Changes between Version 3 and Version 4 of Openvpn24ManPage
- Timestamp:
- 11/17/16 13:05:35 (7 years ago)
Openvpn24ManPage
v3 v4 1986 1986 are mutually exclusive and cannot be used together. 1987 1987 1988 <DT><B>--keepalive n m</B>1988 <DT><B>--keepalive interval timeout</B> 1989 1989 1990 1990 <DD> … … 1993 1993 1994 1994 and 1995 <B>--ping-restart.</B> 1996 1997 <P> 1998 This option can be used on both client and server side, but it is 1999 in enough to add this on the server side as it will push appropriate 2000 <B>--ping</B> 2001 2002 and 1995 2003 <B>--ping-restart</B> 1996 2004 1997 in server mode configurations. 1998 <P> 1999 The server timeout is set twice the value of the second argument. 2000 This ensures that a timeout is detected on client side 2001 before the server side drops the connection. 2005 options to the client. If used on both server and client, 2006 the values pushed from server will override the client local values. 2007 <P> 2008 The 2009 <B>timeout</B> 2010 2011 argument will be twice as long on the server side. This ensures that 2012 a timeout is detected on client side before the server side drops 2013 the connection. 
2002 2014 <P> 2003 2015 For example, … … 2008 2020 <PRE> 2009 2021 <B> if mode server: 2010 ping 10 2011 ping-restart 120 2012 push "ping 10" 2013 push "ping-restart 60" 2022 ping 10 # Argument: interval 2023 ping-restart 120 # Argument: timeout*2 2024 push "ping 10" # Argument: interval 2025 push "ping-restart 60" # Argument: timeout 2014 2026 else 2015 ping 10 2016 ping-restart 60 2027 ping 10 # Argument: interval 2028 ping-restart 60 # Argument: timeout 2017 2029 </B></PRE> 2018 2030 … … 4059 4071 The following 4060 4072 options are legal in a client-specific context: 4061 <B>--push, --push-reset, --push-remove, --iroute, --ifconfig-push, --config, --comp-lzo, --disable, --max-routes-per-client.</B> 4073 <B>--push, --push-reset, --push-remove, --iroute, --ifconfig-push,</B> 4074 4075 and 4076 <B>--config.</B> 4062 4077 4063 4078 … … 4232 4247 <B>--proto udp</B> 4233 4248 4234 and 4235 <B>--tls-auth.</B> 4249 and either 4250 <B>--tls-auth</B> 4251 4252 or 4253 <B>--tls-crypt</B>. 4236 4254 4237 4255 … … 4376 4394 4377 4395 in the OpenVPN source distribution. 4396 4397 <DT><B>--auth-gen-token [lifetime]</B> 4398 4399 <DD> 4400 After successful user/password authentication, the OpenVPN 4401 server will with this option generate a temporary 4402 authentication token and push that to client. On the following 4403 renegotiations, the OpenVPN client will pass this token instead 4404 of the users password. On the server side the server will do 4405 the token authentication internally and it will NOT do any 4406 additional authentications against configured external 4407 user/password authentication mechanisms. 4408 <P> 4409 The 4410 <B>lifetime</B> 4411 4412 argument defines how long the generated token is valid. The 4413 lifetime is defined in seconds. If lifetime is not set 4414 or it is set to 0, the token will never expire. 
4415 <P> 4416 This feature is useful for environments which is configured 4417 to use One Time Passwords (OTP) as part of the user/password 4418 authentications and that authentication mechanism does not 4419 implement any auth-token support. 4378 4420 4379 4421 <DT><B>--opt-verify</B> … … 4556 4598 This option is immediately deprecated. It is only implemented 4557 4599 to make the transition to the new formatting less intrusive. It will be 4558 removed either in OpenVPN v2.4 or v2.5. So please make sure you use the 4559 <B>--verify-x509-name</B> 4560 4561 option instead of 4562 <B>--tls-remote</B> 4563 4564 as soon as possible and update your scripts where necessary. 4600 removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. 4565 4601 4566 4602 <DT><B>--no-name-remapping (DEPRECATED)</B> … … 4580 4616 <B>Please note:</B> 4581 4617 4582 This option is now deprecated. It will be removed either in OpenVPN v2.44583 or v2.5.So please make sure you support the new X.509 name formatting4618 This option is now deprecated. It will be removed in OpenVPN v2.5. 4619 So please make sure you support the new X.509 name formatting 4584 4620 described with the 4585 4621 <B>--compat-names</B> … … 4845 4881 OpenVPN will not send any exit 4846 4882 notifications unless this option is enabled. 4883 <DT><B>--allow-recursive-routing</B> 4884 4885 <DD> 4886 When this option is set, OpenVPN will not drop incoming tun packets 4887 with same destination as host. 4847 4888 4848 4889 </DL> … … 5004 5045 Using BF-CBC is no longer recommended, because of it's 64-bit block size. This 5005 5046 small block size allows attacks based on collisions, as demonstrated by SWEET32. 5047 See <A HREF="https://community.openvpn.net/openvpn/wiki/SWEET32">https://community.openvpn.net/openvpn/wiki/SWEET32</A> for details. 
5006 5048 <P> 5007 5049 To see other ciphers that are available with OpenVPN, use the … … 5785 5827 In method 1 (the default for OpenVPN 1.x), both sides generate 5786 5828 random encrypt and HMAC-send keys which are forwarded to 5787 the other host over the TLS channel. 5829 the other host over the TLS channel. Method 1 is 5830 <B>deprecated in OpenVPN 2.4</B> 5831 5832 , and 5833 <B>will be removed in OpenVPN 2.5</B>. 5834 5788 5835 <P> 5789 5836 In method 2, (the default for OpenVPN 2.0) … … 5965 6012 5966 6013 <DD> 5967 Add an additional layer of HMAC authentication on top of the TLS 5968 control channel to protect against DoS attacks.6014 Add an additional layer of HMAC authentication on top of the TLS control channel 6015 to mitigate DoS attacks and attacks on the TLS stack. 5969 6016 <P> 5970 6017 In a nutshell, … … 6049 6096 <P> 6050 6097 It should be emphasized that this feature is optional and that the 6051 passphrase/key file used with6098 key file used with 6052 6099 <B>--tls-auth</B> 6053 6100 6054 6101 gives a peer nothing more than the power to initiate a TLS 6055 6102 handshake. It is not used to encrypt or authenticate any tunnel data. 6103 6104 <DT><B>--tls-crypt keyfile</B> 6105 6106 <DD> 6107 <P> 6108 Encrypt and authenticate all control channel packets with the key from 6109 <B>keyfile.</B> 6110 6111 (See 6112 <B>--tls-auth</B> 6113 6114 for more background.) 6115 <P> 6116 Encrypting (and authenticating) control channel packets: 6117 <DL COMPACT><DT><DD> 6118 <DL COMPACT> 6119 <DT>•<DD> 6120 provides more privacy by hiding the certificate used for the TLS connection, 6121 <DT>•<DD> 6122 makes it harder to identify OpenVPN traffic as such, 6123 <DT>•<DD> 6124 provides "poor-man's" post-quantum security, against attackers who will never 6125 know the pre-shared key (i.e. no forward secrecy). 
6126 </DL> 6127 </DL> 6128 6129 <P> 6130 <DT><DD> 6131 In contrast to 6132 <B>--tls-auth</B>, 6133 6134 <B>--tls-crypt</B> 6135 6136 does *not* require the user to set 6137 <B>--key-direction</B>. 6138 6056 6139 6057 6140 <DT><B>--askpass [file]</B> … … 6231 6314 prefix will be left as-is. This automatic upcasing feature 6232 6315 is deprecated and will be removed in a future release. 6233 6234 <DT><B>--tls-remote name (DEPRECATED)</B>6235 6236 <DD>6237 Accept connections only from a host with X509 name6238 or common name equal to6239 <B>name.</B>6240 6241 The remote host must also pass all other tests6242 of verification.6243 <P>6244 <B>NOTE:</B>6245 6246 Because tls-remote may test against a common name prefix,6247 only use this option when you are using OpenVPN with a custom CA6248 certificate that is under your control.6249 Never use this option when your client certificates are signed by6250 a third party, such as a commercial web CA.6251 <P>6252 Name can also be a common name prefix, for example if you6253 want a client to only accept connections to "Server-1",6254 "Server-2", etc., you can simply use6255 <B>--tls-remote Server</B>6256 6257 <P>6258 Using a common name prefix is a useful alternative to managing6259 a CRL (Certificate Revocation List) on the client, since it allows the client6260 to refuse all certificates except for those associated6261 with designated servers.6262 <P>6263 <B>--tls-remote</B>6264 6265 is a useful replacement for the6266 <B>--tls-verify</B>6267 6268 option to verify the remote host, because6269 <B>--tls-remote</B>6270 6271 works in a6272 <B>--chroot</B>6273 6274 environment too.6275 <P>6276 <B>Please also note:</B>6277 6278 This option is now deprecated. It will be removed either in OpenVPN v2.46279 or v2.5. 
So please make sure you support the new X.509 name formatting6280 described with the6281 <B>--compat-names</B>6282 6283 option as soon as possible by updating your configurations to use6284 <B>--verify-x509-name</B>6285 6286 instead.6287 6316 6288 6317 <DT><B>--verify-x509-name name type</B> … … 8844 8873 <A HREF="/cgi-bin/man/man2html">man2html</A>, 8845 8874 using the manual pages.<BR> 8846 Time: 1 2:14:45 GMT, October 20, 20168875 Time: 13:04:04 GMT, November 17, 2016 8847 8876 }}}
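Review bot: Typo in the --keepalive hunk: "it is in enough to add this on the server side" should read "it is enough to add this on the server side". The rest of the rewrite (the interval/timeout argument names, pushed values overriding client-local values, and the doubled timeout on the server side) is consistent with the worked example that follows, where the server uses "ping-restart 120 # Argument: timeout*2" while pushing "ping-restart 60" to clients.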
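Review bot: The client-specific context hunk drops --comp-lzo, --disable and --max-routes-per-client from the list of options legal in a client-config-dir file, but nothing else in this diff says whether those options were removed from that context or merely omitted from the list; an administrator with existing ccd files that use --disable cannot tell from the page whether they still take effect. Either keep the three options in the list or cross-reference the entries that document their removal.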
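Review bot: The --auth-gen-token hunk should spell out the consequence of the lifetime default: with lifetime unset or 0 the token "will never expire", and the server "will NOT do any additional authentications against configured external user/password authentication mechanisms", so for the OTP deployments the entry targets, the token stands in for the OTP check for as long as the session lives. Suggest recommending an explicit non-zero lifetime in that paragraph. Also fix the grammar in "environments which is configured to use One Time Passwords" (should be "which are configured").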
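Review bot: The --allow-recursive-routing entry says what the option disables ("will not drop incoming tun packets with same destination as host") but not why those packets are dropped by default or when enabling it is safe; the option name hints at routing loops, and the entry should say so explicitly so a reader can judge the risk before turning it on. Also "with same destination" should read "with the same destination".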
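Review bot: Typo in the BF-CBC hunk: "because of it's 64-bit block size" should be "because of its 64-bit block size". The added SWEET32 wiki link is the right pointer for the collision attack the sentence mentions.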
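Review bot: In the key-method hunk the deprecation markup renders with a stray space before the comma, because the comma sits on its own line after the closing tag ("<B>deprecated in OpenVPN 2.4</B>" followed by ", and"); move the comma onto the same line as the closing </B> so it renders as "deprecated in OpenVPN 2.4, and".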
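Review bot: The third --tls-crypt bullet, "provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy)", reads as if forward secrecy were being offered, when the parenthetical describes a limitation: the protection holds only while the pre-shared key stays secret, and a party who later obtains the key can read recorded control channel traffic. Suggest rewording the bullet to state that limitation plainly. Also, the entry opens with an empty "<DD> <P>", and "does *not* require" uses asterisks for emphasis where the rest of the page uses <B>; use the markup.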
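Review bot: The hunk deleting the whole --tls-remote entry removes the only text telling users how to migrate (the deleted paragraph pointed to --compat-names and --verify-x509-name), and the earlier --compat-names hunk also drops its sentence recommending --verify-x509-name instead of --tls-remote. Users upgrading with --tls-remote still in their configs should find a one-line pointer, for example under --verify-x509-name, noting that --tls-remote was removed and which option replaces it.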