From 20c8675ba46bda97330a4117c459a59a9f1c465e Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Mon, 21 Nov 2016 09:37:33 +0100 Subject: New upstream version 2.4~beta1 --- doc/Makefile.in | 51 ++- doc/management-notes.txt | 46 ++- doc/openvpn.8 | 922 ++++++++++++++++++++++++++++++----------------- 3 files changed, 659 insertions(+), 360 deletions(-) (limited to 'doc') diff --git a/doc/Makefile.in b/doc/Makefile.in index cb2e2c2..8e37bca 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -26,17 +26,7 @@ # VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -101,6 +91,8 @@ build_triplet = @build@ host_triplet = @host@ @WIN32_TRUE@am__append_1 = openvpn.8 subdir = doc +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -111,10 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \ - $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_HEADER = $(top_builddir)/config.h \ + $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) @@ -171,7 +162,6 @@ MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README.plugins openvpn.8 DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -185,6 +175,7 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -219,25 +210,31 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +LZ4_CFLAGS = @LZ4_CFLAGS@ +LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ +MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ -OPENSSL_CRYPTO_CFLAGS = @OPENSSL_CRYPTO_CFLAGS@ -OPENSSL_CRYPTO_LIBS = @OPENSSL_CRYPTO_LIBS@ -OPENSSL_SSL_CFLAGS = @OPENSSL_SSL_CFLAGS@ -OPENSSL_SSL_LIBS = @OPENSSL_SSL_LIBS@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ +OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ +OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ +OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ +OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ @@ -263,8 +260,6 @@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ -POLARSSL_CFLAGS = @POLARSSL_CFLAGS@ -POLARSSL_LIBS = @POLARSSL_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ @@ -279,6 +274,11 @@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ +TEST_CFLAGS = @TEST_CFLAGS@ +TEST_LDFLAGS = @TEST_LDFLAGS@ +VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ +VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ +VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -361,6 +361,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign doc/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -631,8 +632,6 @@ uninstall-man: uninstall-man8 ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-man uninstall-man8 uninstall-nodist_htmlDATA -.PRECIOUS: Makefile - @WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8 @WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html diff --git a/doc/management-notes.txt b/doc/management-notes.txt index ef39b85..dd870eb 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -168,9 +168,12 @@ be reset by restarts. OpenVPN will indicate that it is in a hold state by sending a real-time notification to the management -client: +client, the parameter indicates how long OpenVPN would +wait without UI (as influenced by connect-retry exponential +backoff). The UI needs to wait for releasing the hold if it +wants similar behavior: - >HOLD:Waiting for hold release + >HOLD:Waiting for hold release:10 Command examples: @@ -366,14 +369,23 @@ Command examples: same time enable real-time state notification of future state transitions. -The output format consists of 4 comma-separated parameters: +The output format consists of up to 9 comma-separated parameters: (a) the integer unix date/time, (b) the state name, (c) optional descriptive string (used mostly on RECONNECTING and EXITING to show the reason for the disconnect), - (d) optional TUN/TAP local IP address (shown for ASSIGN_IP - and CONNECTED), and - (e) optional address of remote server (OpenVPN 2.1 or higher). + (d) optional TUN/TAP local IPv4 address + (e) optional address of remote server, + (f) optional port of remote server, + (g) optional local address, + (h) optional local port, and + (i) optional TUN/TAP local IPv6 address. + +Fields (e)-(h) are shown for CONNECTED state, +(d) and (i) are shown for ASSIGN_IP and CONNECTED states. + +(e) is available starting from OpenVPN 2.1 +(f)-(i) are available starting from OpenVPN 2.4 Real-time state notifications will have a ">STATE:" prefix prepended to them. @@ -777,6 +789,28 @@ correct signature. This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. +COMMAND -- certificate (OpenVPN 2.4 or higher) +---------------------------------------------- +Provides support for external storage of the certificate. Requires the +--management-external-cert option. This option can be used instead of "cert" +in client mode. On SSL protocol initialization a notification will be sent +to the management interface with a hint as follows: + +>NEED-CERTIFICATE:macosx-keychain:subject:o=OpenVPN-TEST + +The management interface client should use the hint to obtain the specific +SSL certificate and then return base64 encoded certificate as follows: + +certificate +[BASE64_CERT_LINE] +. +. +. +END + +This capability is intended to allow the use of certificates +stored outside of the filesystem (e.g. in Mac OS X Keychain) +with OpenVPN via the management interface. OUTPUT FORMAT ------------- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 1cad9be..e997b09 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -21,13 +21,13 @@ .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA .\" .\" Manual page for openvpn -.\ +.\" .\" SH section heading .\" SS subsection heading .\" LP paragraph .\" IP indented paragraph .\" TP hanging label -.\ +.\" .\" .nf -- no formatting .\" .fi -- resume formatting .\" .ft 3 -- boldface @@ -37,7 +37,7 @@ .TH openvpn 8 "17 November 2008" .\"********************************************************* .SH NAME -openvpn - secure IP tunnel daemon. +openvpn \- secure IP tunnel daemon. .\"********************************************************* .SH SYNOPSIS .ft 3 @@ -221,6 +221,9 @@ options. indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp". +For forcing IPv4 or IPv6 connection suffix tcp or udp +with 4/6 like udp4/udp6/tcp4/tcp6. + The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client @@ -265,9 +268,11 @@ not match If .B host is a DNS name which resolves to multiple IP addresses, -the first address returned by the system getaddrinfo() function -will be used (no DNS randomization inside OpenVPN 2.3.x, and -it will not try multiple addresses). +OpenVPN will try them in the order that the system getaddrinfo() +presents them, so priorization and DNS randomization is done +by the system library. Unless an IP version is forced by the +protocol specification (4/6 suffix), OpenVPN will try both IPv4 +and IPv6 addresses, in the order getaddrinfo() returns them. .