Diffstat (limited to 'doc')
 doc/Makefile.am          |  2
 doc/Makefile.in          |  4
 doc/management-notes.txt |  9
 doc/openvpn.8            | 38
4 files changed, 34 insertions, 19 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index d33e1ed..dedd1fa 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -5,7 +5,7 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 1282a54..b0998a0 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
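Review bot: the automake version stamp going backwards (1.14.1 to 1.13.4) on the first line of doc/Makefile.in shows this generated file was regenerated with an older toolchain than the one that produced the committed copy, not edited on purpose. Suggest leaving the generated Makefile.in out of a copyright-year commit, or regenerating it with the same automake release, so the diff carries only the intended `Copyright (C) 2002-2017` change.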
@@ -21,7 +21,7 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index dd870eb..29c3aad 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -773,8 +773,9 @@ via a notification as follows:
>RSA_SIGN:[BASE64_DATA]
-The management interface client should then sign BASE64_DATA
-using the private key and return the SSL signature as follows:
+The management interface client should then create a PKCS#1 v1.5 signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
+follows:
rsa-sig
[BASE64_SIG_LINE]
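Review bot: "create a PKCS#1 v1.5 signature of the (decoded) BASE64_DATA" leaves open whether the client is expected to wrap the data in a DigestInfo structure before padding, which is the difference between signing a pre-computed digest and the usual RSASSA-PKCS1-v1_5 operation over a message. The wording being replaced referred to RSA_sign(NID_md5_sha1, ...), which applies raw PKCS#1 padding with no DigestInfo, and the following hunk points at RSA_private_encrypt(), which likewise only pads. Suggest saying explicitly that BASE64_DATA is already the digest and must be padded and signed as-is, with no DigestInfo prepended, so a client using a different crypto provider does not produce a signature the server rejects.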
@@ -783,8 +784,8 @@ rsa-sig
.
END
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
-correct signature.
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
+(mbed TLS) will provide a correct signature.
This capability is intended to allow the use of arbitrary cryptographic
service providers with OpenVPN via the management interface.
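Review bot: naming RSA_private_encrypt() and mbedtls_pk_sign() without their mode arguments leaves the implementer guessing: RSA_private_encrypt() takes a padding argument (PKCS#1 v1.5 padding is RSA_PKCS1_PADDING), and mbedtls_pk_sign() takes a message digest type that decides whether a DigestInfo is added before padding. Suggest spelling out the required values in the same sentence, e.g. "Base64 encoded output of RSA_private_encrypt() with RSA_PKCS1_PADDING (OpenSSL) ...", so that the two library hints produce interchangeable signatures.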
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e61b6bb..7bd6d9d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4,7 +4,7 @@
.\" packet encryption, packet authentication, and
.\" packet compression.
.\"
-.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>
+.\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License version 2
@@ -2793,7 +2793,7 @@ expands as follows:
if dev tap OR (dev tun AND topology == subnet):
ifconfig 10.8.0.1 255.255.255.0
if !nopool:
- ifconfig\-pool 10.8.0.2 10.8.0.254 255.255.255.0
+ ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0
push "route\-gateway 10.8.0.1"
if route\-gateway unset:
route\-gateway 10.8.0.2
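Review bot: the pool end changes from 10.8.0.254 to 10.8.0.253 with no explanation in the surrounding text or in the hunk. Since this block documents how \-\-server expands, a short clause noting that the last usable host address is kept out of the pool (and why) would help readers who compare against older copies of the man page, and the commit message should say whether this is a correction to match the server's real expansion.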
@@ -2989,10 +2989,6 @@ IV_LZO_STUB=1 -- if client was built with LZO stub capability
IV_LZ4=1 -- if the client supports LZ4 compressions.
-IV_RGI6=1 -- if the client supports
-.B \-\-redirect\-gateway
-for ipv6
-
IV_PROTO=2 -- if the client supports peer-id floating mechansim
IV_NCP=2 -- negotiable ciphers, client supports
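Review bot: the IV_RGI6 entry is dropped, but nothing in the hunk says whether IPv6 support for \-\-redirect\-gateway is now implied by another IV_ value or simply no longer advertised; a one-line mention here, or in the commit message, would save readers a search. While touching this area, the unchanged context line "IV_PROTO=2 -- if the client supports peer-id floating mechansim" has a typo ("mechansim" for "mechanism") that is cheap to fix in the same hunk.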
@@ -4399,6 +4395,10 @@ This option only makes sense when replay protection is enabled
.\"*********************************************************
.TP
.B \-\-no\-iv
+
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
(Advanced) Disable OpenVPN's use of IV (cipher initialization vector).
Don't use this option unless you are prepared to make
a tradeoff of greater efficiency in exchange for less
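Review bot: the new DEPRECATED block states the removal version but not what administrators should do; the following paragraph already describes the option as trading security for efficiency, so a short sentence such as "Remove \-\-no\-iv from configurations; the default of using an IV is the secure choice" would give a migration path before 2.5.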
@@ -4571,8 +4571,10 @@ public.
.B \-\-ecdh\-curve name
Specify the curve to use for elliptic curve Diffie Hellman. Available
curves can be listed with
-.B \-\-show\-curves
-. The specified curve will only be used for ECDH TLS-ciphers.
+.BR \-\-show\-curves .
+The specified curve will only be used for ECDH TLS-ciphers.
+
+This option is not supported in mbed TLS builds of OpenVPN.
.\"*********************************************************
.TP
.B \-\-cert file
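Review bot: "This option is not supported in mbed TLS builds of OpenVPN." does not say what happens when it is set anyway: a hard error at startup or a silently ignored option. For a parameter that selects the key-exchange curve the difference matters to operators verifying their configuration, so suggest stating the behaviour explicitly. The change to ".BR \-\-show\-curves ." is correct: it keeps the trailing period in roman instead of bold.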
@@ -4870,11 +4872,18 @@ such as TCP expect this role to be left to them.
.B \-\-reneg\-bytes n
Renegotiate data channel key after
.B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, or
-a number of seconds. A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds. A key renegotiation will be forced
if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is
+set to 64MB by default, unless it is explicitly disabled by setting the value to
+0, but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
.\"*********************************************************
.TP
.B \-\-reneg\-pkts n
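Review bot: in the new paragraph, "cipher block sizes less than 128-bits" should read "128 bits" (no hyphen when the unit stands alone), "64MB" would be clearer as "64 MB" or the exact byte count, and "but this is HIGHLY DISCOURAGED as this is designed to add some protection" reads awkwardly; suggest "Disabling it is HIGHLY DISCOURAGED, since the default exists to limit exposure to the SWEET32 attack." The earlier "(disabled by default with an exception, see below)" could name the exception directly, e.g. "(disabled by default, except for small-block ciphers, see below)", so the two sentences agree without the reader having to look ahead.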
@@ -5023,6 +5032,11 @@ key file used with
.B \-\-tls\-auth
gives a peer nothing more than the power to initiate a TLS
handshake. It is not used to encrypt or authenticate any tunnel data.
+
+Use
+.B \-\-tls\-crypt
+instead if you want to use the key file to not only authenticate, but also
+encrypt the TLS control channel.
.\"*********************************************************
.TP
.B \-\-tls\-crypt keyfile
@@ -5594,7 +5608,7 @@ virtual DHCP server address. In
.B \-\-dev tun
mode, OpenVPN will cause the DHCP server to masquerade as if it were
coming from the remote endpoint. The optional offset parameter is
-an integer which is > \-256 and < 256 and which defaults to 0.
+an integer which is > \-256 and < 256 and which defaults to -1.
If offset is positive, the DHCP server will masquerade as the IP
address at network address + offset.
If offset is negative, the DHCP server will masquerade as the IP
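Review bot: the new default is written as "-1" while the bounds on the same line use the groff-escaped "\-256"; in man source an unescaped "-" may be rendered as a hyphen rather than a minus sign, so write "\-1" for consistency. Changing a documented default from 0 to -1 also deserves a word in the commit message: if the code default was -1 all along and this is a correction, say so; if the default actually changed, the man page should state from which version.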