Changes between Version 4 and Version 5 of Openvpn24ManPage

Timestamp:

11/25/16 07:55:36 (7 years ago)

Author:

Samuli Seppänen

Comment:

Update man-page to OpenVPN 2.4_beta2

Openvpn24ManPage

@@ -3577 +3577 @@
 <B>--setenv,</B>
 
+<B>--auth-token,</B>
+
 <B>--persist-key, --persist-tun, --echo,</B>
 
@@ -5100 +5102 @@
 <B>--cipher</B>.
 
+<P>
+Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN
+will inherit the cipher of the peer if that cipher is different from the local
+<B>--cipher</B>
+
+setting, but the peer cipher is one of the ciphers specified in
+<B>--ncp-ciphers</B>.
+
+E.g. a non-NCP client (&lt;=2.3, or with --ncp-disabled set) connecting to a
+NCP server (2.4+) with &quot;--cipher BF-CBC&quot; and &quot;--ncp-ciphers
+AES-256-GCM:AES-256-CBC&quot; set can either specify &quot;--cipher BF-CBC&quot; or
+&quot;--cipher AES-256-CBC&quot; and both will work.
 <P>
 
@@ -6197 +6211 @@
 username/password.  It is always cached.
 
+<DT><B>--auth-token token</B>
+
+<DD>
+This is not an option to be used directly in any configuration files,
+but rather push this option from a
+<B>--client-connect</B>
+
+script or a
+<B>--plugin</B>
+
+which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or
+OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.  This option provides
+a possibility to replace the clients password with an authentication
+token during the lifetime of the OpenVPN client.
+<P>
+Whenever the connection is renegotiated and the
+<B>--auth-user-pass-verify</B>
+
+script or
+<B>--plugin</B>
+
+making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is
+triggered, it will pass over this token as the password
+instead of the password the user provided.  The authentication
+token can only be reset by a full reconnect where the server
+can push new options to the client.  The password the user entered
+is never preserved once an authentication token have been set.  If
+the OpenVPN server side rejects the authentication token, the
+client will receive an AUTH_FAIL and disconnect.
+<P>
+The purpose of this is to enable two factor authentication
+methods, such as HOTP or TOTP, to be used without needing to
+retrieve a new OTP code each time the connection is renegotiated.
+Another use case is to cache authentication data on the client
+without needing to have the users password cached in memory
+during the life time of the session.
+<P>
+To make use of this feature, the
+<B>--client-connect</B>
+
+script or
+<B>--plugin</B>
+
+needs to put
+<P>
+<PRE>
+<B>push &quot;auth-token UNIQUE_TOKEN_VALUE&quot;
+</B></PRE>
+
+<P>
+into the file/buffer for dynamic configuration data.  This
+will then make the OpenVPN server to push this value to the
+client, which replaces the local password with the
+UNIQUE_TOKEN_VALUE.
+
 <DT><B>--tls-verify cmd</B>
 
@@ -6879 +6948 @@
 <B>DNS addr --</B>
 
-Set primary domain name server address.  Repeat
+Set primary domain name server IPv4 address.  Repeat
 this option to set secondary DNS server addresses.
+<P>
+<B>DNS6 addr --</B>
+
+Set primary domain name server IPv6 address.  Repeat
+this option to set secondary DNS server IPv6 addresses.
+<P>
+Note: currently this is handled using netsh (the
+existing DHCP code can only do IPv4 DHCP, and that protocol only
+permits IPv4 addresses anywhere).  The option will be put into the
+environment, so an
+<B>--up</B>
+
+script could act upon it if needed.
 <P>
 <B>WINS addr --</B>
@@ -8156 +8238 @@
 <B>--ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret,</B>
 
-<B>--crl-verify, --http-proxy-user-pass</B>
+<B>--crl-verify, --http-proxy-user-pass, --tls-auth</B>
 
 and
-<B>--tls-auth</B>
+<B>--tls-crypt</B>
 
 options.
@@ -8873 +8955 @@
 <A HREF="/cgi-bin/man/man2html">man2html</A>,
 using the manual pages.<BR>
-Time: 13:04:04 GMT, November 17, 2016
+Time: 07:54:11 GMT, November 25, 2016
 }}}