Changes between Version 21 and Version 22 of Openvpn23ManPage


Timestamp:
12/07/16 11:50:05 (6 months ago)
Author:
samuli
Comment:

Update man-page to 2.3.14

  • Openvpn23ManPage

    v21 v22  
    20022002are mutually exclusive and cannot be used together.
    20032003
    2004 <DT><B>--keepalive n m</B>
     2004<DT><B>--keepalive interval timeout</B>
    20052005
    20062006<DD>
     
    20092009
    20102010and
     2011<B>--ping-restart.</B>
     2012
     2013<P>
     2014This option can be used on both client and server side, but it is
     2015in enough to add this on the server side as it will push appropriate
     2016<B>--ping</B>
     2017
     2018and
    20112019<B>--ping-restart</B>
    20122020
    2013 in server mode configurations.
    2014 <P>
    2015 The server timeout is set twice the value of the second argument.
    2016 This ensures that a timeout is detected on client side
    2017 before the server side drops the connection.
     2021options to the client.  If used on both server and client,
     2022the values pushed from server will override the client local values.
     2023<P>
     2024The
     2025<B>timeout</B>
     2026
     2027argument will be twice as long on the server side.  This ensures that
     2028a timeout is detected on client side before the server side drops
     2029the connection.
    20182030<P>
    20192031For example,
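Review bot: Typo in the added paragraph at new line 2015: "in enough to add this on the server side" should read "is enough to add this on the server side". In the same hunk, new line 2011 places the sentence-ending period inside the bold markup, so the option name renders as "--ping-restart."; move the period outside the closing tag so the option can be copied as written.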
     
    20242036<PRE>
    20252037<B> if mode server:
    2026    ping 10
    2027    ping-restart 120
    2028    push &quot;ping 10&quot;
    2029    push &quot;ping-restart 60&quot;
     2038   ping 10                    # Argument: interval
     2039   ping-restart 120           # Argument: timeout*2
     2040   push &quot;ping 10&quot;             # Argument: interval
     2041   push &quot;ping-restart 60&quot;     # Argument: timeout
    20302042 else
    2031    ping 10
    2032    ping-restart 60
     2043   ping 10                    # Argument: interval
     2044   ping-restart 60            # Argument: timeout
    20332045</B></PRE>
    20342046
     
    33743386   ifconfig 10.8.0.1 255.255.255.0
    33753387   if !nopool:
    3376      ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
     3388     ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
    33773389   push &quot;route-gateway 10.8.0.1&quot;
    33783390   if route-gateway unset:
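Review bot: The pool end address on new line 3388 changes from 10.8.0.254 to 10.8.0.253 with no explanation in the hunk or in the commit comment. With "ifconfig 10.8.0.1 255.255.255.0" just above it, a reader cannot tell why the last host address is now left out of the pool; add a short sentence near this expansion saying what that address is reserved for.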
     
    35203532
    35213533<B>--setenv,</B>
     3534
     3535<B>--auth-token,</B>
    35223536
    35233537<B>--persist-key, --persist-tun, --echo,</B>
     
    46364650will try to resend the exit notification message.  OpenVPN will not send any exit
    46374651notifications unless this option is enabled.
     4652<DT><B>--allow-recursive-routing</B>
     4653
     4654<DD>
     4655When this option is set, OpenVPN will not drop incoming tun packets
     4656with same destination as host.
    46384657
    46394658</DL>
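Review bot: The new --allow-recursive-routing entry (new lines 4652-4656) says which packets stop being dropped but not why they are dropped by default or when it is safe to disable that check. Suggest adding one sentence that states the default behaviour and the recursive-routing situation the option name refers to, and rewording the end to "with the same destination as the host".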
     
    58625881username/password.  It is always cached.
    58635882
     5883<DT><B>--auth-token token</B>
     5884
     5885<DD>
     5886This is not an option to be used directly in any configuration files,
     5887but rather push this option from a
     5888<B>--client-connect</B>
     5889
     5890script or a
     5891<B>--plugin</B>
     5892
     5893which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or
     5894OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.  This option provides
     5895a possibility to replace the clients password with an authentication
     5896token during the lifetime of the OpenVPN client.
     5897<P>
     5898Whenever the connection is renegotiated and the
     5899<B>--auth-user-pass-verify</B>
     5900
     5901script or
     5902<B>--plugin</B>
     5903
     5904making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is
     5905triggered, it will pass over this token as the password
     5906instead of the password the user provided.  The authentication
     5907token can only be reset by a full reconnect where the server
     5908can push new options to the client.  The password the user entered
     5909is never preserved once an authentication token have been set.  If
     5910the OpenVPN server side rejects the authentication token, the
     5911client will receive an AUTH_FAIL and disconnect.
     5912<P>
     5913The purpose of this is to enable two factor authentication
     5914methods, such as HOTP or TOTP, to be used without needing to
     5915retrieve a new OTP code each time the connection is renegotiated.
     5916Another use case is to cache authentication data on the client
     5917without needing to have the users password cached in memory
     5918during the life time of the session.
     5919<P>
     5920To make use of this feature, the
     5921<B>--client-connect</B>
     5922
     5923script or
     5924<B>--plugin</B>
     5925
     5926needs to put
     5927<P>
     5928<PRE>
     5929<B>push &quot;auth-token UNIQUE_TOKEN_VALUE&quot;
     5930</B></PRE>
     5931
     5932<P>
     5933into the file/buffer for dynamic configuration data.  This
     5934will then make the OpenVPN server to push this value to the
     5935client, which replaces the local password with the
     5936UNIQUE_TOKEN_VALUE.
     5937
    58645938<DT><B>--tls-verify cmd</B>
    58655939
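Review bot: The --auth-token entry (new lines 5883-5936) never says what properties UNIQUE_TOKEN_VALUE must have or which component checks it. Because the token is handed to the --auth-user-pass-verify script or plugin "as the password instead of the password the user provided", it is a password equivalent for the rest of the session; the entry should say that the value must be unpredictable and unique per session, and state whether the verify hook is responsible for recognising, validating and expiring it. Grammar in the same hunk: "clients password" (5895) and "users password" (5917) need apostrophes, "have been set" (5909) should be "has been set", and "make the OpenVPN server to push" (5934) should drop "to".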
     
    64696543mode, OpenVPN will cause the DHCP server to masquerade as if it were
    64706544coming from the remote endpoint.  The optional offset parameter is
    6471 an integer which is &gt; -256 and &lt; 256 and which defaults to 0.
     6545an integer which is &gt; -256 and &lt; 256 and which defaults to -1.
    64726546If offset is positive, the DHCP server will masquerade as the IP
    64736547address at network address + offset.
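Review bot: The stated default on new line 6545 changes from 0 to -1, but the lines shown here only explain a positive offset ("network address + offset"). Check that the text following this hunk defines what a negative offset means so the new default is actually documented, and say in the commit comment whether this corrects the documentation or tracks a changed default.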
     
    85598633<A HREF="/cgi-bin/man/man2html">man2html</A>,
    85608634using the manual pages.<BR>
    8561 Time: 11:31:53 GMT, November 03, 2016
     8635Time: 11:48:16 GMT, December 07, 2016
    85628636}}}