~ubuntu-branches/ubuntu/oneiric/openvpn/oneiric : revision 27

1

Index: openvpn-2.1_rc9/openvpn.8

1

Index: openvpn-2.1_rc10/openvpn.8

2

===================================================================

3

--- openvpn-2.1_rc9.orig/openvpn.8 2008-07-26 08:54:34.000000000 +0200

4

+++ openvpn-2.1_rc9/openvpn.8 2008-08-01 22:21:58.539646368 +0200

5

@@ -360,25 +360,25 @@

3

--- openvpn-2.1_rc10.orig/openvpn.8 2008-09-04 21:58:34.000000000 +0200

4

+++ openvpn-2.1_rc10/openvpn.8 2008-09-11 17:22:58.341107821 +0200

5

@@ -361,25 +361,25 @@

6

.SH OPTIONS

7

OpenVPN allows any option to be placed either on the command line

8

or in a configuration file. Though all command line options are preceded

34

can be removed, and the command can be given as

35

.B openvpn file

36

37

@@ -455,25 +455,25 @@

37

@@ -456,25 +456,25 @@

38

.\"*********************************************************

39

.SS Tunnel Options:

40

.TP

65

options for this purpose is a special case of the more

66

general connection-profile feature. See the

67

.B <connection>

68

@@ -482,7 +482,7 @@

68

@@ -483,7 +483,7 @@

69

The OpenVPN client will try to connect to a server at

70

.B host:port

71

in the order specified by the list of

74

options.

75

76

.B proto

77

@@ -497,18 +497,18 @@

77

@@ -498,18 +498,18 @@

78

79

Note that since UDP is connectionless, connection failure

80

is defined by the

98

AND the client is running a non-Windows OS, if the client needs

99

to switch to a different server, and that server pushes

100

back different TUN/TAP or route settings, the client may lack

101

@@ -516,7 +516,7 @@

101

@@ -517,7 +517,7 @@

102

This could cause the client to exit with a fatal error.

103

104

If

107

is unspecified, OpenVPN will listen

108

for packets from any IP address, but will not act on those packets unless

109

they pass all authentication tests. This requirement for authentication

110

@@ -525,7 +525,7 @@

110

@@ -526,7 +526,7 @@

111

a UDP packet).

112

113

When used in TCP mode,

116

will act as a filter, rejecting connections from any host which does

117

not match

118

.B host.

119

@@ -551,7 +551,7 @@

119

@@ -552,7 +552,7 @@

120

An OpenVPN client will try each connection profile sequentially

121

until it achieves a successful connection.

122

125

can be used to initially "scramble" the connection

126

list.

127

128

@@ -651,15 +651,15 @@

128

@@ -652,15 +652,15 @@

129

130

.\"*********************************************************

131

.TP

144

Use protocol

145

.B p

146

for communicating with remote host.

147

@@ -673,17 +673,17 @@

147

@@ -674,17 +674,17 @@

148

The default protocol is

149

.B udp

150

when

166

A peer started with

167

.B tcp-server

168

will wait indefinitely for an incoming connection. A peer

169

@@ -691,9 +691,9 @@

169

@@ -692,9 +692,9 @@

170

.B tcp-client

171

will attempt to connect, and if that fails, will sleep for 5

172

seconds (adjustable via the

178

option). Both TCP client and server will simulate

179

a SIGUSR1 restart signal if either side resets the connection.

180

181

@@ -713,9 +713,9 @@

181

@@ -714,9 +714,9 @@

182

possess a built-in reliability layer.

183

.\"*********************************************************

184

.TP

190

take

191

.B n

192

as the

193

@@ -723,16 +723,16 @@

193

@@ -724,16 +724,16 @@

194

between connection retries (default=5).

195

.\"*********************************************************

196

.TP

210

Try to sense HTTP or SOCKS proxy settings automatically.

211

If no settings are present, a direct connection will be attempted.

212

If both HTTP and SOCKS settings are present, HTTP will be preferred.

213

@@ -744,7 +744,7 @@

213

@@ -745,7 +745,7 @@

214

This option exists in OpenVPN 2.1 or higher.

215

.\"*********************************************************

216

.TP

219

Connect to remote host through an HTTP proxy at address

220

.B server

221

and port

222

@@ -766,32 +766,32 @@

222

@@ -767,32 +767,32 @@

223

exists on OpenVPN 2.1 or higher.

224

.\"*********************************************************

225

.TP

258

Connect to remote host through a Socks5 proxy at address

259

.B server

260

and port

261

@@ -799,14 +799,14 @@

261

@@ -800,14 +800,14 @@

262

(default=1080).

263

.\"*********************************************************

264

.TP

276

retry resolve for

277

.B n

278

seconds before failing.

279

@@ -816,18 +816,18 @@

279

@@ -817,18 +817,18 @@

280

to "infinite" to retry indefinitely.

281

282

By default,

300

allows an OpenVPN session to initially connect to a peer

301

at a known address, however if packets arrive from a new

302

address and pass all authentication tests, the new address

303

@@ -836,14 +836,14 @@

303

@@ -837,14 +837,14 @@

304

such as a dial-in user or DHCP client.

305

306

Essentially,

318

Execute shell command

319

.B cmd

320

when our remote ip-address is initially authenticated or

321

@@ -854,11 +854,11 @@

321

@@ -855,11 +855,11 @@

322

.B cmd ip_address port_number

323

324

Don't use

333

script instead.

334

335

See the "Environmental Variables" section below for

336

@@ -893,41 +893,41 @@

336

@@ -894,41 +894,41 @@

337

peer on its new IP address.

338

.\"*********************************************************

339

.TP

385

TUN/TAP virtual network device (

386

.B X

387

can be omitted for a dynamic device.)

388

@@ -945,7 +945,7 @@

388

@@ -946,7 +946,7 @@

389

devices encapsulate Ethernet 802.3.

390

.\"*********************************************************

391

.TP

394

Which device type are we using?

395

.B device-type

396

should be

397

@@ -953,60 +953,60 @@

397

@@ -954,60 +954,60 @@

398

or

399

.B tap.

400

Use this option only if the TUN/TAP device used with

468

directive code. When used on Windows, requires version 8.2 or higher

469

of the TAP-Win32 driver. When used on *nix, requires that the tun

470

driver supports an

471

@@ -1016,26 +1016,26 @@

471

@@ -1017,26 +1017,26 @@

472

This option exists in OpenVPN 2.1 or higher.

473

.\"*********************************************************

474

.TP

501

502

On Windows systems, select the TAP-Win32 adapter which

503

is named

504

@@ -1043,24 +1043,24 @@

504

@@ -1044,24 +1044,24 @@

505

in the Network Connections Control Panel or the

506

raw GUID of the adapter enclosed by braces.

507

The

530

Set TUN/TAP adapter parameters.

531

.B l

532

is the IP address of the local VPN endpoint.

533

@@ -1075,7 +1075,7 @@

533

@@ -1076,7 +1076,7 @@

534

For TUN devices, which facilitate virtual

535

point-to-point IP connections,

536

the proper usage of

539

is to use two private IP addresses

540

which are not a member of any

541

existing subnet which is in use.

542

@@ -1089,7 +1089,7 @@

542

@@ -1090,7 +1090,7 @@

543

For TAP devices, which provide

544

the ability to create virtual

545

ethernet segments,

548

is used to set an IP address and

549

subnet mask just as a physical

550

ethernet adapter would be

551

@@ -1110,42 +1110,42 @@

551

@@ -1111,42 +1111,42 @@

552

ifconfig implementations on different

553

platforms.

554

600

on the local host.

601

602

This option will also silence warnings about potential

603

@@ -1153,7 +1153,7 @@

603

@@ -1154,7 +1154,7 @@

604

users by triggering "false positive" warnings.

605

.\"*********************************************************

606

.TP

609

Add route to routing table after connection is established.

610

Multiple routes can be specified. Routes will be

611

automatically torn down in reverse order prior to

612

@@ -1167,20 +1167,20 @@

612

@@ -1168,20 +1168,20 @@

613

across OpenVPN's platform space.

614

615

.B netmask

637

otherwise 0.

638

639

The default can be specified by leaving an option blank or setting

640

@@ -1195,39 +1195,39 @@

641

file resolvable name, or as one of three special keywords:

642

640

@@ -1198,11 +1198,11 @@

643

641

.B vpn_gateway

644

--- The remote VPN endpoint address

645

+\-\- The remote VPN endpoint address

642

-- The remote VPN endpoint address

646

643

(derived either from

647

644

-.B --route-gateway

648

645

+.B \-\-route-gateway

655

652

is specified).

656

653

657

654

.B net_gateway

658

--- The pre-existing IP default gateway, read from the routing

659

+\-\- The pre-existing IP default gateway, read from the routing

660

table (not supported on all OSes).

655

@@ -1211,15 +1211,15 @@

661

656

662

657

.B remote_host

663

--- The

658

-- The

664

659

-.B --remote

665

+\-\- The

666

660

+.B \-\-remote

667

661

address if OpenVPN is being run in client mode, and is undefined in server mode.