\"********************************************************* .TP .B \-\-remote\-random\-hostname @@ -311,20 +316,18 @@ remote 198.19.34.56 443 tcp remote 198.19.34.56 443 tcp -http-proxy 192.168.0.8 8080 -http-proxy-retry +http\-proxy 192.168.0.8 8080 remote 198.19.36.99 443 tcp -http-proxy 192.168.0.8 8080 -http-proxy-retry +http\-proxy 192.168.0.8 8080 -persist-key -persist-tun +persist\-key +persist\-tun pkcs12 client.p12 -ns-cert-type server +ns\-cert\-type server verb 3 .in -4 .ft @@ -343,30 +346,27 @@ a block: .B bind, -.B connect-retry, -.B connect-retry-max, -.B connect-timeout, -.B explicit-exit-notify, +.B connect\-retry, +.B connect\-retry\-max, +.B connect\-timeout, +.B explicit\-exit\-notify, .B float, .B fragment, -.B http-proxy, -.B http-proxy-option, -.B http-proxy-retry, -.B http-proxy-timeout, -.B link-mtu, +.B http\-proxy, +.B http\-proxy\-option, +.B link\-mtu, .B local, .B lport, .B mssfix, -.B mtu-disc, +.B mtu\-disc, .B nobind, .B port, .B proto, .B remote, .B rport, -.B socks-proxy, -.B socks-proxy-retry, -.B tun-mtu and -.B tun-mtu-extra. +.B socks\-proxy, +.B tun\-mtu and +.B tun\-mtu\-extra. A defaulting mechanism exists for specifying options to apply to all @@ -415,9 +415,9 @@ for communicating with remote host. .B p can be .B udp, -.B tcp-client, +.B tcp\-client, or -.B tcp-server. +.B tcp\-server. The default protocol is .B udp @@ -434,7 +434,7 @@ For TCP operation, one peer must use and the other must use .B \-\-proto tcp\-client. A peer started with -.B tcp-server +.B tcp\-server will wait indefinitely for an incoming connection. A peer started with .B tcp\-client @@ -462,31 +462,27 @@ application-level UDP protocols, or tunneling protocols which don't possess a built-in reliability layer. .\"********************************************************* .TP -.B \-\-connect\-retry n -For -.B \-\-proto tcp\-client, -take -.B n -as the -number of seconds to wait -between connection retries (default=5). -.\"********************************************************* -.TP -.B \-\-connect\-timeout n -For -.B \-\-proto tcp\-client, -set connection timeout to +.B \-\-connect\-retry n [max] +Wait .B n -seconds (default=10). +seconds between connection attempts (default=5). Repeated reconnection +attempts are slowed down after 5 retries per remote by doubling the wait +time after each unsuccessful attempt. The optional argument +.B max +specifies the maximum value of wait time in seconds at which it gets +capped (default=300). .\"********************************************************* .TP .B \-\-connect\-retry\-max n -For -.B \-\-proto tcp\-client, -take .B n -as the -number of retries of connection attempt (default=infinite). +specifies the number of times each +.B \-\-remote +or +.B +entry is tried. Specifying +.B n +as one would try each entry exactly once. A successful connection +resets the counter. (default=unlimited). .\"********************************************************* .TP .B \-\-show\-proxy\-settings @@ -502,9 +498,12 @@ and port If HTTP Proxy-Authenticate is required, .B authfile is a file containing a username and password on 2 lines, or -"stdin" to prompt from console. +"stdin" to prompt from console. Its content can also be specified +in the config file with the +.B \-\-http\-proxy\-user\-pass +option. (See section on inline files) -.B auth-method +.B auth\-method should be one of "none", "basic", or "ntlm". HTTP Digest authentication is supported as well, but only via @@ -517,7 +516,7 @@ flags (below). The .B auto flag causes OpenVPN to automatically determine the -.B auth-method +.B auth\-method and query stdin or the management interface for username/password credentials, if required. This flag exists on OpenVPN 2.1 or higher. @@ -529,17 +528,6 @@ determine the authentication method, but to reject weak authentication protocols such as HTTP Basic Authentication. .\"********************************************************* .TP -.B \-\-http\-proxy\-retry -Retry indefinitely on HTTP proxy errors. If an HTTP proxy error -occurs, simulate a SIGUSR1 reset. -.\"********************************************************* -.TP -.B \-\-http\-proxy\-timeout n -Set proxy timeout to -.B n -seconds, default=5. -.\"********************************************************* -.TP .B \-\-http\-proxy\-option type [parm] Set extended HTTP proxy options. Repeat to set multiple options. @@ -552,6 +540,13 @@ Set HTTP version number to .B AGENT user-agent -- Set HTTP "User-Agent" string to .B user-agent. + +.B CUSTOM\-HEADER name content -- +Adds the custom Header with +.B name +as name and +.B content +as the content of the custom HTTP header. .\"********************************************************* .TP .B \-\-socks\-proxy server [port] [authfile] @@ -565,11 +560,6 @@ and port "stdin" to prompt from console. .\"********************************************************* .TP -.B \-\-socks\-proxy\-retry -Retry indefinitely on Socks proxy errors. If a Socks proxy error -occurs, simulate a SIGUSR1 reset. -.\"********************************************************* -.TP .B \-\-resolv\-retry n If hostname resolve fails for .B \-\-remote, @@ -582,7 +572,7 @@ Set to "infinite" to retry indefinitely. By default, -.B \-\-resolv-retry infinite +.B \-\-resolv\-retry infinite is enabled. You can disable by setting n=0. .\"********************************************************* .TP @@ -685,7 +675,7 @@ option. The port can also be set directly using the option. .\"********************************************************* .TP -.B \-\-bind +.B \-\-bind [ipv6only] Bind to local address and port. This is the default unless any of .B \-\-proto tcp\-client , @@ -693,6 +683,12 @@ Bind to local address and port. This is the default unless any of or .B \-\-socks\-proxy are used. + +If the +.B ipv6only +keyword is present OpenVPN will bind only to IPv6 (as oposed +to IPv6 and IPv4) when a IPv6 socket is opened. + .\"********************************************************* .TP .B \-\-nobind @@ -760,13 +756,13 @@ directive, this directive must always be compatible between client and server. .B mode can be one of: -.B net30 -- +.B net30 \-\- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0. -.B p2p -- +.B p2p \-\- Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. @@ -776,7 +772,7 @@ is functionally equivalent to the .B \-\-ifconfig\-pool\-linear directive which is available in OpenVPN 2.0 and is now deprecated. -.B subnet -- +.B subnet \-\- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in @@ -801,18 +797,6 @@ changes the interpretation of the arguments of to mean "address netmask", no longer "local remote". .\"********************************************************* .TP -.B \-\-tun\-ipv6 -Build a tun link capable of forwarding IPv6 traffic. -Should be used in conjunction with -.B \-\-dev tun -or -.B \-\-dev tunX. -A warning will be displayed -if no specific IPv6 TUN support for your OS has been compiled into OpenVPN. - -See below for further IPv6-related configuration options. -.\"********************************************************* -.TP .B \-\-dev\-node node Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN @@ -892,7 +876,7 @@ you will be pinging across the VPN. For TAP devices, which provide the ability to create virtual ethernet segments, or TUN devices in -.B \-\-topology subnet +.B --topology subnet mode (which create virtual "multipoint networks"), .B \-\-ifconfig is used to set an IP address and @@ -984,7 +968,7 @@ when is specified. .B metric -default \-\- taken from +default -- taken from .B \-\-route\-metric otherwise 0. @@ -1019,13 +1003,6 @@ table (not supported on all OSes). address if OpenVPN is being run in client mode, and is undefined in server mode. .\"********************************************************* .TP -.B \-\-max\-routes n -Allow a maximum number of n -.B \-\-route -options to be specified, either in the local configuration file, -or pulled from an OpenVPN server. By default, n=100. -.\"********************************************************* -.TP .B \-\-route\-gateway gw|'dhcp' Specify a default gateway .B gw @@ -1193,7 +1170,7 @@ that the original default route is restored. Option flags: -.B local -- +.B local \-\- Add the .B local flag if both OpenVPN servers are directly connected via a common subnet, @@ -1203,7 +1180,7 @@ flag will cause step .B 1 above to be omitted. -.B autolocal -- +.B autolocal \-\- Try to automatically determine whether to enable .B local flag above. @@ -1230,6 +1207,17 @@ on non-Windows clients). Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel. + +.B ipv6 -- +Redirect IPv6 routing into the tunnel. This works similar to the +.B def1 +flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), +covering the whole IPv6 unicast space. + +.B !ipv4 -- +Do not redirect IPv4 traffic - typically used in the flag pair +.B "ipv6 !ipv4" +to redirect IPv6-only. .\"********************************************************* .TP .B \-\-link\-mtu n @@ -1626,16 +1614,25 @@ and are mutually exclusive and cannot be used together. .\"********************************************************* .TP -.B \-\-keepalive n m +.B \-\-keepalive interval timeout A helper directive designed to simplify the expression of .B \-\-ping and +.B \-\-ping\-restart. + +This option can be used on both client and server side, but it is +in enough to add this on the server side as it will push appropriate +.B \-\-ping +and .B \-\-ping\-restart -in server mode configurations. +options to the client. If used on both server and client, +the values pushed from server will override the client local values. -The server timeout is set twice the value of the second argument. -This ensures that a timeout is detected on client side -before the server side drops the connection. +The +.B timeout +argument will be twice as long on the server side. This ensures that +a timeout is detected on client side before the server side drops +the connection. For example, .B \-\-keepalive 10 60 @@ -1645,13 +1642,13 @@ expands as follows: .ft 3 .in +4 if mode server: - ping 10 - ping-restart 120 - push "ping 10" - push "ping-restart 60" + ping 10 # Argument: interval + ping\-restart 120 # Argument: timeout*2 + push "ping 10" # Argument: interval + push "ping\-restart 60" # Argument: timeout else - ping 10 - ping-restart 60 + ping 10 # Argument: interval + ping\-restart 60 # Argument: timeout .in -4 .ft .fi @@ -1979,16 +1976,16 @@ and scripts. Lower values are more restrictive, higher values are more permissive. Settings for .B level: -.B 0 -- +.B 0 \-\- Strictly no calling of external programs. .br -.B 1 -- +.B 1 \-\- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh. .br -.B 2 -- +.B 2 \-\- Allow calling of built-in executables and user-defined scripts. .br -.B 3 -- +.B 3 \-\- Allow passwords to be passed to scripts via environmental variables (potentially unsafe). OpenVPN releases before v2.3 also supported a @@ -2320,6 +2317,12 @@ otherwise would be prepended. In particular, this applies to log messages sent to stdout. .\"********************************************************* .TP +.B \-\-machine\-readable\-output +Always write timestamps and message flags to log messages, even when they +otherwise would not be prefixed. In particular, this applies to +log messages sent to stdout. +.\"********************************************************* +.TP .B \-\-writepid file Write OpenVPN's main process ID to .B file. @@ -2420,13 +2423,13 @@ Set output verbosity to Level 3 is recommended if you want a good summary of what's happening without being swamped by output. -.B 0 -- +.B 0 \-\- No output except fatal errors. .br -.B 1 to 4 -- +.B 1 to 4 \-\- Normal usage range. .br -.B 5 -- +.B 5 \-\- Output .B R and @@ -2434,7 +2437,7 @@ and characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. .br -.B 6 to 11 -- +.B 6 to 11 \-\- Debug info range (see errlevel.h for additional information on debug levels). .\"********************************************************* @@ -2464,12 +2467,34 @@ consecutive messages in the same category. This is useful to limit repetitive logging of similar message types. .\"********************************************************* .TP +.B \-\-compress [algorithm] +Enable a compression algorithm. + +The +.B algorithm +parameter may be "lzo", "lz4", or empty. LZO and LZ4 +are different compression algorithms, with LZ4 generally +offering the best performance with least CPU usage. +For backwards compatibility with OpenVPN versions before 2.4, use "lzo" +(which is identical to the older option "\-\-comp\-lzo yes"). + +If the +.B algorithm +parameter is empty, compression will be turned off, but the packet +framing for compression will still be enabled, allowing a different +setting to be pushed later. +.\"********************************************************* +.TP .B \-\-comp\-lzo [mode] -Use fast LZO compression -- may add up to 1 byte per +Use LZO compression -- may add up to 1 byte per packet for incompressible data. .B mode may be "yes", "no", or "adaptive" (default). +This option is deprecated in favor of the newer +.B --compress +option. + In a server mode setup, it is possible to selectively turn compression on or off for individual clients. @@ -2491,14 +2516,14 @@ for example: .nf .ft 3 .in +4 -comp-lzo yes +comp\-lzo yes push "comp\-lzo yes" .in -4 .ft .fi The first line sets the -.B comp-lzo +.B comp\-lzo setting for the server side of the link, the second sets the client side. .\"********************************************************* @@ -2558,7 +2583,7 @@ to the port, using a telnet client in "raw" mode. Once connected, type "help" for a list of commands. For detailed documentation on the management interface, see -the management-notes.txt file in the +the management\-notes.txt file in the .B management folder of the OpenVPN source distribution. @@ -2599,12 +2624,23 @@ Allow management interface to override .B \-\-remote directives (client-only). .\"********************************************************* +.TP .B \-\-management\-external\-key Allows usage for external private key file instead of .B \-\-key option (client-only). .\"********************************************************* .TP +.B \-\-management\-external\-cert certificate-hint +Allows usage for external certificate instead of +.B \-\-cert +option (client-only). +.B certificate-hint +is an arbitrary string which is passed to a management +interface client as an argument of NEED-CERTIFICATE notification. +Requires \-\-management\-external\-key. +.\"********************************************************* +.TP .B \-\-management\-forget\-disconnect Make OpenVPN forget passwords when management session disconnects. @@ -2650,7 +2686,7 @@ distribution for detailed notes. .TP .B \-\-management\-client\-pf Management interface clients must specify a packet -filter file for each connecting client. See management-notes.txt +filter file for each connecting client. See management\-notes.txt in OpenVPN distribution for detailed notes. .\"********************************************************* .TP @@ -2694,11 +2730,23 @@ OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called last. If the return code of the module/script controls an authentication -function (such as tls-verify, auth-user-pass-verify, or -client-connect), then +function (such as tls\-verify, auth\-user\-pass\-verify, or +client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. .\"********************************************************* +.TP +.B \-\-keying-material-exporter label len +Save Exported Keying Material [RFC5705] of len bytes (must be +between 16 and 4095 bytes) using label in environment +(exported_keying_material) for use by plugins in +OPENVPN_PLUGIN_TLS_FINAL callback. + +Note that exporter labels have the potential to collide with existing PRF +labels. In order to prevent this, labels MUST begin with "EXPORTER". + +This option requires OpenSSL 1.0.1 or newer. +.