From 4afa7ed562410a1170223a7bc06efb3708af6a36 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 4 Mar 2018 22:55:51 +0100 Subject: New upstream version 2.4.5 --- doc/Makefile.am | 2 +- doc/Makefile.in | 28 +++++++--- doc/management-notes.txt | 9 ++- doc/openvpn.8 | 141 +++++++++++++++++++++++++++++------------------ 4 files changed, 117 insertions(+), 63 deletions(-) (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index dedd1fa..f3a24a7 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. +# Copyright (C) 2002-2018 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # diff --git a/doc/Makefile.in b/doc/Makefile.in index d3269cd..4ac438e 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,12 +21,22 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2017 OpenVPN Technologies, Inc. +# Copyright (C) 2002-2018 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -91,8 +101,6 @@ build_triplet = @build@ host_triplet = @host@ @WIN32_TRUE@am__append_1 = openvpn.8 subdir = doc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -103,6 +111,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h @@ -162,6 +172,7 @@ MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README.plugins openvpn.8 DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -210,6 +221,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ @@ -330,6 +342,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -366,7 +379,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign doc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -637,6 +649,8 @@ uninstall-man: uninstall-man8 ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-man uninstall-man8 uninstall-nodist_htmlDATA +.PRECIOUS: Makefile + @WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8 @WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 29c3aad..908b981 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -317,6 +317,11 @@ COMMAND -- password and username >PASSWORD:Verification Failed: 'custom server-generated string' + Example 6: If server pushes --auth-token to the client, the OpenVPN + will produce a real-time PASSWORD message: + + >PASSWORD:Auth-Token:foobar + COMMAND -- forget-passwords --------------------------- @@ -357,6 +362,8 @@ ADD_ROUTES -- Adding routes to system. CONNECTED -- Initialization Sequence Completed. RECONNECTING -- A restart has occurred. EXITING -- A graceful exit is in progress. +RESOLVE -- (Client only) DNS lookup +TCP_CONNECT -- (Client only) Connecting to TCP server Command examples: @@ -420,7 +427,7 @@ info on verbosity levels. Command examples: verb 4 -- change the verb parameter to 4 - mute -- show the current verb setting + verb -- show the current verb setting COMMAND -- version ------------------ diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 0b3e1ad..f8627ab 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc. +.\" Copyright (C) 2002-2018 OpenVPN Inc .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 
@@ -33,7 +33,15 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "25 August 2016" +.\" Support macros - this is not present on all platforms +.\" Continuation line for .TP header. +.de TQ +. br +. ns +. TP \\$1\" no doublequotes around argument! +.. +.\" End of TQ macro +.TH openvpn 8 "28 February 2018" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon. @@ -1621,7 +1629,7 @@ and .B \-\-ping\-restart. This option can be used on both client and server side, but it is -in enough to add this on the server side as it will push appropriate +enough to add this on the server side as it will push appropriate .B \-\-ping and .B \-\-ping\-restart 
@@ -2547,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable compression for a period of time until the next re\-sample test. .\"********************************************************* .TP +.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended) +.TQ .B \-\-management IP port [pw\-file] -Enable a TCP server on -.B IP:port -to handle daemon management functions. -.B pw\-file, -if specified, -is a password file (password on first line) -or "stdin" to prompt from standard input. The password -provided will set the password which TCP clients will need -to provide in order to access management functions. - -The management interface can also listen on a unix domain socket, -for those platforms that support it. To use a unix domain socket, specify -the unix socket pathname in place of -.B IP -and set -.B port -to 'unix'. While the default behavior is to create a unix domain socket -that may be connected to by any process, the +Enable a management server on a +.B socket\-name +Unix socket on those platforms supporting it, or on +a designated TCP port. + +.B pw\-file +, if specified, is a password file where the password must be on first line. +Instead of a filename it can use the keyword stdin which will prompt the user +for a password to use when OpenVPN is starting. + +For unix sockets, the default behaviour is to create a unix domain socket +that may be connected to by any process. Use the .B \-\-management\-client\-user and .B \-\-management\-client\-group -directives can be used to restrict access. - -The management interface provides a special mode where the TCP -management link can operate over the tunnel itself. To enable this mode, -set -.B IP -= "tunnel". Tunnel mode will cause the management interface -to listen for a TCP connection on the local VPN address of the -TUN/TAP interface. +directives to restrict access. 
+ +The management interface provides a special mode where the TCP management link +can operate over the tunnel itself. To enable this mode, set IP to +.B tunnel. +Tunnel mode will cause the management interface to listen for a +TCP connection on the local VPN address of the TUN/TAP interface. + +.B BEWARE +of enabling the management interface over TCP. In these cases you should +.I ALWAYS +make use of +.B pw\-file +to password protect the management interface. Any user who can connect to this +TCP +.B IP:port +will be able to manage and control (and interfere with) the OpenVPN process. +It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict +accessibility of the management server to local clients. -While the management port is designed for programmatic control -of OpenVPN by other applications, it is possible to telnet -to the port, using a telnet client in "raw" mode. Once connected, -type "help" for a list of commands. +While the management port is designed for programmatic control of OpenVPN by +other applications, it is possible to telnet to the port, using a telnet client +in "raw" mode. Once connected, type "help" for a list of commands. -For detailed documentation on the management interface, see -the management\-notes.txt file in the -.B management -folder of -the OpenVPN source distribution. +For detailed documentation on the management interface, see the +.I management\-notes.txt +file in the management folder of the OpenVPN source distribution. -It is strongly recommended that -.B IP -be set to 127.0.0.1 -(localhost) to restrict accessibility of the management -server to local clients. .TP .B \-\-management\-client Management interface will connect as a TCP/unix domain client to 
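Review bot: The new BEWARE paragraph in the --management text tells readers to set pw-file for TCP listeners but never says that the password is no defence on an untrusted network path. The same section notes that a plain telnet client can drive the port, so the password and every command presumably cross the link unencrypted. I would add one sentence after "local clients.", for example `The management connection is not encrypted, so a password does not protect a listener that is reachable over an untrusted network.`, once that is confirmed against the implementation. On markup, `.B pw\-file` followed by a line starting `, if specified` renders a space before the comma, and `.B tunnel.` sets the full stop in bold; `.BR pw\-file ,` and `.BR tunnel .` avoid both. This hunk starts on the previous collapsed line of the page.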
@@ -4918,6 +4924,37 @@ when using mbed TLS or OpenSSL. .\"********************************************************* .TP +.B \-\-tls\-cert\-profile profile +Set the allowed cryptographic algorithms for certificates according to +.B profile\fN. + +The following profiles are supported: + +.B legacy +(default): SHA1 and newer, RSA 2048-bit+, any elliptic curve. + +.B preferred +: SHA2 and newer, RSA 2048-bit+, any elliptic curve. + +.B suiteb +: SHA256/SHA384, ECDSA with P-256 or P-384. + +This option is only fully supported for mbed TLS builds. OpenSSL builds use +the following approximation: + +.B legacy +(default): sets "security level 1" + +.B preferred +: sets "security level 2" + +.B suiteb +: sets "security level 3" and \-\-tls\-cipher "SUITEB128". + +OpenVPN will migrate to 'preferred' as default in the future. Please ensure +that your keys already comply. +.\"********************************************************* +.TP .B \-\-tls\-timeout n Packet retransmit timeout on TLS control channel if no acknowledgment from remote within @@ -5806,17 +5843,13 @@ across the VPN. Set Connection\-specific DNS Suffix. .B DNS addr \-\- -Set primary domain name server IPv4 address. Repeat +Set primary domain name server IPv4 or IPv6 address. Repeat this option to set secondary DNS server addresses. -.B DNS6 addr \-\- -Set primary domain name server IPv6 address. Repeat -this option to set secondary DNS server IPv6 addresses. - -Note: currently this is handled using netsh (the -existing DHCP code can only do IPv4 DHCP, and that protocol only -permits IPv4 addresses anywhere). The option will be put into the -environment, so an +Note: DNS IPv6 servers are currently set using netsh (the existing +DHCP code can only do IPv4 DHCP, and that protocol only permits IPv4 +addresses anywhere). The option will be put into the environment, so +an .B \-\-up script could act upon it if needed. 
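Review bot: In the --tls-cert-profile text, the OpenSSL "approximation" is looser than the profile list above it, and the page does not say where. As I understand OpenSSL's security levels, level 1 admits RSA keys from 1024 bits, while `legacy` is described as "RSA 2048-bit+", so an OpenSSL build on the default profile may accept certificates that a reader of this list would expect to be refused. I would add a line under the OpenSSL list such as `Security level 1 accepts RSA keys of 1024 bits and up.`, and advise operators who need the stated floor to set `--tls-cert-profile preferred` explicitly rather than wait for the default to change. Separately, `.B profile\fN.` uses `\fN`, which is not one of the usual font escapes; `\fR` was probably intended. The DNS/DNS6 hunk that follows on this line is not covered by this note.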
@@ -7238,7 +7271,7 @@ For more information on the LZO real\-time compression library see .I http://www.oberhumer.com/opensource/lzo/ .\"********************************************************* .SH COPYRIGHT -Copyright (C) 2002\-2017 OpenVPN Technologies, Inc. This program is free software; +Copyright (C) 2002\-2018 OpenVPN Inc This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. -- cgit v1.2.3