Changes between Version 11 and Version 12 of Openvpn24ManPage
Timestamp: 09/26/17 11:51:16
Openvpn24ManPage
v11 v12 73 73 using client & server certificates. 74 74 OpenVPN also 75 supports non-encrypted TCP/UDP tunnels. 75 supports non-encrypted TCP/UDP tunnels. 76 76 <P> 77 77 OpenVPN is designed to work with the … … 930 930 <B>--ifconfig-pool-linear</B> 931 931 932 directive which is available in OpenVPN 2.0 and is now deprecated. 932 directive which is available in OpenVPN 2.0, is deprecated and will be 933 removed in OpenVPN 2.5 933 934 <P> 934 935 <B>subnet --</B> … … 2466 2467 <B>system. </B> 2467 2468 2468 As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve()2469 As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments the execve() 2469 2470 approach has been used without any issues. 2470 2471 <P> … … 2479 2480 <B>system</B> 2480 2481 2481 flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have2482 flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have 2482 2483 full path to the script interpreter when running non-executables files. 2483 2484 This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For … … 2709 2710 2710 2711 option is used to tell OpenVPN to ask for the pass phrase (this 2711 requirement is new in 2.3.7, and is a consequence of calling daemon()2712 requirement is new in v2.3.7, and is a consequence of calling daemon() 2712 2713 before initializing the crypto layer). 2713 2714 <P> … … 3053 3054 are different compression algorithms, with LZ4 generally 3054 3055 offering the best performance with least CPU usage. 3055 For backwards compatibility with OpenVPN versions before 2.4, use "lzo"3056 For backwards compatibility with OpenVPN versions before v2.4, use "lzo" 3056 3057 (which is identical to the older option "--comp-lzo yes"). 3057 3058 <P> … … 3066 3067 3067 3068 <DD> 3069 <B>DEPRECATED</B> 3070 3071 This option will be removed in a future OpenVPN release. 
Use the 3072 newer 3073 <B>--compress</B> 3074 3075 instead. 3076 <P> 3068 3077 Use LZO compression -- may add up to 1 byte per 3069 3078 packet for incompressible data. … … 3071 3080 3072 3081 may be "yes", "no", or "adaptive" (default). 3073 <P>3074 This option is deprecated in favor of the newer3075 <B>--compress</B>3076 3077 option.3078 3082 <P> 3079 3083 In a server mode setup, it is possible to selectively turn … … 3797 3801 <B>--ifconfig-push</B> 3798 3802 3803 <P> 3799 3804 3800 3805 <DT><B>--ifconfig-pool-linear</B> 3801 3806 3802 3807 <DD> 3808 <B>DEPRECATED</B> 3809 3810 This option will be removed in OpenVPN 2.5 3811 <P> 3803 3812 Modifies the 3804 3813 <B>--ifconfig-pool</B> … … 4482 4491 to detect this condition and respond accordingly. 4483 4492 4484 <DT><B>--client-cert-not-required (DEPRECATED)</B> 4485 4486 <DD> 4493 <DT><B>--client-cert-not-required</B> 4494 4495 <DD> 4496 <B>DEPRECATED</B> 4497 4498 This option will be removed in OpenVPN 2.5 4499 <P> 4487 4500 Don't require client certificate, client will authenticate 4488 4501 using username/password only. Be aware that using this directive 4489 4502 is less secure than requiring certificates from all clients. 4490 4503 <P> 4491 <P>4492 4504 <B>Please note:</B> 4493 4505 4494 This option is now deprecated and will be removed in OpenVPN v2.5. 4495 It is replaced by 4506 This is replaced by 4496 4507 <B>--verify-client-cert</B> 4497 4508 … … 4573 4584 rather than the common name from the client cert. 4574 4585 4575 <DT><B>--compat-names [no-remapping] (DEPRECATED)</B> 4576 4577 <DD> 4586 <DT><B>--compat-names [no-remapping]</B> 4587 4588 <DD> 4589 <B>DEPRECATED</B> 4590 4591 This option will be removed in OpenVPN 2.5 4592 <P> 4578 4593 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted 4579 4594 like this: … … 4596 4611 scripts which does not handle the new formatting or UTF-8 characters. 
4597 4612 <DT><DD> 4598 In OpenVPN v2.3 the formatting of these fields changed into a more4613 In OpenVPN 2.3 the formatting of these fields changed into a more 4599 4614 standardised format. It now looks like: 4600 4615 <DT><DD> … … 4602 4617 4603 4618 <DT><DD> 4604 The new default format in OpenVPN v2.3 also does not do the character remapping4619 The new default format in OpenVPN 2.3 also does not do the character remapping 4605 4620 which happened earlier. This new format enables proper support for UTF-8 4606 4621 characters in the usernames, X.509 Subject fields and Common Name variables and … … 4624 4639 This option is immediately deprecated. It is only implemented 4625 4640 to make the transition to the new formatting less intrusive. It will be 4626 removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. 4627 4628 <DT><B>--no-name-remapping (DEPRECATED)</B> 4629 4630 <DD> 4641 removed in OpenVPN 2.5. So please update your scripts/plug-ins where necessary. 4642 4643 <DT><B>--no-name-remapping</B> 4644 4645 <DD> 4646 <B>DEPRECATED</B> 4647 4648 This option will be removed in OpenVPN 2.5 4649 <P> 4631 4650 The 4632 4651 <B>--no-name-remapping</B> … … 4642 4661 <B>Please note:</B> 4643 4662 4644 This option is now deprecated. It will be removed in OpenVPN v2.5.4663 This option is now deprecated. It will be removed in OpenVPN 2.5. 4645 4664 So please make sure you support the new X.509 name formatting 4646 4665 described with the … … 4986 5005 <P> 4987 5006 Another advantageous aspect of Static Key encryption mode is that 4988 it is a handshake-free protocol 5007 it is a handshake-free protocol 4989 5008 without any distinguishing signature or feature 4990 5009 (such as a header or protocol handshake sequence) … … 5060 5079 <B>alg.</B> 5061 5080 5081 <P> 5062 5082 The default is 5063 5083 <B>BF-CBC,</B> 5064 5084 5065 an abbreviation for Blowfish in Cipher Block Chaining mode. 
5066 <P> 5067 Using BF-CBC is no longer recommended, because of it's 64-bit block size. This 5085 an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher 5086 negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server 5087 side will automatically upgrade to 5088 <B>AES-256-GCM.</B> 5089 5090 See 5091 <B>--ncp-ciphers</B> 5092 5093 and 5094 <B>--ncp-disable</B> 5095 5096 for more details on NCP. 5097 <P> 5098 Using 5099 <B>BF-CBC</B> 5100 5101 is no longer recommended, because of its 64-bit block size. This 5068 5102 small block size allows attacks based on collisions, as demonstrated by SWEET32. 5069 See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details. 5103 See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details. Due to 5104 this, support for 5105 <B>BF-CBC, DES, CAST5, IDEA</B> 5106 5107 and 5108 <B>RC2</B> 5109 5110 ciphers will be removed in OpenVPN 2.6. 5070 5111 <P> 5071 5112 To see other ciphers that are available with OpenVPN, use the … … 5078 5119 5079 5120 to disable encryption. 5080 <P>5081 As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by5082 <B>--cipher</B>.5083 5084 See5085 <B>--ncp-ciphers</B>5086 5087 and5088 <B>--ncp-disable</B>5089 5090 for more on NCP.5091 5121 <P> 5092 5122 … … 5130 5160 <B>--ncp-ciphers</B>. 5131 5161 5132 E.g. a non-NCP client (<= 2.3, or with --ncp-disabled set) connecting to a5133 NCP server ( 2.4+) with "--cipher BF-CBC" and "--ncp-ciphers5162 E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set) connecting to a 5163 NCP server (v2.4+) with "--cipher BF-CBC" and "--ncp-ciphers 5134 5164 AES-256-GCM:AES-256-CBC" set can either specify "--cipher BF-CBC" or 5135 5165 "--cipher AES-256-CBC" and both will work. 
… … 5145 5175 5146 5176 <DD> 5177 <B>DEPRECATED</B> 5178 5179 This option will be removed in OpenVPN 2.6. 5180 <P> 5147 5181 Size of cipher key in bits (optional). 5148 5182 If unspecified, defaults to cipher-specific default. The … … 5194 5228 5195 5229 <DD> 5230 <B>DEPRECATED</B> 5231 5232 This option will be removed in OpenVPN 2.5. 5233 <P> 5196 5234 (Advanced) Disable OpenVPN's protection against replay attacks. 5197 5235 Don't use this option unless you are prepared to make … … 5381 5419 5382 5420 <DD> 5383 <P>5384 5421 <B>DEPRECATED</B> 5385 5422 … … 5408 5445 5409 5446 <DD> 5410 Enable prediction resistance on PolarSSL's RNG.5447 Enable prediction resistance on mbed TLS's RNG. 5411 5448 <P> 5412 5449 Enabling prediction resistance causes the RNG to reseed in each … … 5417 5454 entropy to the kernel pool. 5418 5455 <P> 5419 Note that this option only works with PolarSSL versions greater5420 than 1.1.5421 5456 5422 5457 <DT><B>--test-crypto</B> … … 5542 5577 <DD> 5543 5578 Directory containing trusted certificates (CAs and CRLs). 5544 Not available with PolarSSL.5579 Not available with mbed TLS. 5545 5580 <P> 5546 5581 When using the … … 5580 5615 to disable Diffie Hellman key exchange (and use ECDH only). Note that this 5581 5616 requires peers to be using an SSL library that supports ECDH TLS cipher suites 5582 (e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+).5617 (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). 5583 5618 <P> 5584 5619 Use … … 5707 5742 <B>--key.</B> 5708 5743 5709 Not available with PolarSSL.5744 Not available with mbed TLS. 5710 5745 5711 5746 <DT><B>--verify-hash hash [algo]</B> … … 5867 5902 5868 5903 <DD> 5904 <B>DEPRECATED</B> 5905 5906 This option will be removed in OpenVPN 2.5 5907 <P> 5869 5908 Use data channel key negotiation method 5870 5909 <B>m.</B> … … 5924 5963 <P> 5925 5964 The supplied list of ciphers is (after potential OpenSSL/IANA name translation) 5926 simply supplied to the crypto library. 
Please see the OpenSSL and/or PolarSSL5965 simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS 5927 5966 documentation for details on the cipher list interpretation. 5928 5967 <P> … … 5939 5978 align a gun with your foot, or just break your connection. Use with care! 5940 5979 <P> 5941 The default for --tls-cipher is to use PolarSSL's default cipher list5942 when using PolarSSLor5980 The default for --tls-cipher is to use mbed TLS's default cipher list 5981 when using mbed TLS or 5943 5982 "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using 5944 5983 OpenSSL. … … 6088 6127 6089 6128 <P> 6090 Older versions (up to 2.3) supported a freeform passphrase file.6091 This is no longer supported in newer versions ( 2.4+).6129 Older versions (up to OpenVPN 2.3) supported a freeform passphrase file. 6130 This is no longer supported in newer versions (v2.4+). 6092 6131 <P> 6093 6132 See the … … 6492 6531 6493 6532 or you could use 6494 <B>--verify-x509-name Server -name-prefix</B>6533 <B>--verify-x509-name Server- name-prefix</B> 6495 6534 6496 6535 if you want a client to only accept connections to "Server-1", "Server-2", etc. … … 6537 6576 options can be defined to track multiple attributes. 6538 6577 6539 <DT><B>--ns-cert-type client|server (DEPRECATED)</B> 6540 6541 <DD> 6542 This option is deprecated. Use the more modern equivalent 6578 <DT><B>--ns-cert-type client|server</B> 6579 6580 <DD> 6581 <B>DEPRECATED</B> 6582 6583 This option will be removed in OpenVPN 2.5. Use the more modern equivalent 6543 6584 <B>--remote-cert-tls</B> 6544 6585 … … 6777 6818 <H3>TUN/TAP persistent tunnel config mode:</H3> 6778 6819 6779 Available with linux 2.4.7+. These options comprise a standalone mode6820 Available with Linux 2.4.7+. These options comprise a standalone mode 6780 6821 of OpenVPN which can be used to create and delete persistent tunnels. 
6781 6822 … … 7184 7225 <DD> 7185 7226 Ask Windows to release the TAP adapter lease on shutdown. 7186 This option has no effect now, as it is enabled by default starting with version2.4.1.7227 This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1. 7187 7228 7188 7229 <DT><B>--register-dns</B> … … 7531 7572 <B>X509 Names:</B> 7532 7573 7533 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at 7574 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at 7534 7575 ('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is defined 7535 7576 as a character which will cause the C library isalnum() function to return … … 7538 7579 <B>Common Names:</B> 7539 7580 7540 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at 7581 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at 7541 7582 ('@'). 7542 7583 <P> … … 7555 7596 <B>--client-config-dir filename as derived from common name or username:</B> 7556 7597 7557 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or 7558 ".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has7598 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or 7599 ".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has 7559 7600 been added as well for compatibility with the common name character class. 7560 7601 <P> … … 8980 9021 <H2>COPYRIGHT</H2> 8981 9022 8982 Copyright (C) 2002-201 0OpenVPN Technologies, Inc. This program is free software;9023 Copyright (C) 2002-2017 OpenVPN Technologies, Inc. This program is free software; 8983 9024 you can redistribute it and/or modify 8984 9025 it under the terms of the GNU General Public License version 2 … … 9047 9088 <A HREF="/cgi-bin/man/man2html">man2html</A>, 9048 9089 using the manual pages.<BR> 9049 Time: 13:10:45 GMT, June 20, 20179090 Time: 09:28:23 GMT, September 26, 2017 9050 9091 }}}
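Review bot: the rewritten --ifconfig-pool-linear cross-reference near the top of the page, "directive which is available in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5", puts a comma between the subject and its verb and ends without a period before the following <P>. Either make the relative clause parenthetical ("directive, which is available in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5.") or drop the comma and keep the period.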
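Review bot: the version-string style goes both ways in this revision. The execve(), script-interpreter, --compat-names and --no-name-remapping hunks drop the "v" prefix ("OpenVPN v2.3" becomes "OpenVPN 2.3"), which matches the wording of every newly added DEPRECATED block, yet the --askpass hunk ("new in v2.3.7"), the --compress hunk ("before v2.4"), the --ncp-ciphers example ("<=v2.3", "(v2.4+)"), the passphrase-file hunk ("(v2.4+)") and the --client-config-dir character-class hunk ("As of v2.0.1-rc6") introduce it. Settle on the bare "OpenVPN 2.x" form throughout and fix those five hunks.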
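Review bot: the new DEPRECATED notices are punctuated inconsistently. Under --ifconfig-pool-linear, --client-cert-not-required, --compat-names, --no-name-remapping and the data channel key negotiation option, the sentence "This option will be removed in OpenVPN 2.5" has no terminating period, while the same notice under --keysize ("...in OpenVPN 2.6."), the replay-protection option ("...in OpenVPN 2.5.") and --ns-cert-type ("...in OpenVPN 2.5. Use the more modern equivalent") does. Add the missing periods so the blocks read identically.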
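Review bot: in the --cipher hunk, "Due to this, support for BF-CBC, DES, CAST5, IDEA and RC2 ciphers will be removed in OpenVPN 2.6." asks the reader to infer why the other four ciphers share BF-CBC's fate, since the preceding sentences only attribute the 64-bit block size and the SWEET32 collision attack to BF-CBC. DES, CAST5, IDEA and RC2 are all 64-bit block ciphers, so say so explicitly, e.g. "Due to this, support for all 64-bit block ciphers (BF-CBC, DES, CAST5, IDEA and RC2) will be removed in OpenVPN 2.6." That also makes clear to anyone setting one of them explicitly with --cipher that the same weakness applies.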
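Review bot: the --ncp-ciphers example keeps "(<=v2.3, or with --ncp-disabled set)" in both the old and the new text, but the option documented on this page (and cross-referenced from the --cipher hunk in this very revision) is --ncp-disable; the example should use the real option name. The edit also removes the space after "<=" ("<=v2.3"), which should be restored along with whichever version style is chosen for the page.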
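Review bot: the PolarSSL-to-mbed TLS rename in the prediction-resistance hunk ("Enable prediction resistance on mbed TLS's RNG.") deletes the caveat "Note that this option only works with PolarSSL versions greater than 1.1." without replacing it. If the caveat is obsolete because every mbed TLS release OpenVPN 2.4 builds against supports it (the ECDH hunk in this revision cites "mbed TLS 2.0+"), that is fine; otherwise state the minimum mbed TLS version, so the option's availability stays documented.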
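Review bot: the --verify-x509-name fix ("Server -name-prefix" becomes "Server- name-prefix") is the right split, name "Server-" with type "name-prefix", but after the old typo a reader can easily read the trailing hyphen plus space as another mistake. Consider making the two arguments visibly separate, for instance by quoting the name argument or by spelling out that "Server-" is the name and "name-prefix" the match type, so the example reads unambiguously alongside "Server-1", "Server-2" in the next sentence.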