Changes between Version 14 and Version 15 of Openvpn24ManPage


Timestamp: 02/21/19 07:44:05 (6 months ago)
Author: Samuli Seppänen
Comment: --

  • Openvpn24ManPage

    v14 v15  
    760760IP address changes due to DHCP, we should configure
    761761our IP address change script (see man page for
    762 <B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8)
     762<B><A HREF="/man/man2html?8+dhcpcd">dhcpcd</A></B>(8)
    763763
    764764) to deliver a
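Review bot: the only change at line 762 is the man2html link prefix, /cgi-bin/man/man2html becoming /man/man2html, and the same one-line rewrite repeats in most hunks of this revision. Neither prefix is part of the manual's content, so consider stripping the generated <A HREF=...> wrappers (keeping <B>dhcpcd</B>(8)) before pasting the page; later revisions would then show only real text changes.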
     
    949949of the TAP-Win32 driver.  When used on *nix, requires that the tun
    950950driver supports an
    951 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
     951<B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8)
    952952
    953953command which sets a subnet instead of a remote endpoint IP address.
     
    10821082<P>
    10831083This option, while primarily a proxy for the
    1084 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
     1084<B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8)
    10851085
    10861086command, is designed to simplify TUN/TAP
     
    11511151This option is intended as
    11521152a convenience proxy for the
    1153 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8)
     1153<B><A HREF="/man/man2html?8+route">route</A></B>(8)
    11541154
    11551155shell command,
     
    14411441<B>local</B>
    14421442
    1443 flag if both OpenVPN servers are directly connected via a common subnet,
     1443flag if both OpenVPN peers are directly connected via a common subnet,
    14441444such as with wireless.  The
    14451445<B>local</B>
     
    27522752<DD>
    27532753Use this option when OpenVPN is being run from the inetd or
    2754 <B><A HREF="/cgi-bin/man/man2html?8+xinetd">xinetd</A>(8)</B>
     2754<B><A HREF="/man/man2html?8+xinetd">xinetd</A>(8)</B>
    27552755
    27562756server.
     
    30943094framing for compression will still be enabled, allowing a different
    30953095setting to be pushed later.
     3096<P>
     3097<B>Security Considerations</B>
     3098
     3099<P>
     3100Compression and encryption is a tricky combination.  If an attacker knows or is
     3101able to control (parts of) the plaintext of packets that contain secrets, the
     3102attacker might be able to extract the secret if compression is enabled.  See
     3103e.g. the CRIME and BREACH attacks on TLS which also leverage compression to
     3104break encryption.  If you are not entirely sure that the above does not apply
     3105to your traffic, you are advised to *not* enable compression.
     3106<P>
    30963107
    30973108<DT><B>--comp-lzo [mode]</B>
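Review bot: the new Security Considerations paragraph (3096-3106) is appended to the end of the preceding option's text, directly above the --comp-lzo header at 3108, so a reader who jumps straight to --comp-lzo does not see it. Repeat or cross-reference the warning in that entry as well. Two smaller points: *not* at 3105 will show literal asterisks in this HTML, so use <B>not</B> like the rest of the page, and the trailing <P> at 3106 opens an empty paragraph just before the <DT>.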
     
    37373748supports AES-GCM-128 and AES-GCM-256.
    37383749<P>
    3739 IV_UI_VER=&lt;gui_id&gt; &lt;version&gt; -- the UI version of a UI if one is
     3750IV_GUI_VER=&lt;gui_id&gt; &lt;version&gt; -- the UI version of a UI if one is
    37403751running, for example &quot;de.blinkt.openvpn 0.5.47&quot; for the
    37413752Android app.
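Review bot: line 3750 renames the variable to IV_GUI_VER, but the description on the same line still reads "the UI version of a UI if one is running". Reword it so the name and its explanation agree, for example "the version of the GUI, if one is running".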
     
    59885999
    59896000<DD>
    5990 A list
     6001
     6002<BR>
     6003
     6004
     6005<DT>
     6006
     6007<B>--tls-ciphersuites l</B>
     6008
     6009<DD>A list
    59916010<B>l</B>
    59926011
    59936012of allowable TLS ciphers delimited by a colon (&quot;:&quot;).
    59946013<P>
    5995 This setting can be used to ensure that certain cipher suites are used (or
     6014These setting can be used to ensure that certain cipher suites are used (or
    59966015not used) for the TLS connection.  OpenVPN uses TLS to secure the control
    59976016channel, over which the keys that are used to protect the actual VPN traffic
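Review bot: "These setting" at 6014 should be "These settings", now that the sentence covers two options. Also, the <DD> at 6000 is left holding only a <BR> (6002) before the new <DT> for --tls-ciphersuites, so the term above it renders with an empty body and the shared description appears only under --tls-ciphersuites. If the two options are meant to share one description, say so in the text or list both names together.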
     
    60026021documentation for details on the cipher list interpretation.
    60036022<P>
     6023For OpenSSL, the
     6024<B>--tls-cipher</B>
     6025
     6026is used for TLS 1.2 and below. For TLS 1.3 and up, the
     6027<B>--tls-ciphersuites</B>
     6028
     6029setting is used. mbed TLS has no TLS 1.3 support yet and only the
     6030<B>--tls-cipher</B>
     6031
     6032setting is used.
     6033<P>
    60046034Use
    60056035<B>--show-tls</B>
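Review bot: lines 6023-6032 say which option governs which protocol version but leave the consequence implicit: with OpenSSL, a configuration that restricts only --tls-cipher does not restrict the suites used for TLS 1.3. State that explicitly here, since it is the case most likely to surprise someone with an existing --tls-cipher line. "has no TLS 1.3 support yet" at 6029 will also age; name the version the statement applies to.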
     
    60106040<B>--tls-cipher</B>
    60116041
    6012 is an expert feature, which - if used correcly - can improve the security of
    6013 your VPN connection.  But it is also easy to unwittingly use it to carefully
     6042and
     6043<B>--tls-ciphersuites</B>
     6044
     6045are expert features, which - if used correcly - can improve the security of
     6046your VPN connection.  But it is also easy to unwittingly use them to carefully
    60146047align a gun with your foot, or just break your connection.  Use with care!
    60156048<P>
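Review bot: "correcly" is carried over from the removed line 6012 into the new line 6045. Fix it to "correctly" while this sentence is being reworded.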
     
    60186051&quot;DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA&quot; when using
    60196052OpenSSL.
     6053<P>
     6054The default for --tls-ciphersuites is to use the crypto library's default.
    60206055
    60216056<DT><B>--tls-cert-profile profile</B>
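Review bot: line 6054 writes --tls-ciphersuites as plain text, while the other mentions added in this revision wrap the option name in <B>...</B> (for example 6027 and 6043). Use the same markup here.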
     
    64576492client, which replaces the local password with the
    64586493UNIQUE_TOKEN_VALUE.
     6494<P>
     6495Newer clients (2.4.7+) will fall back to the original password method
     6496after a failed auth. Older clients will keep using the token value
     6497and react acording to
     6498<B>--auth-retry</B>
     6499
    64596500
    64606501<DT><B>--tls-verify cmd</B>
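Review bot: "acording" at 6497 should be "according", and the sentence that ends with --auth-retry at 6498 has no closing period before the next <DT>.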
     
    68796920option.  This file must be shared with the
    68806921peer over a pre-existing secure channel such as
    6881 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
     6922<B><A HREF="/man/man2html?1+scp">scp</A></B>(1)
    68826923
    68836924
     
    69166957
    69176958scripts to run the appropriate
    6918 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
     6959<B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8)
    69196960
    69206961and
    6921 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8)
     6962<B><A HREF="/man/man2html?8+route">route</A></B>(8)
    69226963
    69236964commands.  These commands can be placed in the the same shell script
     
    73617402
    73627403option.  On non-Windows systems, the
    7363 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)
     7404<B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8)
    73647405
    73657406command provides similar functionality.
     
    87198760
    87208761option will produce verbose output, similar to the
    8721 <B><A HREF="/cgi-bin/man/man2html?8+tcpdump">tcpdump</A></B>(8)
     8762<B><A HREF="/man/man2html?8+tcpdump">tcpdump</A></B>(8)
    87228763
    87238764program.  Omit the
     
    87468787to alice over a secure medium such as by
    87478788using the
    8748 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
     8789<B><A HREF="/man/man2html?1+scp">scp</A></B>(1)
    87498790
    87508791program.
     
    90569097<H2>SEE ALSO</H2>
    90579098
    9058 <B><A HREF="/cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8),
    9059 
    9060 <B><A HREF="/cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8),
    9061 
    9062 <B><A HREF="/cgi-bin/man/man2html?1+openssl">openssl</A></B>(1),
    9063 
    9064 <B><A HREF="/cgi-bin/man/man2html?8+route">route</A></B>(8),
    9065 
    9066 <B><A HREF="/cgi-bin/man/man2html?1+scp">scp</A></B>(1)
    9067 
    9068 <B><A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A></B>(1)
     9099<B><A HREF="/man/man2html?8+dhcpcd">dhcpcd</A></B>(8),
     9100
     9101<B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8),
     9102
     9103<B><A HREF="/man/man2html?1+openssl">openssl</A></B>(1),
     9104
     9105<B><A HREF="/man/man2html?8+route">route</A></B>(8),
     9106
     9107<B><A HREF="/man/man2html?1+scp">scp</A></B>(1)
     9108
     9109<B><A HREF="/man/man2html?1+ssh">ssh</A></B>(1)
    90699110
    90709111
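Review bot: the scp(1) entry at 9107 has no trailing comma before ssh(1), unlike the other entries in the list; the omission is inherited from the old line 9066. Add the comma while these lines are being touched.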
     
    91569197<HR>
    91579198This document was created by
    9158 <A HREF="/cgi-bin/man/man2html">man2html</A>,
     9199<A HREF="/man/man2html">man2html</A>,
    91599200using the manual pages.<BR>
    9160 Time: 07:13:41 GMT, April 24, 2018
     9201Time: 12:29:12 GMT, February 20, 2019
    91619202}}}
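Review bot: the "Time:" line at 9201 changes on every regeneration, so each new revision will show a diff here even when the manual text is unchanged. Consider dropping the man2html footer (9198-9201) from the wiki copy.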