668

662

.\"*********************************************************

669

663

.TP

670

-.B --route-gateway gw

671

+.B \-\-route-gateway gw

664

-.B --route-gateway gw|'dhcp'

665

+.B \-\-route-gateway gw|'dhcp'

672

666

Specify a default gateway

673

667

.B gw

674

668

for use with

675

669

-.B --route.

676

670

+.B \-\-route.

671

672

If

673

.B dhcp

674

@@ -1228,14 +1228,14 @@

675

negotiation with the OpenVPN server-side LAN.

676

.\"*********************************************************

677

.TP

678

-.B --route-metric m

679

+.B \-\-route-metric m

689

Delay

690

.B n

691

seconds (default=0) after connection

692

@@ -1235,16 +1235,16 @@

692

@@ -1243,16 +1243,16 @@

693

.B n

694

is 0, routes will be added immediately upon connection

695

establishment. If

711

execution.)

712

713

This option is designed to be useful in scenarios where DHCP is

714

@@ -1253,18 +1253,18 @@

714

@@ -1261,18 +1261,18 @@

715

time to complete before routes are added.

716

717

On Windows,

733

734

See the "Environmental Variables" section below for

735

additional parameters passed as environmental variables.

736

@@ -1274,17 +1274,17 @@

736

@@ -1282,17 +1282,17 @@

737

can be a shell command with multiple arguments.

738

.\"*********************************************************

739

.TP

756

accept options pushed by server EXCEPT for routes.

757

758

When used on the client, this option effectively bars the

759

@@ -1293,7 +1293,7 @@

759

@@ -1301,16 +1301,16 @@

760

to set the TCP/IP properties of the client's TUN/TAP interface.

761

.\"*********************************************************

762

.TP

763

-.B --allow-pull-fqdn

764

+.B \-\-allow-pull-fqdn

765

Allow client to pull DNS names from server (rather than being limited

766

to IP address) for

767

-.B --ifconfig,

768

-.B --route,

769

+.B \-\-ifconfig,

770

+.B \-\-route,

771

and

772

-.B --route-gateway.

773

+.B \-\-route-gateway.

774

.\"*********************************************************

775

.TP

763

776

-.B --redirect-gateway flags...

764

777

+.B \-\-redirect-gateway flags...

765

778

(Experimental) Automatically execute routing commands to cause all outgoing IP traffic

766

779

to be redirected over the VPN.

767

780

768

@@ -1301,7 +1301,7 @@

781

@@ -1318,7 +1318,7 @@

769

782

770

783

.B (1)

771

784

Create a static route for the

774

787

address which forwards to the pre-existing default gateway.

775

788

This is done so that

776

789

.B (3)

777

@@ -1312,11 +1312,11 @@

790

@@ -1329,11 +1329,11 @@

778

791

779

792

.B (3)

780

793

Set the new default gateway to be the VPN endpoint address (derived either from

789

802

is specified).

790

803

791

804

When the tunnel is torn down, all of the above steps are reversed so

792

@@ -1324,7 +1324,7 @@

805

@@ -1341,7 +1341,7 @@

793

806

794

807

Option flags:

795

808

798

811

Add the

799

812

.B local

800

813

flag if both OpenVPN servers are directly connected via a common subnet,

801

@@ -1334,19 +1334,19 @@

814

@@ -1351,19 +1351,19 @@

802

815

.B 1

803

816

above to be omitted.

804

817

821

834

Add a direct route to the DNS server(s) (if they are non-local) which

822

835

bypasses the tunnel

823

836

(Available on Windows clients, may not be available

824

@@ -1355,13 +1355,13 @@

837

@@ -1372,13 +1372,13 @@

825

838

Using the def1 flag is highly recommended.

826

839

.\"*********************************************************

827

840

.TP

837

850

Take the TUN device MTU to be

838

851

.B n

839

852

and derive the link MTU

840

@@ -1377,17 +1377,17 @@

853

@@ -1394,17 +1394,17 @@

841

854

hang during periods of active usage.

842

855

843

856

It's best to use the

859

872

size on read. This parameter defaults to 0, which is sufficient for

860

873

most TUN devices. TAP devices may introduce additional overhead in excess

861

874

of the MTU size, and a setting of 32 is the default when TAP devices are used.

862

@@ -1395,34 +1395,34 @@

875

@@ -1412,34 +1412,34 @@

863

876

so there is no transmission overhead associated with using a larger value.

864

877

.\"*********************************************************

865

878

.TP

902

915

Enable internal datagram fragmentation so

903

916

that no UDP datagrams are sent which

904

917

are larger than

905

@@ -1432,24 +1432,24 @@

918

@@ -1449,24 +1449,24 @@

906

919

The

907

920

.B max

908

921

parameter is interpreted in the same way as the

933

946

934

947

It should also be noted that this option is not meant to replace

935

948

UDP fragmentation at the IP stack level. It is only meant as a

936

@@ -1462,7 +1462,7 @@

949

@@ -1479,7 +1479,7 @@

937

950

as tunneling a UDP multicast stream which requires fragmentation.

938

951

.\"*********************************************************

939

952

.TP

942

955

Announce to TCP sessions running over the tunnel that they should limit

943

956

their send packet sizes such that after OpenVPN has encapsulated them,

944

957

the resulting UDP packet size that OpenVPN sends to its peer will not

945

@@ -1473,33 +1473,33 @@

958

@@ -1490,33 +1490,33 @@

946

959

The

947

960

.B max

948

961

parameter is interpreted in the same way as the

985

998

are designed to work around cases where Path MTU discovery

986

999

is broken on the network path between OpenVPN peers.

987

1000

988

@@ -1508,35 +1508,35 @@

1001

@@ -1525,35 +1525,35 @@

989

1002

during active usage.

990

1003

991

1004

If

1029

1042

Apply the given flags to the OpenVPN transport socket.

1030

1043

Currently, only

1031

1044

.B TCP_NODELAY

1032

@@ -1553,12 +1553,12 @@

1045

@@ -1570,12 +1570,12 @@

1033

1046

on both client and server for maximum effect.

1034

1047

.\"*********************************************************

1035

1048

.TP

1044

1057

Limit bandwidth of outgoing tunnel data to

1045

1058

.B n

1046

1059

bytes per second on the TCP/UDP port.

1047

@@ -1594,7 +1594,7 @@

1060

@@ -1611,7 +1611,7 @@

1048

1061

to be between 100 bytes/sec and 100 Mbytes/sec.

1049

1062

.\"*********************************************************

1050

1063

.TP

1053

1066

Causes OpenVPN to exit after

1054

1067

.B n

1055

1068

seconds of inactivity on the TUN/TAP device. The time length

1056

@@ -1608,18 +1608,18 @@

1069

@@ -1625,18 +1625,18 @@

1057

1070

.B bytes.

1058

1071

.\"*********************************************************

1059

1072

.TP

1076

1089

is specified), the ping packet

1077

1090

will be cryptographically secure.

1078

1091

1079

@@ -1632,33 +1632,33 @@

1092

@@ -1649,33 +1649,33 @@

1080

1093

1081

1094

(2) To provide a basis for the remote to test the existence

1082

1095

of its peer using the

1117

1130

but trigger a

1118

1131

.B SIGUSR1

1119

1132

restart after

1120

@@ -1677,13 +1677,13 @@

1133

@@ -1694,13 +1694,13 @@

1121

1134

1122

1135

If the peer cannot be reached, a restart will be triggered, causing

1123

1136

the hostname used with

1134

1147

or any other type of internally generated signal will always be

1135

1148

applied to

1136

1149

individual client instance objects, never to whole server itself.

1137

@@ -1692,14 +1692,14 @@

1150

@@ -1709,14 +1709,14 @@

1138

1151

of the client instance object instead.

1139

1152

1140

1153

In client mode, the

1152

1165

on the client.

1153

1166

1154

1167

See the signals section below for more information

1155

@@ -1709,27 +1709,27 @@

1168

@@ -1726,27 +1726,27 @@

1156

1169

Note that the behavior of

1157

1170

.B SIGUSR1

1158

1171

can be modified by the

1188

1201

expands as follows:

1189

1202

1190

1203

.RS

1191

@@ -1750,24 +1750,24 @@

1204

@@ -1767,24 +1767,24 @@

1192

1205

.fi

1193

1206

.\"*********************************************************

1194

1207

.TP

1219

1232

restarts.

1220

1233

1221

1234

.B SIGUSR1

1222

@@ -1777,14 +1777,14 @@

1235

@@ -1794,14 +1794,14 @@

1223

1236

reset options.

1224

1237

.\"*********************************************************

1225

1238

.TP

1237

1250

to allow restarts triggered by the

1238

1251

.B SIGUSR1

1239

1252

signal.

1240

@@ -1797,29 +1797,29 @@

1253

@@ -1814,29 +1814,29 @@

1241

1254

resets, so they don't need to be re-read.

1242

1255

.\"*********************************************************

1243

1256

.TP

1273

1286

option).

