authorBernhard Schmidt <Bernhard.Schmidt@lrz.de>2018-03-04 22:55:51 +0100
committerBernhard Schmidt <Bernhard.Schmidt@lrz.de>2018-03-04 22:55:51 +0100
commit528d142b4be4618a00d506414c95485d679f7297 (patch)
tree118c2b9adb156a129bd0a04d980f00ba01fc8264 /doc
parentbd24a09dcb08e98bba26e316fd46e1b5d0590afb (diff)
parent4afa7ed562410a1170223a7bc06efb3708af6a36 (diff)
Update upstream source from tag 'upstream/2.4.5'
Update to upstream version '2.4.5' with Debian dir bfadc11012753514e3836a4dc88a94fd7d0f8314
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.am2
-rw-r--r--doc/Makefile.in28
-rw-r--r--doc/management-notes.txt9
-rw-r--r--doc/openvpn.8141
4 files changed, 117 insertions, 63 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index dedd1fa..f3a24a7 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -5,7 +5,7 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
diff --git a/doc/Makefile.in b/doc/Makefile.in
index d3269cd..4ac438e 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -21,12 +21,22 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -91,8 +101,6 @@ build_triplet = @build@
host_triplet = @host@
@WIN32_TRUE@am__append_1 = openvpn.8
subdir = doc
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -103,6 +111,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \
+ $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -162,6 +172,7 @@ MANS = $(dist_man_MANS)
am__dist_noinst_DATA_DIST = README.plugins openvpn.8
DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -210,6 +221,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -330,6 +342,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sampledir = @sampledir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
@@ -366,7 +379,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign doc/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -637,6 +649,8 @@ uninstall-man: uninstall-man8
ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \
uninstall-man uninstall-man8 uninstall-nodist_htmlDATA
+.PRECIOUS: Makefile
+
@WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8
@WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 29c3aad..908b981 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -317,6 +317,11 @@ COMMAND -- password and username
>PASSWORD:Verification Failed: 'custom server-generated string'
+ Example 6: If server pushes --auth-token to the client, the OpenVPN
+ will produce a real-time PASSWORD message:
+
+ >PASSWORD:Auth-Token:foobar
+
COMMAND -- forget-passwords
---------------------------
@@ -357,6 +362,8 @@ ADD_ROUTES -- Adding routes to system.
CONNECTED -- Initialization Sequence Completed.
RECONNECTING -- A restart has occurred.
EXITING -- A graceful exit is in progress.
+RESOLVE -- (Client only) DNS lookup
+TCP_CONNECT -- (Client only) Connecting to TCP server
Command examples:
@@ -420,7 +427,7 @@ info on verbosity levels.
Command examples:
verb 4 -- change the verb parameter to 4
- mute -- show the current verb setting
+ verb -- show the current verb setting
COMMAND -- version
------------------
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 0b3e1ad..f8627ab 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4,7 +4,7 @@
.\" packet encryption, packet authentication, and
.\" packet compression.
.\"
-.\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+.\" Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License version 2
@@ -33,7 +33,15 @@
.\" .ft -- normal face
.\" .in +|-{n} -- indent
.\"
-.TH openvpn 8 "25 August 2016"
+.\" Support macros - this is not present on all platforms
+.\" Continuation line for .TP header.
+.de TQ
+. br
+. ns
+. TP \\$1\" no doublequotes around argument!
+..
+.\" End of TQ macro
+.TH openvpn 8 "28 February 2018"
.\"*********************************************************
.SH NAME
openvpn \- secure IP tunnel daemon.
@@ -1621,7 +1629,7 @@ and
.B \-\-ping\-restart.
This option can be used on both client and server side, but it is
-in enough to add this on the server side as it will push appropriate
+enough to add this on the server side as it will push appropriate
.B \-\-ping
and
.B \-\-ping\-restart
@@ -2547,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable
compression for a period of time until the next re\-sample test.
.\"*********************************************************
.TP
+.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended)
+.TQ
.B \-\-management IP port [pw\-file]
-Enable a TCP server on
-.B IP:port
-to handle daemon management functions.
-.B pw\-file,
-if specified,
-is a password file (password on first line)
-or "stdin" to prompt from standard input. The password
-provided will set the password which TCP clients will need
-to provide in order to access management functions.
-
-The management interface can also listen on a unix domain socket,
-for those platforms that support it. To use a unix domain socket, specify
-the unix socket pathname in place of
-.B IP
-and set
-.B port
-to 'unix'. While the default behavior is to create a unix domain socket
-that may be connected to by any process, the
+Enable a management server on a
+.B socket\-name
+Unix socket on those platforms supporting it, or on
+a designated TCP port.
