Changes between Version 11 and Version 12 of Openvpn24ManPage


Ignore:
Timestamp:
09/26/17 11:51:16 (4 months ago)
Author:
samuli
Comment:

Update man-page to 2.4.4

Legend:

Unmodified
Added
Removed
Modified
  • Openvpn24ManPage

    v11 v12  
    7373using client & server certificates.
    7474OpenVPN also
    75 supports non-encrypted TCP/UDP tunnels. 
     75supports non-encrypted TCP/UDP tunnels.
    7676<P>
    7777OpenVPN is designed to work with the
     
    930930<B>--ifconfig-pool-linear</B>
    931931
    932 directive which is available in OpenVPN 2.0 and is now deprecated.
     932directive which is available in OpenVPN 2.0, is deprecated and will be
     933removed in OpenVPN 2.5
    933934<P>
    934935<B>subnet --</B>
     
    24662467<B>system. </B>
    24672468
    2468 As of OpenVPN v2.3, this flag is no longer accepted.  In most *nix environments the execve()
     2469As of OpenVPN 2.3, this flag is no longer accepted.  In most *nix environments the execve()
    24692470approach has been used without any issues.
    24702471<P>
     
    24792480<B>system</B>
    24802481
    2481 flag to run these scripts.  As of OpenVPN v2.3 it is now a strict requirement to have
     2482flag to run these scripts.  As of OpenVPN 2.3 it is now a strict requirement to have
    24822483full path to the script interpreter when running non-executables files.
    24832484This is not needed for executable files, such as .exe, .com, .bat or .cmd files.  For
     
    27092710
    27102711option is used to tell OpenVPN to ask for the pass phrase (this
    2711 requirement is new in 2.3.7, and is a consequence of calling daemon()
     2712requirement is new in v2.3.7, and is a consequence of calling daemon()
    27122713before initializing the crypto layer).
    27132714<P>
     
    30533054are different compression algorithms, with LZ4 generally
    30543055offering the best performance with least CPU usage.
    3055 For backwards compatibility with OpenVPN versions before 2.4, use &quot;lzo&quot;
     3056For backwards compatibility with OpenVPN versions before v2.4, use &quot;lzo&quot;
    30563057(which is identical to the older option &quot;--comp-lzo yes&quot;).
    30573058<P>
     
    30663067
    30673068<DD>
     3069<B>DEPRECATED</B>
     3070
     3071This option will be removed in a future OpenVPN release.  Use the
     3072newer
     3073<B>--compress</B>
     3074
     3075instead.
     3076<P>
    30683077Use LZO compression -- may add up to 1 byte per
    30693078packet for incompressible data.
     
    30713080
    30723081may be &quot;yes&quot;, &quot;no&quot;, or &quot;adaptive&quot; (default).
    3073 <P>
    3074 This option is deprecated in favor of the newer
    3075 <B>--compress</B>
    3076 
    3077 option.
    30783082<P>
    30793083In a server mode setup, it is possible to selectively turn
     
    37973801<B>--ifconfig-push</B>
    37983802
     3803<P>
    37993804
    38003805<DT><B>--ifconfig-pool-linear</B>
    38013806
    38023807<DD>
     3808<B>DEPRECATED</B>
     3809
     3810This option will be removed in OpenVPN 2.5
     3811<P>
    38033812Modifies the
    38043813<B>--ifconfig-pool</B>
     
    44824491to detect this condition and respond accordingly.
    44834492
    4484 <DT><B>--client-cert-not-required (DEPRECATED)</B>
    4485 
    4486 <DD>
     4493<DT><B>--client-cert-not-required</B>
     4494
     4495<DD>
     4496<B>DEPRECATED</B>
     4497
     4498This option will be removed in OpenVPN 2.5
     4499<P>
    44874500Don't require client certificate, client will authenticate
    44884501using username/password only.  Be aware that using this directive
    44894502is less secure than requiring certificates from all clients.
    44904503<P>
    4491 <P>
    44924504<B>Please note:</B>
    44934505
    4494 This option is now deprecated and will be removed in OpenVPN v2.5.
    4495 It is replaced by
     4506This is replaced by
    44964507<B>--verify-client-cert</B>
    44974508
     
    45734584rather than the common name from the client cert.
    45744585
    4575 <DT><B>--compat-names [no-remapping] (DEPRECATED)</B>
    4576 
    4577 <DD>
     4586<DT><B>--compat-names [no-remapping]</B>
     4587
     4588<DD>
     4589<B>DEPRECATED</B>
     4590
     4591This option will be removed in OpenVPN 2.5
     4592<P>
    45784593Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
    45794594like this:
     
    45964611scripts which does not handle the new formatting or UTF-8 characters.
    45974612<DT><DD>
    4598 In OpenVPN v2.3 the formatting of these fields changed into a more
     4613In OpenVPN 2.3 the formatting of these fields changed into a more
    45994614standardised format.  It now looks like:
    46004615<DT><DD>
     
