| 3136 | | <DT><B>--management IP port [pw-file]</B> |
| 3137 | | |
| 3138 | | <DD> |
| 3139 | | Enable a TCP server on |
| 3140 | | <B>IP:port</B> |
| 3141 | | |
| 3142 | | to handle daemon management functions. |
| 3143 | | <B>pw-file,</B> |
| 3144 | | |
| 3145 | | if specified, |
| 3146 | | is a password file (password on first line) |
| 3147 | | or "stdin" to prompt from standard input. The password |
| 3148 | | provided will set the password which TCP clients will need |
| 3149 | | to provide in order to access management functions. |
| 3150 | | <P> |
| 3151 | | The management interface can also listen on a unix domain socket, |
| 3152 | | for those platforms that support it. To use a unix domain socket, specify |
| 3153 | | the unix socket pathname in place of |
| 3154 | | <B>IP</B> |
| 3155 | | |
| 3156 | | and set |
| 3157 | | <B>port</B> |
| 3158 | | |
| 3159 | | to 'unix'. While the default behavior is to create a unix domain socket |
| 3160 | | that may be connected to by any process, the |
| | 3136 | <DT><B>--management socket-name unix [pw-file] (recommended)</B> |
| | 3137 | |
| | 3138 | <DD> |
| | 3139 | |
| | 3140 | <BR> |
| | 3141 | |
| | 3142 | |
| | 3143 | <DT> |
| | 3144 | |
| | 3145 | <B>--management IP port [pw-file]</B> |
| | 3146 | |
| | 3147 | <DD>Enable a management server on a |
| | 3148 | <B>socket-name</B> |
| | 3149 | |
| | 3150 | Unix socket on those platforms supporting it, or on |
| | 3151 | a designated TCP port. |
| | 3152 | <P> |
| | 3153 | <B>pw-file</B> |
| | 3154 | |
| | 3155 | , if specified, is a password file where the password must be on first line. |
| | 3156 | Instead of a filename it can use the keyword stdin which will prompt the user |
| | 3157 | for a password to use when OpenVPN is starting. |
| | 3158 | <P> |
| | 3159 | For unix sockets, the default behaviour is to create a unix domain socket |
| | 3160 | that may be connected to by any process. Use the |
| 3166 | | directives can be used to restrict access. |
| 3167 | | <P> |
| 3168 | | The management interface provides a special mode where the TCP |
| 3169 | | management link can operate over the tunnel itself. To enable this mode, |
| 3170 | | set |
| 3171 | | <B>IP</B> |
| 3172 | | |
| 3173 | | = "tunnel". Tunnel mode will cause the management interface |
| 3174 | | to listen for a TCP connection on the local VPN address of the |
| 3175 | | TUN/TAP interface. |
| 3176 | | <P> |
| 3177 | | While the management port is designed for programmatic control |
| 3178 | | of OpenVPN by other applications, it is possible to telnet |
| 3179 | | to the port, using a telnet client in "raw" mode. Once connected, |
| 3180 | | type "help" for a list of commands. |
| 3181 | | <P> |
| 3182 | | For detailed documentation on the management interface, see |
| 3183 | | the management-notes.txt file in the |
| 3184 | | <B>management</B> |
| 3185 | | |
| 3186 | | folder of |
| 3187 | | the OpenVPN source distribution. |
| 3188 | | <P> |
| 3189 | | It is strongly recommended that |
| 3190 | | <B>IP</B> |
| 3191 | | |
| 3192 | | be set to 127.0.0.1 |
| 3193 | | (localhost) to restrict accessibility of the management |
| 3194 | | server to local clients. |
| | 3166 | directives to restrict access. |
| | 3167 | <P> |
| | 3168 | The management interface provides a special mode where the TCP management link |
| | 3169 | can operate over the tunnel itself. To enable this mode, set IP to |