\"********************************************************* .SS Server Mode Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode is supported, and can be enabled with the @@ -2729,15 +2777,15 @@ expands as follows: .ft 3 .in +4 mode server - tls-server + tls\-server push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p): ifconfig 10.8.0.1 10.8.0.2 if !nopool: - ifconfig-pool 10.8.0.4 10.8.0.251 + ifconfig\-pool 10.8.0.4 10.8.0.251 route 10.8.0.0 255.255.255.0 - if client-to-client: + if client\-to\-client: push "route 10.8.0.0 255.255.255.0" else if topology == net30: push "route 10.8.0.1" @@ -2745,10 +2793,10 @@ expands as follows: if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: - ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 - push "route-gateway 10.8.0.1" - if route-gateway unset: - route-gateway 10.8.0.2 + ifconfig\-pool 10.8.0.2 10.8.0.254 255.255.255.0 + push "route\-gateway 10.8.0.1" + if route\-gateway unset: + route\-gateway 10.8.0.2 .in -4 .ft @@ -2815,17 +2863,17 @@ for OpenVPN to allocate to connecting clients. For example, -.B server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 +.B server\-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows: .nf .ft 3 .in +4 mode server -tls-server +tls\-server -ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 -push "route-gateway 10.8.0.4" +ifconfig\-pool 10.8.0.128 10.8.0.254 255.255.255.0 +push "route\-gateway 10.8.0.4" .in -4 .ft .fi @@ -2838,9 +2886,9 @@ In another example, .ft 3 .in +4 mode server -tls-server +tls\-server -push "route-gateway dhcp" +push "route\-gateway dhcp" .in -4 .ft .fi @@ -2853,7 +2901,7 @@ expands as follows: .ft 3 .in +4 mode server -tls-server +tls\-server .in -4 .ft .fi @@ -2894,18 +2942,76 @@ as with a configuration file. This option will ignore .B \-\-push options at the global config file level. +.\"********************************************************* +.TP +.B \-\-push\-remove opt +selectively remove all +.B \-\-push +options matching "opt" from the option list for a client. "opt" is matched +as a substring against the whole option string to-be-pushed to the client, so +.B \-\-push\-remove route +would remove all +.B \-\-push route ... +and +.B \-\-push route-ipv6 ... +statements, while +.B \-\-push\-remove 'route-ipv6 2001:' +would only remove IPv6 routes for 2001:... networks. + +.B \-\-push\-remove +can only be used in a client-specific context, like in a +.B \-\-client\-config\-dir +file, or +.B \-\-client\-connect +script or plugin -- similar to +.B \-\-push\-reset, +just more selective. + +NOTE: to +.I change +an option, +.B \-\-push\-remove +can be used to first remove the old value, and then add a new +.B \-\-push +option with the new value. +.\"********************************************************* .TP .B \-\-push\-peer\-info -Push additional information about the client to server. The additional information -consists of the following data: +Push additional information about the client to server. +The following data is always pushed to the server: IV_VER= -- the client OpenVPN version IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] -- the client OS platform +IV_LZO_STUB=1 -- if client was built with LZO stub capability + +IV_LZ4=1 -- if the client supports LZ4 compressions. + +IV_RGI6=1 -- if the client supports +.B \-\-redirect\-gateway +for ipv6 + +IV_PROTO=2 -- if the client supports peer-id floating mechansim + +IV_NCP=2 -- negotiable ciphers, client supports +.B \-\-cipher +pushed by the server, a value of 2 or greater indicates client +supports AES-GCM-128 and AES-GCM-256. + +IV_UI_VER= -- the UI version of a UI if one is +running, for example "de.blinkt.openvpn 0.5.47" for the +Android app. + +When +.B \-\-push\-peer\-info +is enabled the additional information consists of the following data: + IV_HWADDR= -- the MAC address of clients default gateway -IV_LZO_STUB=1 -- if client was built with LZO stub capability +IV_SSL= -- the ssl version used by the client, e.g. "OpenSSL 1.0.2f 28 Jan 2016". + +IV_PLAT_VER=x.y - the version of the operating system, e.g. 6.1 for Windows 7. UV_= -- client environment variables whose names start with "UV_" .\"********************************************************* @@ -2941,7 +3047,7 @@ parameter will also be pushed to clients. .\"********************************************************* .TP .B \-\-ifconfig\-pool\-persist file [seconds] -Persist/unpersist ifconfig-pool +Persist/unpersist ifconfig\-pool data to .B file, at @@ -2992,14 +3098,14 @@ This option is deprecated, and should be replaced with which is functionally equivalent. .\"********************************************************* .TP -.B \-\-ifconfig\-push local remote-netmask [alias] +.B \-\-ifconfig\-push local remote\-netmask [alias] Push virtual IP endpoints for client tunnel, overriding the \-\-ifconfig\-pool dynamic allocation. The parameters .B local and -.B remote-netmask +.B remote\-netmask are set according to the .B \-\-ifconfig directive which you want to execute on the client machine to @@ -3015,9 +3121,9 @@ The optional .B alias parameter may be used in cases where NAT causes the client view of its local endpoint to differ from the server view. In this case -.B local/remote-netmask +.B local/remote\-netmask will refer to the server view while -.B alias/remote-netmask +.B alias/remote\-netmask will refer to the client view. This option must be associated with a specific client instance, @@ -3218,7 +3324,7 @@ without needing to restart the server. The following options are legal in a client-specific context: -.B \-\-push, \-\-push\-reset, \-\-iroute, \-\-ifconfig\-push, +.B \-\-push, \-\-push\-reset, \-\-push\-remove, \-\-iroute, \-\-ifconfig\-push, and .B \-\-config. .\"********************************************************* @@ -3298,8 +3404,8 @@ The macro expands as follows: .ft 3 .in +4 if mode server: - socket-flags TCP_NODELAY - push "socket-flags TCP_NODELAY" + socket\-flags TCP_NODELAY + push "socket\-flags TCP_NODELAY" .in -4 .ft .fi @@ -3365,8 +3471,10 @@ DoS scenario, legitimate connections might also be refused. For the best protection against DoS attacks in server mode, use .B \-\-proto udp -and -.B \-\-tls\-auth. +and either +.B \-\-tls\-auth +or +.B \-\-tls\-crypt\fR. .\"********************************************************* .TP .B \-\-learn\-address cmd @@ -3383,19 +3491,19 @@ Three arguments will be appended to any arguments in .B cmd as follows: -.B [1] operation -- +.B [1] operation \-\- "add", "update", or "delete" based on whether or not the address is being added to, modified, or deleted from OpenVPN's internal routing table. .br -.B [2] address -- +.B [2] address \-\- The address being learned or unlearned. This can be an IPv4 address such as "198.162.10.14", an IPv4 subnet such as "198.162.10.0/24", or an ethernet MAC address (when .B \-\-dev tap is being used) such as "00:FF:01:02:03:04". .br -.B [3] common name -- +.B [3] common name \-\- The common name on the certificate associated with the client linked to this address. Only present for "add" or "update" operations, not "delete". @@ -3431,7 +3539,7 @@ and/or escaped using a backslash, and should be separated by one or more spaces. If .B method -is set to "via-env", OpenVPN will call +is set to "via\-env", OpenVPN will call .B script with the environmental variables .B username @@ -3444,7 +3552,7 @@ unprivileged processes. If .B method -is set to "via-file", OpenVPN will write the username and +is set to "via\-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to .B script, @@ -3482,18 +3590,40 @@ strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter. For a sample script that performs PAM authentication, see -.B sample-scripts/auth-pam.pl +.B sample\-scripts/auth\-pam.pl in the OpenVPN source distribution. .