diff options
Diffstat (limited to 'doc/openvpn.8')
| -rw-r--r-- | doc/openvpn.8 | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e61b6bb..7bd6d9d 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net> +.\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 @@ -2793,7 +2793,7 @@ expands as follows: if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: - ifconfig\-pool 10.8.0.2 10.8.0.254 255.255.255.0 + ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0 push "route\-gateway 10.8.0.1" if route\-gateway unset: route\-gateway 10.8.0.2 @@ -2989,10 +2989,6 @@ IV_LZO_STUB=1 -- if client was built with LZO stub capability IV_LZ4=1 -- if the client supports LZ4 compressions. -IV_RGI6=1 -- if the client supports -.B \-\-redirect\-gateway -for ipv6 - IV_PROTO=2 -- if the client supports peer-id floating mechansim IV_NCP=2 -- negotiable ciphers, client supports @@ -4399,6 +4395,10 @@ This option only makes sense when replay protection is enabled .\"********************************************************* .TP .B \-\-no\-iv + +.B DEPRECATED +This option will be removed in OpenVPN 2.5. + (Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less @@ -4571,8 +4571,10 @@ public. .B \-\-ecdh\-curve name Specify the curve to use for elliptic curve Diffie Hellman. Available curves can be listed with -.B \-\-show\-curves -. The specified curve will only be used for ECDH TLS-ciphers. +.BR \-\-show\-curves . +The specified curve will only be used for ECDH TLS-ciphers. + +This option is not supported in mbed TLS builds of OpenVPN. .\"********************************************************* .TP .B \-\-cert file @@ -4870,11 +4872,18 @@ such as TCP expect this role to be left to them. .B \-\-reneg\-bytes n Renegotiate data channel key after .B n -bytes sent or received (disabled by default). +bytes sent or received (disabled by default with an exception, see below). OpenVPN allows the lifetime of a key -to be expressed as a number of bytes encrypted/decrypted, a number of packets, or -a number of seconds. A key renegotiation will be forced +to be expressed as a number of bytes encrypted/decrypted, a number of packets, +or a number of seconds. A key renegotiation will be forced if any of these three criteria are met by either peer. + +If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is +set to 64MB by default, unless it is explicitly disabled by setting the value to +0, but this is +.B HIGHLY DISCOURAGED +as this is designed to add some protection against the SWEET32 attack vector. +For more information see the \-\-cipher option. .\"********************************************************* .TP .B \-\-reneg\-pkts n @@ -5023,6 +5032,11 @@ key file used with .B \-\-tls\-auth gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data. + +Use +.B \-\-tls\-crypt +instead if you want to use the key file to not only authenticate, but also +encrypt the TLS control channel. .\"********************************************************* .TP .B \-\-tls\-crypt keyfile @@ -5594,7 +5608,7 @@ virtual DHCP server address. In .B \-\-dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is -an integer which is > \-256 and < 256 and which defaults to 0. +an integer which is > \-256 and < 256 and which defaults to -1. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP |