Changes between Version 11 and Version 12 of Openvpn23ManPage
Timestamp: 05/06/14 07:43:49 (10 years ago)
Openvpn23ManPage
v11 v12 284 284 285 285 <DD> 286 Add a random string (6 characters) to first DNS label ofhostname to prevent286 Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent 287 287 DNS caching. For example, "foo.bar.gov" would be modified to 288 288 "<random-chars>.foo.bar.gov". … … 650 650 651 651 652 <DT><B>--socks-proxy server [port] </B>652 <DT><B>--socks-proxy server [port] [authfile]</B> 653 653 654 654 <DD> … … 660 660 661 661 (default=1080). 662 <B>authfile</B> 663 664 (optional) is a file containing a username and password on 2 lines, or 665 "stdin" to prompt from console. 662 666 663 667 <DT><B>--socks-proxy-retry</B> … … 770 774 IP address changes due to DHCP, we should configure 771 775 our IP address change script (see man page for 772 <B> dhcpcd</B>(8)776 <B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8) 773 777 774 778 ) to deliver a … … 936 940 of the TAP-Win32 driver. When used on *nix, requires that the tun 937 941 driver supports an 938 <B> ifconfig</B>(8)942 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8) 939 943 940 944 command which sets a subnet instead of a remote endpoint IP address. … … 972 976 <B>--dev-type tap.</B> 973 977 978 <P> 979 Under Mac OS X this option can be used to specify the default tun 980 implementation. Using 981 <B>--dev-node utun</B> 982 983 forces usage of the native Darwin tun kernel support. Use 984 <B>--dev-node utunN</B> 985 986 to select a specific utun instance. To force using the tun.kext (/dev/tunX) use 987 <B>--dev-node tun</B>. 988 989 When not specifying a 990 <B>--dev-node</B> 991 992 option openvpn will first try to open utun, and fall back to tun.kext. 
974 993 <P> 975 994 On Windows systems, select the TAP-Win32 adapter which … … 1050 1069 <P> 1051 1070 This option, while primarily a proxy for the 1052 <B> ifconfig</B>(8)1071 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8) 1053 1072 1054 1073 command, is designed to simplify TUN/TAP … … 1119 1138 This option is intended as 1120 1139 a convenience proxy for the 1121 <B> route</B>(8)1140 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8) 1122 1141 1123 1142 shell command, … … 1925 1944 1926 1945 <P> 1927 Note that the behavio ur of1946 Note that the behavior of 1928 1947 <B>SIGUSR1</B> 1929 1948 … … 2314 2333 new software features to gracefully degrade when encountered by 2315 2334 older software versions. 2335 <P> 2336 It is also possible to tag a single directive so as not to trigger 2337 a fatal error if the directive isn't recognized. To do this, 2338 prepend the following before the directive: 2339 <B>setenv opt</B> 2340 2341 <P> 2342 Versions prior to OpenVPN 2.3.3 will always ignore options set with the 2343 <B>setenv opt</B> 2344 2345 directive. 2346 <P> 2347 See also 2348 <B>--ignore-unknown-option</B> 2349 2316 2350 2317 2351 <DT><B>--setenv-safe name value</B> … … 2327 2361 is a safety precaution to prevent a LD_PRELOAD style attack 2328 2362 from a malicious or compromised server. 2363 2364 <DT><B>--ignore-unknown-option opt1 opt2 opt3 ... optN</B> 2365 2366 <DD> 2367 When one of options 2368 <B>opt1 ... optN</B> 2369 2370 is encountered in the configuration file the configuration 2371 file parsing does not fail if this OpenVPN version does not 2372 support the option. Multiple 2373 <B>--ignore-unknown-option</B> 2374 2375 options can be given to support a larger number of options to ignore. 2376 <P> 2377 This option should be used with caution, as there are good security 2378 reasons for having OpenVPN fail if it detects problems in a 2379 config file. 
Having said that, there are valid reasons for wanting 2380 new software features to gracefully degrade when encountered by 2381 older software versions. 2382 <P> 2383 <B>--ignore-unknown-option</B> 2384 2385 is available since OpenVPN 2.3.3. 2329 2386 2330 2387 <DT><B>--script-security level</B> … … 2507 2564 complications can result when scripts or restarts 2508 2565 are executed after the chroot operation. 2566 <P> 2567 Note: if OpenVPN is built using the PolarSSL SSL 2568 library, 2569 <B>--chroot</B> 2570 2571 will only work if a /dev/urandom device node is available 2572 inside the chroot directory 2573 <B>dir.</B> 2574 2575 This is due to the way PolarSSL works (it wants to open 2576 /dev/urandom every time randomness is needed, not just once 2577 at startup) and nothing OpenVPN can influence. 2509 2578 2510 2579 <DT><B>--setcon context</B> … … 2620 2689 <DD> 2621 2690 Use this option when OpenVPN is being run from the inetd or 2622 <B> xinetd(8)</B>2691 <B><A HREF="/cgi-bin/man/man2html?8+xinetd">xinetd</A>(8)</B> 2623 2692 2624 2693 server. … … 2791 2860 2792 2861 <DD> 2793 Configure a multi-homed UDP server. This option can be used when 2794 OpenVPN has been configured to listen on all interfaces, and will 2795 attempt to bind client sessions to the interface on which packets 2796 are being received, so that outgoing packets will be sent out 2797 of the same interface. Note that this option is only relevant for 2798 UDP servers and currently is only implemented on Linux. 2799 <P> 2800 Note: clients connecting to a 2801 <B>--multihome</B> 2802 2803 server should always use the 2804 <B>--nobind</B> 2805 2806 option. 2862 Configure a multi-homed UDP server. This option needs to be used when 2863 a server has more than one IP address (e.g. multiple interfaces, or 2864 secondary IP addresses), and is not using 2865 <B>--local</B> 2866 2867 to force binding to one specific address only. 
This option will 2868 add some extra lookups to the packet path to ensure that the UDP reply 2869 packets are always sent from the address that the client is 2870 talking to. This is not supported on all platforms, and it adds more 2871 processing, so it's not enabled by default. 2872 <P> 2873 Note: this option is only relevant for UDP servers. 2874 <P> 2875 Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with 2876 multiple IPv4 address, connections to IPv4 addresses will not work 2877 right on kernels before 3.15, due to missing kernel support for the 2878 IPv4-mapped case (some distributions have ported this to earlier kernel 2879 versions, though). 2807 2880 2808 2881 <DT><B>--echo [parms...]</B> … … 2985 3058 <B>port</B> 2986 3059 2987 to 'unix'. While the default behavio ur is to create a unix domain socket3060 to 'unix'. While the default behavior is to create a unix domain socket 2988 3061 that may be connected to by any process, the 2989 3062 <B>--management-client-user</B> … … 4200 4273 4201 4274 <DT><DD> 4202 In addition the old behavi our was to remap any character other than4275 In addition the old behavivour was to remap any character other than 4203 4276 alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to 4204 4277 underscore ('_'). The X.509 Subject string as returned by the … … 5128 5201 above). 5129 5202 5203 <DT><B>--tls-version-min version ['or-highest']</B> 5204 5205 <DD> 5206 Enable TLS version negotiation, and set the minimum 5207 TLS version we will accept from the peer (default is "1.0"). 5208 Examples for version 5209 include "1.0", "1.1", or "1.2". If 'or-highest' is specified 5210 and version is not recognized, we will only accept the highest TLS 5211 version supported by the local SSL implementation. 5212 <P> 5213 If this options is not set, the code in OpenVPN 2.3.4 will default 5214 to using TLS 1.0 only, without any version negotiation. 
This reverts 5215 the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned 5216 out that TLS version negotiation can lead to handshake problems due 5217 to new signature algorithms in TLS 1.2. 5218 5130 5219 <DT><B>--pkcs12 file</B> 5131 5220 … … 5479 5568 be derived by taking a secure hash of this file, similar to 5480 5569 the 5481 <B> md5sum</B>(1)5570 <B><A HREF="/cgi-bin/man/man2html?1+md5sum">md5sum</A></B>(1) 5482 5571 5483 5572 or 5484 <B> sha1sum</B>(1)5573 <B><A HREF="/cgi-bin/man/man2html?1+sha1sum">sha1sum</A></B>(1) 5485 5574 5486 5575 commands. … … 6011 6100 option. This file must be shared with the 6012 6101 peer over a pre-existing secure channel such as 6013 <B> scp</B>(1)6102 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1) 6014 6103 6015 6104 … … 6048 6137 6049 6138 scripts to run the appropriate 6050 <B> ifconfig</B>(8)6139 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8) 6051 6140 6052 6141 and 6053 <B> route</B>(8)6142 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8) 6054 6143 6055 6144 commands. These commands can be placed in the the same shell script … … 6468 6557 6469 6558 option. On non-Windows systems, the 6470 <B> ifconfig</B>(8)6559 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8) 6471 6560 6472 6561 command provides similar functionality. … … 6535 6624 6536 6625 The following options exist to support IPv6 tunneling in peer-to-peer 6537 and client-server mode. As of now, this is just very basic 6538 documentation of the IPv6-related options. More documentation can be 6539 found on <A HREF="http://www.greenie.net/ipv6/openvpn.html">http://www.greenie.net/ipv6/openvpn.html</A> 6626 and client-server mode. All options are modeled after their IPv4 6627 counterparts, so more detailed explanations given there apply here 6628 as well (except for 6629 <B>--topology</B> 6630 6631 , which has no effect on IPv6). 
6540 6632 <DL COMPACT> 6541 6633 <DT><B>--ifconfig-ipv6 ipv6addr/bits ipv6remote</B> … … 6575 6667 <B>/bits</B> 6576 6668 6577 setting controls the size of the pool. 6669 setting controls the size of the pool. Due to implementation details, 6670 the pool size must be between /64 and /112. 6578 6671 <DT><B>--ifconfig-ipv6-push ipv6addr/bits ipv6remote</B> 6579 6672 … … 7320 7413 script. 7321 7414 7415 <DT><B>tls_digest_{n}</B> 7416 7417 <DD> 7418 Contains the certificate SHA1 fingerprint/digest hash value, 7419 where 7420 <B>n</B> 7421 7422 is the verification level. Only set for TLS connections. Set prior 7423 to execution of 7424 <B>--tls-verify</B> 7425 7426 script. 7427 7322 7428 <DT><B>tls_id_{n}</B> 7323 7429 … … 7344 7450 <B>--tls-verify</B> 7345 7451 7346 script. This is in the form of a hex string like "37AB46E0", which is7347 suitable for doing serial-based OCSP queries (with OpenSSL, you have7348 to prepend "0x" to the string).If something goes wrong while reading7452 script. This is in the form of a decimal string like "933971680", which is 7453 suitable for doing serial-based OCSP queries (with OpenSSL, do not 7454 prepend "0x" to the string) If something goes wrong while reading 7349 7455 the value from the certificate it will be an empty string, so your 7350 7456 code should check that. 7351 7457 See the contrib/OCSP_check/OCSP_check.sh script for an example. 7458 7459 <DT><B>tls_serial_hex_{n}</B> 7460 7461 <DD> 7462 Like 7463 <B>tls_serial_{n}</B>, 7464 7465 but in hex form (e.g. "12:34:56:78:9A"). 7352 7466 7353 7467 <DT><B>tun_mtu</B> … … 7759 7873 7760 7874 option will produce verbose output, similar to the 7761 <B> tcpdump</B>(8)7875 <B><A HREF="/cgi-bin/man/man2html?8+tcpdump">tcpdump</A></B>(8) 7762 7876 7763 7877 program. Omit the … … 7786 7900 to june over a secure medium such as by 7787 7901 using the 7788 <B> scp</B>(1)7902 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1) 7789 7903 7790 7904 program. 
… … 8096 8210 <H2>SEE ALSO</H2> 8097 8211 8098 <B> dhcpcd</B>(8),8099 8100 <B> ifconfig</B>(8),8101 8102 <B> openssl</B>(1),8103 8104 <B> route</B>(8),8105 8106 <B> scp</B>(1)8107 8108 <B> ssh</B>(1)8212 <B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8), 8213 8214 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8), 8215 8216 <B><A HREF="/cgi-bin/man/man2html?1+openssl">openssl</A></B>(1), 8217 8218 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8), 8219 8220 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1) 8221 8222 <B><A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A></B>(1) 8109 8223 8110 8224 … … 8195 8309 <HR> 8196 8310 This document was created by 8197 man2html,8311 <A HREF="/cgi-bin/man/man2html">man2html</A>, 8198 8312 using the manual pages.<BR> 8199 Time: 15:49:01 GMT, July 12, 20138313 Time: 07:38:58 GMT, May 06, 2014 8200 8314 }}}
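Review bot: the new authfile text for --socks-proxy (lines 662-665) describes a file holding a username and password on two lines but says nothing about protecting it; add a sentence that the file must be readable only by the user OpenVPN runs as, and that "stdin" is the safer choice where an interactive prompt is possible.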
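Review bot: the modified line at 4275 introduces a typo: "the old behavivour was" should read "the old behavior was", matching the spelling change this same revision makes at 1946 and 3060.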
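Review bot: the --tls-version-min hunk (5203-5218) has two typos, "If this options is not set" (5213) should be "If this option is not set" and "beaviour" (5215) should be "behaviour"; it also explains that 2.3.4 disables negotiation by default but never states which setting an administrator should use to get negotiation back with the same floor, so a sentence such as "use --tls-version-min 1.0 to re-enable negotiation" would make the recommended configuration explicit.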
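Review bot: the rewritten --multihome text (2862-2879) drops the earlier note that clients connecting to a --multihome server should always use --nobind (old lines 2800-2806) without saying whether that advice no longer applies; if it still holds, keep it, otherwise state that it is obsolete. Also "multiple IPv4 address" at 2876 should be "multiple IPv4 addresses".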
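Review bot: the tls_serial_{n} change (7452-7454) turns the documented format from hex ("37AB46E0") to decimal ("933971680", the same serial), so any --tls-verify script that parses the old hex form will break; the entry should say since which OpenVPN version the decimal form applies, as the --ignore-unknown-option and setenv opt entries do, and point readers at the new tls_serial_hex_{n} for the hex form. A period is also missing after the parenthesis at 7454 ("to the string) If something").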
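Review bot: the PolarSSL note under --chroot (2567-2577) explains why a /dev/urandom node must exist inside dir but not how to provide one; a short hint (create the device node inside the chroot directory with mknod, or bind-mount /dev/urandom into it) would save administrators a failing startup.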
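Review bot: the last two sentences added for --ignore-unknown-option (2377-2381) repeat verbatim the security rationale already present in the unchanged lines just above (2333-2334); a cross-reference would avoid maintaining the same caution in two places. The setenv opt entry says "See also --ignore-unknown-option" (2347-2348) but the new --ignore-unknown-option entry does not point back at setenv opt. Minor wording: "When one of options" (2367) should be "When one of the options", and "prepend the following before the directive" (2338) should be "prefix the directive with".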
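Review bot: in the new --dev-node utun paragraph, line 992 "option openvpn will first try to open utun" should read "option, OpenVPN will first try to open utun", with the comma and the capitalisation the rest of the page uses.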
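Review bot: in the SEE ALSO hunk (8212-8223) the comma after scp(1) is still missing, so the list ends "scp(1) ssh(1)"; since these lines are being rewritten anyway, add it.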