1274

1287

1275

1288

Using this option ensures that key material and tunnel

1276

@@ -1831,33 +1831,33 @@

1289

@@ -1848,33 +1848,33 @@

1277

1290

recover previously used

1278

1291

ephemeral keys, which are used for a period of time

1279

1292

governed by the

1313

1326

execute as:

1314

1327

1315

1328

.B cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ]

1316

@@ -1882,62 +1882,62 @@

1329

@@ -1899,62 +1899,62 @@

1317

1330

will be

1318

1331

.I init.

1319

1332

If the

1392

1405

to allow connection initiation to be sensed in the absence

1393

1406

of tunnel data, since UDP is a "connectionless" protocol.

1394

1407

1395

@@ -1946,50 +1946,50 @@

1408

@@ -1963,50 +1963,50 @@

1396

1409

i.e. the receipt of the first authenticated packet from the peer.

1397

1410

.\"*********************************************************

1398

1411

.TP

1458

1471

Set a custom environmental variable

1459

1472

.B OPENVPN_name=value

1460

1473

to pass to script.

1461

@@ -2000,7 +2000,7 @@

1474

@@ -2017,7 +2017,7 @@

1462

1475

from a malicious or compromised server.

1463

1476

.\"*********************************************************

1464

1477

.TP

1467

1480

This directive offers policy-level control over OpenVPN's usage of external programs

1468

1481

and scripts. Lower values are more restrictive, higher values are more permissive. Settings for

1469

1482

.B level:

1470

@@ -2018,19 +2018,19 @@

1483

@@ -2035,19 +2035,19 @@

1471

1484

Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

1472

1485

.\"*********************************************************

1473

1486

.TP

1491

1504

Change the user ID of the OpenVPN process to

1492

1505

.B user

1493

1506

after initialization, dropping privileges in the process.

1494

@@ -2052,7 +2052,7 @@

1507

@@ -2069,7 +2069,7 @@

1495

1508

signal

1496

1509

(for example in response

1497

1510

to a DHCP reset), you should make use of one or more of the

1500

1513

options to ensure that OpenVPN doesn't need to execute any privileged

1501

1514

operations in order to restart (such as re-reading key files

1502

1515

or running

1503

@@ -2060,16 +2060,16 @@

1516

@@ -2077,16 +2077,16 @@

1504

1517

on the TUN device).

1505

1518

.\"*********************************************************

1506

1519

.TP

1520

1533

Change directory to

1521

1534

.B dir

1522

1535

prior to reading any files such as

1523

@@ -2081,16 +2081,16 @@

1536

@@ -2098,16 +2098,16 @@

1524

1537

1525

1538

This option is useful when you are running

1526

1539

OpenVPN in

1540

1553

essentially redefines

1541

1554

.B dir

1542

1555

as being the top

1543

@@ -2109,7 +2109,7 @@

1556

@@ -2126,7 +2126,7 @@

1544

1557

are executed after the chroot operation.

1545

1558

.\"*********************************************************

1546

1559

.TP

1549

1562

Become a daemon after all initialization functions are completed.

1550

1563

This option will cause all message and error output to

1551

1564

be sent to the syslog file (such as /var/log/messages),

1552

@@ -2118,10 +2118,10 @@

1565

@@ -2135,10 +2135,10 @@

1553

1566

which will go to /dev/null unless otherwise redirected.

1554

1567

The syslog redirection occurs immediately at the point

1555

1568

that

1562

1575

options is present, it will supercede syslog

1563

1576

redirection.

1564

1577

1565

@@ -2137,7 +2137,7 @@

1578

@@ -2154,7 +2154,7 @@

1566

1579

defaults to "openvpn".

1567

1580

1568

1581

When OpenVPN is run with the

1571

1584

option, it will try to delay daemonization until the majority of initialization

1572

1585

functions which are capable of generating fatal errors are complete. This means

1573

1586

that initialization scripts can test the return status of the

1574

@@ -2147,20 +2147,20 @@

1587

@@ -2164,20 +2164,20 @@

1575

1588

In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.

1576

1589

.\"*********************************************************

1577

1590

.TP

1596

1609

Use this option when OpenVPN is being run from the inetd or

1597

1610

.BR xinetd(8)

1598

1611

server.

1599

@@ -2171,7 +2171,7 @@

1612

@@ -2188,7 +2188,7 @@

1600

1613

config file. The

1601

1614

.B nowait

1602

1615

mode can only be used with

1605

1618

The default is

1606

1619

.B wait.

1607

1620

The

1608

@@ -2183,16 +2183,16 @@

1621

@@ -2200,16 +2200,16 @@

1609

1622

.I http://openvpn.net/faq.html#oneport

1610

1623

1611

1624

This option precludes the use of

1626

1639

1627

1640

Also note that in

1628

1641

.B wait

1629

@@ -2202,7 +2202,7 @@

1642

@@ -2219,7 +2219,7 @@

1630

1643

.I http://openvpn.net/1xhowto.html

1631

1644

.\"*********************************************************

1632

1645

.TP

1635

1648

Output logging messages to

1636

1649

.B file,

1637

1650

including output to stdout/stderr which

1638

@@ -2213,44 +2213,44 @@

1651

@@ -2230,44 +2230,44 @@

1639

1652

This option takes effect

1640

1653

immediately when it is parsed in the command line

1641

1654

and will supercede syslog output if

1688

1701

Change process priority after initialization

1689

1702

(

1690

1703

.B n

1691

@@ -2259,14 +2259,14 @@

1704

@@ -2276,14 +2276,14 @@

1692

1705

less than zero is higher priority).

1693

1706

.\"*********************************************************

1694

1707

.\".TP

1706

1719

.\"specified).

1707

1720

.\"

1708

1721

.\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based

1709

@@ -2276,12 +2276,12 @@

1722

@@ -2293,12 +2293,12 @@

1710

1723

.\"The parameter

1711

1724

.\".B n

1712

1725

.\"is interpreted exactly as with the

1721

1734

(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding

1722

1735

a call to poll/epoll/select prior to the write operation. The purpose

1723

1736

of such a call would normally be to block until the device

1724

@@ -2292,13 +2292,13 @@

1737

@@ -2309,13 +2309,13 @@

1725

1738

by 5% to 10%.

1726

1739

1727

1740

This option can only be used on non-Windows systems, when

1738

1751

Echo

1739

1752

.B parms

1740

1753

to log output.

1741

@@ -2307,7 +2307,7 @@

1754

@@ -2324,7 +2324,7 @@

1742

1755

which is receiving the OpenVPN log output.

1743

1756

.\"*********************************************************

1744

1757

.TP

1747

1760

Control whether internally or externally

1748

1761

generated SIGUSR1 signals are remapped to

1749

1762

SIGHUP (restart without persisting state) or

1750

@@ -2318,20 +2318,20 @@

1763

@@ -2335,20 +2335,20 @@

1751

1764

occurs.

1752

1765

.\"*********************************************************

1753

1766

.TP

1772

1785

Output

1773

1786

.B R

1774

1787

and

1775

@@ -2339,12 +2339,12 @@

1788

@@ -2356,12 +2356,12 @@

1776

1789

characters to the console for each packet read and write, uppercase is

1777

1790

used for TCP/UDP packets and lowercase is used for TUN/TAP packets.

1778

1791

.br

1787

1800

Write operational status to

1788

1801

.B file

1789

1802

every

1790

@@ -2356,21 +2356,21 @@

1803

@@ -2373,21 +2373,21 @@

1791

1804

signal.

1792

1805

.\"*********************************************************

1793

1806

.TP

1813

1826

packet for incompressible data.

1814

1827

.B mode

1815

1828

may be "yes", "no", or "adaptive" (default).

1816

@@ -2380,16 +2380,16 @@

1829

@@ -2397,16 +2397,16 @@

1817

1830

1818

1831

First, make sure the client-side config file enables selective

1819

1832

compression by having at least one

1833

1846

file, specify the compression setting for the client,

1834

1847

for example:

1835

1848

1836

@@ -2410,12 +2410,12 @@

1849

@@ -2427,12 +2427,12 @@

1837

1850

side of the link, the second sets the client side.

1838

1851

.\"*********************************************************

1839

1852

.TP

1849

1862

1850

1863

Adaptive compression tries to optimize the case where you have

1851

1864

compression enabled, but you are sending predominantly uncompressible

1852

@@ -2427,7 +2427,7 @@

1865

@@ -2444,7 +2444,7 @@

1853

1866

compression for a period of time until the next re-sample test.

1854

1867

.\"*********************************************************

1855

1868

.TP

1858

1871

Enable a TCP server on

1859

1872

.B IP:port

1860

1873

to handle daemon management functions.

1861

@@ -2464,24 +2464,24 @@

1874

@@ -2481,24 +2481,24 @@

1862

1875

server to local clients.

1863

1876

.\"*********************************************************

1864

1877

.TP

1888

1901

Start OpenVPN in a hibernating state, until a client

1889

1902

of the management interface explicitly starts it

1890

1903

with the

1891

@@ -2489,33 +2489,33 @@

1904

@@ -2506,33 +2506,33 @@

1892

1905

command.

