From 8e924e2c919e6fbeae0045b67ac54b9697306d7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Wed, 9 Feb 2022 16:35:02 +0100 Subject: New upstream version 2.5.5 --- doc/man-sections/client-options.rst | 69 ++++++++++++++ doc/man-sections/link-options.rst | 2 +- doc/man-sections/server-options.rst | 65 ------------- doc/man-sections/vpn-network-options.rst | 2 +- doc/man-sections/windows-options.rst | 2 +- doc/openvpn.8 | 156 ++++++++++++++++--------------- doc/openvpn.8.html | 128 +++++++++++++------------ 7 files changed, 219 insertions(+), 205 deletions(-) (limited to 'doc') diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index c5b7ad9..92a02e2 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst 
@@ -251,6 +251,75 @@ configuration. next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. +--push-peer-info + Push additional information about the client to server. The following + data is always pushed to the server: + + :code:`IV_VER=` + The client OpenVPN version + + :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]` + The client OS platform + + :code:`IV_LZO_STUB=1` + If client was built with LZO stub capability + + :code:`IV_LZ4=1` + If the client supports LZ4 compressions. + + :code:`IV_PROTO` + Details about protocol extensions that the peer supports. The + variable is a bitfield and the bits are defined as follows + (starting a bit 0 for the first (unused) bit: + + - bit 1: The peer supports peer-id floating mechanism + - bit 2: The client expects a push-reply and the server may + send this reply without waiting for a push-request first. + - bit 3: The client is capable of doing key derivation using + RFC5705 key material exporter. + - bit 4: The client is capable of accepting additional arguments + to the `AUTH_PENDING` message. + + :code:`IV_NCP=2` + Negotiable ciphers, client supports ``--cipher`` pushed by + the server, a value of 2 or greater indicates client supports + *AES-GCM-128* and *AES-GCM-256*. + + :code:`IV_CIPHERS=` + The client announces the list of supported ciphers configured with the + ``--data-ciphers`` option to the server. + + :code:`IV_GUI_VER= ` + The UI version of a UI if one is running, for example + :code:`de.blinkt.openvpn 0.5.47` for the Android app. + + :code:`IV_SSO=[crtext,][openurl,][proxy_url]` + Additional authentication methods supported by the client. + This may be set by the client UI/GUI using ``--setenv`` + + When ``--push-peer-info`` is enabled the additional information consists + of the following data: + + :code:`IV_HWADDR=` + This is intended to be a unique and persistent ID of the client. + The string value can be any readable ASCII string up to 64 bytes. 
+ OpenVPN 2.x and some other implementations use the MAC address of + the client's interface used to reach the default gateway. If this + string is generated by the client, it should be consistent and + preserved across independent session and preferably + re-installations and upgrades. + + :code:`IV_SSL=` + The ssl version used by the client, e.g. + :code:`OpenSSL 1.0.2f 28 Jan 2016`. + + :code:`IV_PLAT_VER=x.y` + The version of the operating system, e.g. 6.1 for Windows 7. + + :code:`UV_=` + Client environment variables whose names start with + :code:`UV_` + --remote args Remote host name or IP address, port and protocol. diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index c132a62..ff581cf 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -213,7 +213,7 @@ the local and the remote host. This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a - service such as http://dyndns.org/ + a dynamic DNS client such as + service such as https://www.nsupdate.info/ + a dynamic DNS client such as ``ddclient``. If the peer cannot be reached, a restart will be triggered, causing the diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ac0df55..55c2c30 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -449,71 +449,6 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf`` ---push-peer-info - Push additional information about the client to server. The following - data is always pushed to the server: - - :code:`IV_VER=` - The client OpenVPN version - - :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]` - The client OS platform - - :code:`IV_LZO_STUB=1` - If client was built with LZO stub capability - - :code:`IV_LZ4=1` - If the client supports LZ4 compressions. - - :code:`IV_PROTO` - Details about protocol extensions that the peer supports. The - variable is a bitfield and the bits are defined as follows - (starting a bit 0 for the first (unused) bit: - - - bit 1: The peer supports peer-id floating mechanism - - bit 2: The client expects a push-reply and the server may - send this reply without waiting for a