\"********************************************************* .TP +.B \-\-auth\-gen\-token [lifetime] +After successful user/password authentication, the OpenVPN +server will with this option generate a temporary +authentication token and push that to client. On the following +renegotiations, the OpenVPN client will pass this token instead +of the users password. On the server side the server will do +the token authentication internally and it will NOT do any +additional authentications against configured external +user/password authentication mechanisms. + +The +.B lifetime +argument defines how long the generated token is valid. The +lifetime is defined in seconds. If lifetime is not set +or it is set to 0, the token will never expire. + +This feature is useful for environments which is configured +to use One Time Passwords (OTP) as part of the user/password +authentications and that authentication mechanism does not +implement any auth-token support. +.\"********************************************************* +.TP .B \-\-opt\-verify Clients that connect with options that are incompatible with those of the server will be disconnected. Options that will be compared for compatibility include -dev-type, link-mtu, tun-mtu, proto, tun-ipv6, ifconfig, -comp-lzo, fragment, keydir, cipher, auth, keysize, secret, -no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client. +dev\-type, link\-mtu, tun\-mtu, proto, ifconfig, +comp\-lzo, fragment, keydir, cipher, auth, keysize, secret, +no\-replay, no\-iv, tls\-auth, key\-method, tls\-server, and tls\-client. This option requires that .B \-\-disable\-occ @@ -3518,18 +3648,63 @@ to empty strings (""). The authentication module/script MUST have logic to detect this condition and respond accordingly. .\"********************************************************* .TP -.B \-\-client\-cert\-not\-required +.B \-\-client\-cert\-not\-required (DEPRECATED) Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. + +.B Please note: +This option is now deprecated and will be removed in OpenVPN v2.5. +It is replaced by +.B \-\-verify\-client\-cert +which allows for more flexibility. The option +.B \-\-verify\-client\-cert none +is functionally equivalent to +.B \-\-client\-cert\-not\-required +. + +.\"********************************************************* +.TP +.B \-\-verify\-client\-cert none|optional|require +Specify whether the client is required to supply a valid certificate. + +Possible options are + +.B none +: a client certificate is not required. the client need to authenticate +using username/password only. Be aware that using this directive +is less secure than requiring certificates from all clients. + If you use this directive, the entire responsibility of authentication will rest on your .B \-\-auth\-user\-pass\-verify script, so keep in mind that bugs in your script could potentially compromise the security of your VPN. -If you don't use this directive, but you also specify an +.B \-\-verify\-client\-cert none +is functionally equivalent to +.B \-\-client\-cert\-not\-required. + +.B optional +: a client may present a certificate but it is not required to do so. +When using this directive, you should also use a +.B \-\-auth\-user\-pass\-verify +script to ensure that clients are authenticated using a +certificate, a username and password, or possibly even both. + +Again, the entire responsibility of authentication will rest on your +.B \-\-auth\-user\-pass\-verify +script, so keep in mind that bugs in your script +could potentially compromise the security of your VPN. + +.B require +: this is the default option. A client is required to present a +certificate, otherwise VPN access is refused. + +If you don't use this directive (or use +.B \-\-verify\-client\-cert require +) but you also specify an .B \-\-auth\-user\-pass\-verify script, then OpenVPN will perform double authentication. The client certificate verification AND the @@ -3591,11 +3766,7 @@ carriage-return. no-remapping is only available on the server side. .B Please note: This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be -removed either in OpenVPN v2.4 or v2.5. So please make sure you use the -.B \-\-verify\-x509\-name -option instead of -.B \-\-tls\-remote -as soon as possible and update your scripts where necessary. +removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. .\"********************************************************* .TP .B \-\-no\-name\-remapping (DEPRECATED) @@ -3608,8 +3779,8 @@ It ensures compatibility with server configurations using the option. .B Please note: -This option is now deprecated. It will be removed either in OpenVPN v2.4 -or v2.5. So please make sure you support the new X.509 name formatting +This option is now deprecated. It will be removed in OpenVPN v2.5. +So please make sure you support the new X.509 name formatting described with the .B \-\-compat\-names option as soon as possible. @@ -3654,7 +3825,7 @@ of OpenVPN's client mode. This directive is equivalent to: .ft 3 .in +4 pull - tls-client + tls\-client .in -4 .ft .fi @@ -3681,6 +3852,57 @@ in situations where you don't trust the server to have control over the client's routing table. .\"********************************************************* .TP +.B \-\-pull\-filter accept|ignore|reject \fItext\fR +Filter options received from the server if the option starts with +\fItext\fR. Runs on client. The action flag +.B accept +allows the option, +.B ignore +removes it and +.B reject +flags an error and triggers a SIGUSR1 restart. +The filters may be specified multiple times, and each filter is +applied in the order it is specified. The filtering of each +option stops as soon as a match is found. Unmatched options are accepted +by default. + +Prefix comparison is used to match \fItext\fR against the +received option so that + +.nf +.ft 3 +.in +4 +\-\-pull\-filter ignore "route" +.in -4 +.ft +.fi + +would remove all pushed options starting with +.B route +which would include, for example, +.B route\-gateway. +Enclose \fItext\fR in quotes to embed spaces. + +.nf +.ft 3 +.in +4 +\-\-pull\-filter accept "route 192.168.1." +\-\-pull\-filter ignore "route " +.in -4 +.ft +.fi + +would remove all routes that do not start with 192.168.1. + +This option may be used only on clients. +Note that +.B reject +may result in a repeated cycle of failure and reconnect, +unless multiple remotes are specified and connection to the next remote +succeeds. To silently ignore an option pushed by the server, use +.B ignore. +.\"********************************************************* +.TP .B \-\-auth\-user\-pass [up] Authenticate with server using username/password. .B up @@ -3718,15 +3940,15 @@ tries to connect. .B type can be one of: -.B none -- +.B none \-\- Client will exit with a fatal error (this is the default). .br -.B nointeract -- +.B nointeract \-\- Client will retry the connection without requerying for an .B \-\-auth\-user\-pass username/password. Use this option for unattended clients. .br -.B interact -- +.B interact \-\- Client will requery for an .B \-\-auth\-user\-pass username/password and/or private key password before attempting a reconnection. @@ -3751,14 +3973,12 @@ description of the OpenVPN challenge/response protocol. .\"********************************************************* .TP .B \-\-server\-poll\-timeout n -when polling possible remote servers to connect to -in a round-robin fashion, spend no more than +.B \-\-connect\-timeout n +when connecting to a remote server do not wait for more than .B n seconds waiting for a response before trying the next server. -As this only makes sense in client-to-server setups, it cannot -be used in point-to-point setups using -.B \-\-secret -symmetrical key mode. +The default value is 120s. This timeout includes proxy and TCP +connect timeouts. .