    46024617
    46034618<DT><DD>
    4604 The new default format in OpenVPN v2.3 also does not do the character remapping
     4619The new default format in OpenVPN 2.3 also does not do the character remapping
    46054620which happened earlier.  This new format enables proper support for UTF-8
    46064621characters in the usernames, X.509 Subject fields and Common Name variables and
     
    46244639This option is immediately deprecated.  It is only implemented
    46254640to make the transition to the new formatting less intrusive.  It will be
    4626 removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.
    4627 
    4628 <DT><B>--no-name-remapping (DEPRECATED)</B>
    4629 
    4630 <DD>
     4641removed in OpenVPN 2.5.  So please update your scripts/plug-ins where necessary.
     4642
     4643<DT><B>--no-name-remapping</B>
     4644
     4645<DD>
     4646<B>DEPRECATED</B>
     4647
     4648This option will be removed in OpenVPN 2.5
     4649<P>
    46314650The
    46324651<B>--no-name-remapping</B>
     
    46424661<B>Please note:</B>
    46434662
    4644 This option is now deprecated.  It will be removed in OpenVPN v2.5.
     4663This option is now deprecated.  It will be removed in OpenVPN 2.5.
    46454664So please make sure you support the new X.509 name formatting
    46464665described with the
     
    49865005<P>
    49875006Another advantageous aspect of Static Key encryption mode is that
    4988 it is a handshake-free protocol 
     5007it is a handshake-free protocol
    49895008without any distinguishing signature or feature
    49905009(such as a header or protocol handshake sequence)
     
    50605079<B>alg.</B>
    50615080
     5081<P>
    50625082The default is
    50635083<B>BF-CBC,</B>
    50645084
    5065 an abbreviation for Blowfish in Cipher Block Chaining mode.
    5066 <P>
    5067 Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
     5085an abbreviation for Blowfish in Cipher Block Chaining mode.  When cipher
     5086negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server
     5087side will automatically upgrade to
     5088<B>AES-256-GCM.</B>
     5089
     5090See
     5091<B>--ncp-ciphers</B>
     5092
     5093and
     5094<B>--ncp-disable</B>
     5095
     5096for more details on NCP.
     5097<P>
     5098Using
     5099<B>BF-CBC</B>
     5100
     5101is no longer recommended, because of its 64-bit block size.  This
    50685102small block size allows attacks based on collisions, as demonstrated by SWEET32.
    5069 See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details.
     5103See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details.  Due to
     5104this, support for
     5105<B>BF-CBC, DES, CAST5, IDEA</B>
     5106
     5107and
     5108<B>RC2</B>
     5109
     5110ciphers will be removed in OpenVPN 2.6.
    50705111<P>
    50715112To see other ciphers that are available with OpenVPN, use the
     
    50785119
    50795120to disable encryption.
    5080 <P>
    5081 As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by
    5082 <B>--cipher</B>.
    5083 
    5084 See
    5085 <B>--ncp-ciphers</B>
    5086 
    5087 and
    5088 <B>--ncp-disable</B>
    5089 
    5090 for more on NCP.
    50915121<P>
    50925122
     
    51305160<B>--ncp-ciphers</B>.
    51315161
    5132 E.g. a non-NCP client (&lt;=2.3, or with --ncp-disabled set) connecting to a
    5133 NCP server (2.4+) with &quot;--cipher BF-CBC&quot; and &quot;--ncp-ciphers
     5162E.g. a non-NCP client (&lt;=v2.3, or with --ncp-disabled set) connecting to a
     5163NCP server (v2.4+) with &quot;--cipher BF-CBC&quot; and &quot;--ncp-ciphers
    51345164AES-256-GCM:AES-256-CBC&quot; set can either specify &quot;--cipher BF-CBC&quot; or
    51355165&quot;--cipher AES-256-CBC&quot; and both will work.
     
    51455175
    51465176<DD>
     5177<B>DEPRECATED</B>
     5178
     5179This option will be removed in OpenVPN 2.6.
     5180<P>
    51475181Size of cipher key in bits (optional).
    51485182If unspecified, defaults to cipher-specific default.  The
     
    51945228
    51955229<DD>
     5230<B>DEPRECATED</B>
     5231
     5232This option will be removed in OpenVPN 2.5.
     5233<P>
    51965234(Advanced) Disable OpenVPN's protection against replay attacks.
    51975235Don't use this option unless you are prepared to make
     
    53815419
    53825420<DD>
    5383 <P>
    53845421<B>DEPRECATED</B>
    53855422
     
    54085445
    54095446<DD>
    5410 Enable prediction resistance on PolarSSL's RNG.
     5447Enable prediction resistance on mbed TLS's RNG.
    54115448<P>
    54125449Enabling prediction resistance causes the RNG to reseed in each
     
