Changes between Version 11 and Version 12 of Openvpn23ManPage

Timestamp:

05/06/14 07:43:49 (10 years ago)

Author:

Samuli Seppänen

Comment:

--

Openvpn23ManPage

@@ -284 +284 @@
 
 <DD>
-Add a random string (6 characters) to first DNS label of hostname to prevent
+Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent
 DNS caching.  For example, &quot;foo.bar.gov&quot; would be modified to
 &quot;&lt;random-chars&gt;.foo.bar.gov&quot;.
@@ -650 +650 @@
 
 
-<DT><B>--socks-proxy server [port]</B>
+<DT><B>--socks-proxy server [port] [authfile]</B>
 
 <DD>
@@ -660 +660 @@
 
 (default=1080).
+<B>authfile</B>
+
+(optional) is a file containing a username and password on 2 lines, or
+&quot;stdin&quot; to prompt from console.
 
 <DT><B>--socks-proxy-retry</B>
@@ -770 +774 @@
 IP address changes due to DHCP, we should configure
 our IP address change script (see man page for
-<B>dhcpcd</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8)
 
 ) to deliver a
@@ -936 +940 @@
 of the TAP-Win32 driver.  When used on *nix, requires that the tun
 driver supports an
-<B>ifconfig</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
 
 command which sets a subnet instead of a remote endpoint IP address.
@@ -972 +976 @@
 <B>--dev-type tap.</B>
 
+<P>
+Under Mac OS X this option can be used to specify the default tun
+implementation. Using
+<B>--dev-node utun</B>
+
+forces usage of the native Darwin tun kernel support. Use
+<B>--dev-node utunN</B>
+
+to select a specific utun instance. To force using the tun.kext (/dev/tunX) use
+<B>--dev-node tun</B>.
+
+When not specifying a
+<B>--dev-node</B>
+
+option openvpn will first try to open utun, and fall back to tun.kext.
 <P>
 On Windows systems, select the TAP-Win32 adapter which
@@ -1050 +1069 @@
 <P>
 This option, while primarily a proxy for the
-<B>ifconfig</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
 
 command, is designed to simplify TUN/TAP
@@ -1119 +1138 @@
 This option is intended as
 a convenience proxy for the
-<B>route</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8)
 
 shell command,
@@ -1925 +1944 @@
 
 <P>
-Note that the behaviour of
+Note that the behavior of
 <B>SIGUSR1</B>
 
@@ -2314 +2333 @@
 new software features to gracefully degrade when encountered by
 older software versions.
+<P>
+It is also possible to tag a single directive so as not to trigger
+a fatal error if the directive isn't recognized.  To do this,
+prepend the following before the directive:
+<B>setenv opt</B>
+
+<P>
+Versions prior to OpenVPN 2.3.3 will always ignore options set with the
+<B>setenv opt</B>
+
+directive.
+<P>
+See also
+<B>--ignore-unknown-option</B>
+
 
 <DT><B>--setenv-safe name value</B>
@@ -2327 +2361 @@
 is a safety precaution to prevent a LD_PRELOAD style attack
 from a malicious or compromised server.
+
+<DT><B>--ignore-unknown-option opt1 opt2 opt3 ... optN</B>
+
+<DD>
+When one of options
+<B>opt1 ... optN</B>
+
+is encountered in the configuration file the configuration
+file parsing does not fail if this OpenVPN version does not
+support the option. Multiple
+<B>--ignore-unknown-option</B>
+
+options can be given to support a larger number of options to ignore.
+<P>
+This option should be used with caution, as there are good security
+reasons for having OpenVPN fail if it detects problems in a
+config file. Having said that, there are valid reasons for wanting
+new software features to gracefully degrade when encountered by
+older software versions.
+<P>
+<B>--ignore-unknown-option</B>
+
+is available since OpenVPN 2.3.3.
 