\"********************************************************* .TP .B \-\-explicit\-exit\-notify [n] @@ -3769,8 +3989,23 @@ option will tell the server to immediately close its client instance object rather than waiting for a timeout. The .B n parameter (default=1) controls the maximum number of attempts that the client -will try to resend the exit notification message. OpenVPN will not send any exit +will try to resend the exit notification message. + +In UDP server mode, send RESTART control channel command to connected clients. The +.B n +parameter (default=1) controls client behavior. With +.B n += 1 client will attempt to reconnect +to the same server, with +.B n += 2 client will advance to the next server. + +OpenVPN will not send any exit notifications unless this option is enabled. +.TP +.B \-\-allow\-recursive\-routing +When this option is set, OpenVPN will not drop incoming tun packets +with same destination as host. .\"********************************************************* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS-negotiated key modes @@ -3852,8 +4087,9 @@ options. Useful when using inline files (See section on inline files). .\"********************************************************* .TP .B \-\-auth alg -Authenticate packets with HMAC using message -digest algorithm +Authenticate data channel packets and (if enabled) +.B tls-auth +control channel packets with HMAC using message digest algorithm .B alg. (The default is .B SHA1 @@ -3862,7 +4098,17 @@ HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. -OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext. +The OpenVPN data channel protocol uses encrypt-then-mac (i.e. first encrypt a +packet, then HMAC the resulting ciphertext), which prevents padding oracle +attacks. + +If an AEAD cipher mode (e.g. GCM) is chosen, the specified +.B \-\-auth +algorithm is ignored for the data channel, and the authentication method of the +AEAD cipher is used instead. Note that +.B alg +still specifies the digest used for +.B tls-auth\fR. In static-key encryption mode, the HMAC key is included in the key file generated by @@ -3885,25 +4131,57 @@ Encrypt data channel packets with cipher algorithm The default is .B BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. -Blowfish has the advantages of being fast, very secure, and allowing key sizes -of up to 448 bits. Blowfish is designed to be used in situations where -keys are changed infrequently. -For more information on blowfish, see -.I http://www.counterpane.com/blowfish.html +Using BF-CBC is no longer recommended, because of it's 64-bit block size. This +small block size allows attacks based on collisions, as demonstrated by SWEET32. +See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. -To see other ciphers that are available with -OpenVPN, use the +To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes, -however CBC is recommended and CFB and OFB should -be considered advanced modes. - Set .B alg=none to disable encryption. + +As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by +.B \-\-cipher\fR. +See +.B \-\-ncp-ciphers +and +.B \-\-ncp-disable +for more on NCP. + +.\"********************************************************* +.TP +.B \-\-ncp\-ciphers cipher_list +Restrict the allowed ciphers to be negotiated to the ciphers in +.B cipher_list\fR. +.B cipher_list +is a colon-separated list of ciphers, and defaults to +"AES-256-GCM:AES-128-GCM". + +For servers, the first cipher from +.B cipher_list +will be pushed to clients that support cipher negotiation. + +Cipher negotiation is enabled in client-server mode only. I.e. if +.B \-\-mode +is set to 'server' (server-side, implied by setting +.B \-\-server +), or if +.B \-\-pull +is specified (client-side, implied by setting \-\-client). + +If both peers support and do not disable NCP, the negotiated cipher will +override the cipher specified by +.B \-\-cipher\fR. + +.\"********************************************************* +.TP +.B \-\-ncp\-disable +Disable "negotiable crypto parameters". This completely disables cipher +negotiation. .\"********************************************************* .TP .B \-\-keysize n @@ -4006,7 +4284,7 @@ is 15 seconds. This option is only relevant in UDP mode, i.e. when either .B \-\-proto udp -is specifed, or no +is specified, or no .B \-\-proto option is specified. @@ -4202,14 +4480,9 @@ will succeed, both OpenVPN peers will exchange temporary session keys, and the tunnel will begin passing data. -The OpenVPN distribution contains a set of scripts for -managing RSA certificates & keys, -located in the -.I easy-rsa -subdirectory. - -The easy-rsa package is also rendered in web form here: -.I http://openvpn.net/easyrsa.html +The OpenVPN project provides a set of scripts for +managing RSA certificates & keys: +.I https://github.com/OpenVPN/easy-rsa .\"********************************************************* .TP .B \-\-tls\-server @@ -4247,7 +4520,6 @@ they are distributed with OpenVPN, they are totally insecure. .TP .B \-\-capath dir Directory containing trusted certificates (CAs and CRLs). -Available with OpenSSL version >= 0.9.7 dev. Not available with PolarSSL. When using the @@ -4271,13 +4543,25 @@ for more information. File containing Diffie Hellman parameters in .pem format (required for .B \-\-tls\-server -only). Use +only). -.B openssl dhparam \-out dh1024.pem 1024 +Set +.B file=none +to disable Diffie Hellman key exchange (and use ECDH only). Note that this +requires peers to be using an SSL library that supports ECDH TLS cipher suites +(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+). -to generate your own, or use the existing dh1024.pem file -included with the OpenVPN distribution. Diffie Hellman parameters -may be considered public. +Use +.B openssl dhparam \-out dh2048.pem 2048 +to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered +public. +.\"********************************************************* +.TP +.B \-\-ecdh\-curve name +Specify the curve to use for elliptic curve Diffie Hellman. Available +curves can be listed with +.B \-\-show\-curves +. The specified curve will only be used for ECDH TLS-ciphers. .\"********************************************************* .TP .B \-\-cert file @@ -4348,26 +4632,17 @@ above). .\"********************************************************* .TP .B \-\-tls\-version\-min version ['or\-highest'] -Enable TLS version negotiation, and set the minimum +Sets the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. - -Also see -.B \-\-tls\-version\-max -below, for information on compatibility. .\"********************************************************* .TP .B \-\-tls\-version\-max version Set the maximum TLS version we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or "1.2". - -If and only if this is set to 1.0, and OpenSSL is used (not PolarSSL), -then OpenVPN will set up OpenSSL to use a fixed TLSv1 handshake. All -other configurations will autonegotiate in the given limits, and the -choice of handshake versions is left to the SSL implementation. .