Changes between Version 11 and Version 12 of Openvpn24ManPage

Timestamp:

09/26/17 11:51:16 (7 years ago)

Author:

Samuli Seppänen

Comment:

Update man-page to 2.4.4

Openvpn24ManPage

@@ -73 +73 @@
 using client & server certificates.
 OpenVPN also
-supports non-encrypted TCP/UDP tunnels.  
+supports non-encrypted TCP/UDP tunnels.
 <P>
 OpenVPN is designed to work with the
@@ -930 +930 @@
 <B>--ifconfig-pool-linear</B>
 
-directive which is available in OpenVPN 2.0 and is now deprecated.
+directive which is available in OpenVPN 2.0, is deprecated and will be
+removed in OpenVPN 2.5
 <P>
 <B>subnet --</B>
@@ -2466 +2467 @@
 <B>system. </B>
 
-As of OpenVPN v2.3, this flag is no longer accepted.  In most *nix environments the execve()
+As of OpenVPN 2.3, this flag is no longer accepted.  In most *nix environments the execve()
 approach has been used without any issues.
 <P>
@@ -2479 +2480 @@
 <B>system</B>
 
-flag to run these scripts.  As of OpenVPN v2.3 it is now a strict requirement to have
+flag to run these scripts.  As of OpenVPN 2.3 it is now a strict requirement to have
 full path to the script interpreter when running non-executables files.
 This is not needed for executable files, such as .exe, .com, .bat or .cmd files.  For
@@ -2709 +2710 @@
 
 option is used to tell OpenVPN to ask for the pass phrase (this
-requirement is new in 2.3.7, and is a consequence of calling daemon()
+requirement is new in v2.3.7, and is a consequence of calling daemon()
 before initializing the crypto layer).
 <P>
@@ -3053 +3054 @@
 are different compression algorithms, with LZ4 generally
 offering the best performance with least CPU usage.
-For backwards compatibility with OpenVPN versions before 2.4, use &quot;lzo&quot;
+For backwards compatibility with OpenVPN versions before v2.4, use &quot;lzo&quot;
 (which is identical to the older option &quot;--comp-lzo yes&quot;).
 <P>
@@ -3066 +3067 @@
 
 <DD>
+<B>DEPRECATED</B>
+
+This option will be removed in a future OpenVPN release.  Use the
+newer
+<B>--compress</B>
+
+instead.
+<P>
 Use LZO compression -- may add up to 1 byte per
 packet for incompressible data.
@@ -3071 +3080 @@
 
 may be &quot;yes&quot;, &quot;no&quot;, or &quot;adaptive&quot; (default).
-<P>
-This option is deprecated in favor of the newer
-<B>--compress</B>
-
-option.
 <P>
 In a server mode setup, it is possible to selectively turn
@@ -3797 +3801 @@
 <B>--ifconfig-push</B>
 
+<P>
 
 <DT><B>--ifconfig-pool-linear</B>
 
 <DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5
+<P>
 Modifies the
 <B>--ifconfig-pool</B>
@@ -4482 +4491 @@
 to detect this condition and respond accordingly.
 
-<DT><B>--client-cert-not-required (DEPRECATED)</B>
-
-<DD>
+<DT><B>--client-cert-not-required</B>
+
+<DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5
+<P>
 Don't require client certificate, client will authenticate
 using username/password only.  Be aware that using this directive
 is less secure than requiring certificates from all clients.
 <P>
-<P>
 <B>Please note:</B>
 
-This option is now deprecated and will be removed in OpenVPN v2.5.
-It is replaced by
+This is replaced by
 <B>--verify-client-cert</B>
 
@@ -4573 +4584 @@
 rather than the common name from the client cert.
 
