3136 | | <DT><B>--management IP port [pw-file]</B> |
3137 | | |
3138 | | <DD> |
3139 | | Enable a TCP server on |
3140 | | <B>IP:port</B> |
3141 | | |
3142 | | to handle daemon management functions. |
3143 | | <B>pw-file,</B> |
3144 | | |
3145 | | if specified, |
3146 | | is a password file (password on first line) |
3147 | | or "stdin" to prompt from standard input. The password |
3148 | | provided will set the password which TCP clients will need |
3149 | | to provide in order to access management functions. |
3150 | | <P> |
3151 | | The management interface can also listen on a unix domain socket, |
3152 | | for those platforms that support it. To use a unix domain socket, specify |
3153 | | the unix socket pathname in place of |
3154 | | <B>IP</B> |
3155 | | |
3156 | | and set |
3157 | | <B>port</B> |
3158 | | |
3159 | | to 'unix'. While the default behavior is to create a unix domain socket |
3160 | | that may be connected to by any process, the |
| 3136 | <DT><B>--management socket-name unix [pw-file] (recommended)</B> |
| 3137 | |
| 3138 | <DD> |
| 3139 | |
| 3140 | <BR> |
| 3141 | |
| 3142 | |
| 3143 | <DT> |
| 3144 | |
| 3145 | <B>--management IP port [pw-file]</B> |
| 3146 | |
| 3147 | <DD>Enable a management server on a |
| 3148 | <B>socket-name</B> |
| 3149 | |
| 3150 | Unix socket on those platforms supporting it, or on |
| 3151 | a designated TCP port. |
| 3152 | <P> |
| 3153 | <B>pw-file</B> |
| 3154 | |
| 3155 | , if specified, is a password file where the password must be on first line. |
| 3156 | Instead of a filename it can use the keyword stdin which will prompt the user |
| 3157 | for a password to use when OpenVPN is starting. |
| 3158 | <P> |
| 3159 | For unix sockets, the default behaviour is to create a unix domain socket |
| 3160 | that may be connected to by any process. Use the |
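Review bot: the new `<DD>` text for the two `--management` forms drops the one detail a reader needs to pick between them: the old text stated that for the Unix-socket form the `port` argument is literally `unix` and that the TCP form listens on `IP:port`, while the new wording ("on a socket-name Unix socket ... or on a designated TCP port") never ties the arguments to the listen address. Suggest keeping a sentence such as "Enable a management server on the Unix domain socket socket-name (set port to unix), or on the TCP address IP:port." Minor grammar on the pw-file sentence: "the password must be on the first line".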
3166 | | directives can be used to restrict access. |
3167 | | <P> |
3168 | | The management interface provides a special mode where the TCP |
3169 | | management link can operate over the tunnel itself. To enable this mode, |
3170 | | set |
3171 | | <B>IP</B> |
3172 | | |
3173 | | = "tunnel". Tunnel mode will cause the management interface |
3174 | | to listen for a TCP connection on the local VPN address of the |
3175 | | TUN/TAP interface. |
3176 | | <P> |
3177 | | While the management port is designed for programmatic control |
3178 | | of OpenVPN by other applications, it is possible to telnet |
3179 | | to the port, using a telnet client in "raw" mode. Once connected, |
3180 | | type "help" for a list of commands. |
3181 | | <P> |
3182 | | For detailed documentation on the management interface, see |
3183 | | the management-notes.txt file in the |
3184 | | <B>management</B> |
3185 | | |
3186 | | folder of |
3187 | | the OpenVPN source distribution. |
3188 | | <P> |
3189 | | It is strongly recommended that |
3190 | | <B>IP</B> |
3191 | | |
3192 | | be set to 127.0.0.1 |
3193 | | (localhost) to restrict accessibility of the management |
3194 | | server to local clients. |
| 3166 | directives to restrict access. |
| 3167 | <P> |
| 3168 | The management interface provides a special mode where the TCP management link |
| 3169 | can operate over the tunnel itself. To enable this mode, set IP to |
| 3170 | <B>tunnel.</B> |
| 3171 | |
| 3172 | Tunnel mode will cause the management interface to listen for a |
| 3173 | TCP connection on the local VPN address of the TUN/TAP interface. |
| 3174 | <P> |
| 3175 | <B>BEWARE</B> |
| 3176 | |
| 3177 | of enabling the management interface over TCP. In these cases you should |
| 3178 | <I>ALWAYS</I> |
| 3179 | |
| 3180 | make use of |
| 3181 | <B>pw-file</B> |
| 3182 | |
| 3183 | to password protect the management interface. Any user who can connect to this |
| 3184 | TCP |
| 3185 | <B>IP:port</B> |
| 3186 | |
| 3187 | will be able to manage and control (and interfere with) the OpenVPN process. |
| 3188 | It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict |
| 3189 | accessibility of the management server to local clients. |
| 3190 | <P> |
| 3191 | While the management port is designed for programmatic control of OpenVPN by |
| 3192 | other applications, it is possible to telnet to the port, using a telnet client |
| 3193 | in "raw" mode. Once connected, type "help" for a list of commands. |
| 3194 | <P> |
| 3195 | For detailed documentation on the management interface, see the |
| 3196 | <I>management-notes.txt</I> |
| 3197 | |
| 3198 | file in the management folder of the OpenVPN source distribution. |
| 3199 | <P> |
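Review bot: the BEWARE paragraph presents pw-file as the primary control ("you should ALWAYS make use of pw-file") and the 127.0.0.1 bind as a secondary recommendation, but as the same paragraph notes, any user who can connect to the TCP IP:port can control the process, and a password does not limit who can reach the port. Suggest leading with binding to 127.0.0.1 (or using the Unix socket form, which this hunk now labels "recommended") and stating that pw-file is required in addition when a TCP listener is used. Style point on the tunnel sentence: the period has moved inside the tag (`<B>tunnel.</B>`), which renders the keyword as "tunnel." with a bold full stop; the previous text quoted the literal value as "tunnel", which is less ambiguous.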
| 5989 | |
| 5990 | <DT><B>--tls-cert-profile profile</B> |
| 5991 | |
| 5992 | <DD> |
| 5993 | Set the allowed cryptographic algorithms for certificates according to |
| 5994 | <B>profile</B>. |
| 5995 | |
| 5996 | <P> |
| 5997 | The following profiles are supported: |
| 5998 | <P> |
| 5999 | <B>legacy</B> |
| 6000 | |
| 6001 | (default): SHA1 and newer, RSA 2048-bit+, any elliptic curve. |
| 6002 | <P> |
| 6003 | <B>preferred</B> |
| 6004 | |
| 6005 | : SHA2 and newer, RSA 2048-bit+, any elliptic curve. |
| 6006 | <P> |
| 6007 | <B>suiteb</B> |
| 6008 | |
| 6009 | : SHA256/SHA384, ECDSA with P-256 or P-384. |
| 6010 | <P> |
| 6011 | This option is only fully supported for mbed TLS builds. OpenSSL builds use |
| 6012 | the following approximation: |
| 6013 | <P> |
| 6014 | <B>legacy</B> |
| 6015 | |
| 6016 | (default): sets "security level 1" |
| 6017 | <P> |
| 6018 | <B>preferred</B> |
| 6019 | |
| 6020 | : sets "security level 2" |
| 6021 | <P> |
| 6022 | <B>suiteb</B> |
| 6023 | |
| 6024 | : sets "security level 3" and --tls-cipher "SUITEB128". |
| 6025 | <P> |
| 6026 | OpenVPN will migrate to 'preferred' as default in the future. Please ensure |
| 6027 | that your keys already comply. |
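Review bot: the OpenSSL approximation for suiteb says it "sets security level 3 and --tls-cipher SUITEB128", but the text does not say how this interacts with a --tls-cipher the user has already supplied (override, error, or ignored); that precedence should be documented, since a silently replaced cipher list is the kind of thing operators need to know when the profile becomes the default. Also, the option restricts certificate algorithms, so the closing advice "ensure that your keys already comply" would read more precisely as "ensure that your certificates and keys already comply".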
7090 | | <B>DNS6 addr --</B> |
7091 | | |
7092 | | Set primary domain name server IPv6 address. Repeat |
7093 | | this option to set secondary DNS server IPv6 addresses. |
7094 | | <P> |
7095 | | Note: currently this is handled using netsh (the |
7096 | | existing DHCP code can only do IPv4 DHCP, and that protocol only |
7097 | | permits IPv4 addresses anywhere). The option will be put into the |
7098 | | environment, so an |
| 7134 | Note: DNS IPv6 servers are currently set using netsh (the existing |
| 7135 | DHCP code can only do IPv4 DHCP, and that protocol only permits IPv4 |
| 7136 | addresses anywhere). The option will be put into the environment, so |
| 7137 | an |
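Review bot: the rewording is a clarity improvement over "currently this is handled using netsh", but "DNS IPv6 servers" reads awkwardly; suggest "IPv6 DNS servers are currently set using netsh" to match the "DNS6 addr" option name it documents. The sentence is cut off at "so an" in this hunk, so the environment-variable name it continues with cannot be reviewed here.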