push-request first. - - :code:`IV_NCP=2` - Negotiable ciphers, client supports ``--cipher`` pushed by - the server, a value of 2 or greater indicates client supports - *AES-GCM-128* and *AES-GCM-256*. - - :code:`IV_CIPHERS=` - The client announces the list of supported ciphers configured with the - ``--data-ciphers`` option to the server. - - :code:`IV_GUI_VER= ` - The UI version of a UI if one is running, for example - :code:`de.blinkt.openvpn 0.5.47` for the Android app. - - :code:`IV_SSO=[crtext,][openurl,][proxy_url]` - Additional authentication methods supported by the client. - This may be set by the client UI/GUI using ``--setenv`` - - When ``--push-peer-info`` is enabled the additional information consists - of the following data: - - :code:`IV_HWADDR=` - This is intended to be a unique and persistent ID of the client. - The string value can be any readable ASCII string up to 64 bytes. - OpenVPN 2.x and some other implementations use the MAC address of - the client's interface used to reach the default gateway. 
If this - string is generated by the client, it should be consistent and - preserved across independent session and preferably - re-installations and upgrades. - - :code:`IV_SSL=` - The ssl version used by the client, e.g. - :code:`OpenSSL 1.0.2f 28 Jan 2016`. - - :code:`IV_PLAT_VER=x.y` - The version of the operating system, e.g. 6.1 for Windows 7. - - :code:`UV_=` - Client environment variables whose names start with - :code:`UV_` - --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option list for a client. ``opt`` is matched as a substring against the whole diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 029834a..25a26b3 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -107,7 +107,7 @@ routing. ``OpenVPN for Android`` client also handles them internally. On all other platforms these options are only saved in the client's - environment under the name :code:`foreign_options_{n}` before the + environment under the name :code:`foreign_option_{n}` before the ``--up`` script is called. A plugin or an ``--up`` script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third-party user interfaces such as tunnelblick also diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index eacb9af..c389fbc 100644 --- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst 
@@ -93,7 +93,7 @@ Windows-Specific Options server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > :code:`-256` - and < :code:`256` and which defaults to -1. If offset is positive, + and < :code:`256` and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. diff --git a/doc/openvpn.8 b/doc/openvpn.8 index ceb6348..6eb6167 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -1282,6 +1282,84 @@ reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use \fBignore\fP\&. .TP +.B \-\-push\-peer\-info +Push additional information about the client to server. The following +data is always pushed to the server: +.INDENT 7.0 +.TP +.B \fBIV_VER=\fP +The client OpenVPN version +.TP +.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP +The client OS platform +.TP +.B \fBIV_LZO_STUB=1\fP +If client was built with LZO stub capability +.TP +.B \fBIV_LZ4=1\fP +If the client supports LZ4 compressions. +.TP +.B \fBIV_PROTO\fP +Details about protocol extensions that the peer supports. The +variable is a bitfield and the bits are defined as follows +(starting a bit 0 for the first (unused) bit: +.INDENT 7.0 +.IP \(bu 2 +bit 1: The peer supports peer\-id floating mechanism +.IP \(bu 2 +bit 2: The client expects a push\-reply and the server may +send this reply without waiting for a push\-request first. +.IP \(bu 2 +bit 3: The client is capable of doing key derivation using +RFC5705 key material exporter. +.IP \(bu 2 +bit 4: The client is capable of accepting additional arguments +to the \fIAUTH_PENDING\fP message. +.UNINDENT +.TP +.B \fBIV_NCP=2\fP +Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by +the server, a value of 2 or greater indicates client supports +\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. +.TP +.B \fBIV_CIPHERS=\fP +The client announces the list of supported ciphers configured with the +\fB\-\-data\-ciphers\fP option to the server. +.TP +.B \fBIV_GUI_VER= \fP +The UI version of a UI if one is running, for example +\fBde.blinkt.openvpn 0.5.47\fP for the Android app. +.TP +.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP +Additional authentication methods supported by the client. 