    54175454entropy to the kernel pool.
    54185455<P>
    5419 Note that this option only works with PolarSSL versions greater
    5420 than 1.1.
    54215456
    54225457<DT><B>--test-crypto</B>
     
    55425577<DD>
    55435578Directory containing trusted certificates (CAs and CRLs).
    5544 Not available with PolarSSL.
     5579Not available with mbed TLS.
    55455580<P>
    55465581When using the
     
    55805615to disable Diffie Hellman key exchange (and use ECDH only). Note that this
    55815616requires peers to be using an SSL library that supports ECDH TLS cipher suites
    5582 (e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+).
     5617(e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+).
    55835618<P>
    55845619Use
     
    57075742<B>--key.</B>
    57085743
    5709 Not available with PolarSSL.
     5744Not available with mbed TLS.
    57105745
    57115746<DT><B>--verify-hash hash [algo]</B>
     
    58675902
    58685903<DD>
     5904<B>DEPRECATED</B>
     5905
     5906This option will be removed in OpenVPN 2.5
     5907<P>
    58695908Use data channel key negotiation method
    58705909<B>m.</B>
     
    59245963<P>
    59255964The supplied list of ciphers is (after potential OpenSSL/IANA name translation)
    5926 simply supplied to the crypto library.  Please see the OpenSSL and/or PolarSSL
     5965simply supplied to the crypto library.  Please see the OpenSSL and/or mbed TLS
    59275966documentation for details on the cipher list interpretation.
    59285967<P>
     
    59395978align a gun with your foot, or just break your connection.  Use with care!
    59405979<P>
    5941 The default for --tls-cipher is to use PolarSSL's default cipher list
    5942 when using PolarSSL or
     5980The default for --tls-cipher is to use mbed TLS's default cipher list
     5981when using mbed TLS or
    59435982&quot;DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA&quot; when using
    59445983OpenSSL.
     
    60886127
    60896128<P>
    6090 Older versions (up to 2.3) supported a freeform passphrase file.
    6091 This is no longer supported in newer versions (2.4+).
     6129Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.
     6130This is no longer supported in newer versions (v2.4+).
    60926131<P>
    60936132See the
     
    64926531
    64936532or you could use
    6494 <B>--verify-x509-name Server -name-prefix</B>
     6533<B>--verify-x509-name Server- name-prefix</B>
    64956534
    64966535if you want a client to only accept connections to &quot;Server-1&quot;, &quot;Server-2&quot;, etc.
     
    65376576options can be defined to track multiple attributes.
    65386577
    6539 <DT><B>--ns-cert-type client|server (DEPRECATED)</B>
    6540 
    6541 <DD>
    6542 This option is deprecated.  Use the more modern equivalent
     6578<DT><B>--ns-cert-type client|server</B>
     6579
     6580<DD>
     6581<B>DEPRECATED</B>
     6582
     6583This option will be removed in OpenVPN 2.5.  Use the more modern equivalent
    65436584<B>--remote-cert-tls</B>
    65446585
     
    67776818<H3>TUN/TAP persistent tunnel config mode:</H3>
    67786819
    6779 Available with linux 2.4.7+.  These options comprise a standalone mode
     6820Available with Linux 2.4.7+.  These options comprise a standalone mode
    67806821of OpenVPN which can be used to create and delete persistent tunnels.
    67816822
     
    71847225<DD>
    71857226Ask Windows to release the TAP adapter lease on shutdown.
    7186 This option has no effect now, as it is enabled by default starting with version 2.4.1.
     7227This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1.
    71877228
    71887229<DT><B>--register-dns</B>
     
    75317572<B>X509 Names:</B>
    75327573
    7533 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at 
     7574Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at
    75347575('@'), colon (':'), slash ('/'), and equal ('=').  Alphanumeric is defined
    75357576as a character which will cause the C library isalnum() function to return
     
    75387579<B>Common Names:</B>
    75397580
    7540 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at               
     7581Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at
    75417582('@').
    75427583<P>
     
    75557596<B>--client-config-dir filename as derived from common name or username:</B>
    75567597
    7557 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for &quot;.&quot; or 
    7558 &quot;..&quot; as standalone strings.  As of 2.0.1-rc6, the at ('@') character has
     7598Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for &quot;.&quot; or
     7599&quot;..&quot; as standalone strings.  As of v2.0.1-rc6, the at ('@') character has
    75597600been added as well for compatibility with the common name character class.
    75607601<P>
     
    89809021<H2>COPYRIGHT</H2>
    89819022
    8982 Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software;
     9023Copyright (C) 2002-2017 OpenVPN Technologies, Inc. This program is free software;
    89839024you can redistribute it and/or modify
    89849025it under the terms of the GNU General Public License version 2
     
    90479088<A HREF="/cgi-bin/man/man2html">man2html</A>,
    90489089using the manual pages.<BR>
    9049 Time: 13:10:45 GMT, June 20, 2017
     9090Time: 09:28:23 GMT, September 26, 2017
    90509091}}}