1893

1906

.\"*********************************************************

1894

1907

.TP

1927

1940

Load plug-in module from the file

1928

1941

.B module-pathname,

1929

1942

passing

1930

@@ -2551,7 +2551,7 @@

1943

@@ -2568,7 +2568,7 @@

1931

1944

.SS Server Mode

1932

1945

Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode

1933

1946

is supported, and can be enabled with the

1936

1949

option. In server mode, OpenVPN will listen on a single

1937

1950

port for incoming client connections. All client

1938

1951

connections will be routed through a single tun or tap

1939

@@ -2561,7 +2561,7 @@

1952

@@ -2578,7 +2578,7 @@

1940

1953

be used in this mode.

1941

1954

.\"*********************************************************

1942

1955

.TP

1945

1958

A helper directive designed to simplify the configuration

1946

1959

of OpenVPN's server mode. This directive will set up an

1947

1960

OpenVPN server which will allocate addresses to clients

1948

@@ -2571,7 +2571,7 @@

1961

@@ -2588,7 +2588,7 @@

1949

1962

TUN/TAP interface.

1950

1963

1951

1964

For example,

1954

1967

expands as follows:

1955

1968

1956

1969

.RS

1957

@@ -2601,16 +2601,16 @@

1970

@@ -2618,21 +2618,21 @@

1958

1971

.fi

1959

1972

1960

1973

Don't use

1966

1979

instead.

1967

1980

.\"*********************************************************

1968

1981

.TP

1969

-.B --server-bridge gateway netmask pool-start-IP pool-end-IP

1970

+.B \-\-server-bridge gateway netmask pool-start-IP pool-end-IP

1982

-.B --server-bridge [ gateway netmask pool-start-IP pool-end-IP ]

1983

+.B \-\-server-bridge [ gateway netmask pool-start-IP pool-end-IP ]

1971

1984

1972

1985

A helper directive similar to

1973

1986

-.B --server

1975

1988

which is designed to simplify the configuration

1976

1989

of OpenVPN's server mode in ethernet bridging configurations.

1977

1990

1978

@@ -2630,7 +2630,7 @@

1991

If

1992

-.B --server-bridge

1993

+.B \-\-server-bridge

1994

is used without any parameters, it will enable a DHCP-proxy

1995

mode, where connecting OpenVPN clients will receive an IP

1996

address for their TAP adapter from the DHCP server running

1997

@@ -2657,7 +2657,7 @@

1979

1998

and

1980

1999

.B netmask

1981

2000

parameters to

1984

2003

can be set to either the IP/netmask of the

1985

2004

bridge interface, or the IP/netmask of the

1986

2005

default gateway/router on the bridged

1987

@@ -2664,13 +2664,13 @@

2006

@@ -2691,7 +2691,7 @@

2007

.fi

2008

2009

In another example,

2010

-.B --server-bridge

2011

+.B \-\-server-bridge

2012

(without parameters) expands as follows:

2013

2014

.RS

2015

@@ -2708,13 +2708,13 @@

1988

2016

.fi

1989

2017

.\"*********************************************************

1990

2018

.TP

2000

2028

in its config file. The set of options which can be

2001

2029

pushed is limited by both feasibility and security.

2002

2030

Some options such as those which would execute scripts

2003

@@ -2681,44 +2681,44 @@

2031

@@ -2725,44 +2725,44 @@

2004

2032

them before the connection to the server can be initiated.

2005

2033

2006

2034

This is a partial list of options which can currently be pushed:

2061

2089

Set aside a pool of subnets to be

2062

2090

dynamically allocated to connecting clients, similar

2063

2091

to a DHCP server. For tun-style

2064

@@ -2731,7 +2731,7 @@

2092

@@ -2775,7 +2775,7 @@

2065

2093

2066

2094

.\"*********************************************************

2067

2095

.TP

2070

2098

Persist/unpersist ifconfig-pool

2071

2099

data to

2072

2100

.B file,

2073

@@ -2746,7 +2746,7 @@

2101

@@ -2790,7 +2790,7 @@

2074

2102

Maintaining a long-term

2075

2103

association is good for clients because it allows them

2076

2104

to effectively use the

2079

2107

option.

2080

2108

2081

2109

.B file

2082

@@ -2767,32 +2767,32 @@

2110

@@ -2811,32 +2811,32 @@

2083

2111

a common name and IP address. They do not guarantee that the given common

2084

2112

name will always receive the given IP address. If you want guaranteed

2085

2113

assignment, use

2119

2147

directive which you want to execute on the client machine to

2120

2148

configure the remote end of the tunnel. Note that the parameters

2121

2149

.B local

2122

@@ -2805,13 +2805,13 @@

2150

@@ -2849,13 +2849,13 @@

2123

2151

This option must be associated with a specific client instance,

2124

2152

which means that it must be specified either in a client

2125

2153

instance config file using

2136

2164

directive in the main OpenVPN config file which encloses

2137

2165

.B local,

2138

2166

so that the kernel will know to route it

2139

@@ -2821,23 +2821,23 @@

2167

@@ -2865,23 +2865,23 @@

2140

2168

follows:

2141

2169

2142

2170

.B 1

2167

2195

Generate an internal route to a specific

2168

2196

client. The

2169

2197

.B netmask

2170

@@ -2848,36 +2848,36 @@

2198

@@ -2892,36 +2892,36 @@

2171

2199

of where the client is connecting from. Remember

2172

2200

that you must also add the route to the system

2173

2201

routing table as well (such as by using the

2214

2242

to effect this. In order for all clients to see

2215

2243

A's subnet, OpenVPN must push this route to all clients

2216

2244

EXCEPT for A, since the subnet is already owned by A.

2217

@@ -2886,11 +2886,11 @@

2245

@@ -2930,11 +2930,11 @@

2218

2246

if it matches one of the client's iroutes.

2219

2247

.\"*********************************************************

2220

2248

.TP

2228

2256

flag tells OpenVPN to internally route client-to-client

2229

2257

traffic rather than pushing all client-originating traffic

2230

2258

to the TUN/TAP interface.

2231

@@ -2902,13 +2902,13 @@

2259

@@ -2946,13 +2946,13 @@

2232

2260

custom, per-client rules.

2233

2261

.\"*********************************************************

2234

2262

.TP

2244

2272

Run

2245

2273

.B script

2246

2274

on client connection. The script is passed the common name

2247

@@ -2924,7 +2924,7 @@

2275

@@ -2968,7 +2968,7 @@

2248

2276

it should write it to the file named by $1.

2249

2277

2250

2278

See the

2253

2281

option below for options which

2254

2282

can be legally used in a dynamically generated config file.

2255

2283

2256

@@ -2936,18 +2936,18 @@

2284

@@ -2980,18 +2980,18 @@

2257

2285

to be disconnected.

2258

2286

.\"*********************************************************

2259

2287

.TP

2276

2304

script or plugins are cascaded, and at least one client-connect

2277

2305

function succeeded, then ALL of the client-disconnect functions for

2278

2306

scripts and plugins will be called on client instance object deletion,

2279

@@ -2956,7 +2956,7 @@

2307

@@ -3000,7 +3000,7 @@

2280

2308

.B

2281

2309

.\"*********************************************************

2282

2310

.TP

2285

2313

Specify a directory

2286

2314

.B dir

2287

2315

for custom client config files. After

2288

@@ -2970,9 +2970,9 @@

2316

@@ -3014,9 +3014,9 @@

2289

2317

2290

2318

This file can specify a fixed IP address for a given

2291

2319

client using

2297

2325

2298

2326

One of the useful properties of this option is that it

2299

2327

allows client configuration files to be conveniently

2300

@@ -2981,28 +2981,28 @@

2328

@@ -3025,28 +3025,28 @@

2301

2329

2302

2330

The following

2303

2331

options are legal in a client-specific context:

2333

2361

Set the size of the real address hash table to

2334

2362

.B r

2335

2363

and the virtual address table to

2336

@@ -3010,13 +3010,13 @@

2364

@@ -3054,13 +3054,13 @@

2337

2365

By default, both tables are sized at 256 buckets.

2338

2366

.\"*********************************************************

2339

2367

.TP

2349

2377

Maximum number of output packets queued before TCP (default=64).

2350

2378

2351

2379

When OpenVPN is tunneling data from a TUN/TAP device to a

2352

@@ -3028,13 +3028,13 @@

2380

@@ -3072,13 +3072,13 @@

2353

2381

at this client.

2354

2382

.\"*********************************************************

2355

2383

.TP

2365

2393

Allow a maximum of

2366

2394

.B n

2367

2395

internal routes per client (default=256).

2368

@@ -3044,9 +3044,9 @@

2396

@@ -3088,9 +3088,9 @@

2369

2397

forcing the server to deplete

2370

2398

virtual memory as its internal routing table expands.

2371

2399

This directive can be used in a

2377

2405

script to override the global value for a particular client.

2378

2406

2379

2407

Note that this

2380

@@ -3054,7 +3054,7 @@

2408

@@ -3098,7 +3098,7 @@

2381

2409

kernel routing table.

2382

2410

.\"*********************************************************

2383

2411

.TP

2386

2414

Allow a maximum of

2387

2415

.B n

2388

2416

new connections per

2389

@@ -3068,12 +3068,12 @@

2417

@@ -3112,12 +3112,12 @@

2390

2418

2391

2419

For the best protection against DoS attacks in server mode,

2392

2420

use

2402

2430

Run script or shell command

2403

2431

.B cmd

2404

2432

to validate client virtual addresses or routes.

2405

@@ -3081,19 +3081,19 @@

2433

@@ -3125,19 +3125,19 @@

2406

2434

.B cmd

2407

2435

will be executed with 3 parameters:

2408

2436

2426

2454

The common name on the certificate associated with the

2427

2455

client linked to this address. Only present for "add"

2428

2456

or "update" operations, not "delete".

2429

@@ -3113,7 +3113,7 @@

2457

@@ -3157,7 +3157,7 @@

2430

2458

rather than the low level client virtual addresses.

2431

2459

.\"*********************************************************

2432

2460

.TP

2435

2463

Require the client to provide a username/password (possibly

2436

2464

in addition to a client certificate) for authentication.

2437

2465

2438

@@ -3144,10 +3144,10 @@

2466

@@ -3188,10 +3188,10 @@

2439

2467

and the file will be automatically deleted by OpenVPN after

2440

2468

the script returns. The location of the temporary file is

2441

2469

controlled by the

2448

2476

to a volatile storage medium such as

2449

2477

.B /dev/shm

2450

2478

(if available) to prevent the username/password file from touching the hard drive.

2451

@@ -3179,35 +3179,35 @@

2479

@@ -3223,35 +3223,35 @@

2452

2480

in the OpenVPN source distribution.

2453

2481

.\"*********************************************************

2454

2482

.TP

2491

2519

When run in TCP server mode, share the OpenVPN port with

2492

2520

another application, such as an HTTPS server. If OpenVPN

2493

2521

senses a connection to its port which is using a non-OpenVPN

2494

@@ -3222,13 +3222,13 @@

2522

@@ -3266,13 +3266,13 @@

2495

2523

.SS Client Mode

2496

2524

Use client mode when connecting to an OpenVPN server

2497

2525

which has

2508

2536

A helper directive designed to simplify the configuration

2509

2537

of OpenVPN's client mode. This directive is equivalent to:

2510

2538

2511

@@ -3244,33 +3244,33 @@

2539

@@ -3288,33 +3288,33 @@

2512

2540

.fi

2513

2541

.\"*********************************************************

2514

2542

.TP

2550

2578

by defining ENABLE_PASSWORD_SAVE in config-win32.h).

2551

2579

2552

2580

If

2553

@@ -3279,12 +3279,12 @@

2581

@@ -3323,12 +3323,12 @@

2554

2582

console.

2555

2583

2556

2584

The server configuration must specify an

2565

2593

Controls how OpenVPN responds to username/password verification

2566

2594

errors such as the client-side response to an AUTH_FAILED message from the server

2567

2595

or verification failure of the private key password.

2568

@@ -3295,33 +3295,33 @@

2596

@@ -3339,33 +3339,33 @@

2569

2597

2570

2598

An AUTH_FAILED message is generated by the server if the client

2571

2599

fails

2607

2635

In UDP client mode or point-to-point mode, send server/peer an exit notification

2608

2636

if tunnel is restarted or OpenVPN process is exited. In client mode, on

2609

2637

exit/restart, this

2610

@@ -3336,12 +3336,12 @@

2638

@@ -3380,12 +3380,12 @@

2611

2639

(must be compatible between peers).

2612

2640

.\"*********************************************************

2613

2641

.TP

2622

2650

2623

2651

The optional

2624

2652

.B direction

2625

@@ -3372,7 +3372,7 @@

2653

@@ -3416,7 +3416,7 @@

2626

2654

.B direction

2627

2655

parameter, will also support 2048 bit key file generation

2628

2656

using the

2631

2659

option.

2632

2660

2633

2661

Static key encryption mode has certain advantages,

2634

@@ -3402,7 +3402,7 @@

2662

@@ -3446,7 +3446,7 @@

2635

2663

but random-looking data.

2636

2664

.\"*********************************************************

2637

2665

.TP

2640

2668

Authenticate packets with HMAC using message

2641

2669

digest algorithm

2642

2670

.B alg.

2643

@@ -3417,7 +3417,7 @@

2671

@@ -3461,7 +3461,7 @@

2644

2672

2645

2673

In static-key encryption mode, the HMAC key

2646

2674

is included in the key file generated by

2649

2677

In TLS mode, the HMAC key is dynamically generated and shared

2650

2678

between peers via the TLS control channel. If OpenVPN receives a packet with

2651

2679

a bad HMAC it will drop the packet.

2652

@@ -3430,7 +3430,7 @@

2680

@@ -3474,7 +3474,7 @@

2653

2681

.I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html

2654

2682

.\"*********************************************************

2655

2683

.TP

2658

2686

Encrypt packets with cipher algorithm

2659

2687

.B alg.

2660

2688

The default is

2661

@@ -3445,7 +3445,7 @@

2689

@@ -3489,7 +3489,7 @@

2662

2690

2663

2691

To see other ciphers that are available with

2664

2692

OpenVPN, use the

2667

2695

option.

2668

2696

2669

2697

OpenVPN supports the CBC, CFB, and OFB cipher modes.

2670

@@ -3455,10 +3455,10 @@

2698

@@ -3499,10 +3499,10 @@

2671

2699

to disable encryption.

2672

2700

.\"*********************************************************

2673

2701

.TP

2680

2708

option (see below) shows all available OpenSSL ciphers,

2681

2709

their default key sizes, and whether the key size can

2682

2710

be changed. Use care in changing a cipher's default

2683

@@ -3468,19 +3468,19 @@

2711

@@ -3512,19 +3512,19 @@

2684

2712

security, or may even reduce security.

2685

2713

.\"*********************************************************

2686

2714

.TP

2703

2731

Disable OpenVPN's protection against replay attacks.

2704

2732

Don't use this option unless you are prepared to make

2705

2733

a tradeoff of greater efficiency in exchange for less

2706

@@ -3524,7 +3524,7 @@

2734

@@ -3568,7 +3568,7 @@

2707

2735

by IPSec.

2708

2736

.\"*********************************************************

2709

2737

.TP

2712

2740

Use a replay protection sliding-window of size

2713

2741

.B n

2714

2742

and a time window of

2715

@@ -3539,9 +3539,9 @@

2743

@@ -3583,9 +3583,9 @@

2716

2744

2717

2745

This option is only relevant in UDP mode, i.e.

2718

2746

when either

2724

2752

option is specified.

2725

2753

2726

2754

When OpenVPN tunnels IP packets over UDP, there is the possibility that

2727

@@ -3553,7 +3553,7 @@

2755

@@ -3597,7 +3597,7 @@

2728

2756

2729

2757

.B (a)

2730

2758

The packet cannot be a replay (unless

2733

2761

is specified, which disables replay protection altogether).

2734

2762

2735

2763

.B (b)

2736

@@ -3575,7 +3575,7 @@

2764

@@ -3619,7 +3619,7 @@

2737

2765

Satellite links in particular often require this.

2738

2766

2739

2767

If you run OpenVPN at

2742

2770

you will see the message "Replay-window backtrack occurred [x]"

2743

2771

every time the maximum sequence number backtrack seen thus far

2744

2772

increases. This can be used to calibrate

2745

@@ -3611,7 +3611,7 @@

2773

@@ -3655,7 +3655,7 @@

2746

2774

is easily fixed by simply using TCP as the VPN transport layer.

2747

2775

.\"*********************************************************

2748

2776

.TP

2751

2779

Silence the output of replay warnings, which are a common

2752

2780

false alarm on WiFi networks. This option preserves

2753

2781

the security of the replay protection code without

2754

@@ -3619,7 +3619,7 @@

2782

@@ -3663,7 +3663,7 @@

2755

2783

packets.

2756

2784

.\"*********************************************************

2757

2785

.TP

2760

2788

Persist replay-protection state across sessions using

2761

2789

.B file

2762

2790

to save and reload the state.

2763

@@ -3627,7 +3627,7 @@

2791

@@ -3671,7 +3671,7 @@

2764

2792

This option will strengthen protection against replay attacks,

2765

2793

especially when you are using OpenVPN in a dynamic context (such

2766

2794

as with

2769

2797

when OpenVPN sessions are frequently started and stopped.

2770

2798

2771

2799

This option will keep a disk copy of the current replay protection

2772

@@ -3638,12 +3638,12 @@

2800

@@ -3682,12 +3682,12 @@

2773

2801

2774

2802

This option only makes sense when replay protection is enabled

2775

2803

(the default) and you are using either

2785

2813

Disable OpenVPN's use of IV (cipher initialization vector).

2786

2814

Don't use this option unless you are prepared to make

2787

2815

a tradeoff of greater efficiency in exchange for less

2788

@@ -3664,24 +3664,24 @@

2816

@@ -3708,24 +3708,24 @@

2789

2817

datagram replay protection as the IV.

