Changes between Version 14 and Version 15 of Openvpn24ManPage
- Timestamp: 02/21/19 07:44:05 (5 years ago)
Openvpn24ManPage
v14 v15 760 760 IP address changes due to DHCP, we should configure 761 761 our IP address change script (see man page for 762 <B><A HREF="/ cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8)762 <B><A HREF="/man/man2html?8+dhcpcd">dhcpcd</A></B>(8) 763 763 764 764 ) to deliver a … … 949 949 of the TAP-Win32 driver. When used on *nix, requires that the tun 950 950 driver supports an 951 <B><A HREF="/ cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)951 <B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8) 952 952 953 953 command which sets a subnet instead of a remote endpoint IP address. … … 1082 1082 <P> 1083 1083 This option, while primarily a proxy for the 1084 <B><A HREF="/ cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)1084 <B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8) 1085 1085 1086 1086 command, is designed to simplify TUN/TAP … … 1151 1151 This option is intended as 1152 1152 a convenience proxy for the 1153 <B><A HREF="/ cgi-bin/man/man2html?8+route">route</A></B>(8)1153 <B><A HREF="/man/man2html?8+route">route</A></B>(8) 1154 1154 1155 1155 shell command, … … 1441 1441 <B>local</B> 1442 1442 1443 flag if both OpenVPN servers are directly connected via a common subnet,1443 flag if both OpenVPN peers are directly connected via a common subnet, 1444 1444 such as with wireless. The 1445 1445 <B>local</B> … … 2752 2752 <DD> 2753 2753 Use this option when OpenVPN is being run from the inetd or 2754 <B><A HREF="/ cgi-bin/man/man2html?8+xinetd">xinetd</A>(8)</B>2754 <B><A HREF="/man/man2html?8+xinetd">xinetd</A>(8)</B> 2755 2755 2756 2756 server. … … 3094 3094 framing for compression will still be enabled, allowing a different 3095 3095 setting to be pushed later. 3096 <P> 3097 <B>Security Considerations</B> 3098 3099 <P> 3100 Compression and encryption is a tricky combination. 
If an attacker knows or is 3101 able to control (parts of) the plaintext of packets that contain secrets, the 3102 attacker might be able to extract the secret if compression is enabled. See 3103 e.g. the CRIME and BREACH attacks on TLS which also leverage compression to 3104 break encryption. If you are not entirely sure that the above does not apply 3105 to your traffic, you are advised to *not* enable compression. 3106 <P> 3096 3107 3097 3108 <DT><B>--comp-lzo [mode]</B> … … 3737 3748 supports AES-GCM-128 and AES-GCM-256. 3738 3749 <P> 3739 IV_ UI_VER=<gui_id> <version> -- the UI version of a UI if one is3750 IV_GUI_VER=<gui_id> <version> -- the UI version of a UI if one is 3740 3751 running, for example "de.blinkt.openvpn 0.5.47" for the 3741 3752 Android app. … … 5988 5999 5989 6000 <DD> 5990 A list 6001 6002 <BR> 6003 6004 6005 <DT> 6006 6007 <B>--tls-ciphersuites l</B> 6008 6009 <DD>A list 5991 6010 <B>l</B> 5992 6011 5993 6012 of allowable TLS ciphers delimited by a colon (":"). 5994 6013 <P> 5995 Th issetting can be used to ensure that certain cipher suites are used (or6014 These setting can be used to ensure that certain cipher suites are used (or 5996 6015 not used) for the TLS connection. OpenVPN uses TLS to secure the control 5997 6016 channel, over which the keys that are used to protect the actual VPN traffic … … 6002 6021 documentation for details on the cipher list interpretation. 6003 6022 <P> 6023 For OpenSSL, the 6024 <B>--tls-cipher</B> 6025 6026 is used for TLS 1.2 and below. For TLS 1.3 and up, the 6027 <B>--tls-ciphersuites</B> 6028 6029 setting is used. mbed TLS has no TLS 1.3 support yet and only the 6030 <B>--tls-cipher</B> 6031 6032 setting is used. 6033 <P> 6004 6034 Use 6005 6035 <B>--show-tls</B> … … 6010 6040 <B>--tls-cipher</B> 6011 6041 6012 is an expert feature, which - if used correcly - can improve the security of 6013 your VPN connection. 
But it is also easy to unwittingly use it to carefully 6042 and 6043 <B>--tls-ciphersuites</B> 6044 6045 are expert features, which - if used correcly - can improve the security of 6046 your VPN connection. But it is also easy to unwittingly use them to carefully 6014 6047 align a gun with your foot, or just break your connection. Use with care! 6015 6048 <P> … … 6018 6051 "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using 6019 6052 OpenSSL. 6053 <P> 6054 The default for --tls-ciphersuites is to use the crypto library's default. 6020 6055 6021 6056 <DT><B>--tls-cert-profile profile</B> … … 6457 6492 client, which replaces the local password with the 6458 6493 UNIQUE_TOKEN_VALUE. 6494 <P> 6495 Newer clients (2.4.7+) will fall back to the original password method 6496 after a failed auth. Older clients will keep using the token value 6497 and react acording to 6498 <B>--auth-retry</B> 6499 6459 6500 6460 6501 <DT><B>--tls-verify cmd</B> … … 6879 6920 option. This file must be shared with the 6880 6921 peer over a pre-existing secure channel such as 6881 <B><A HREF="/ cgi-bin/man/man2html?1+scp">scp</A></B>(1)6922 <B><A HREF="/man/man2html?1+scp">scp</A></B>(1) 6882 6923 6883 6924 … … 6916 6957 6917 6958 scripts to run the appropriate 6918 <B><A HREF="/ cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)6959 <B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8) 6919 6960 6920 6961 and 6921 <B><A HREF="/ cgi-bin/man/man2html?8+route">route</A></B>(8)6962 <B><A HREF="/man/man2html?8+route">route</A></B>(8) 6922 6963 6923 6964 commands. These commands can be placed in the the same shell script … … 7361 7402 7362 7403 option. On non-Windows systems, the 7363 <B><A HREF="/ cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8)7404 <B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8) 7364 7405 7365 7406 command provides similar functionality. 
… … 8719 8760 8720 8761 option will produce verbose output, similar to the 8721 <B><A HREF="/ cgi-bin/man/man2html?8+tcpdump">tcpdump</A></B>(8)8762 <B><A HREF="/man/man2html?8+tcpdump">tcpdump</A></B>(8) 8722 8763 8723 8764 program. Omit the … … 8746 8787 to alice over a secure medium such as by 8747 8788 using the 8748 <B><A HREF="/ cgi-bin/man/man2html?1+scp">scp</A></B>(1)8789 <B><A HREF="/man/man2html?1+scp">scp</A></B>(1) 8749 8790 8750 8791 program. … … 9056 9097 <H2>SEE ALSO</H2> 9057 9098 9058 <B><A HREF="/ cgi-bin/man/man2html?8+dhcpcd">dhcpcd</A></B>(8),9059 9060 <B><A HREF="/ cgi-bin/man/man2html?8+ifconfig">ifconfig</A></B>(8),9061 9062 <B><A HREF="/ cgi-bin/man/man2html?1+openssl">openssl</A></B>(1),9063 9064 <B><A HREF="/ cgi-bin/man/man2html?8+route">route</A></B>(8),9065 9066 <B><A HREF="/ cgi-bin/man/man2html?1+scp">scp</A></B>(1)9067 9068 <B><A HREF="/ cgi-bin/man/man2html?1+ssh">ssh</A></B>(1)9099 <B><A HREF="/man/man2html?8+dhcpcd">dhcpcd</A></B>(8), 9100 9101 <B><A HREF="/man/man2html?8+ifconfig">ifconfig</A></B>(8), 9102 9103 <B><A HREF="/man/man2html?1+openssl">openssl</A></B>(1), 9104 9105 <B><A HREF="/man/man2html?8+route">route</A></B>(8), 9106 9107 <B><A HREF="/man/man2html?1+scp">scp</A></B>(1) 9108 9109 <B><A HREF="/man/man2html?1+ssh">ssh</A></B>(1) 9069 9110 9070 9111 … … 9156 9197 <HR> 9157 9198 This document was created by 9158 <A HREF="/ cgi-bin/man/man2html">man2html</A>,9199 <A HREF="/man/man2html">man2html</A>, 9159 9200 using the manual pages.<BR> 9160 Time: 07:13:41 GMT, April 24, 20189201 Time: 12:29:12 GMT, February 20, 2019 9161 9202 }}}
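Review bot: In the Security Considerations paragraph added after the compression framing text (new lines 3096-3106), "Compression and encryption is a tricky combination" should read "are a tricky combination". The emphasis in "*not* enable compression" is written with asterisks, which HTML markup shows literally, so use an HTML emphasis tag instead. The added <P> on new line 3106, directly before <DT><B>--comp-lzo [mode]</B>, opens an empty paragraph and can be dropped.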
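Review bot: On the renamed IV_GUI_VER line (new line 3750), <gui_id> and <version> appear as bare angle-bracket tokens inside HTML markup. Unless the page source writes them as &lt;gui_id&gt; and &lt;version&gt;, a browser treats them as unknown tags and the placeholders disappear from the rendered text, leaving only "IV_GUI_VER=" before the description. Since the line is being touched anyway, check the rendered output and escape them if needed.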
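Review bot: The rewritten sentence on new line 6014, "These setting can be used to ensure that certain cipher suites are used", has a number mismatch and should read "These settings can be used". In the same hunk, the preceding option's <DD> now contains only a <BR> (new lines 6000-6002) and the whole description sits under --tls-ciphersuites l. If the intent is one shared description for both options, say so in the first sentence ("A list l of allowable TLS ciphers" reads as if it describes only the second option).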
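Review bot: The typo "correcly" is carried over into the rewritten line 6045 ("are expert features, which - if used correcly - can improve the security of"). The line is being replaced in this change, so fix it to "correctly" here rather than leaving it for a later edit.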
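Review bot: In the added default sentence on new line 6054, --tls-ciphersuites is plain text, while every other option reference in this section is wrapped in <B>...</B>; wrap it for consistency. The sentence also gives no concrete value, unlike the --tls-cipher default quoted just above it, so a reader auditing the TLS 1.3 suites has nothing to compare against. Consider pointing to --show-tls as the way to see what the linked crypto library actually offers.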
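Review bot: In the paragraph added after UNIQUE_TOKEN_VALUE (new lines 6494-6498), "react acording to" should be "react according to", and the sentence ends at <B>--auth-retry</B> with no closing period. It would also help to state what "fall back to the original password method" means for an operator: whether the 2.4.7+ client re-prompts the user or reuses a cached password, since that decides how a server-side token expiry shows up in practice.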