From d53dba59e78da865c4fe820386ff2f4f76925f3b Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Wed, 7 Dec 2016 13:14:25 +0100 Subject: New upstream version 2.4~rc1 --- doc/Makefile.in | 2 +- doc/openvpn.8 | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 82 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/doc/Makefile.in b/doc/Makefile.in index 8e37bca..1282a54 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e997b09..e61b6bb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 @@ -34,7 +34,7 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "17 November 2008" +.TH openvpn 8 "25 August 2016" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon. @@ -2928,6 +2928,7 @@ This is a partial list of options which can currently be pushed: .B \-\-ip\-win32, \-\-dhcp\-option, .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, .B \-\-setenv, +.B \-\-auth\-token, .B \-\-persist\-key, \-\-persist\-tun, \-\-echo, .B \-\-comp\-lzo, .B \-\-socket\-flags, @@ -4147,9 +4148,9 @@ to disable encryption. As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by .B \-\-cipher\fR. See -.B \-\-ncp-ciphers +.B \-\-ncp\-ciphers and -.B \-\-ncp-disable +.B \-\-ncp\-disable for more on NCP. .\"********************************************************* @@ -4177,6 +4178,16 @@ If both peers support and do not disable NCP, the negotiated cipher will override the cipher specified by .B \-\-cipher\fR. +Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN +will inherit the cipher of the peer if that cipher is different from the local +.B \-\-cipher +setting, but the peer cipher is one of the ciphers specified in +.B \-\-ncp\-ciphers\fR. +E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a +NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers +AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or +"\-\-cipher AES-256-CBC" and both will work. + .\"********************************************************* .TP .B \-\-ncp\-disable @@ -5089,6 +5100,57 @@ This directive does not affect the username/password. It is always cached. .\"********************************************************* .TP +.B \-\-auth\-token token +This is not an option to be used directly in any configuration files, +but rather push this option from a +.B \-\-client\-connect +script or a +.B \-\-plugin +which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or +OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides +a possibility to replace the clients password with an authentication +token during the lifetime of the OpenVPN client. + +Whenever the connection is renegotiated and the +.B \-\-auth\-user\-pass\-verify +script or +.B \-\-plugin +making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is +triggered, it will pass over this token as the password +instead of the password the user provided. The authentication +token can only be reset by a full reconnect where the server +can push new options to the client. The password the user entered +is never preserved once an authentication token have been set. If +the OpenVPN server side rejects the authentication token, the +client will receive an AUTH_FAIL and disconnect. + +The purpose of this is to enable two factor authentication +methods, such as HOTP or TOTP, to be used without needing to +retrieve a new OTP code each time the connection is renegotiated. +Another use case is to cache authentication data on the client +without needing to have the users password cached in memory +during the life time of the session. + +To make use of this feature, the +.B \-\-client\-connect +script or +.B \-\-plugin +needs to put + +.nf +.ft 3 +.in +4 +push "auth\-token UNIQUE_TOKEN_VALUE" +.in -4 +.ft +.fi + +into the file/buffer for dynamic configuration data. This +will then make the OpenVPN server to push this value to the +client, which replaces the local password with the +UNIQUE_TOKEN_VALUE. +.\"********************************************************* +.TP .B \-\-tls\-verify cmd Run command .B cmd @@ -5627,9 +5689,20 @@ across the VPN. Set Connection-specific DNS Suffix. .B DNS addr \-\- -Set primary domain name server address. Repeat +Set primary domain name server IPv4 address. Repeat this option to set secondary DNS server addresses. +.B DNS6 addr \-\- +Set primary domain name server IPv6 address. Repeat +this option to set secondary DNS server IPv6 addresses. + +Note: currently this is handled using netsh (the +existing DHCP code can only do IPv4 DHCP, and that protocol only +permits IPv4 addresses anywhere). The option will be put into the +environment, so an +.B \-\-up +script could act upon it if needed. + .B WINS addr \-\- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses. @@ -5738,8 +5811,7 @@ above. .\"********************************************************* .TP .B \-\-register\-dns -Run net stop dnscache, net start dnscache, ipconfig /flushdns -and ipconfig /registerdns on connection initiation. +Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers. .\"********************************************************* @@ -6613,9 +6685,9 @@ X509_1_C=KG .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, -.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass +.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls-auth and -.B \-\-tls\-auth +.B \-\-tls\-crypt options. Each inline file started by the line -- cgit v1.2.3