +4,7 @@
.\" packet encryption, packet authentication, and
.\" packet compression.
.\"
-.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License version 2
@@ -34,7 +34,7 @@
.\" .ft -- normal face
.\" .in +|-{n} -- indent
.\"
-.TH openvpn 8 "17 November 2008"
+.TH openvpn 8 "25 August 2016"
.\"*********************************************************
.SH NAME
openvpn \- secure IP tunnel daemon.
@@ -2928,6 +2928,7 @@ This is a partial list of options which can currently be pushed:
.B \-\-ip\-win32, \-\-dhcp\-option,
.B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart,
.B \-\-setenv,
+.B \-\-auth\-token,
.B \-\-persist\-key, \-\-persist\-tun, \-\-echo,
.B \-\-comp\-lzo,
.B \-\-socket\-flags,
@@ -4147,9 +4148,9 @@ to disable encryption.
As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by
.B \-\-cipher\fR.
See
-.B \-\-ncp-ciphers
+.B \-\-ncp\-ciphers
and
-.B \-\-ncp-disable
+.B \-\-ncp\-disable
for more on NCP.
.\"*********************************************************
@@ -4177,6 +4178,16 @@ If both peers support and do not disable NCP, the negotiated cipher will
override the cipher specified by
.B \-\-cipher\fR.
+Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN
+will inherit the cipher of the peer if that cipher is different from the local
+.B \-\-cipher
+setting, but the peer cipher is one of the ciphers specified in
+.B \-\-ncp\-ciphers\fR.
+E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a
+NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers
+AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or
+"\-\-cipher AES-256-CBC" and both will work.
+
.\"*********************************************************
.TP
.B \-\-ncp\-disable
@@ -5089,6 +5100,57 @@ This directive does not affect the
username/password. It is always cached.
.\"*********************************************************
.TP
+.B \-\-auth\-token token
+This is not an option to be used directly in any configuration files,
+but rather push this option from a
+.B \-\-client\-connect
+script or a
+.B \-\-plugin
+which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or
+OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides
+a possibility to replace the clients password with an authentication
+token during the lifetime of the OpenVPN client.
+
+Whenever the connection is renegotiated and the
+.B \-\-auth\-user\-pass\-verify
+script or
+.B \-\-plugin
+making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is
+triggered, it will pass over this token as the password
+instead of the password the user provided. The authentication
+token can only be reset by a full reconnect where the server
+can push new options to the client. The password the user entered
+is never preserved once an authentication token have been set. If
+the OpenVPN server side rejects the authentication token, the
+client will receive an AUTH_FAIL and disconnect.
+
+The purpose of this is to enable two factor authentication
+methods, such as HOTP or TOTP, to be used without needing to
+retrieve a new OTP code each time the connection is renegotiated.
+Another use case is to cache authentication data on the client
+without needing to have the users password cached in memory
+during the life time of the session.
+
+To make use of this feature, the
+.B \-\-client\-connect
+script or
+.B \-\-plugin
+needs to put
+
+.nf
+.ft 3
+.in +4
+push "auth\-token UNIQUE_TOKEN_VALUE"
+.in -4
+.ft
+.fi
+
+into the file/buffer for dynamic configuration data. This
+will then make the OpenVPN server to push this value to the
+client, which replaces the local password with the
+UNIQUE_TOKEN_VALUE.
+.\"*********************************************************
+.TP
.B \-\-tls\-verify cmd
Run command
.B cmd
@@ -5627,9 +5689,20 @@ across the VPN.
Set Connection-specific DNS Suffix.
.B DNS addr \-\-
-Set primary domain name server address. Repeat
+Set primary domain name server IPv4 address. Repeat
this option to set secondary DNS server addresses.
+.B DNS6 addr \-\-
+Set primary domain name server IPv6 address. Repeat
+this option to set secondary DNS server IPv6 addresses.
+
+Note: currently this is handled using netsh (the
+existing DHCP code can only do IPv4 DHCP, and that protocol only
+permits IPv4 addresses anywhere). The option will be put into the
+environment, so an
+.B \-\-up
+script could act upon it if needed.
+
.B WINS addr \-\-
Set primary WINS server address (NetBIOS over TCP/IP Name Server).
Repeat this option to set secondary WINS server addresses.
@@ -5738,8 +5811,7 @@ above.
.\"*********************************************************
.TP
.B \-\-register\-dns
-Run net stop dnscache, net start dnscache, ipconfig /flushdns
-and ipconfig /registerdns on connection initiation.
+Run ipconfig /flushdns and ipconfig /registerdns on connection initiation.
This is known to kick Windows into
recognizing pushed DNS servers.
.\"*********************************************************
@@ -6613,9 +6685,9 @@ X509_1_C=KG
.SH INLINE FILE SUPPORT
OpenVPN allows including files in the main configuration for the
.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret,
-.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass
+.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls-auth
and
-.B \-\-tls\-auth
+.B \-\-tls\-crypt
options.
Each inline file started by the line