+This may be set by the client UI/GUI using \fB\-\-setenv\fP +.UNINDENT +.sp +When \fB\-\-push\-peer\-info\fP is enabled the additional information consists +of the following data: +.INDENT 7.0 +.TP +.B \fBIV_HWADDR=\fP +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client\(aqs interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re\-installations and upgrades. +.TP +.B \fBIV_SSL=\fP +The ssl version used by the client, e.g. +\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. +.TP +.B \fBIV_PLAT_VER=x.y\fP +The version of the operating system, e.g. 6.1 for Windows 7. +.TP +.B \fBUV_=\fP +Client environment variables whose names start with +\fBUV_\fP +.UNINDENT +.TP .BI \-\-remote \ args Remote host name or IP address, port and protocol. .sp 
@@ -2043,78 +2121,6 @@ This is a partial list of options which can currently be pushed: \fB\-\-echo\fP, \fB\-\-comp\-lzo\fP, \fB\-\-socket\-flags\fP, \fB\-\-sndbuf\fP, \fB\-\-rcvbuf\fP .TP -.B \-\-push\-peer\-info -Push additional information about the client to server. The following -data is always pushed to the server: -.INDENT 7.0 -.TP -.B \fBIV_VER=\fP -The client OpenVPN version -.TP -.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP -The client OS platform -.TP -.B \fBIV_LZO_STUB=1\fP -If client was built with LZO stub capability -.TP -.B \fBIV_LZ4=1\fP -If the client supports LZ4 compressions. -.TP -.B \fBIV_PROTO\fP -Details about protocol extensions that the peer supports. The -variable is a bitfield and the bits are defined as follows -(starting a bit 0 for the first (unused) bit: -.INDENT 7.0 -.IP \(bu 2 -bit 1: The peer supports peer\-id floating mechanism -.IP \(bu 2 -bit 2: The client expects a push\-reply and the server may -send this reply without waiting for a push\-request first. -.UNINDENT -.TP -.B \fBIV_NCP=2\fP -Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by -the server, a value of 2 or greater indicates client supports -\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. -.TP -.B \fBIV_CIPHERS=\fP -The client announces the list of supported ciphers configured with the -\fB\-\-data\-ciphers\fP option to the server. -.TP -.B \fBIV_GUI_VER= \fP -The UI version of a UI if one is running, for example -\fBde.blinkt.openvpn 0.5.47\fP for the Android app. -.TP -.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP -Additional authentication methods supported by the client. -This may be set by the client UI/GUI using \fB\-\-setenv\fP -.UNINDENT -.sp -When \fB\-\-push\-peer\-info\fP is enabled the additional information consists -of the following data: -.INDENT 7.0 -.TP -.B \fBIV_HWADDR=\fP -This is intended to be a unique and persistent ID of the client. -The string value can be any readable ASCII string up to 64 bytes. 
-OpenVPN 2.x and some other implementations use the MAC address of -the client\(aqs interface used to reach the default gateway. If this -string is generated by the client, it should be consistent and -preserved across independent session and preferably -re\-installations and upgrades. -.TP -.B \fBIV_SSL=\fP -The ssl version used by the client, e.g. -\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. -.TP -.B \fBIV_PLAT_VER=x.y\fP -The version of the operating system, e.g. 6.1 for Windows 7. -.TP -.B \fBUV_=\fP -Client environment variables whose names start with -\fBUV_\fP -.UNINDENT -.TP .BI \-\-push\-remove \ opt Selectively remove all \fB\-\-push\fP options matching "opt" from the option list for a client. \fBopt\fP is matched as a substring against the whole @@ -3988,7 +3994,7 @@ remote. .sp This option is useful in cases where the remote peer has a dynamic IP address and a low\-TTL DNS name is used to track the IP address using a -service such as \fI\%http://dyndns.org/\fP + a dynamic DNS client such as +service such as \fI\%https://www.nsupdate.info/\fP + a dynamic DNS client such as \fBddclient\fP\&. .sp If the peer cannot be reached, a restart will be triggered, causing the @@ -4333,7 +4339,7 @@ if dhcp is disabled or the \fBwintun\fP driver is in use. The \fBOpenVPN for Android\fP client also handles them internally. .sp On all other platforms these options are only saved in the client\(aqs -environment under the name \fBforeign_options_{n}\fP before the +environment under the name \fBforeign_option_{n}\fP before the \fB\-\-up\fP script is called. A plugin or an \fB\-\-up\fP script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third\-party user interfaces such as tunnelblick also 
@@ -6190,7 +6196,7 @@ server address. In \fB\-\-dev tun\fP mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. .sp The optional offset parameter is an integer which is > \fB\-256\fP -and < \fB256\fP and which defaults to \-1. If offset is positive, +and < \fB256\fP and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html index 1c0c65e..1dec6f7 100644 --- a/doc/openvpn.8.html +++ b/doc/openvpn.8.html @@ -1436,6 +1436,69 @@ reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use ignore.