+
+.B pw\-file
+, if specified, is a password file where the password must be on first line.
+Instead of a filename it can use the keyword stdin which will prompt the user
+for a password to use when OpenVPN is starting.
+
+For unix sockets, the default behaviour is to create a unix domain socket
+that may be connected to by any process. Use the
.B \-\-management\-client\-user
and
.B \-\-management\-client\-group
-directives can be used to restrict access.
-
-The management interface provides a special mode where the TCP
-management link can operate over the tunnel itself. To enable this mode,
-set
-.B IP
-= "tunnel". Tunnel mode will cause the management interface
-to listen for a TCP connection on the local VPN address of the
-TUN/TAP interface.
+directives to restrict access.
+
+The management interface provides a special mode where the TCP management link
+can operate over the tunnel itself. To enable this mode, set IP to
+.B tunnel.
+Tunnel mode will cause the management interface to listen for a
+TCP connection on the local VPN address of the TUN/TAP interface.
+
+.B BEWARE
+of enabling the management interface over TCP. In these cases you should
+.I ALWAYS
+make use of
+.B pw\-file
+to password protect the management interface. Any user who can connect to this
+TCP
+.B IP:port
+will be able to manage and control (and interfere with) the OpenVPN process.
+It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict
+accessibility of the management server to local clients.
-While the management port is designed for programmatic control
-of OpenVPN by other applications, it is possible to telnet
-to the port, using a telnet client in "raw" mode. Once connected,
-type "help" for a list of commands.
+While the management port is designed for programmatic control of OpenVPN by
+other applications, it is possible to telnet to the port, using a telnet client
+in "raw" mode. Once connected, type "help" for a list of commands.
-For detailed documentation on the management interface, see
-the management\-notes.txt file in the
-.B management
-folder of
-the OpenVPN source distribution.
+For detailed documentation on the management interface, see the
+.I management\-notes.txt
+file in the management folder of the OpenVPN source distribution.
-It is strongly recommended that
-.B IP
-be set to 127.0.0.1
-(localhost) to restrict accessibility of the management
-server to local clients.
.TP
.B \-\-management\-client
Management interface will connect as a TCP/unix domain client to
@@ -4918,6 +4924,37 @@ when using mbed TLS or
OpenSSL.
.\"*********************************************************
.TP
+.B \-\-tls\-cert\-profile profile
+Set the allowed cryptographic algorithms for certificates according to
+.B profile\fN.
+
+The following profiles are supported:
+
+.B legacy
+(default): SHA1 and newer, RSA 2048-bit+, any elliptic curve.
+
+.B preferred
+: SHA2 and newer, RSA 2048-bit+, any elliptic curve.
+
+.B suiteb
+: SHA256/SHA384, ECDSA with P-256 or P-384.
+
+This option is only fully supported for mbed TLS builds. OpenSSL builds use
+the following approximation:
+
+.B legacy
+(default): sets "security level 1"
+
+.B preferred
+: sets "security level 2"
+
+.B suiteb
+: sets "security level 3" and \-\-tls\-cipher "SUITEB128".
+
+OpenVPN will migrate to 'preferred' as default in the future. Please ensure
+that your keys already comply.
+.\"*********************************************************
+.TP
.B \-\-tls\-timeout n
Packet retransmit timeout on TLS control channel
if no acknowledgment from remote within
@@ -5806,17 +5843,13 @@ across the VPN.
Set Connection\-specific DNS Suffix.
.B DNS addr \-\-
-Set primary domain name server IPv4 address. Repeat
+Set primary domain name server IPv4 or IPv6 address. Repeat
this option to set secondary DNS server addresses.
-.B DNS6 addr \-\-
-Set primary domain name server IPv6 address. Repeat
-this option to set secondary DNS server IPv6 addresses.
-
-Note: currently this is handled using netsh (the
-existing DHCP code can only do IPv4 DHCP, and that protocol only
-permits IPv4 addresses anywhere). The option will be put into the
-environment, so an
+Note: DNS IPv6 servers are currently set using netsh (the existing
+DHCP code can only do IPv4 DHCP, and that protocol only permits IPv4
+addresses anywhere). The option will be put into the environment, so
+an
.B \-\-up
script could act upon it if needed.
@@ -7238,7 +7271,7 @@ For more information on the LZO real\-time compression library see
.I http://www.oberhumer.com/opensource/lzo/
.\"*********************************************************
.SH COPYRIGHT
-Copyright (C) 2002\-2017 OpenVPN Technologies, Inc. This program is free software;
+Copyright (C) 2002\-2018 OpenVPN Inc This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.