2790

2818

.\"*********************************************************

2791

2819

.TP

2816

2844

2817

2845

This option is very useful to test OpenVPN after it has been ported to

2818

2846

a new platform, or to isolate problems in the compiler, OpenSSL

2819

@@ -3705,17 +3705,17 @@

2847

@@ -3749,17 +3749,17 @@

2820

2848

2821

2849

To use TLS mode, each peer that runs OpenVPN should have its own local

2822

2850

certificate/key pair (

2838

2866

2839

2867

If that check on both peers succeeds, then the TLS negotiation

2840

2868

will succeed, both OpenVPN

2841

@@ -3732,18 +3732,18 @@

2869

@@ -3776,18 +3776,18 @@

2842

2870

.I http://openvpn.net/easyrsa.html

2843

2871

.\"*********************************************************

2844

2872

.TP

2860

2888

Certificate authority (CA) file in .pem format, also referred to as the

2861

2889

.I root

2862

2890

certificate. This file can have multiple

2863

@@ -3765,10 +3765,10 @@

2891

@@ -3809,10 +3809,10 @@

2864

2892

they are distributed with OpenVPN, they are totally insecure.

2865

2893

.\"*********************************************************

2866

2894

.TP

2873

2901

only). Use

2874

2902

2875

2903

.B openssl dhparam -out dh1024.pem 1024

2876

@@ -3778,15 +3778,15 @@

2904

@@ -3822,15 +3822,15 @@

2877

2905

may be considered public.

2878

2906

.\"*********************************************************

2879

2907

.TP

2893

2921

certificate authority file.

2894

2922

You can easily make your own certificate authority (see above) or pay money

2895

2923

to use a commercial service such as thawte.com (in which case you will be

2896

@@ -3811,7 +3811,7 @@

2924

@@ -3855,7 +3855,7 @@

2897

2925

command reads the location of the certificate authority key from its

2898

2926

configuration file such as

2899

2927

.B /usr/share/ssl/openssl.cnf

2902

2930

that for certificate authority functions, you must set up the files

2903

2931

.B index.txt

2904

2932

(may be empty) and

2905

@@ -3822,61 +3822,61 @@

2933

@@ -3866,61 +3866,61 @@

2906

2934

).

2907

2935

.\"*********************************************************

2908

2936

.TP

2978

3006

Specify which method to use in order to perform private key operations.

2979

3007

A different mode can be specified for each provider.

2980

3008

Mode is encoded as hex number, and can be a mask one of the following:

2981

@@ -3898,14 +3898,14 @@

3009

@@ -3942,14 +3942,14 @@

2982

3010

.br

2983

3011

.\"*********************************************************

2984

3012

.TP

2996

3024

2997

3025

This makes

2998

3026

it possible to use any smart card, supported by Windows, but also any

2999

@@ -3931,7 +3931,7 @@

3027

@@ -3975,7 +3975,7 @@

3000

3028

3001

3029

.\"*********************************************************

3002

3030

.TP

3005

3033

Use data channel key negotiation method

3006

3034

.B m.

3007

3035

The key method must match on both sides of the connection.

3008

@@ -3959,16 +3959,16 @@

3036

@@ -4003,16 +4003,16 @@

3009

3037

of the connection producing certificates and verifying the certificate

3010

3038

(or other authentication info provided) of

3011

3039

the other side. The

3025

3053

A list

3026

3054

.B l

3027

3055

of allowable TLS ciphers delimited by a colon (":").

3028

@@ -3978,11 +3978,11 @@

3056

@@ -4022,11 +4022,11 @@

3029

3057

to force two peers to negotiate to the lowest level

3030

3058

of security they both support.

3031

3059

Use

3039

3067

Packet retransmit timeout on TLS control channel

3040

3068

if no acknowledgment from remote within

3041

3069

.B n

3042

@@ -3999,7 +3999,7 @@

3070

@@ -4043,7 +4043,7 @@

3043

3071

such as TCP expect this role to be left to them.

3044

3072

.\"*********************************************************

3045

3073

.TP

3048

3076

Renegotiate data channel key after

3049

3077

.B n

3050

3078

bytes sent or received (disabled by default).

3051

@@ -4009,13 +4009,13 @@

3079

@@ -4053,13 +4053,13 @@

3052

3080

if any of these three criteria are met by either peer.

3053

3081

.\"*********************************************************

3054

3082

.TP

3064

3092

Renegotiate data channel key after

3065

3093

.B n

3066

3094

seconds (default=3600).

3067

@@ -4026,16 +4026,16 @@

3095

@@ -4070,16 +4070,16 @@

3068

3096

Also, keep in mind that this option can be used on both the client and server,

3069

3097

and whichever uses the lower value will be the one to trigger the renegotiation.

3070

3098

A common mistake is to set

3085

3113

.B n

3086

3114

seconds

3087

3115

of handshake initiation by any peer (default = 60 seconds).

3088

@@ -4043,47 +4043,47 @@

3116

@@ -4087,47 +4087,47 @@

3089

3117

we will attempt to reset our connection with our peer and try again.

3090

3118

Even in the event of handshake failure we will still use

3091

3119

our expiring key for up to

3144

3172

enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port,

3145

3173

where TLS control channel packets

3146

3174

bearing an incorrect HMAC signature can be dropped immediately without

3147

@@ -4094,7 +4094,7 @@

3175

@@ -4138,7 +4138,7 @@

3148

3176

3149

3177

.B (1)

3150

3178

An OpenVPN static key file generated by

3153

3181

(required if

3154

3182

.B direction

3155

3183

parameter is used).

3156

@@ -4112,19 +4112,19 @@

3184

@@ -4156,19 +4156,19 @@

3157

3185

a static key file, format (2) will be used.

3158

3186

3159

3187

See the

3178

3206

3179

3207

The rationale for

3180

3208

this feature is as follows. TLS requires a multi-packet exchange

3181

@@ -4151,7 +4151,7 @@

3209

@@ -4195,7 +4195,7 @@

3182

3210

minimize the amount of resources a potential, but as yet unauthenticated,

3183

3211

client is able to consume.

3184

3212

3187

3215

does this by signing every TLS control channel packet with an HMAC signature,

3188

3216

including packets which are sent before the TLS level has had a chance

3189

3217

to authenticate the peer.

3190

@@ -4159,20 +4159,20 @@

3218

@@ -4203,20 +4203,20 @@

3191

3219

the correct signature can be dropped immediately upon reception,

3192

3220

before they have a chance to consume additional system resources

3193

3221

such as by initiating a TLS handshake.

3212

3240

Get certificate password from console or

3213

3241

.B file

3214

3242

before we daemonize.

3215

@@ -4181,7 +4181,7 @@

3243

@@ -4225,7 +4225,7 @@

3216

3244

security conscious, it is possible to protect your private key with

3217

3245

a password. Of course this means that every time the OpenVPN

3218

3246

daemon is started you must be there to type the password. The

3221

3249

option allows you to start OpenVPN from the command line. It will

3222

3250

query you for a password before it daemonizes. To protect a private

3223

3251

key with a password you should omit the

3224

@@ -4198,15 +4198,15 @@

3252

@@ -4242,15 +4242,15 @@

3225

3253

to a certain extent invalidates the extra security provided by

3226

3254

using an encrypted key (Note: OpenVPN

3227

3255

will only read passwords from a file if it has been built

3241

3269

username/passwords in virtual memory.

3242

3270

3243

3271

If specified, this directive will cause OpenVPN to immediately

3244

@@ -4216,19 +4216,19 @@

3272

@@ -4260,19 +4260,19 @@

3245

3273

OpenVPN session.

3246

3274

3247

3275

This directive does not affect the

3265

3293

test).

3266

3294

3267

3295

.B cmd

3268

@@ -4261,7 +4261,7 @@

3296

@@ -4305,7 +4305,7 @@

3269

3297

to build a command line which will be passed to the script.

3270

3298

.\"*********************************************************

3271

3299

.TP

3274

3302

Accept connections only from a host with X509 name

3275

3303

or common name equal to

3276

3304

.B name.

3277

@@ -4271,24 +4271,24 @@

3305

@@ -4315,24 +4315,24 @@

3278

3306

Name can also be a common name prefix, for example if you

3279

3307

want a client to only accept connections to "Server-1",

3280

3308

"Server-2", etc., you can simply use

3305

3333

Require that peer certificate was signed with an explicit

3306

3334

.B nsCertType

3307

3335

designation of "client" or "server".

3308

@@ -4303,19 +4303,19 @@

3336

@@ -4347,19 +4347,19 @@

3309

3337

3310

3338

If the server certificate's nsCertType field is set

3311

3339

to "server", then the clients can verify this with

3329

3357

Require that peer certificate was signed with an explicit

3330

3358

.B key usage.

3331

3359

3332

@@ -4326,7 +4326,7 @@

3360

@@ -4370,7 +4370,7 @@

3333

3361

usage can be specified.

3334

3362

.\"*********************************************************

3335

3363

.TP

3338

3366

Require that peer certificate was signed with an explicit

3339

3367

.B extended key usage.

3340

3368

3341

@@ -4337,7 +4337,7 @@

3369

@@ -4381,7 +4381,7 @@

3342

3370

OpenSSL symbolic representation.

