From 4ee98f284a93c3b855092d35ac21371d9dcad65b Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt
The effective --reneg-sec value used is per session
pseudo-uniform-randomized between min and max.
When using dual-factor authentication, note that this default value may
cause the end user to be challenged to reauthorize once per hour.
With the default value of 3600
this results in an effective per
-session value in the range of 3240
..:code:3600 seconds for
+session value in the range of 3240
.. 3600
seconds for
servers, or just 3600 for clients.
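Review bot: the + line leaves the range "3240 .. 3600" unexplained; 3240 is exactly 90% of 3600, so state how the lower bound is derived from the configured max right next to the example, otherwise a reader who sets a non-default max cannot recompute the effective per-session window. Dropping the :code: role from the range is consistent with the unmarked "3600 for clients" in the following context line, so that part of the change is fine.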
For OpenSSL, the --tls-cipher is used for TLS 1.2 and below.
Use --show-tls to see a list of TLS ciphers supported by your crypto library.
-The default for --tls-cipher is to use mbed TLS's default cipher list +
The default for --tls-cipher is to use mbed TLS's default cipher list
when using mbed TLS or
DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
when
using OpenSSL.
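Review bot: the - and + lines only re-wrap the mbed TLS sentence, but the OpenSSL default cipher list DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA in the context below is still plain text; wrap it in literal markup so the colons and exclamation marks survive rendering and the string can be copied verbatim into a config, and keep the "when using mbed TLS or" and "when using OpenSSL" branches clearly separated so the two defaults are not read as one list.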
The default for --tls-ciphersuites is to use the crypto library's -default.
Same as --tls-cipher but for TLS 1.3 and up. mbed TLS has no +TLS 1.3 support yet and only the --tls-cipher setting is used.
+The default for --tls-ciphersuites is to use the crypto library's +default.
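Review bot: moving "The default for --tls-ciphersuites is to use the crypto library's default." after the description of the option is the right order, but the sentence the other + line re-wraps, "mbed TLS has no TLS 1.3 support yet", is a time-bound claim with no version attached; tie it to the mbed TLS or OpenVPN release it describes, or reword it as a statement about builds without TLS 1.3, so it does not go stale silently. While here, say outright that --tls-ciphersuites is ignored with mbed TLS rather than implying it via "only the --tls-cipher setting is used".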
+fe80::7
as source address.
For this option to make sense you actually have to route traffic to the tun interface. The following example config block would send all IPv6 traffic to OpenVPN and answer all requests with no route to host, -effectively blocking IPv6.
---ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1 @@ -3801,6 +3803,11 @@ effectively blocking IPv6.
Note: this option does not influence traffic sent from the server +towards the client (neither on the server nor on the client side). +This is not seen as necessary, as such traffic can be most easily +avoided by not configuring IPv6 on the server tun, or setting up a +server-side firewall rule.
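Review bot: the added note's parenthetical "(neither on the server nor on the client side)" is ambiguous about whether it qualifies where the option is configured or where the traffic is observed; reword it to say that --block-ipv6 on either endpoint only affects packets travelling from the client towards the server. The two suggested server-side mitigations (no IPv6 on the server tun, or a server-side firewall rule) should also state on which side the preceding "--ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1" example block is meant to be used, so a reader does not try to combine "not configuring IPv6 on the server tun" with that example on the same host.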