-rw-r--r-- | helper.c | 5 | ||||
-rw-r--r-- | openvpn.8 | 171 | ||||
-rw-r--r-- | options.c | 6 | ||||
-rw-r--r-- | options.h | 1 | ||||
-rw-r--r-- | version.m4 | 2 |
5 files changed, 101 insertions, 84 deletions
@@ -320,7 +320,8 @@ helper_client_server (struct options *o) * mode server * tls-server * - * push "route-gateway dhcp" + * if !nogw: + * push "route-gateway dhcp" */ else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) { @@ -355,7 +356,7 @@ helper_client_server (struct options *o) o->ifconfig_pool_netmask = o->server_bridge_netmask; push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE); } - else if (o->server_bridge_proxy_dhcp) + else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) { push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE); } @@ -21,25 +21,28 @@ .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA .\" .\" Manual page for openvpn +.\ .\" SH section heading .\" SS subsection heading .\" LP paragraph .\" IP indented paragraph .\" TP hanging label +.\ +.\" .nf -- no formatting +.\" .fi -- resume formatting +.\" .ft 3 -- boldface +.\" .ft -- normal face +.\" .in +|-{n} -- indent +.\" .TH openvpn 8 "17 November 2008" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon. .\"********************************************************* .SH SYNOPSIS -.LP -.nh -.in +4 -.ti -4 -.B openvpn [ options ... ] -.in -4 -.ti +4 -.hy +.ft 3 +openvpn [ options ... ] +.ft .\"********************************************************* .SH INTRODUCTION .LP 
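Review bot: The new SF_NO_PUSH_ROUTE_GATEWAY test is consulted only in the `server_bridge_proxy_dhcp` branch; the branch just above it (the one that sets `ifconfig_pool_netmask` and pushes `route-gateway <server_bridge_ip>`, presumably guarded by `server_bridge_defined`) never looks at the flag. If a configuration combines the four-argument `--server-bridge gateway netmask start end` form with `--server-bridge nogw`, the options.c hunk sets `server_bridge_proxy_dhcp` for the latter without clearing `server_bridge_defined` as far as is visible, so the explicit-gateway branch wins and the gateway is pushed while `nogw` is silently ignored. Either honour the flag there too, e.g. guard the push with `if (!(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY))`, or reject the combination at parse time with a clear error, and add a one-line comment next to the new check such as `/* --server-bridge nogw: client learns its gateway from DHCP, nothing is pushed */` so the `if !nogw:` line of the expansion comment is tied to the code. helper_client_server starts and ends outside the hunk.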
@@ -128,31 +131,27 @@ Note that OpenVPN 2.0 and higher performs backslash-based shell escaping for characters not in single quotations, so the following mappings should be observed: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 \\\\ Maps to a single backslash character (\\). \\" Pass a literal doublequote character ("), don't interpret it as enclosing a parameter. \\[SPACE] Pass a literal space or tab character, don't interpret it as a parameter delimiter. +.in -4 .ft -.LP -.RE .fi For example on Windows, use double backslashes to represent pathnames: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 secret "c:\\\\OpenVPN\\\\secret.key" +.in -4 .ft -.LP -.RE .fi For examples of configuration files, @@ -160,10 +159,10 @@ see .I http://openvpn.net/examples.html Here is an example configuration file: -.RS -.ft 3 + .nf -.sp +.ft 3 +.in +4 # # Sample OpenVPN configuration file for # using a pre-shared static key. @@ -182,9 +181,8 @@ ifconfig 10.1.0.1 10.1.0.2 # Our pre-shared static key secret static.key +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .SS Tunnel Options: @@ -291,10 +289,9 @@ list. Here is an example of connection profile usage: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 client dev tun @@ -323,9 +320,8 @@ persist-tun pkcs12 client.p12 ns-cert-type server verb 3 +.in -4 .ft -.LP -.RE .fi First we try to connect to a server at 198.19.34.56:1194 using UDP. @@ -671,12 +667,12 @@ for an example on setting up a TUN device. You must use either tun devices on both ends of the connection or tap devices on both ends. You cannot mix them, as they -represent different underlying protocols. +represent different underlying network layers. .B tun -devices encapsulate IPv4 or IPv6 while +devices encapsulate IPv4 or IPv6 (OSI Layer 3) while .B tap -devices encapsulate Ethernet 802.3. +devices encapsulate Ethernet 802.3 (OSI Layer 2). .\"********************************************************* .TP .B --dev-type device-type 
@@ -684,8 +680,10 @@ Which device type are we using? .B device-type should be .B tun +(OSI Layer 3) or -.B tap. +.B tap +(OSI Layer 2). Use this option only if the TUN/TAP device used with .B --dev does not begin with @@ -1482,10 +1480,9 @@ For example, .B --keepalive 10 60 expands as follows: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 if mode server: ping 10 ping-restart 120 @@ -1494,9 +1491,8 @@ expands as follows: else ping 10 ping-restart 60 +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .TP @@ -2177,15 +2173,13 @@ Next in a file, specify the compression setting for the client, for example: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 comp-lzo yes push "comp-lzo yes" +.in -4 .ft -.LP -.RE .fi The first line sets the @@ -2383,10 +2377,9 @@ For example, .B --server 10.8.0.0 255.255.255.0 expands as follows: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 mode server tls-server push "topology [topology]" @@ -2406,9 +2399,8 @@ expands as follows: if !nopool: ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 push "route-gateway 10.8.0.1" +.in -4 .ft -.LP -.RE .fi Don't use @@ -2418,7 +2410,9 @@ if you are ethernet bridging. Use instead. .\"********************************************************* .TP -.B --server-bridge [ gateway netmask pool-start-IP pool-end-IP ] +.B --server-bridge gateway netmask pool-start-IP pool-end-IP +.TP +.B --server-bridge ['nogw'] A helper directive similar to .B --server @@ -2433,7 +2427,10 @@ address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as -Windows) can support this mode. +Windows) can support this mode. The optional +.B nogw +flag (advanced) indicates that gateway information should not be +pushed to the client. To configure ethernet bridging, you must first use your OS's bridging capability 
@@ -2470,35 +2467,44 @@ For example, .B server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 mode server tls-server ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 push "route-gateway 10.8.0.4" +.in -4 .ft -.LP -.RE .fi In another example, .B --server-bridge (without parameters) expands as follows: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 mode server tls-server push "route-gateway dhcp" +.in -4 +.ft +.fi + +Or +.B --server-bridge nogw +expands as follows: + +.nf +.ft 3 +.in +4 +mode server +tls-server +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .TP @@ -2878,16 +2884,14 @@ is generally a good latency optimization. The macro expands as follows: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 if mode server: socket-flags TCP_NODELAY push "socket-flags TCP_NODELAY" +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .TP @@ -3148,15 +3152,13 @@ in it's configuration. A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to: -.RS -.ft 3 .nf -.sp +.ft 3 +.in +4 pull tls-client +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .TP @@ -3364,7 +3366,9 @@ OpenVPN, use the .B --show-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes. +OpenVPN supports the CBC, CFB, and OFB cipher modes, +however CBC is recommended and CFB and OFB should +be considered advanced modes. Set .B alg=none @@ -3412,7 +3416,7 @@ supported by OpenSSL. .\"********************************************************* .TP .B --no-replay -Disable OpenVPN's protection against replay attacks. +(Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security. 
@@ -3575,7 +3579,7 @@ This option only makes sense when replay protection is enabled .\"********************************************************* .TP .B --no-iv -Disable OpenVPN's use of IV (cipher initialization vector). +(Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security. @@ -4834,6 +4838,14 @@ strings from untrusted sources to be passed as parameters to scripts, saved in the environment, used as a common name, translated to a filename, etc. +.B Q: +Can string remapping be disabled? + +.B A: +Yes, by using the +.B --no-name-remapping +option, however this should be considered an advanced option. + Here is a brief rundown of OpenVPN's current string types and the permitted character class for each string: @@ -5327,10 +5339,10 @@ OpenVPN server using the sample client certificate in sample-keys (client.crt). Note that the verification level is 0 for the client certificate and 1 for the CA certificate. -.RS -.ft 3 + .nf -.sp +.ft 3 +.in +4 X509_0_emailAddress=me@myhost.mydomain X509_0_CN=Test-Client X509_0_O=OpenVPN-TEST @@ -5341,9 +5353,8 @@ X509_1_O=OpenVPN-TEST X509_1_L=BISHKEK X509_1_ST=NA X509_1_C=KG +.in -4 .ft -.LP -.RE .fi .\"********************************************************* .SH SIGNALS @@ -5736,12 +5747,10 @@ OpenVPN's web site is at Go here to download the latest version of OpenVPN, subscribe to the mailing lists, read the mailing list -archives, or browse the CVS repository. +archives, or browse the SVN repository. .\"********************************************************* .SH BUGS -Report all bugs to the OpenVPN users list <openvpn-users@lists.sourceforge.net>. -To subscribe to the list or see the archives, go to -.I http://openvpn.net/mail.html +Report all bugs to the OpenVPN team <info@openvpn.net>. .\"********************************************************* .SH "SEE ALSO" .BR dhcpcd (8), 
@@ -4512,6 +4512,12 @@ add_option (struct options *options, options->server_bridge_pool_start = pool_start; options->server_bridge_pool_end = pool_end; } + else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->server_bridge_proxy_dhcp = true; + options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY; + } else if (streq (p[0], "server-bridge") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); @@ -347,6 +347,7 @@ struct options # define SF_NOPOOL (1<<0) # define SF_TCP_NODELAY_HELPER (1<<1) +# define SF_NO_PUSH_ROUTE_GATEWAY (1<<2) unsigned int server_flags; bool server_bridge_proxy_dhcp; @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1_rc15]) +define(PRODUCT_VERSION,[2.1_rc15a]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) |
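Review bot: The new `server-bridge nogw` branch accepts arbitrary trailing arguments because it tests `p[1]` but not `p[2]`, so `server-bridge nogw 255.255.255.0 10.8.0.128 10.8.0.254` (a plausible mangling of the four-argument form) is silently parsed as the bare `nogw` variant and the intended gateway, netmask and pool are dropped. Tighten the match to `else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2])` so stray arguments fall through to the chain's existing unrecognised-option handling (presumably further down, outside the hunk), and give the branch a comment such as `/* --server-bridge nogw: proxy DHCP but do not push route-gateway */` since SF_NO_PUSH_ROUTE_GATEWAY is only acted on in helper.c. add_option begins and ends outside the hunk.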