summaryrefslogtreecommitdiff
path: root/doc/openvpn.8
diff options
context:
space:
mode:
Diffstat (limited to 'doc/openvpn.8')
-rw-r--r--doc/openvpn.8112
1 files changed, 63 insertions, 49 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 203dd46..25ea9f9 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1119,8 +1119,8 @@ When used with
.B \-\-client
or
.B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.
When used on the client, this option effectively bars the
server from adding routes to the client's routing table,
@@ -1412,12 +1412,12 @@ connection problems) with the following options:
.TP
.B \-\-sndbuf size
Set the TCP/UDP socket send buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
.\"*********************************************************
.TP
.B \-\-rcvbuf size
Set the TCP/UDP socket receive buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
.\"*********************************************************
.TP
.B \-\-mark value
@@ -3683,10 +3683,8 @@ over the client's routing table.
.B \-\-auth\-user\-pass [up]
Authenticate with server using username/password.
.B up
-is a file containing username/password on 2 lines (Note: OpenVPN
-will only read passwords from a file if it has been built
-with the \-\-enable\-password\-save configure option, or on Windows
-by defining ENABLE_PASSWORD_SAVE in win/settings.in).
+is a file containing username/password on 2 lines. If the
+password line is missing, OpenVPN will prompt for one.
If
.B up
@@ -4775,10 +4773,7 @@ is specified, read the password from the first line of
.B file.
Keep in mind that storing your password in a file
to a certain extent invalidates the extra security provided by
-using an encrypted key (Note: OpenVPN
-will only read passwords from a file if it has been built
-with the \-\-enable\-password\-save configure option, or on Windows
-by defining ENABLE_PASSWORD_SAVE in win/settings.in).
+using an encrypted key.
.\"*********************************************************
.TP
.B \-\-auth\-nocache
@@ -5453,6 +5448,14 @@ adapter list to the syslog or log file after the TUN/TAP adapter
has been brought up and any routes have been added.
.\"*********************************************************
.TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses
+Windows Filtering Platform (WFP) and works on Windows Vista or
+later.
+.\"*********************************************************
+.TP
.B \-\-dhcp\-renew
Ask Windows to renew the TAP adapter lease on startup.
This option is normally unnecessary, as Windows automatically
@@ -5818,6 +5821,17 @@ or
script execution.
.\"*********************************************************
.TP
+.B dev_idx
+On Windows, the device index of the TUN/TAP adapter (to
+be used in netsh.exe calls which sometimes just do not work
+right with interface names).
+Set prior to
+.B \-\-up
+or
+.B \-\-down
+script execution.
+.\"*********************************************************
+.TP
.B foreign_option_{n}
An option pushed via
.B \-\-push
@@ -6454,13 +6468,13 @@ for use with OpenVPN.
.SS VPN Address Setup:
For purposes
of our example, our two machines will be called
-.B may.kg
+.B bob.example.com
and
-.B june.kg.
+.B alice.example.com.
If you are constructing a VPN over the internet, then replace
-.B may.kg
+.B bob.example.com
and
-.B june.kg
+.B alice.example.com
with the internet hostname or IP address that each machine will use
to contact the other over the internet.
@@ -6468,8 +6482,8 @@ Now we will choose the tunnel endpoints. Tunnel endpoints are
private IP addresses that only have meaning in the context of
the VPN. Each machine will use the tunnel endpoint of the other
machine to access it over the VPN. In our example,
-the tunnel endpoint for may.kg
-will be 10.4.0.1 and for june.kg, 10.4.0.2.
+the tunnel endpoint for bob.example.com
+will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
Once the VPN is established, you have essentially
created a secure alternate path between the two hosts
@@ -6478,16 +6492,16 @@ control which network
traffic passes between the hosts
(a) over the VPN or (b) independently of the VPN, by choosing whether to use
(a) the VPN endpoint address or (b) the public internet address,
-to access the remote host. For example if you are on may.kg and you wish to connect to june.kg
+to access the remote host. For example if you are on bob.example.com and you wish to connect to alice.example.com
via
.B ssh
without using the VPN (since
.B ssh
has its own built-in security) you would use the command
-.B ssh june.kg.