3343

3371

.\"*********************************************************

3344

3372

.TP

3347

3375

Require that peer certificate was signed with an explicit

3348

3376

.B key usage

3349

3377

and

3350

@@ -4348,18 +4348,18 @@

3378

@@ -4392,18 +4392,18 @@

3351

3379

the host they connect to is a designated server.

3352

3380

3353

3381

The

3370

3398

3371

3399

The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).

3372

3400

3373

@@ -4368,12 +4368,12 @@

3401

@@ -4412,12 +4412,12 @@

3374

3402

attempts to connect to another client by impersonating the server.

3375

3403

The attack is easily prevented by having clients verify

3376

3404

the server certificate using any one of

3386

3414

Check peer certificate against the file

3387

3415

.B crl

3388

3416

in PEM format.

3389

@@ -4393,28 +4393,28 @@

3417

@@ -4437,28 +4437,28 @@

3390

3418

.SS SSL Library information:

3391

3419

.\"*********************************************************

3392

3420

.TP

3421

3449

(Standalone)

3422

3450

Show currently available hardware-based crypto acceleration

3423

3451

engines supported by the OpenSSL library.

3424

@@ -4423,18 +4423,18 @@

3452

@@ -4467,18 +4467,18 @@

3425

3453

Used only for non-TLS static key encryption mode.

3426

3454

.\"*********************************************************

3427

3455

.TP

3443

3471

Write key to

3444

3472

.B file.

3445

3473

.\"*********************************************************

3446

@@ -4443,7 +4443,7 @@

3474

@@ -4487,7 +4487,7 @@

3447

3475

of OpenVPN which can be used to create and delete persistent tunnels.

3448

3476

.\"*********************************************************

3449

3477

.TP

3452

3480

(Standalone)

3453

3481

Create a persistent tunnel on platforms which support them such

3454

3482

as Linux. Normally TUN/TAP tunnels exist only for

3455

@@ -4454,9 +4454,9 @@

3483

@@ -4498,9 +4498,9 @@

3456

3484

3457

3485

One of the advantages of persistent tunnels is that they eliminate the

3458

3486

need for separate

3464

3492

scripts to run the appropriate

3465

3493

.BR ifconfig (8)

3466

3494

and

3467

@@ -4468,40 +4468,40 @@

3495

@@ -4512,40 +4512,40 @@

3468

3496

will not be reset if the OpenVPN peer restarts. This can be useful to

3469

3497

provide uninterrupted connectivity through the tunnel in the event of a DHCP

3470

3498

reset of the peer's public IP address (see the

3513

3541

Set the Windows system directory pathname to use when looking for system

3514

3542

executables such as

3515

3543

.B route.exe

3516

@@ -4517,14 +4517,14 @@

3544

@@ -4561,14 +4561,14 @@

3517

3545

environmental variable.

3518

3546

.\"*********************************************************

3519

3547

.TP

3531

3559

3532

3560

.B manual --

3533

3561

Don't set the IP address or netmask automatically.

3534

@@ -4543,13 +4543,13 @@

3562

@@ -4587,13 +4587,13 @@

3535

3563

adapter must be set to "Obtain an IP address automatically," and

3536

3564

(2) OpenVPN needs to claim an IP address in the subnet for use

3537

3565

as the virtual DHCP server address. By default in

3547

3575

mode, OpenVPN will cause the DHCP server to masquerade as if it were

3548

3576

coming from the remote endpoint. The optional offset parameter is

3549

3577

an integer which is > -256 and < 256 and which defaults to 0.

3550

@@ -4571,13 +4571,13 @@

3578

@@ -4615,13 +4615,13 @@

3551

3579

being lost when the system goes to sleep. The default

3552

3580

lease time is one year.

3553

3581

3563

3591

Automatically set the IP address and netmask using the

3564

3592

Windows IP Helper API. This approach

3565

3593

does not have ideal semantics, though testing has indicated

3566

@@ -4586,7 +4586,7 @@

3594

@@ -4630,7 +4630,7 @@

3567

3595

adapter in their default state, i.e. "Obtain an IP address

3568

3596

automatically."

3569

3597

3572

3600

(Default) Try

3573

3601

.B dynamic

3574

3602

method initially and fail over to

3575

@@ -4616,55 +4616,55 @@

3603

@@ -4660,55 +4660,55 @@

3576

3604

to a DHCP configuration.

3577

3605

.\"*********************************************************

3578

3606

.TP

3641

3669

Set NetBIOS over TCP/IP Node type. Possible options:

3642

3670

.B 1

3643

3671

= b-node (broadcasts),

3644

@@ -4677,7 +4677,7 @@

3672

@@ -4721,7 +4721,7 @@

3645

3673

.B 8

3646

3674

= h-node (query name server, then broadcast).

3647

3675

3650

3678

Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended

3651

3679

naming service for the NetBIOS over TCP/IP (Known as NBT) module. The

3652

3680

primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on

3653

@@ -4689,19 +4689,19 @@

3681

@@ -4733,19 +4733,19 @@

3654

3682

scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.

3655

3683

(This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)

3656

3684

3674

3702

Cause OpenVPN to sleep for

3675

3703

.B n

3676

3704

seconds immediately after the TAP-Win32 adapter state

3677

@@ -4709,21 +4709,21 @@

3705

@@ -4753,21 +4753,21 @@

3678

3706

3679

3707

This option is intended to be used to troubleshoot problems

3680

3708

with the

3700

3728

Ask Windows to renew the TAP adapter lease on startup.

3701

3729

This option is normally unnecessary, as Windows automatically

3702

3730

triggers a DHCP renegotiation on the TAP adapter when it

3703

@@ -4732,21 +4732,21 @@

3731

@@ -4776,21 +4776,21 @@

3704

3732

flag.

3705

3733

.\"*********************************************************

3706

3734

.TP

3726

3754

Should be used when OpenVPN is being automatically executed by another

3727

3755

program in such

3728

3756

a context that no interaction with the user via display or keyboard

3729

@@ -4769,26 +4769,26 @@

3757

@@ -4813,26 +4813,26 @@

3730

3758

causing all such OpenVPN processes to exit.

3731

3759

3732

3760

When executing an OpenVPN process using the

3759

3787

(Standalone)

3760

3788

Set

3761

3789

.B TAP-adapter

3762

@@ -4803,10 +4803,10 @@

3790

@@ -4847,10 +4847,10 @@

3763

3791

This directive can only be used by an administrator.

3764

3792

.\"*********************************************************

3765

3793

.TP

3772

3800

emulation. Since the TAP-Win32 driver

3773

3801

exports an ethernet interface to Windows, and since TUN devices are

3774

3802

point-to-point in nature, it is necessary for the TAP-Win32 driver

3775

@@ -4816,7 +4816,7 @@

3803

@@ -4860,7 +4860,7 @@

3776

3804

must be the middle two addresses of a /30 subnet (netmask 255.255.255.252).

3777

3805

.\"*********************************************************

3778

3806

.TP

3781

3809

(Standalone)

3782

3810

Show OpenVPN's view of the system routing table and network

3783

3811

adapter list.

3784

@@ -4824,12 +4824,12 @@

3812

@@ -4868,12 +4868,12 @@

3785

3813

.SS PKCS#11 Standalone Options:

3786

3814

.\"*********************************************************

3787

3815

.TP

3796

3824

option can be used BEFORE this option to produce debugging information.

3797

3825

.\"*********************************************************

3798

3826

.SH SCRIPTING AND ENVIRONMENTAL VARIABLES

3799

@@ -4839,52 +4839,52 @@

3827

@@ -4883,52 +4883,52 @@

3800

3828

.SS Script Order of Execution

3801

3829

.\"*********************************************************

3802

3830

.TP

3863

3891

mode on new client connections, when the client is

3864

3892

still untrusted.

3865

3893

.\"*********************************************************

3866

@@ -4916,17 +4916,17 @@

3894

@@ -4960,17 +4960,17 @@

3867

3895

Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at

3868

3896

('@').

3869

3897

3884

3912

Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or

3885

3913

".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has

3886

3914

been added as well for compatibility with the common name character class.

3887

@@ -4956,45 +4956,45 @@

3915

@@ -5000,45 +5000,45 @@

3888

3916

.B bytes_received

3889

3917

Total number of bytes received from client during VPN session.

3890

3918

Set prior to execution of the

3938

3966

directives are specified, or "0" otherwise.

3939

3967

Set on program initiation and reset on SIGHUP.

3940

3968

.\"*********************************************************

3941

@@ -5003,30 +5003,30 @@

3969

@@ -5047,30 +5047,30 @@

3942

3970

The actual name of the TUN/TAP device, including

3943

3971

a unit number if it exists.

3944

3972

Set prior to

3976

4004

is used.

3977

4005

Set prior to OpenVPN calling the

3978

4006

.I ifconfig

3979

@@ -5034,13 +5034,13 @@

4007

@@ -5078,13 +5078,13 @@

3980

4008

.I netsh

3981

4009

(windows version of ifconfig) commands which

3982

4010

normally occurs prior to

3992

4020

option (first parameter).