 <DT><B>--script-security level</B>
@@ -2507 +2564 @@
 complications can result when scripts or restarts
 are executed after the chroot operation.
+<P>
+Note: if OpenVPN is built using the PolarSSL SSL
+library,
+<B>--chroot</B>
+
+will only work if a /dev/urandom device node is available
+inside the chroot directory
+<B>dir.</B>
+
+This is due to the way PolarSSL works (it wants to open
+/dev/urandom every time randomness is needed, not just once
+at startup) and nothing OpenVPN can influence.
 
 <DT><B>--setcon context</B>
@@ -2620 +2689 @@
 <DD>
 Use this option when OpenVPN is being run from the inetd or
-<B>xinetd(8)</B>
+<B><A HREF="/cgi-bin/man/man2html?8+xinetd">xinetd</A>(8)</B>
 
 server.
@@ -2791 +2860 @@
 
 <DD>
-Configure a multi-homed UDP server.  This option can be used when
-OpenVPN has been configured to listen on all interfaces, and will
-attempt to bind client sessions to the interface on which packets
-are being received, so that outgoing packets will be sent out
-of the same interface.  Note that this option is only relevant for
-UDP servers and currently is only implemented on Linux.
-<P>
-Note: clients connecting to a
-<B>--multihome</B>
-
-server should always use the
-<B>--nobind</B>
-
-option.
+Configure a multi-homed UDP server.  This option needs to be used when
+a server has more than one IP address (e.g. multiple interfaces, or
+secondary IP addresses), and is not using
+<B>--local</B>
+
+to force binding to one specific address only.  This option will
+add some extra lookups to the packet path to ensure that the UDP reply
+packets are always sent from the address that the client is
+talking to. This is not supported on all platforms, and it adds more
+processing, so it's not enabled by default.
+<P>
+Note: this option is only relevant for UDP servers.
+<P>
+Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with
+multiple IPv4 address, connections to IPv4 addresses will not work
+right on kernels before 3.15, due to missing kernel support for the
+IPv4-mapped case (some distributions have ported this to earlier kernel
+versions, though).
 
 <DT><B>--echo [parms...]</B>
@@ -2985 +3058 @@
 <B>port</B>
 
-to 'unix'.  While the default behaviour is to create a unix domain socket
+to 'unix'.  While the default behavior is to create a unix domain socket
 that may be connected to by any process, the
 <B>--management-client-user</B>
@@ -4200 +4273 @@
 
 <DT><DD>
-In addition the old behaviour was to remap any character other than
+In addition the old behavivour was to remap any character other than
 alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to
 underscore ('_').  The X.509 Subject string as returned by the
@@ -5128 +5201 @@
 above).
 
+<DT><B>--tls-version-min version ['or-highest']</B>
+
+<DD>
+Enable TLS version negotiation, and set the minimum
+TLS version we will accept from the peer (default is &quot;1.0&quot;).
+Examples for version
+include &quot;1.0&quot;, &quot;1.1&quot;, or &quot;1.2&quot;.  If 'or-highest' is specified
+and version is not recognized, we will only accept the highest TLS
+version supported by the local SSL implementation.
+<P>
+If this options is not set, the code in OpenVPN 2.3.4 will default
+to using TLS 1.0 only, without any version negotiation.  This reverts
+the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned
+out that TLS version negotiation can lead to handshake problems due
+to new signature algorithms in TLS 1.2.
+
 <DT><B>--pkcs12 file</B>
 
@@ -5479 +5568 @@
 be derived by taking a secure hash of this file, similar to
 the
-<B>md5sum</B>(1)
+<B><A HREF="/cgi-bin/man/man2html?1+md5sum">md5sum</A></B>(1)
 
 or
-<B>sha1sum</B>(1)
+<B><A HREF="/cgi-bin/man/man2html?1+sha1sum">sha1sum</A></B>(1)
 
 commands.
@@ -6011 +6100 @@
 option.  This file must be shared with the
 peer over a pre-existing secure channel such as
-<B>scp</B>(1)
+<B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
 