-<DT><B>--compat-names [no-remapping] (DEPRECATED)</B>
-
-<DD>
+<DT><B>--compat-names [no-remapping]</B>
+
+<DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5
+<P>
 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
 like this:
@@ -4596 +4611 @@
 scripts which does not handle the new formatting or UTF-8 characters.
 <DT><DD>
-In OpenVPN v2.3 the formatting of these fields changed into a more
+In OpenVPN 2.3 the formatting of these fields changed into a more
 standardised format.  It now looks like:
 <DT><DD>
@@ -4602 +4617 @@
 
 <DT><DD>
-The new default format in OpenVPN v2.3 also does not do the character remapping
+The new default format in OpenVPN 2.3 also does not do the character remapping
 which happened earlier.  This new format enables proper support for UTF-8
 characters in the usernames, X.509 Subject fields and Common Name variables and
@@ -4624 +4639 @@
 This option is immediately deprecated.  It is only implemented
 to make the transition to the new formatting less intrusive.  It will be
-removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.
-
-<DT><B>--no-name-remapping (DEPRECATED)</B>
-
-<DD>
+removed in OpenVPN 2.5.  So please update your scripts/plug-ins where necessary.
+
+<DT><B>--no-name-remapping</B>
+
+<DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5
+<P>
 The
 <B>--no-name-remapping</B>
@@ -4642 +4661 @@
 <B>Please note:</B>
 
-This option is now deprecated.  It will be removed in OpenVPN v2.5.
+This option is now deprecated.  It will be removed in OpenVPN 2.5.
 So please make sure you support the new X.509 name formatting
 described with the
@@ -4986 +5005 @@
 <P>
 Another advantageous aspect of Static Key encryption mode is that
-it is a handshake-free protocol 
+it is a handshake-free protocol
 without any distinguishing signature or feature
 (such as a header or protocol handshake sequence) 
@@ -5060 +5079 @@
 <B>alg.</B>
 
+<P>
 The default is
 <B>BF-CBC,</B>
 
-an abbreviation for Blowfish in Cipher Block Chaining mode.
-<P>
-Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
+an abbreviation for Blowfish in Cipher Block Chaining mode.  When cipher
+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server
+side will automatically upgrade to
+<B>AES-256-GCM.</B>
+
+See
+<B>--ncp-ciphers</B>
+
+and
+<B>--ncp-disable</B>
+
+for more details on NCP.
+<P>
+Using
+<B>BF-CBC</B>
+
+is no longer recommended, because of its 64-bit block size.  This
 small block size allows attacks based on collisions, as demonstrated by SWEET32.
-See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details.
+See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details.  Due to
+this, support for
+<B>BF-CBC, DES, CAST5, IDEA</B>
+
+and
+<B>RC2</B>
+
+ciphers will be removed in OpenVPN 2.6.
 <P>
 To see other ciphers that are available with OpenVPN, use the
@@ -5078 +5119 @@
 
 to disable encryption.
-<P>
-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by
-<B>--cipher</B>.
-
-See
-<B>--ncp-ciphers</B>
-
-and
-<B>--ncp-disable</B>
-
-for more on NCP.
 <P>
 
@@ -5130 +5160 @@
 <B>--ncp-ciphers</B>.
 
-E.g. a non-NCP client (&lt;=2.3, or with --ncp-disabled set) connecting to a
-NCP server (2.4+) with &quot;--cipher BF-CBC&quot; and &quot;--ncp-ciphers
+E.g. a non-NCP client (&lt;=v2.3, or with --ncp-disabled set) connecting to a
+NCP server (v2.4+) with &quot;--cipher BF-CBC&quot; and &quot;--ncp-ciphers
 AES-256-GCM:AES-256-CBC&quot; set can either specify &quot;--cipher BF-CBC&quot; or
 &quot;--cipher AES-256-CBC&quot; and both will work.
@@ -5145 +5175 @@
 
 <DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.6.
+<P>
 Size of cipher key in bits (optional).
 If unspecified, defaults to cipher-specific default.  The
@@ -5194 +5228 @@
 
 <DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5.
+<P>
 (Advanced) Disable OpenVPN's protection against replay attacks.
 Don't use this option unless you are prepared to make
@@ -5381 +5419 @@
 
 <DD>
-<P>
 <B>DEPRECATED</B>
 
@@ -5408 +5445 @@
 
 <DD>
-Enable prediction resistance on PolarSSL's RNG.
+Enable prediction resistance on mbed TLS's RNG.
 <P>
 Enabling prediction resistance causes the RNG to reseed in each
@@ -5417 +5454 @@
 entropy to the kernel pool.
 <P>
-Note that this option only works with PolarSSL versions greater
-than 1.1.
 