3993

4021

Set prior to OpenVPN calling the

3994

4022

.I ifconfig

3995

@@ -5048,15 +5048,15 @@

4023

@@ -5092,15 +5092,15 @@

3996

4024

.I netsh

3997

4025

(windows version of ifconfig) commands which

3998

4026

normally occurs prior to

4011

4039

is used.

4012

4040

Set prior to OpenVPN calling the

4013

4041

.I ifconfig

4014

@@ -5064,16 +5064,16 @@

4042

@@ -5108,16 +5108,16 @@

4015

4043

.I netsh

4016

4044

(windows version of ifconfig) commands which

4017

4045

normally occurs prior to

4031

4059

is being used.

4032

4060

Set prior to OpenVPN calling the

4033

4061

.I ifconfig

4034

@@ -5081,61 +5081,61 @@

4062

@@ -5125,61 +5125,61 @@

4035

4063

.I netsh

4036

4064

(windows version of ifconfig) commands which

4037

4065

normally occurs prior to

4108

4136

scripts.

4109

4137

.\"*********************************************************

4110

4138

.TP

4111

@@ -5143,31 +5143,31 @@

4139

@@ -5187,31 +5187,31 @@

4112

4140

The maximum packet size (not including the IP header)

4113

4141

of tunnel data in UDP tunnel transport mode.

4114

4142

Set prior to

4146

4174

script execution only when the

4147

4175

.B via-env

4148

4176

modifier is specified, and deleted from the environment

4149

@@ -5176,23 +5176,23 @@

4177

@@ -5220,23 +5220,23 @@

4150

4178

.TP

4151

4179

.B proto

4152

4180

The

4174

4202

Set on program initiation and reset on SIGHUP.

4175

4203

.\"*********************************************************

4176

4204

.TP

4177

@@ -5200,29 +5200,29 @@

4205

@@ -5244,29 +5244,29 @@

4178

4206

The pre-existing default IP gateway in the system routing

4179

4207

table.

4180

4208

Set prior to

4211

4239

script execution.

4212

4240

4213

4241

.B parm

4214

@@ -5241,7 +5241,7 @@

4242

@@ -5285,7 +5285,7 @@

4215

4243

Set to "init" or "restart" prior to up/down script execution.

4216

4244

For more information, see

4217

4245

documentation for

4220

4248

.\"*********************************************************

4221

4249

.TP

4222

4250

.B script_type

4223

@@ -5257,15 +5257,15 @@

4251

@@ -5301,15 +5301,15 @@

4224

4252

The reason for exit or restart. Can be one of

4225

4253

.B sigusr1, sighup, sigterm, sigint, inactive

4226

4254

(controlled by

4239

4267

option),

4240

4268

.B connection-reset

4241

4269

(triggered on TCP connection reset),

4242

@@ -5279,7 +5279,7 @@

4270

@@ -5323,7 +5323,7 @@

4243

4271

Client connection timestamp, formatted as a human-readable

4244

4272

time string.

4245

4273

Set prior to execution of the

4248

4276

script.

4249

4277

.\"*********************************************************

4250

4278

.TP

4251

@@ -5287,7 +5287,7 @@

4279

@@ -5331,7 +5331,7 @@

4252

4280

The duration (in seconds) of the client session which is now

4253

4281

disconnecting.

4254

4282

Set prior to execution of the

4257

4285

script.

4258

4286

.\"*********************************************************

4259

4287

.TP

4260

@@ -5295,7 +5295,7 @@

4288

@@ -5339,7 +5339,7 @@

4261

4289

Client connection timestamp, formatted as a unix integer

4262

4290

date/time value.

4263

4291

Set prior to execution of the

4266

4294

script.

4267

4295

.\"*********************************************************

4268

4296

.TP

4269

@@ -5305,7 +5305,7 @@

4297

@@ -5349,7 +5349,7 @@

4270

4298

.B n

4271

4299

is the verification level. Only set for TLS connections. Set prior

4272

4300

to execution of

4275

4303

script.

4276

4304

.\"*********************************************************

4277

4305

.TP

4278

@@ -5315,34 +5315,34 @@

4306

@@ -5359,34 +5359,34 @@

4279

4307

.B n

4280

4308

is the verification level. Only set for TLS connections. Set prior

4281

4309

to execution of

4317

4345

scripts.

4318

4346

.\"*********************************************************

4319

4347

.TP

4320

@@ -5351,12 +5351,12 @@

4348

@@ -5395,12 +5395,12 @@

4321

4349

yet. Sometimes used to

4322

4350

.B nmap

4323

4351

the connecting host in a

4333

4361

scripts.

4334

4362

.\"*********************************************************

4335

4363

.TP

4336

@@ -5364,16 +5364,16 @@

4364

@@ -5408,16 +5408,16 @@

4337

4365

Actual port number of connecting client or peer which has not been authenticated

4338

4366

yet.

4339

4367

Set prior to execution of

4353

4381

script execution only when the

4354

4382

.B via-env

4355

4383

modifier is specified.

4356

@@ -5393,30 +5393,30 @@

4384

@@ -5437,30 +5437,30 @@

4357

4385

except don't re-read configuration file, and possibly don't close and reopen TUN/TAP

4358

4386

device, re-read key files, preserve local IP address/port, or preserve most recently authenticated

4359

4387

remote IP address/port based on

4390

4418

is used, or stdout otherwise).

4391

4419

.\"*********************************************************

4392

4420

.TP

4393

@@ -5471,7 +5471,7 @@

4421

@@ -5515,7 +5515,7 @@

4394

4422

the two machines, they should be set to forward UDP port 1194

4395

4423

in both directions. If you do not have control over the firewalls

4396

4424

between the two machines, you may still be able to use OpenVPN by adding

4399

4427

to each of the

4400

4428

.B openvpn

4401

4429

commands used below in the examples (this will cause each peer to send out

4402

@@ -5540,11 +5540,11 @@

4430

@@ -5584,11 +5584,11 @@

4403

4431

.LP

4404

4432

On may:

4405

4433

.IP

4413

4441

.LP

4414

4442

Now verify the tunnel is working by pinging across the tunnel.

4415

4443

.LP

4416

@@ -5557,17 +5557,17 @@

4444

@@ -5601,17 +5601,17 @@

4417

4445

.B ping 10.4.0.1

4418

4446

.LP

4419

4447

The

4434

4462

.LP

4435

4463

This command will build a random key file called

4436

4464

.B key

4437

@@ -5581,11 +5581,11 @@

4465

@@ -5625,11 +5625,11 @@

4438

4466

.LP

4439

4467

On may:

4440

4468

.IP

4448

4476

.LP

4449

4477

Now verify the tunnel is working by pinging across the tunnel.

4450

4478

.LP

4451

@@ -5607,10 +5607,10 @@

4479

@@ -5651,10 +5651,10 @@

4452

4480

4453

4481

First, build a separate certificate/key pair

4454

4482

for both may and june (see above where

4461

4489

is discussed for more info). You can also use the

4462

4490

included test files client.crt, client.key,

4463

4491

server.crt, server.key and ca.crt.

4464

@@ -5623,11 +5623,11 @@

4492

@@ -5667,11 +5667,11 @@

4465

4493

.LP

4466

4494

On may:

4467

4495

.IP

4475

4503

.LP

4476

4504

Now verify the tunnel is working by pinging across the tunnel.

4477

4505

.LP

4478

@@ -5640,16 +5640,16 @@

4506

@@ -5684,16 +5684,16 @@

4479

4507

.B ping 10.4.0.1

4480

4508

.LP

4481

4509

Notice the

4495

4523

option to use OpenVPN's default key renegotiation interval of one hour.

4496

4524

.\"*********************************************************

4497

4525

.SS Routing:

4498

@@ -5685,7 +5685,7 @@

4526

@@ -5729,7 +5729,7 @@

4499

4527

4500

4528

In a production environment, you could put the route command(s)

4501

4529

in a shell script and execute with the

4504

4532

option.

4505

4533

.\"*********************************************************

4506

4534

.SH FIREWALLS

4507

@@ -5693,7 +5693,7 @@

4535

@@ -5737,7 +5737,7 @@

4508

4536

You should add an entry to your firewall rules to allow incoming OpenVPN

4509

4537

packets. On Linux 2.4+:

4510

4538

.IP

4513

4541

.LP

4514

4542

This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port)

4515

4543

from an OpenVPN peer at 1.2.3.4.

4516

@@ -5704,7 +5704,7 @@

4544

@@ -5748,7 +5748,7 @@

4517

4545

is a much more secure method of verifying the authenticity of

4518

4546

a packet source. In that case:

4519

4547

.IP

4522

4550

.LP

4523

4551

would be adequate and would not render the host inflexible with

4524

4552

respect to its peer having a dynamic IP address.

4525

@@ -5713,7 +5713,7 @@

4553

@@ -5757,7 +5757,7 @@

4526

4554

not need to add any static rules to the firewall list if you are

4527

4555

using a stateful firewall that knows how to track UDP connections.

4528

4556

If you specify