Changes between Version 3 and Version 4 of Openvpn24ManPage


Timestamp:
11/17/16 13:05:35 (7 years ago)
Author:
Samuli Seppänen
Comment:

Update man-page to 2.4_beta1

  • Openvpn24ManPage

    v3 v4  
    19861986are mutually exclusive and cannot be used together.
    19871987
    1988 <DT><B>--keepalive n m</B>
     1988<DT><B>--keepalive interval timeout</B>
    19891989
    19901990<DD>
     
    19931993
    19941994and
     1995<B>--ping-restart.</B>
     1996
     1997<P>
     1998This option can be used on both client and server side, but it is
     1999in enough to add this on the server side as it will push appropriate
     2000<B>--ping</B>
     2001
     2002and
    19952003<B>--ping-restart</B>
    19962004
    1997 in server mode configurations.
    1998 <P>
    1999 The server timeout is set twice the value of the second argument.
    2000 This ensures that a timeout is detected on client side
    2001 before the server side drops the connection.
     2005options to the client.  If used on both server and client,
     2006the values pushed from server will override the client local values.
     2007<P>
     2008The
     2009<B>timeout</B>
     2010
     2011argument will be twice as long on the server side.  This ensures that
     2012a timeout is detected on client side before the server side drops
     2013the connection.
    20022014<P>
    20032015For example,
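Review bot: typo in the added text, "it is in enough to add this on the server side" should read "it is enough to add this on the server side", and "the values pushed from server" reads better as "the values pushed from the server". The new sentence that values pushed by the server override the client's local values is the key behavioural point of this paragraph and is worth keeping exactly as stated.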
     
    20082020<PRE>
    20092021<B> if mode server:
    2010    ping 10
    2011    ping-restart 120
    2012    push &quot;ping 10&quot;
    2013    push &quot;ping-restart 60&quot;
     2022   ping 10                    # Argument: interval
     2023   ping-restart 120           # Argument: timeout*2
     2024   push &quot;ping 10&quot;             # Argument: interval
     2025   push &quot;ping-restart 60&quot;     # Argument: timeout
    20142026 else
    2015    ping 10
    2016    ping-restart 60
     2027   ping 10                    # Argument: interval
     2028   ping-restart 60            # Argument: timeout
    20172029</B></PRE>
    20182030
     
    40594071The following
    40604072options are legal in a client-specific context:
    4061 <B>--push, --push-reset, --push-remove, --iroute, --ifconfig-push, --config, --comp-lzo, --disable, --max-routes-per-client.</B>
     4073<B>--push, --push-reset, --push-remove, --iroute, --ifconfig-push,</B>
     4074
     4075and
     4076<B>--config.</B>
    40624077
    40634078
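Review bot: this rewrite silently drops --comp-lzo, --disable and --max-routes-per-client from the list of options legal in a client-specific context. If those options are still accepted in client-config-dir files, the sentence is now incomplete; if they were intentionally removed, that should be stated in the commit comment ("Update man-page to 2.4_beta1" does not cover it) and reflected in the entries of the options concerned.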
     
    42324247<B>--proto udp</B>
    42334248
    4234 and
    4235 <B>--tls-auth.</B>
     4249and either
     4250<B>--tls-auth</B>
     4251
     4252or
     4253<B>--tls-crypt</B>.
    42364254
    42374255
     
    43764394
    43774395in the OpenVPN source distribution.
     4396
     4397<DT><B>--auth-gen-token [lifetime]</B>
     4398
     4399<DD>
     4400After successful user/password authentication, the OpenVPN
     4401server will with this option generate a temporary
     4402authentication token and push that to client.  On the following
     4403renegotiations, the OpenVPN client will pass this token instead
     4404of the users password.  On the server side the server will do
     4405the token authentication internally and it will NOT do any
     4406additional authentications against configured external
     4407user/password authentication mechanisms.
     4408<P>
     4409The
     4410<B>lifetime</B>
     4411
     4412argument defines how long the generated token is valid.  The
     4413lifetime is defined in seconds.  If lifetime is not set
     4414or it is set to 0, the token will never expire.
     4415<P>
     4416This feature is useful for environments which is configured
     4417to use One Time Passwords (OTP) as part of the user/password
     4418authentications and that authentication mechanism does not
     4419implement any auth-token support.
    43784420
    43794421<DT><B>--opt-verify</B>
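Review bot: grammar in the added entry, "environments which is configured" should be "environments which are configured" and "the users password" should be "the user's password". The sentence "If lifetime is not set or it is set to 0, the token will never expire" describes the default; since the server then skips the configured external user/password mechanism on every renegotiation for as long as the token is accepted, consider saying outright that the default lifetime is unlimited so that administrators choose a value deliberately.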
     
    45564598This option is immediately deprecated.  It is only implemented
    45574599to make the transition to the new formatting less intrusive.  It will be
    4558 removed either in OpenVPN v2.4 or v2.5.  So please make sure you use the
    4559 <B>--verify-x509-name</B>
    4560 
    4561 option instead of
    4562 <B>--tls-remote</B>
    4563 
    4564 as soon as possible and update your scripts where necessary.
     4600removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.
    45654601
    45664602<DT><B>--no-name-remapping (DEPRECATED)</B>
     
    45804616<B>Please note:</B>
    45814617
    4582 This option is now deprecated.  It will be removed either in OpenVPN v2.4
    4583 or v2.5.  So please make sure you support the new X.509 name formatting
     4618This option is now deprecated.  It will be removed in OpenVPN v2.5.
     4619So please make sure you support the new X.509 name formatting
    45844620described with the
    45854621<B>--compat-names</B>
     
    48454881OpenVPN will not send any exit
    48464882notifications unless this option is enabled.
     4883<DT><B>--allow-recursive-routing</B>
     4884
     4885<DD>
     4886When this option is set, OpenVPN will not drop incoming tun packets
     4887with same destination as host.
    48474888
    48484889</DL>
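Review bot: "with same destination as host" should read "with the same destination as the host". The entry says what the option disables but not why such packets are dropped by default; one sentence on the recursive-routing loop that the default prevents would let readers judge whether they need it.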
     
    50045045Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
    50055046small block size allows attacks based on collisions, as demonstrated by SWEET32.
     5047See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details.
    50065048<P>
    50075049To see other ciphers that are available with OpenVPN, use the
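Review bot: while touching this paragraph, fix the context line's "because of it's 64-bit block size" to "its". Linking the SWEET32 wiki page is a good addition, since the paragraph itself only names the attack.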
     
    57855827In method 1 (the default for OpenVPN 1.x), both sides generate
    57865828random encrypt and HMAC-send keys which are forwarded to
    5787 the other host over the TLS channel.
     5829the other host over the TLS channel. Method 1 is
     5830<B>deprecated in OpenVPN 2.4</B>
     5831
     5832, and
     5833<B>will be removed in OpenVPN 2.5</B>.
     5834
    57885835<P>
    57895836In method 2, (the default for OpenVPN 2.0)
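Review bot: the comma after "<B>deprecated in OpenVPN 2.4</B>" sits on its own line after a blank line, so the rendered text reads "2.4 , and" with a space before the comma; attach it to the bold text the way the following line does ("<B>will be removed in OpenVPN 2.5</B>.").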
     
    59656012
    59666013<DD>
    5967 Add an additional layer of HMAC authentication on top of the TLS
    5968 control channel to protect against DoS attacks.
     6014Add an additional layer of HMAC authentication on top of the TLS control channel
     6015to mitigate DoS attacks and attacks on the TLS stack.
    59696016<P>
    59706017In a nutshell,
     
    60496096<P>
    60506097It should be emphasized that this feature is optional and that the
    6051 passphrase/key file used with
     6098key file used with
    60526099<B>--tls-auth</B>
    60536100
    60546101gives a peer nothing more than the power to initiate a TLS
    60556102handshake.  It is not used to encrypt or authenticate any tunnel data.
     6103
     6104<DT><B>--tls-crypt keyfile</B>
     6105
     6106<DD>
     6107<P>
     6108Encrypt and authenticate all control channel packets with the key from
     6109<B>keyfile.</B>
     6110
     6111(See
     6112<B>--tls-auth</B>
     6113
     6114for more background.)
     6115<P>
     6116Encrypting (and authenticating) control channel packets:
     6117<DL COMPACT><DT><DD>
     6118<DL COMPACT>
     6119<DT>&bull;<DD>
     6120provides more privacy by hiding the certificate used for the TLS connection,
     6121<DT>&bull;<DD>
     6122makes it harder to identify OpenVPN traffic as such,
     6123<DT>&bull;<DD>
     6124provides &quot;poor-man's&quot; post-quantum security, against attackers who will never
     6125know the pre-shared key (i.e. no forward secrecy).
     6126</DL>
     6127</DL>
     6128
     6129<P>
     6130<DT><DD>
     6131In contrast to
     6132<B>--tls-auth</B>,
     6133
     6134<B>--tls-crypt</B>
     6135
     6136does *not* require the user to set
     6137<B>--key-direction</B>.
     6138
    60566139
    60576140<DT><B>--askpass [file]</B>
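Review bot: "does *not* require the user to set" uses asterisks for emphasis inside HTML, which render literally; use <B>not</B> as the rest of the page does. The "<DT><DD>" that directly follows "<P>" before "In contrast to" opens a definition pair outside any <DL> and should be dropped. The parenthetical "(i.e. no forward secrecy)" on the post-quantum bullet is the important caveat and deserves a plain sentence: whoever later obtains the pre-shared key can decrypt recorded control channel traffic.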
     
    62316314prefix will be left as-is.  This automatic upcasing feature
    62326315is deprecated and will be removed in a future release.
    6233 
    6234 <DT><B>--tls-remote name (DEPRECATED)</B>
    6235 
    6236 <DD>
    6237 Accept connections only from a host with X509 name
    6238 or common name equal to
    6239 <B>name.</B>
    6240 
    6241 The remote host must also pass all other tests
    6242 of verification.
    6243 <P>
    6244 <B>NOTE:</B>
    6245 
    6246 Because tls-remote may test against a common name prefix,
    6247 only use this option when you are using OpenVPN with a custom CA
    6248 certificate that is under your control.
    6249 Never use this option when your client certificates are signed by
    6250 a third party, such as a commercial web CA.
    6251 <P>
    6252 Name can also be a common name prefix, for example if you
    6253 want a client to only accept connections to &quot;Server-1&quot;,
    6254 &quot;Server-2&quot;, etc., you can simply use
    6255 <B>--tls-remote Server</B>
    6256 
    6257 <P>
    6258 Using a common name prefix is a useful alternative to managing
    6259 a CRL (Certificate Revocation List) on the client, since it allows the client
    6260 to refuse all certificates except for those associated
    6261 with designated servers.
    6262 <P>
    6263 <B>--tls-remote</B>
    6264 
    6265 is a useful replacement for the
    6266 <B>--tls-verify</B>
    6267 
    6268 option to verify the remote host, because
    6269 <B>--tls-remote</B>
    6270 
    6271 works in a
    6272 <B>--chroot</B>
    6273 
    6274 environment too.
    6275 <P>
    6276 <B>Please also note:</B>
    6277 
    6278 This option is now deprecated.  It will be removed either in OpenVPN v2.4
    6279 or v2.5.  So please make sure you support the new X.509 name formatting
    6280 described with the
    6281 <B>--compat-names</B>
    6282 
    6283 option as soon as possible by updating your configurations to use
    6284 <B>--verify-x509-name</B>
    6285 
    6286 instead.
    62876316
    62886317<DT><B>--verify-x509-name name type</B>
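Review bot: removing the whole --tls-remote entry is consistent with dropping the "use --verify-x509-name instead of --tls-remote" wording earlier in this diff, but the entry also carried the warning about common-name prefix matching and the guidance for migrating to --verify-x509-name. Check that the --verify-x509-name entry that follows (unchanged here) still tells users coming from --tls-remote how the prefix case is handled, or state that no migration note is intended.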
     
    88448873<A HREF="/cgi-bin/man/man2html">man2html</A>,
    88458874using the manual pages.<BR>
    8846 Time: 12:14:45 GMT, October 20, 2016
     8875Time: 13:04:04 GMT, November 17, 2016
    88478876}}}