 <DT><B>--test-crypto</B>
@@ -5542 +5577 @@
 <DD>
 Directory containing trusted certificates (CAs and CRLs).
-Not available with PolarSSL.
+Not available with mbed TLS.
 <P>
 When using the
@@ -5580 +5615 @@
 to disable Diffie Hellman key exchange (and use ECDH only). Note that this
 requires peers to be using an SSL library that supports ECDH TLS cipher suites
-(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+).
+(e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+).
 <P>
 Use
@@ -5707 +5742 @@
 <B>--key.</B>
 
-Not available with PolarSSL.
+Not available with mbed TLS.
 
 <DT><B>--verify-hash hash [algo]</B>
@@ -5867 +5902 @@
 
 <DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5
+<P>
 Use data channel key negotiation method
 <B>m.</B>
@@ -5924 +5963 @@
 <P>
 The supplied list of ciphers is (after potential OpenSSL/IANA name translation)
-simply supplied to the crypto library.  Please see the OpenSSL and/or PolarSSL
+simply supplied to the crypto library.  Please see the OpenSSL and/or mbed TLS
 documentation for details on the cipher list interpretation.
 <P>
@@ -5939 +5978 @@
 align a gun with your foot, or just break your connection.  Use with care!
 <P>
-The default for --tls-cipher is to use PolarSSL's default cipher list
-when using PolarSSL or
+The default for --tls-cipher is to use mbed TLS's default cipher list
+when using mbed TLS or
 &quot;DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA&quot; when using
 OpenSSL.
@@ -6088 +6127 @@
 
 <P>
-Older versions (up to 2.3) supported a freeform passphrase file.
-This is no longer supported in newer versions (2.4+).
+Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (v2.4+).
 <P>
 See the
@@ -6492 +6531 @@
 
 or you could use
-<B>--verify-x509-name Server -name-prefix</B>
+<B>--verify-x509-name Server- name-prefix</B>
 
 if you want a client to only accept connections to &quot;Server-1&quot;, &quot;Server-2&quot;, etc.
@@ -6537 +6576 @@
 options can be defined to track multiple attributes.
 
-<DT><B>--ns-cert-type client|server (DEPRECATED)</B>
-
-<DD>
-This option is deprecated.  Use the more modern equivalent
+<DT><B>--ns-cert-type client|server</B>
+
+<DD>
+<B>DEPRECATED</B>
+
+This option will be removed in OpenVPN 2.5.  Use the more modern equivalent
 <B>--remote-cert-tls</B>
 
@@ -6777 +6818 @@
 <H3>TUN/TAP persistent tunnel config mode:</H3>
 
-Available with linux 2.4.7+.  These options comprise a standalone mode
+Available with Linux 2.4.7+.  These options comprise a standalone mode
 of OpenVPN which can be used to create and delete persistent tunnels.
 
@@ -7184 +7225 @@
 <DD>
 Ask Windows to release the TAP adapter lease on shutdown.
-This option has no effect now, as it is enabled by default starting with version 2.4.1.
+This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1.
 
 <DT><B>--register-dns</B>
@@ -7531 +7572 @@
 <B>X509 Names:</B>
 
-Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at 
+Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at
 ('@'), colon (':'), slash ('/'), and equal ('=').  Alphanumeric is defined 
 as a character which will cause the C library isalnum() function to return 
@@ -7538 +7579 @@
 <B>Common Names:</B>
 
-Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at                
+Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at
 ('@').
 <P>
@@ -7555 +7596 @@
 <B>--client-config-dir filename as derived from common name or username:</B>
 
-Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for &quot;.&quot; or 
-&quot;..&quot; as standalone strings.  As of 2.0.1-rc6, the at ('@') character has
+Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for &quot;.&quot; or
+&quot;..&quot; as standalone strings.  As of v2.0.1-rc6, the at ('@') character has
 been added as well for compatibility with the common name character class.
 <P>
@@ -8980 +9021 @@
 <H2>COPYRIGHT</H2>
 
-Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software;
+Copyright (C) 2002-2017 OpenVPN Technologies, Inc. This program is free software;
 you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2
@@ -9047 +9088 @@
 <A HREF="/cgi-bin/man/man2html">man2html</A>,
 using the manual pages.<BR>
-Time: 13:10:45 GMT, June 20, 2017
+Time: 09:28:23 GMT, September 26, 2017
 }}}