\"********************************************************* .TP .B \-\-pkcs12 file @@ -4429,7 +4704,7 @@ and .B \-\-pkcs12. If p11-kit is present on the system, its -.B p11-kit-proxy.so +.B p11\-kit\-proxy.so module will be loaded by default if either the .B \-\-pkcs11\-id or @@ -4505,7 +4780,10 @@ exchanged over the TLS session. In method 1 (the default for OpenVPN 1.x), both sides generate random encrypt and HMAC-send keys which are forwarded to -the other host over the TLS channel. +the other host over the TLS channel. Method 1 is +.B deprecated in OpenVPN 2.4 +, and +.B will be removed in OpenVPN 2.5\fR. In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client @@ -4556,7 +4834,8 @@ your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care! The default for \-\-tls\-cipher is to use PolarSSL's default cipher list -when using PolarSSL or "DEFAULT:!EXP:!LOW:!MEDIUM:!PSK:!SRP:!kRSA" when using +when using PolarSSL or +"DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using OpenSSL. .\"********************************************************* .TP @@ -4657,8 +4936,8 @@ Exit on TLS negotiation failure. .\"********************************************************* .TP .B \-\-tls\-auth file [direction] -Add an additional layer of HMAC authentication on top of the TLS -control channel to protect against DoS attacks. +Add an additional layer of HMAC authentication on top of the TLS control channel +to mitigate DoS attacks and attacks on the TLS stack. In a nutshell, .B \-\-tls\-auth @@ -4668,27 +4947,11 @@ bearing an incorrect HMAC signature can be dropped immediately without response. .B file -(required) is a key file which can be in one of two formats: - -.B (1) -An OpenVPN static key file generated by +(required) is a file in OpenVPN static key format which can be generated by .B \-\-genkey -(required if -.B direction -parameter is used). -.B (2) DEPRECATED -A freeform passphrase file. In this case the HMAC key will -be derived by taking a secure hash of this file, similar to -the -.BR md5sum (1) -or -.BR sha1sum (1) -commands. This option is deprecated and will stop working in OpenVPN 2.4 and -newer releases. - -OpenVPN will first try format (1), and if the file fails to parse as -a static key file, format (2) will be used. +Older versions (up to 2.3) supported a freeform passphrase file. +This is no longer supported in newer versions (2.4+). See the .B \-\-secret @@ -4745,12 +5008,39 @@ option which will keep OpenVPN's replay protection state in a file so that it is not lost across restarts. It should be emphasized that this feature is optional and that the -passphrase/key file used with +key file used with .B \-\-tls\-auth gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data. .\"********************************************************* .TP +.B \-\-tls\-crypt keyfile + +Encrypt and authenticate all control channel packets with the key from +.B keyfile. +(See +.B \-\-tls\-auth +for more background.) + +Encrypting (and authenticating) control channel packets: +.RS +.IP \[bu] 2 +provides more privacy by hiding the certificate used for the TLS connection, +.IP \[bu] +makes it harder to identify OpenVPN traffic as such, +.IP \[bu] +provides "poor-man's" post-quantum security, against attackers who will never +know the pre-shared key (i.e. no forward secrecy). +.RE + +.IP +In contrast to +.B \-\-tls\-auth\fR, +.B \-\-tls\-crypt +does *not* require the user to set +.B \-\-key\-direction\fR. +.\"********************************************************* +.TP .B \-\-askpass [file] Get certificate password from console or .B file @@ -4837,7 +5127,7 @@ peer certificate you will accept. This feature allows you to write a script which will test the X509 name on a certificate and decide whether or not it should be accepted. For a simple perl script which will test the common name field on the certificate, see the file -.B verify-cn +.B verify\-cn in the OpenVPN distribution. See the "Environmental Variables" section below for @@ -4848,7 +5138,7 @@ additional parameters passed as environmental variables. Store the certificates the clients uses upon connection to this directory. This will be done before \-\-tls\-verify is called. The certificates will use a temporary name and will be deleted when -the tls-verify script returns. The file name used for the certificate +the tls\-verify script returns. The file name used for the certificate is available via the peer_cert environment variable. .\"********************************************************* .TP @@ -4892,49 +5182,6 @@ prefix will be left as-is. This automatic upcasing feature is deprecated and will be removed in a future release. .\"********************************************************* .TP -.B \-\-tls\-remote name (DEPRECATED) -Accept connections only from a host with X509 name -or common name equal to -.B name. -The remote host must also pass all other tests -of verification. - -.B NOTE: -Because tls-remote may test against a common name prefix, -only use this option when you are using OpenVPN with a custom CA -certificate that is under your control. -Never use this option when your client certificates are signed by -a third party, such as a commercial web CA. - -Name can also be a common name prefix, for example if you -want a client to only accept connections to "Server-1", -"Server-2", etc., you can simply use -.B \-\-tls\-remote Server - -Using a common name prefix is a useful alternative to managing -a CRL (Certificate Revocation List) on the client, since it allows the client -to refuse all certificates except for those associated -with designated servers. - -.B \-\-tls\-remote -is a useful replacement for the -.B \-\-tls\-verify -option to verify the remote host, because -.B \-\-tls\-remote -works in a -.B \-\-chroot -environment too. - -.B Please also note: -This option is now deprecated. It will be removed either in OpenVPN v2.4 -or v2.5. So please make sure you support the new X.509 name formatting -described with the -.B \-\-compat\-names -option as soon as possible by updating your configurations to use -.B \-\-verify\-x509\-name -instead. -.\"********************************************************* -.TP .B \-\-verify\-x509\-name name type Accept connections only if a host's X.509 name is equal to .B name. @@ -4951,11 +5198,11 @@ Which RDN is verified as name depends on the option. But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by: -.B \-\-verify\-x509\-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' +.B \-\-verify\-x509\-name 'C=KG, ST=NA, L=Bishkek, CN=Server\-1' and -.B \-\-verify\-x509\-name Server-1 name +.B \-\-verify\-x509\-name Server\-1 name or you could use -.B \-\-verify\-x509\-name Server- name-prefix +.B \-\-verify\-x509\-name Server -name-prefix if you want a client to only accept connections to "Server-1", "Server-2", etc. .B \-\-verify\-x509\-name @@ -4989,7 +5236,6 @@ to save values from full cert chain. Values will be encoded as X509__=. Multiple .B \-\-x509\-track options can be defined to track multiple attributes. -Not available with PolarSSL. .\"********************************************************* .TP .B \-\-ns\-cert\-type client|server @@ -5000,7 +5246,7 @@ designation of "client" or "server". This is a useful security option for clients, to ensure that the host they connect with is a designated server. -See the easy-rsa/build-key-server script for an example +See the easy\-rsa/build\-key\-server script for an example of how to generate a certificate with the .B nsCertType field set to "server". @@ -5143,6 +5389,13 @@ an ECDSA cipher suite will not work if you are using an RSA certificate, etc.). Show currently available hardware-based crypto acceleration engines supported by the OpenSSL library. .\"********************************************************* +.TP +.B \-\-show\-curves +(Standalone) +Show all available elliptic curves to use with the +.B \-\-ecdh\-curve +option. +.\"********************************************************* .SS Generate a random key: Used only for non-TLS static key encryption mode. .