+.B ssh alice.example.com.
However in the same scenario, you could also use the command
.B telnet 10.4.0.2
-to create a telnet session with june.kg over the VPN, that would
+to create a telnet session with alice.example.com over the VPN, that would
use the VPN to secure the session rather than
.B ssh.
@@ -6502,21 +6516,21 @@ you will get a weird feedback loop.
.\"*********************************************************
.SS Example 1: A simple tunnel without security
.LP
-On may:
+On bob:
.IP
-.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9
+.B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9
.LP
-On june:
+On alice:
.IP
-.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9
+.B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
-On may:
+On bob:
.IP
.B ping 10.4.0.2
.LP
-On june:
+On alice:
.IP
.B ping 10.4.0.1
.LP
@@ -6529,7 +6543,7 @@ program. Omit the
option to have OpenVPN run quietly.
.\"*********************************************************
.SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)
-First build a static key on may.
+First build a static key on bob.
.IP
.B openvpn \-\-genkey \-\-secret key
.LP
@@ -6538,39 +6552,39 @@ This command will build a random key file called
(in ascii format).
Now copy
.B key
-to june over a secure medium such as by
+to alice over a secure medium such as by
using the
.BR scp (1)
program.
.LP
-On may:
+On bob:
.IP
-.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key
+.B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key
.LP
-On june:
+On alice:
.IP
-.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key
+.B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
-On may:
+On bob:
.IP
.B ping 10.4.0.2
.LP
-On june:
+On alice:
.IP
.B ping 10.4.0.1
.\"*********************************************************
.SS Example 3: A tunnel with full TLS-based security
For this test, we will designate
-.B may
+.B bob
as the TLS client and
-.B june
+.B alice
as the TLS server.
.I Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model.
First, build a separate certificate/key pair
-for both may and june (see above where
+for both bob and alice (see above where
.B \-\-cert
is discussed for more info). Then construct
Diffie Hellman parameters (see above where
@@ -6585,21 +6599,21 @@ client.crt and server.crt. For Diffie Hellman
parameters you can use the included file dh1024.pem.
.I Note that all client, server, and certificate authority certificates and keys included in the OpenVPN distribution are totally insecure and should be used for testing only.
.LP
-On may:
+On bob:
.IP
-.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls\-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg\-sec 60 \-\-verb 5
+.B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls\-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg\-sec 60 \-\-verb 5
.LP
-On june:
+On alice:
.IP
-.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls\-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg\-sec 60 \-\-verb 5
+.B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls\-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg\-sec 60 \-\-verb 5
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
-On may:
+On bob:
.IP
.B ping 10.4.0.2
.LP
-On june:
+On alice:
.IP
.B ping 10.4.0.1
.LP
@@ -6619,12 +6633,12 @@ option to use OpenVPN's default key renegotiation interval of one hour.
.SS Routing:
Assuming you can ping across the tunnel,
the next step is to route a real subnet over
-the secure tunnel. Suppose that may and june have two network
+the secure tunnel. Suppose that bob and alice have two network
interfaces each, one connected
to the internet, and the other to a private
network. Our goal is to securely connect
-both private networks. We will assume that may's private subnet
-is 10.0.0.0/24 and june's is 10.0.1.0/24.
+both private networks. We will assume that bob's private subnet
+is 10.0.0.0/24 and alice's is 10.0.1.0/24.
.LP
First, ensure that IP forwarding is enabled on both peers.
On Linux, enable routing:
@@ -6635,11 +6649,11 @@ and enable TUN packet forwarding through the firewall:
.IP
.B iptables \-A FORWARD \-i tun+ \-j ACCEPT
.LP
-On may:
+On bob:
.IP
.B route add \-net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
.LP
-On june:
+On alice:
.IP
.B route add \-net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
.LP