Diffstat (limited to 'doc/openvpn.8')
-rw-r--r-- | doc/openvpn.8 | 156 |
1 files changed, 81 insertions, 75 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index ceb6348..6eb6167 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -1282,6 +1282,84 @@ reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use \fBignore\fP\&. .TP +.B \-\-push\-peer\-info +Push additional information about the client to server. The following +data is always pushed to the server: +.INDENT 7.0 +.TP +.B \fBIV_VER=<version>\fP +The client OpenVPN version +.TP +.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP +The client OS platform +.TP +.B \fBIV_LZO_STUB=1\fP +If client was built with LZO stub capability +.TP +.B \fBIV_LZ4=1\fP +If the client supports LZ4 compressions. +.TP +.B \fBIV_PROTO\fP +Details about protocol extensions that the peer supports. The +variable is a bitfield and the bits are defined as follows +(starting a bit 0 for the first (unused) bit: +.INDENT 7.0 +.IP \(bu 2 +bit 1: The peer supports peer\-id floating mechanism +.IP \(bu 2 +bit 2: The client expects a push\-reply and the server may +send this reply without waiting for a push\-request first. +.IP \(bu 2 +bit 3: The client is capable of doing key derivation using +RFC5705 key material exporter. +.IP \(bu 2 +bit 4: The client is capable of accepting additional arguments +to the \fIAUTH_PENDING\fP message. +.UNINDENT +.TP +.B \fBIV_NCP=2\fP +Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by +the server, a value of 2 or greater indicates client supports +\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. +.TP +.B \fBIV_CIPHERS=<ncp\-ciphers>\fP +The client announces the list of supported ciphers configured with the +\fB\-\-data\-ciphers\fP option to the server. +.TP +.B \fBIV_GUI_VER=<gui_id> <version>\fP +The UI version of a UI if one is running, for example +\fBde.blinkt.openvpn 0.5.47\fP for the Android app. +.TP +.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP +Additional authentication methods supported by the client. 
+This may be set by the client UI/GUI using \fB\-\-setenv\fP +.UNINDENT +.sp +When \fB\-\-push\-peer\-info\fP is enabled the additional information consists +of the following data: +.INDENT 7.0 +.TP +.B \fBIV_HWADDR=<string>\fP +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client\(aqs interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re\-installations and upgrades. +.TP +.B \fBIV_SSL=<version string>\fP +The ssl version used by the client, e.g. +\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. +.TP +.B \fBIV_PLAT_VER=x.y\fP +The version of the operating system, e.g. 6.1 for Windows 7. +.TP +.B \fBUV_<name>=<value>\fP +Client environment variables whose names start with +\fBUV_\fP +.UNINDENT +.TP .BI \-\-remote \ args Remote host name or IP address, port and protocol. .sp 
@@ -2043,78 +2121,6 @@ This is a partial list of options which can currently be pushed: \fB\-\-echo\fP, \fB\-\-comp\-lzo\fP, \fB\-\-socket\-flags\fP, \fB\-\-sndbuf\fP, \fB\-\-rcvbuf\fP .TP -.B \-\-push\-peer\-info -Push additional information about the client to server. The following -data is always pushed to the server: -.INDENT 7.0 -.TP -.B \fBIV_VER=<version>\fP -The client OpenVPN version -.TP -.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP -The client OS platform -.TP -.B \fBIV_LZO_STUB=1\fP -If client was built with LZO stub capability -.TP -.B \fBIV_LZ4=1\fP -If the client supports LZ4 compressions. -.TP -.B \fBIV_PROTO\fP -Details about protocol extensions that the peer supports. The -variable is a bitfield and the bits are defined as follows -(starting a bit 0 for the first (unused) bit: -.INDENT 7.0 -.IP \(bu 2 -bit 1: The peer supports peer\-id floating mechanism -.IP \(bu 2 -bit 2: The client expects a push\-reply and the server may -send this reply without waiting for a push\-request first. -.UNINDENT -.TP -.B \fBIV_NCP=2\fP -Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by -the server, a value of 2 or greater indicates client supports -\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. -.TP -.B \fBIV_CIPHERS=<ncp\-ciphers>\fP -The client announces the list of supported ciphers configured with the -\fB\-\-data\-ciphers\fP option to the server. -.TP -.B \fBIV_GUI_VER=<gui_id> <version>\fP -The UI version of a UI if one is running, for example -\fBde.blinkt.openvpn 0.5.47\fP for the Android app. -.TP -.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP -Additional authentication methods supported by the client. -This may be set by the client UI/GUI using \fB\-\-setenv\fP -.UNINDENT -.sp -When \fB\-\-push\-peer\-info\fP is enabled the additional information consists -of the following data: -.INDENT 7.0 -.TP -.B \fBIV_HWADDR=<string>\fP -This is intended to be a unique and persistent ID of the client. 
-The string value can be any readable ASCII string up to 64 bytes. -OpenVPN 2.x and some other implementations use the MAC address of -the client\(aqs interface used to reach the default gateway. If this -string is generated by the client, it should be consistent and -preserved across independent session and preferably -re\-installations and upgrades. -.TP -.B \fBIV_SSL=<version string>\fP -The ssl version used by the client, e.g. -\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. -.TP -.B \fBIV_PLAT_VER=x.y\fP -The version of the operating system, e.g. 6.1 for Windows 7. -.TP -.B \fBUV_<name>=<value>\fP -Client environment variables whose names start with -\fBUV_\fP -.UNINDENT -.TP .BI \-\-push\-remove \ opt Selectively remove all \fB\-\-push\fP options matching "opt" from the option list for a client. \fBopt\fP is matched as a substring against the whole @@ -3988,7 +3994,7 @@ remote. .sp This option is useful in cases where the remote peer has a dynamic IP address and a low\-TTL DNS name is used to track the IP address using a -service such as \fI\%http://dyndns.org/\fP + a dynamic DNS client such as +service such as \fI\%https://www.nsupdate.info/\fP + a dynamic DNS client such as \fBddclient\fP\&. .sp If the peer cannot be reached, a restart will be triggered, causing the @@ -4333,7 +4339,7 @@ if dhcp is disabled or the \fBwintun\fP driver is in use. The \fBOpenVPN for Android\fP client also handles them internally. .sp On all other platforms these options are only saved in the client\(aqs -environment under the name \fBforeign_options_{n}\fP before the +environment under the name \fBforeign_option_{n}\fP before the \fB\-\-up\fP script is called. A plugin or an \fB\-\-up\fP script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third\-party user interfaces such as tunnelblick also 
@@ -6190,7 +6196,7 @@ server address. In \fB\-\-dev tun\fP mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. .sp The optional offset parameter is an integer which is > \fB\-256\fP -and < \fB256\fP and which defaults to \-1. If offset is positive, +and < \fB256\fP and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. |
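Review bot: The re-added \-\-push\-peer\-info block in hunk @@ -1282,6 +1282,84 @@ is not a verbatim move: its IV_PROTO list carries bit 3 (RFC5705 key material exporter) and bit 4 (additional arguments to AUTH_PENDING), which the copy removed at @@ -2043,78 +2121,6 @@ does not have. Please put the two new bits in a separate commit, or name them in the commit message, so the relocation can be checked as a pure move. While these lines are being touched, "(starting a bit 0 for the first (unused) bit:" needs "at" and a closing parenthesis, and "LZ4 compressions" should be singular. The IV_ and UV_ entries are all values the client chooses to report (the IV_SSO text says it may be set with \-\-setenv), so a sentence telling authors of server-side scripts to treat them as client-supplied input would fit here.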
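Review bot: In hunk @@ -3988,7 +3994,7 @@ the replacement line again names one specific third-party service by URL, which is the kind of reference that went stale and prompted this edit. Since the sentence already reads "a service such as", consider describing the service generically (a dynamic DNS provider) and keeping only \fBddclient\fP as the named example, or at least mention in the commit message why this provider was chosen.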
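Review bot: Hunk @@ -4333,7 +4339,7 @@ corrects foreign_options_{n} to foreign_option_{n} in one place only; please confirm with a search over doc/ that no other occurrence of the old spelling remains, since \-\-up scripts are written against the name the man page gives. The commit message should also state that this is a documentation fix and that the variable name exported by the program is unchanged.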
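Review bot: In hunk @@ -6190,7 +6196,7 @@ the new default of 0 falls into neither of the two cases the following sentences describe ("If offset is positive" and "If offset is negative"), so the paragraph no longer says what address the DHCP server masquerades as by default. Please add the zero case explicitly, for example by rewording the first condition to cover 0 if that matches the code, and note in the commit message whether \-1 was a documentation error or a behaviour change.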