\"********************************************************* @@ -5253,7 +5506,7 @@ IP address and netmask using Don't use this option unless you are also using .B \-\-ifconfig. -.B manual -- +.B manual \-\- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the @@ -5279,7 +5532,7 @@ virtual DHCP server address. In .B \-\-dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is -an integer which is > -256 and < 256 and which defaults to 0. +an integer which is > \-256 and < 256 and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP @@ -5298,13 +5551,13 @@ because it prevents routes involving the TAP-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year. -.B netsh -- +.B netsh \-\- Automatically set the IP address and netmask using the Windows command-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000. -.B ipapi -- +.B ipapi \-\- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated @@ -5313,7 +5566,7 @@ it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically." -.B adaptive -- +.B adaptive \-\- (Default) Try .B dynamic method initially and fail over to @@ -5370,28 +5623,28 @@ on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN. -.B DOMAIN name -- +.B DOMAIN name \-\- Set Connection-specific DNS Suffix. -.B DNS addr -- +.B DNS addr \-\- Set primary domain name server address. Repeat this option to set secondary DNS server addresses. -.B WINS addr -- +.B WINS addr \-\- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses. -.B NBDD addr -- +.B NBDD addr \-\- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) Repeat this option to set secondary NBDD server addresses. -.B NTP addr -- +.B NTP addr \-\- Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses. -.B NBT type -- +.B NBT type \-\- Set NetBIOS over TCP/IP Node type. Possible options: .B 1 = b-node (broadcasts), @@ -5498,7 +5751,7 @@ Windows explorer when OpenVPN is run on a configuration file using the right-click explorer menu. .\"********************************************************* .TP -.B \-\-service exit\-event [0|1] +.B \-\-service exit-event [0|1] Should be used when OpenVPN is being automatically executed by another program in such a context that no interaction with the user via display or keyboard @@ -5540,7 +5793,7 @@ option. On non-Windows systems, the command provides similar functionality. .\"********************************************************* .TP -.B \-\-allow\-nonadmin [TAP-adapter] +.B \-\-allow\-nonadmin [TAP\-adapter] (Standalone) Set .B TAP-adapter @@ -5584,12 +5837,21 @@ if certificates are stored as private objects. If p11-kit is present on the system, the .B provider argument is optional; if omitted the default -.B p11-kit-proxy.so +.B p11\-kit\-proxy.so module will be queried. .B \-\-verb option can be used BEFORE this option to produce debugging information. .\"********************************************************* +.SS Standalone Debug Options: +.\"********************************************************* +.TP +.B \-\-show\-gateway [v6target] +(Standalone) +Show current IPv4 and IPv6 default gateway and interface towards the +gateway (if the protocol in question is enabled). If an IPv6 address +is passed as argument, the IPv6 route for this host is reported. +.\"********************************************************* .SS IPv6 Related Options .\"********************************************************* The following options exist to support IPv6 tunneling in peer-to-peer @@ -5608,24 +5870,28 @@ if no gateway is specified. .TP .B \-\-route\-ipv6 ipv6addr/bits [gateway] [metric] setup IPv6 routing in the system to send the specified IPv6 network -into OpenVPN's ``tun'' device +into OpenVPN's ``tun''. The gateway parameter is only used for +IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote'' +field from +.B \-\-ifconfig\-ipv6 +is used. .TP .B \-\-server\-ipv6 ipv6addr/bits convenience-function to enable a number of IPv6 related options at once, namely -.B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool, \-\-tun\-ipv6 +.B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool and .B \-\-push tun\-ipv6 -Is only accepted if ``\-\-mode server'' or ``\-\-server'' is set. +Is only accepted if ``\-\-mode server'' or ``\-\-server'' is set. Pushing of the +.B \-\-tun\-ipv6 +directive is done for older clients which require an explicit +``\-\-tun\-ipv6'' in their configuration. .TP .B \-\-ifconfig\-ipv6\-pool ipv6addr/bits Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at .B ipv6addr -and increments by +1 for every new client (linear mode). The -.B /bits -setting controls the size of the pool. Due to implementation details, -the pool size must be between /64 and /112. +and matches the offset determined from the start of the IPv4 pool. .TP .B \-\-ifconfig\-ipv6\-push ipv6addr/bits ipv6remote for ccd/ per-client static IPv6 interface configuration, see @@ -6035,7 +6301,7 @@ Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B local_port -The local port number, specified by +The local port number or name, specified by .B \-\-port or .B \-\-lport. @@ -6047,7 +6313,7 @@ The password provided by a connecting client. Set prior to .B \-\-auth\-user\-pass\-verify script execution only when the -.B via-env +.B via\-env modifier is specified, and deleted from the environment after the script returns. .\"********************************************************* @@ -6150,10 +6416,10 @@ documentation for .B script_type Prior to execution of any script, this variable is set to the type of script being run. It can be one of the following: -.B up, down, ipchange, route-up, tls-verify, auth-user-pass-verify, -.B client-connect, client-disconnect, +.B up, down, ipchange, route\-up, tls\-verify, auth\-user\-pass\-verify, +.B client\-connect, client\-disconnect, or -.B learn-address. +.B learn\-address. Set prior to execution of any script. .\"********************************************************* .TP @@ -6163,15 +6429,15 @@ The reason for exit or restart. Can be one of (controlled by .B \-\-inactive option), -.B ping-exit +.B ping\-exit (controlled by .B \-\-ping\-exit option), -.B ping-restart +.B ping\-restart (controlled by .B \-\-ping\-restart option), -.B connection-reset +.B connection\-reset (triggered on TCP connection reset), .B error, or @@ -6203,9 +6469,8 @@ Set prior to execution of the script. .\"********************************************************* .TP -.B tls_digest_{n} -Contains the certificate SHA1 fingerprint/digest hash value, -where +.B tls_digest_{n} / tls_digest_sha256_{n} +Contains the certificate SHA1 / SHA256 fingerprint, where .B n is the verification level. Only set for TLS connections. Set prior to execution of @@ -6306,7 +6571,7 @@ The username provided by a connecting client. Set prior to .B \-\-auth\-user\-pass\-verify script execution only when the -.B via-env +.B via\-env modifier is specified. .\"********************************************************* .TP @@ -6324,7 +6589,7 @@ no string remapping occurs on these field values (except for remapping of control characters to "_"). For example, the following variables would be set on the OpenVPN server using the sample client certificate -in sample-keys (client.crt). +in sample\-keys (client.crt). Note that the verification level is 0 for the client certificate and 1 for the CA certificate. @@ -6347,7 +6612,8 @@ X509_1_C=KG .\"********************************************************* .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the -.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret +.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, +.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass and .B \-\-tls\-auth options. -- cgit v1.2.3