 
@@ -6048 +6137 @@
 
 scripts to run the appropriate
-<B>ifconfig</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
 
 and
-<B>route</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8)
 
 commands.  These commands can be placed in the the same shell script
@@ -6468 +6557 @@
 
 option.  On non-Windows systems, the
-<B>ifconfig</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
 
 command provides similar functionality.
@@ -6535 +6624 @@
 
 The following options exist to support IPv6 tunneling in peer-to-peer
-and client-server mode.  As of now, this is just very basic
-documentation of the IPv6-related options. More documentation can be
-found on <A HREF="http://www.greenie.net/ipv6/openvpn.html">http://www.greenie.net/ipv6/openvpn.html</A>
+and client-server mode.  All options are modeled after their IPv4
+counterparts, so more detailed explanations given there apply here
+as well (except for
+<B>--topology</B>
+
+, which has no effect on IPv6).
 <DL COMPACT>
 <DT><B>--ifconfig-ipv6 ipv6addr/bits ipv6remote</B>
@@ -6575 +6667 @@
 <B>/bits</B>
 
-setting controls the size of the pool.
+setting controls the size of the pool.  Due to implementation details,
+the pool size must be between /64 and /112.
 <DT><B>--ifconfig-ipv6-push ipv6addr/bits ipv6remote</B>
 
@@ -7320 +7413 @@
 script.
 
+<DT><B>tls_digest_{n}</B>
+
+<DD>
+Contains the certificate SHA1 fingerprint/digest hash value,
+where
+<B>n</B>
+
+is the verification level.  Only set for TLS connections.  Set prior
+to execution of
+<B>--tls-verify</B>
+
+script.
+
 <DT><B>tls_id_{n}</B>
 
@@ -7344 +7450 @@
 <B>--tls-verify</B>
 
-script. This is in the form of a hex string like &quot;37AB46E0&quot;, which is
-suitable for doing serial-based OCSP queries (with OpenSSL, you have
-to prepend &quot;0x&quot; to the string). If something goes wrong while reading
+script. This is in the form of a decimal string like &quot;933971680&quot;, which is
+suitable for doing serial-based OCSP queries (with OpenSSL, do not
+prepend &quot;0x&quot; to the string) If something goes wrong while reading
 the value from the certificate it will be an empty string, so your
 code should check that.
 See the contrib/OCSP_check/OCSP_check.sh script for an example.
+
+<DT><B>tls_serial_hex_{n}</B>
+
+<DD>
+Like
+<B>tls_serial_{n}</B>,
+
+but in hex form (e.g. &quot;12:34:56:78:9A&quot;).
 
 <DT><B>tun_mtu</B>
@@ -7759 +7873 @@
 
 option will produce verbose output, similar to the
-<B>tcpdump</B>(8)
+<B><A HREF="/cgi-bin/man/man2html?8+tcpdump">tcpdump</A></B>(8)
 
 program.  Omit the
@@ -7786 +7900 @@
 to june over a secure medium such as by
 using the
-<B>scp</B>(1)
+<B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
 
 program.
@@ -8096 +8210 @@
 <H2>SEE ALSO</H2>
 
-<B>dhcpcd</B>(8),
-
-<B>ifconfig</B>(8),
-
-<B>openssl</B>(1),
-
-<B>route</B>(8),
-
-<B>scp</B>(1)
-
-<B>ssh</B>(1)
+<B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8),
+
+<B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8),
+
+<B><A HREF="/cgi-bin/man/man2html?1+openssl">openssl</A></B>(1),
+
+<B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8),
+
+<B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
+
+<B><A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A></B>(1)
 
 
@@ -8195 +8309 @@
 <HR>
 This document was created by
-man2html,
+<A HREF="/cgi-bin/man/man2html">man2html</A>,
 using the manual pages.<BR>
-Time: 15:49:01 GMT, July 12, 2013
+Time: 07:38:58 GMT, May 06, 2014
 }}}