| | 3170 | <B>tunnel.</B> |
| | 3171 | |
| | 3172 | Tunnel mode will cause the management interface to listen for a |
| | 3173 | TCP connection on the local VPN address of the TUN/TAP interface. |
| | 3174 | <P> |
| | 3175 | <B>BEWARE</B> |
| | 3176 | |
| | 3177 | of enabling the management interface over TCP. In these cases you should |
| | 3178 | <I>ALWAYS</I> |
| | 3179 | |
| | 3180 | make use of |
| | 3181 | <B>pw-file</B> |
| | 3182 | |
| | 3183 | to password protect the management interface. Any user who can connect to this |
| | 3184 | TCP |
| | 3185 | <B>IP:port</B> |
| | 3186 | |
| | 3187 | will be able to manage and control (and interfere with) the OpenVPN process. |
| | 3188 | It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict |
| | 3189 | accessibility of the management server to local clients. |
| | 3190 | <P> |
| | 3191 | While the management port is designed for programmatic control of OpenVPN by |
| | 3192 | other applications, it is possible to telnet to the port, using a telnet client |
| | 3193 | in "raw" mode. Once connected, type "help" for a list of commands. |
| | 3194 | <P> |
| | 3195 | For detailed documentation on the management interface, see the |
| | 3196 | <I>management-notes.txt</I> |
| | 3197 | |
| | 3198 | file in the management folder of the OpenVPN source distribution. |
| | 3199 | <P> |
| | 5989 | |
| | 5990 | <DT><B>--tls-cert-profile profile</B> |
| | 5991 | |
| | 5992 | <DD> |
| | 5993 | Set the allowed cryptographic algorithms for certificates according to |
| | 5994 | <B>profile</B>. |
| | 5995 | |
| | 5996 | <P> |
| | 5997 | The following profiles are supported: |
| | 5998 | <P> |
| | 5999 | <B>legacy</B> |
| | 6000 | |
| | 6001 | (default): SHA1 and newer, RSA 2048-bit+, any elliptic curve. |
| | 6002 | <P> |
| | 6003 | <B>preferred</B> |
| | 6004 | |
| | 6005 | : SHA2 and newer, RSA 2048-bit+, any elliptic curve. |
| | 6006 | <P> |
| | 6007 | <B>suiteb</B> |
| | 6008 | |
| | 6009 | : SHA256/SHA384, ECDSA with P-256 or P-384. |
| | 6010 | <P> |
| | 6011 | This option is only fully supported for mbed TLS builds. OpenSSL builds use |
| | 6012 | the following approximation: |
| | 6013 | <P> |
| | 6014 | <B>legacy</B> |
| | 6015 | |
| | 6016 | (default): sets "security level 1" |
| | 6017 | <P> |
| | 6018 | <B>preferred</B> |
| | 6019 | |
| | 6020 | : sets "security level 2" |
| | 6021 | <P> |
| | 6022 | <B>suiteb</B> |
| | 6023 | |
| | 6024 | : sets "security level 3" and --tls-cipher "SUITEB128". |
| | 6025 | <P> |
| | 6026 | OpenVPN will migrate to 'preferred' as default in the future. Please ensure |
| | 6027 | that your keys already comply. |
| 7090 | | <B>DNS6 addr --</B> |
| 7091 | | |
| 7092 | | Set primary domain name server IPv6 address. Repeat |
| 7093 | | this option to set secondary DNS server IPv6 addresses. |
| 7094 | | <P> |
| 7095 | | Note: currently this is handled using netsh (the |
| 7096 | | existing DHCP code can only do IPv4 DHCP, and that protocol only |
| 7097 | | permits IPv4 addresses anywhere). The option will be put into the |
| 7098 | | environment, so an |
| | 7134 | Note: DNS IPv6 servers are currently set using netsh (the existing |
| | 7135 | DHCP code can only do IPv4 DHCP, and that protocol only permits IPv4 |
| | 7136 | addresses anywhere). The option will be put into the environment, so |
| | 7137 | an |
