Changes between Version 14 and Version 15 of Openvpn23ManPage
- Timestamp:
- 06/08/15 06:56:30 (9 years ago)
Openvpn23ManPage
v14 v15 277 277 278 278 is a DNS name which resolves to multiple IP addresses, 279 one will be randomly 280 chosen, providing a sort of basic load-balancingand281 failover capability.279 the first address returned by the system getaddrinfo() function 280 will be used (no DNS randomization inside OpenVPN 2.3.x, and 281 it will not try multiple addresses). 282 282 283 283 <DT><B>--remote-random-hostname</B> … … 789 789 790 790 <DD> 791 TCP/UDP port number for both local and remote. The current 791 TCP/UDP port number or port name for both local and remote (sets both 792 <B>--lport</B> 793 794 and 795 <B>--rport</B> 796 797 options to given port). The current 792 798 default of 1194 represents the official IANA port number 793 799 assignment for OpenVPN and has been used since version 2.0-beta17. … … 797 803 798 804 <DD> 799 TCP/UDP port number for bind. 805 Set local TCP/UDP port number or name. Cannot be used together with 806 <B>--nobind</B> 807 808 option. 800 809 801 810 <DT><B>--rport port</B> 802 811 803 812 <DD> 804 TCP/UDP port number for remote. 813 Set TCP/UDP port number or name used by the 814 <B>--remote</B> 815 816 option. The port can also be set directly using the 817 <B>--remote</B> 818 819 option. 805 820 806 821 <DT><B>--bind</B> … … 945 960 <P> 946 961 This option exists in OpenVPN 2.1 or higher. 962 <P> 963 Note: Using 964 <B>--topology subnet</B> 965 966 changes the interpretation of the arguments of 967 <B>--ifconfig</B> 968 969 to mean "address netmask", no longer "local remote". 947 970 948 971 <DT><B>--tun-ipv6</B> … … 1025 1048 1026 1049 is the IP address of the local VPN endpoint. 1027 For TUN devices ,1050 For TUN devices in point-to-point mode, 1028 1051 <B>rn</B> 1029 1052 1030 1053 is the IP address of the remote VPN endpoint. 
1031 For TAP devices, 1054 For TAP devices, or TUN devices used with 1055 <B>--topology subnet,</B> 1056 1032 1057 <B>rn</B> 1033 1058 1034 is the subnet mask of the virtual ethernetsegment1059 is the subnet mask of the virtual network segment 1035 1060 which is being created or connected to. 1036 1061 <P> 1037 1062 For TUN devices, which facilitate virtual 1038 point-to-point IP connections, 1063 point-to-point IP connections (when used in 1064 <B>--topology net30</B> 1065 1066 or 1067 <B>p2p</B> 1068 1069 mode), 1039 1070 the proper usage of 1040 1071 <B>--ifconfig</B> … … 1053 1084 For TAP devices, which provide 1054 1085 the ability to create virtual 1055 ethernet segments, 1086 ethernet segments, or TUN devices in 1087 <B>--topology subnet</B> 1088 1089 mode (which create virtual "multipoint networks"), 1056 1090 <B>--ifconfig</B> 1057 1091 … … 2195 2229 as the last parameter. 2196 2230 <P> 2231 NOTE: on restart, OpenVPN will not pass the full set of environment 2232 variables to the script. Namely, everything related to routing and 2233 gateways will not be passed, as nothing needs to be done anyway - all 2234 the routing setup is already in place. Additionally, the up-restart 2235 script will run with the downgraded UID/GID settings (if configured). 2236 <P> 2197 2237 The following standalone example shows how the 2198 2238 <B>--up</B> … … 2428 2468 As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() 2429 2469 approach has been used without any issues. 2470 <P> 2471 Some directives such as --up allow options to be passed to the external 2472 script. In these cases make sure the script name does not contain any spaces or 2473 the configuration parser will choke because it can't determine where the script 2474 name ends and script options start. 2430 2475 <P> 2431 2476 To run scripts in Windows in earlier OpenVPN … … 4526 4571 4527 4572 seconds waiting for a response before trying the next server. 
4573 As this only makes sense in client-to-server setups, it cannot 4574 be used in point-to-point setups using 4575 <B>--secret</B> 4576 4577 symmetrical key mode. 4528 4578 4529 4579 <DT><B>--explicit-exit-notify [n]</B> … … 4674 4724 4675 4725 <DD> 4676 Encrypt packets with cipher algorithm4726 Encrypt data channel packets with cipher algorithm 4677 4727 <B>alg.</B> 4678 4728 … … 5107 5157 Available with OpenSSL version >= 0.9.7 dev. 5108 5158 Not available with PolarSSL. 5159 <P> 5160 When using the 5161 <B>--capath</B> 5162 5163 option, you are required to supply valid CRLs for the CAs too. CAs in the 5164 capath directory are expected to be named <hash>.<n>. CRLs are expected to 5165 be named <hash>.r<n>. See the 5166 <B>-CApath</B> 5167 5168 option of 5169 <B>openssl verify</B> 5170 5171 , and the 5172 <B>-hash</B> 5173 5174 option of 5175 <B>openssl x509</B> 5176 5177 and 5178 <B>openssl crl</B> 5179 5180 for more information. 5109 5181 5110 5182 <DT><B>--dh file</B> … … 5201 5273 Local peer's private key in .pem format. Use the private key which was generated 5202 5274 when you built your peer's certificate (see 5203 <B>- cert file</B>5275 <B>--cert file</B> 5204 5276 5205 5277 above). … … 5215 5287 version supported by the local SSL implementation. 5216 5288 <P> 5217 If this options is not set, the code in OpenVPN 2.3.4 will default 5218 to using TLS 1.0 only, without any version negotiation. This reverts 5219 the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned 5220 out that TLS version negotiation can lead to handshake problems due 5221 to new signature algorithms in TLS 1.2. 5289 Also see 5290 <B>--tls-version-max</B> 5291 5292 below, for information on compatibility. 5222 5293 5223 5294 <DT><B>--tls-version-max version</B> … … 5226 5297 Set the maximum TLS version we will use (default is the highest version 5227 5298 supported). Examples for version include "1.0", "1.1", or "1.2". 
5299 <P> 5300 If and only if this is set to 1.0, and OpenSSL is used (not PolarSSL), 5301 then OpenVPN will set up OpenSSL to use a fixed TLSv1 handshake. All 5302 other configurations will autonegotiate in the given limits, and the 5303 choice of handshake versions is left to the SSL implementation. 5228 5304 5229 5305 <DT><B>--pkcs12 file</B> … … 5299 5375 <B>--pkcs12.</B> 5300 5376 5377 <P> 5378 If p11-kit is present on the system, its 5379 <B>p11-kit-proxy.so</B> 5380 5381 module will be loaded by default if either the 5382 <B>--pkcs11-id</B> 5383 5384 or 5385 <B>--pkcs11-id-management</B> 5386 5387 options are specified without 5388 <B>--pkcs11-provider</B> 5389 5390 being given. 5301 5391 5302 5392 <DT><B>--pkcs11-private-mode mode...</B> … … 5419 5509 5420 5510 of allowable TLS ciphers delimited by a colon (":"). 5421 If you require a high level of security, 5422 you may want to set this parameter manually, to prevent a 5423 version rollback attack where a man-in-the-middle attacker tries 5424 to force two peers to negotiate to the lowest level 5425 of security they both support. 5511 <P> 5512 This setting can be used to ensure that certain cipher suites are used (or 5513 not used) for the TLS connection. OpenVPN uses TLS to secure the control 5514 channel, over which the keys that are used to protect the actual VPN traffic 5515 are exchanged. 5516 <P> 5517 The supplied list of ciphers is (after potential OpenSSL/IANA name translation) 5518 simply supplied to the crypto library. Please see the OpenSSL and/or PolarSSL 5519 documentation for details on the cipher list interpretation. 5520 <P> 5426 5521 Use 5427 5522 <B>--show-tls</B> 5428 5523 5429 to see a list of supported TLS ciphers. 5524 to see a list of TLS ciphers supported by your crypto library. 5525 <P> 5526 Warning! 5527 <B>--tls-cipher</B> 5528 5529 is an expert feature, which - if used correcly - can improve the security of 5530 your VPN connection. 
But it is also easy to unwittingly use it to carefully 5531 align a gun with your foot, or just break your connection. Use with care! 5532 <P> 5533 The default for --tls-cipher is to use PolarSSL's default cipher list 5534 when using PolarSSL or "DEFAULT:!EXP:!PSK:!SRP:!kRSA" when using OpenSSL. 5430 5535 5431 5536 <DT><B>--tls-timeout n</B> … … 5573 5678 parameter is used). 5574 5679 <P> 5575 <B>(2) </B>5680 <B>(2) DEPRECATED</B> 5576 5681 5577 5682 A freeform passphrase file. In this case the HMAC key will … … 5583 5688 <B><A HREF="/cgi-bin/man/man2html?1+sha1sum">sha1sum</A></B>(1) 5584 5689 5585 commands. 5690 commands. This option is deprecated and will stop working in OpenVPN 2.4 and 5691 newer releases. 5586 5692 <P> 5587 5693 OpenVPN will first try format (1), and if the file fails to parse as … … 5712 5818 OpenVPN session. 5713 5819 <P> 5820 When using --auth-nocache in combination with a user/password file 5821 and --chroot or --daemon, make sure to use an absolute path. 5822 <P> 5714 5823 This directive does not affect the 5715 5824 <B>--http-proxy</B> … … 6096 6205 (decimal string) is the name of a file present in the directory, 6097 6206 it will be rejected. 6207 <P> 6208 Note: As the crl file (or directory) is read every time a peer connects, 6209 if you are dropping root privileges with 6210 <B>--user,</B> 6211 6212 make sure that this user has sufficient privileges to read the file. 6098 6213 6099 6214 </DL> … … 6125 6240 <DD> 6126 6241 (Standalone) 6127 Show all TLS ciphers (TLS used only as a control channel). The TLS 6128 ciphers will be sorted from highest preference (most secure) to 6129 lowest. 6242 Show all TLS ciphers supported by the crypto library. OpenVPN uses TLS to 6243 secure the control channel, over which the keys that are used to protect the 6244 actual VPN traffic are exchanged. The TLS ciphers will be sorted from highest 6245 preference (most secure) to lowest. 
6246 <P> 6247 Be aware that whether a cipher suite in this list can actually work depends on 6248 the specific setup of both peers (e.g. both peers must support the cipher, and 6249 an ECDSA cipher suite will not work if you are using an RSA certificate, etc.). 6130 6250 6131 6251 <DT><B>--show-engines</B> … … 6660 6780 6661 6781 <DL COMPACT> 6662 <DT><B>--show-pkcs11-ids provider[cert_private]</B>6782 <DT><B>--show-pkcs11-ids [provider] [cert_private]</B> 6663 6783 6664 6784 <DD> … … 6666 6786 Show PKCS#11 token object list. Specify cert_private as 1 6667 6787 if certificates are stored as private objects. 6788 <P> 6789 If p11-kit is present on the system, the 6790 <B>provider</B> 6791 6792 argument is optional; if omitted the default 6793 <B>p11-kit-proxy.so</B> 6794 6795 module will be queried. 6668 6796 <P> 6669 6797 <B>--verb</B> … … 8364 8492 <A HREF="/cgi-bin/man/man2html">man2html</A>, 8365 8493 using the manual pages.<BR> 8366 Time: 0 7:44:25 GMT, December 01, 20148494 Time: 06:53:40 GMT, June 08, 2015 8367 8495 }}}
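Review bot: the rewritten --remote paragraph (v15 lines 279-281) drops the old "basic load-balancing and failover" claim without telling the reader what to use instead; since 2.3.x only uses the first address getaddrinfo() returns and "will not try multiple addresses", a configuration that relied on round-robin DNS for failover now silently pins itself to whichever address comes back first. Suggest closing the paragraph with a pointer to the --remote-random-hostname option documented immediately below (line 283), and stating plainly that failover across several server addresses requires each address to be listed as its own --remote entry.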
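Review bot: punctuation is inside the bold tag in `<B>--topology subnet,</B>` (line 1055) while every other option reference on the page keeps the comma outside the tag; move the comma after `</B>`. Otherwise the --ifconfig rewrite (1050-1089) reads correctly and the new note under --topology (962-969) is the right place for the "address netmask" versus "local remote" warning.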
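Review bot: the new restart note under --up (lines 2231-2235) says "everything related to routing and gateways will not be passed" but never names the variables, so a script author cannot tell which of the script's inputs will be missing on a restart; suggest listing them or pointing at the Environmental Variables section. The UID/GID sentence is the operationally important one: an up script that needs root (the usual case when it touches routes or firewall rules) will fail on restart when --user/--group are configured, so the note should say that such scripts must either tolerate running unprivileged or confine their privileged work to the initial run.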
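Review bot: the new paragraph on spaces in script names (lines 2471-2474) reads as a blanket prohibition, yet the --up description earlier on this page documents that the path and arguments may be single- or double-quoted or backslash-escaped; the paragraph should either reference those quoting rules or state that they do not apply here, rather than leaving the reader with only a prohibition. "the configuration parser will choke" is also too informal for a man page; suggest "the configuration parser cannot determine where the script name ends and its arguments begin".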
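Review bot: the new --capath paragraph (lines 5160-5180) says valid CRLs are required but not what happens when one is missing or has expired; since that is a verification failure that rejects every peer chaining to the affected CA, the text should say so and tell the administrator to reissue the CRL before its nextUpdate. Suggest also naming c_rehash (openssl rehash in newer OpenSSL) as the tool that produces the <hash>.<n> and <hash>.r<n> links, since computing the names by hand with openssl x509 -hash and openssl crl -hash is error-prone, and note that a CRL placed there under the wrong hash name is simply not found.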
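Review bot: the removed --tls-version-min paragraph (v14 lines 5217-5221) was the only place that stated the default minimum ("TLS 1.0 only, without any version negotiation"); its replacement (v15 5289-5292) only points at --tls-version-max, whose new text (5299-5303) describes the max=1.0 special case but still does not say what the minimum defaults to. Suggest stating the --tls-version-min default explicitly, and adding that the fixed TLSv1 handshake selected when --tls-version-max is 1.0 caps the control channel at TLS 1.0 for both peers, so an administrator who controls both ends should raise --tls-version-min (1.2 is accepted) rather than lower the maximum.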
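Review bot: typo at line 5529, "correcly" should be "correctly". The deleted --tls-cipher text (v14 5421-5425) explained why one would pin the list at all (a rollback to the weakest mutually supported suite by an active attacker); the new text keeps the "expert feature" warning but loses that motivation, so one sentence on it is worth keeping. The new OpenSSL default "DEFAULT:!EXP:!PSK:!SRP:!kRSA" (line 5534) also deserves a sentence: !kRSA excludes static RSA key exchange, i.e. the suites without forward secrecy, which is the property most readers will want to know they get without touching the option. Finally, --tls-cipher on line 5533 is plain text while every other option reference on the page is wrapped in <B>…</B>.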
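Review bot: the new --auth-nocache note (lines 5820-5822) gives the rule (use an absolute path) but not the reason: with --auth-nocache the credentials file is re-read each time OpenVPN needs the username/password again, which happens after --daemon has changed the working directory or --chroot has changed the root, so a relative path no longer resolves. With --chroot the file must additionally live inside the chroot directory; an absolute path alone is not enough. Suggest saying both.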
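Review bot: the new --crl-verify note (lines 6207-6212) covers --user but not --chroot, which has the same consequence because the CRL is read on every connection: the file or directory must be readable by the unprivileged user and reachable inside the chroot, otherwise every connection attempt after privileges are dropped fails verification while the clients that connected before the drop keep working, a failure mode that is easy to misread as a client-side problem. Suggest extending the note to --chroot and adding that the CRL should be readable but not writable by that user.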