+ +--push-peer-info + + 

Push additional information about the client to server. The following +data is always pushed to the server:

+
+
IV_VER=<version>
+
The client OpenVPN version
+
IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]
+
The client OS platform
+
IV_LZO_STUB=1
+
If client was built with LZO stub capability
+
IV_LZ4=1
+
If the client supports LZ4 compressions.
+
IV_PROTO
+

Details about protocol extensions that the peer supports. The +variable is a bitfield and the bits are defined as follows +(starting a bit 0 for the first (unused) bit:

+
    +
  • bit 1: The peer supports peer-id floating mechanism
  • +
  • bit 2: The client expects a push-reply and the server may +send this reply without waiting for a push-request first.
  • +
  • bit 3: The client is capable of doing key derivation using +RFC5705 key material exporter.
  • +
  • bit 4: The client is capable of accepting additional arguments +to the AUTH_PENDING message.
  • +
+
+
IV_NCP=2
+
Negotiable ciphers, client supports --cipher pushed by +the server, a value of 2 or greater indicates client supports +AES-GCM-128 and AES-GCM-256.
+
IV_CIPHERS=<ncp-ciphers>
+
The client announces the list of supported ciphers configured with the +--data-ciphers option to the server.
+
IV_GUI_VER=<gui_id> <version>
+
The UI version of a UI if one is running, for example +de.blinkt.openvpn 0.5.47 for the Android app.
+
IV_SSO=[crtext,][openurl,][proxy_url]
+
Additional authentication methods supported by the client. +This may be set by the client UI/GUI using --setenv
+
+

When --push-peer-info is enabled the additional information consists +of the following data:

+
+
IV_HWADDR=<string>
+
This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client's interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re-installations and upgrades.
+
IV_SSL=<version string>
+
The ssl version used by the client, e.g. +OpenSSL 1.0.2f 28 Jan 2016.
+
IV_PLAT_VER=x.y
+
The version of the operating system, e.g. 6.1 for Windows 7.
+
UV_<name>=<value>
+
Client environment variables whose names start with +UV_
+
+ --remote args

Remote host name or IP address, port and protocol.

@@ -2058,65 +2121,6 @@ server can be initiated.

--rcvbuf

---push-peer-info - - 

Push additional information about the client to server. The following -data is always pushed to the server:

-
-
IV_VER=<version>
-
The client OpenVPN version
-
IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]
-
The client OS platform
-
IV_LZO_STUB=1
-
If client was built with LZO stub capability
-
IV_LZ4=1
-
If the client supports LZ4 compressions.
-
IV_PROTO
-

Details about protocol extensions that the peer supports. The -variable is a bitfield and the bits are defined as follows -(starting a bit 0 for the first (unused) bit:

-
    -
  • bit 1: The peer supports peer-id floating mechanism
  • -
  • bit 2: The client expects a push-reply and the server may -send this reply without waiting for a push-request first.
  • -
-
-
IV_NCP=2
-
Negotiable ciphers, client supports --cipher pushed by -the server, a value of 2 or greater indicates client supports -AES-GCM-128 and AES-GCM-256.
-
IV_CIPHERS=<ncp-ciphers>
-
The client announces the list of supported ciphers configured with the ---data-ciphers option to the server.
-
IV_GUI_VER=<gui_id> <version>
-
The UI version of a UI if one is running, for example -de.blinkt.openvpn 0.5.47 for the Android app.
-
IV_SSO=[crtext,][openurl,][proxy_url]
-
Additional authentication methods supported by the client. -This may be set by the client UI/GUI using --setenv
-
-

When --push-peer-info is enabled the additional information consists -of the following data:

-
-
IV_HWADDR=<string>
-
This is intended to be a unique and persistent ID of the client. -The string value can be any readable ASCII string up to 64 bytes. -OpenVPN 2.x and some other implementations use the MAC address of -the client's interface used to reach the default gateway. If this -string is generated by the client, it should be consistent and -preserved across independent session and preferably -re-installations and upgrades.
-
IV_SSL=<version string>
-
The ssl version used by the client, e.g. -OpenSSL 1.0.2f 28 Jan 2016.
-
IV_PLAT_VER=x.y
-
The version of the operating system, e.g. 6.1 for Windows 7.
-
UV_<name>=<value>
-
Client environment variables whose names start with -UV_
-
- - --push-remove opt  

Selectively remove all --push options matching "opt" from the option @@ -3602,7 +3606,7 @@ data is exchanged.

remote.

This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a -service such as http://dyndns.org/ + a dynamic DNS client such as +service such as https://www.nsupdate.info/ + a dynamic DNS client such as ddclient.

If the peer cannot be reached, a restart will be triggered, causing the hostname used with --remote to be re-resolved (if --resolv-retry @@ -3888,7 +3892,7 @@ handled by the tap-windows6wintun driver is in use. The OpenVPN for Android client also handles them internally.

On all other platforms these options are only saved in the client's -environment under the name foreign_options_{n} before the +environment under the name foreign_option_{n} before the --up script is called. A plugin or an --up script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third-party user interfaces such as tunnelblick also @@ -5415,7 +5419,7 @@ the IP address 192.168.4.0 to use as the virtual DHCP server address. In --dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint.

The optional offset parameter is an integer which is > -256 -and < 256 and which defaults to -1. If offset is positive, +and < 256 and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset.
