path: root/doc
Commit message | Author | Age | Files | Lines
* Add option to disable Diffie Hellman key exchange by setting '--dh none' (Steffan Karger, 2015-01-04, 1 file, -5/+10)
  As requested on the mailing list and in trac ticket #410, add an option to disable 'traditional' Diffie Hellman key exchange. People want to be able to create ecdh-only configurations.

  This patch also disables RSA key exchange by default for OpenSSL builds, to prevent that people who set "--dh none" but have an OpenSSL version that doesn't support ECDH end up with a less secure connection. Note that users that specify their own --tls-cipher override these defaults and thus can still use whatever OpenSSL supports (and might thus end up with less secure connections).

  PolarSSL does not allow to easily disable RSA key exchange during runtime, but its default compile options do not include RSA key exchange based cipher suites.

  Finally update the manpage to reflect the new behaviour, and while touching it change the text to motivate users towards a more secure configuration.

  v2 - disable RSA key exchange by default

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9376
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove ENABLE_SSL define (and --disable-ssl configure option) (Steffan Karger, 2014-12-31, 2 files, -7/+7)
  Remove the --disable-ssl configure option and accompanying ENABLE_SSL defines in the master/2.4 branch, to reduce the code and testing complexity a bit. This does not remove the runtime option to run without SSL, just the compile time option to not include any SSL-related code.

  During the community meeting in November 2014 there were no objections amongst the developers present. Also, this has been announced on the -users and -devel mailing lists two weeks ago, without any response whatsoever.

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <54A4248A.1090501@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9371
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present (David Woodhouse, 2014-12-27, 1 file, -1/+7)
  Trac: 490

  Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <1418905506.21260.6.camel@infradead.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9355
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit a91a06cb291414c9e657377e44f7a57343ae7f5a)
* pkcs11: Load p11-kit-proxy.so module by default (David Woodhouse, 2014-12-27, 1 file, -0/+10)
  If the user specifies --pkcs11-id or --pkcs11-id-management but neglects to explicitly provide a --pkcs11-provider argument, and if the system has p11-kit installed, then load the p11-kit proxy module so that the system-configured tokens are available.

  Trac: 490

  Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <1418303015.31745.78.camel@infradead.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9342
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
* Update doxygen (a bit) (Steffan Karger, 2014-12-07, 3 files, -40/+35)
  This is not a full update, but just updates some data channel-related docs I came across. Other pages probably need a bit of attention too.

  Stuff that was changed:
  * Explain data channel crypto format in crypto.h
  * Add P_DATA_V1 and P_DATA_V2 packet format spec
  * Remove '2.1' from title
  * Update some OpenSSL-specific text

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9318
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove possibility of using --tls-auth with non OpenVPN Static key files (Arne Schwabe, 2014-12-06, 1 file, -18/+3)
  In older versions, OpenVPN would hash a --tls-auth file if it does not conform to the expected format.

  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9306
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix to --shaper documentation on the man-page (Samuli Seppänen, 2014-11-23, 1 file, -0/+1)
  Trac: #413
  Trac-URL: https://community.openvpn.net/openvpn/ticket/413

  Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1416564585-14546-1-git-send-email-samuli@openvpn.net>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9254
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add --tls-version-max (Steffan Karger, 2014-11-14, 1 file, -0/+5)
  Because using TLS 1.2 breaks certain setups, a user might want to enforce a maximum TLS version to use. This patch adds that option.

  This patch removes a number of #ifdefs from ssl_polarssl.c, because the polarssl versions we currently support (polar 1.2 for openvpn 2.3, and polar 1.3 for openvpn-master) have all versions unconditionally enabled.

  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <544EC052.3080809@fox-it.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add documentation for PERSIST_TUN_ACTION (Android specific) (Arne Schwabe, 2014-10-07, 1 file, -1/+16)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1412712650-5173-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/9090
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove deprecated --max-routes option from manual (Arne Schwabe, 2014-07-25, 1 file, -7/+0)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1406237866-9086-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8938
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix server routes not working in topology subnet with --server [v3] (Arne Schwabe, 2014-07-13, 1 file, -1/+4)
  The IPv4 routing code needs an IPv4 address to point a route to, and in --topology subnet mode, the *server* did not have one set by default.

  So we now just default --route-gateway to the next address right after the server address - the specific address doesn't matter, as the correct next-hop will not be resolved by the host OS but by the OpenVPN daemon. All that is needed is "it's in the subnet routed to the tun interface".

  Using the server address itself would work on unix, but doesn't work with the Windows TAP driver (as it does not spoof ARP responses for itself).

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
* Do not upcase x509-username-field for mixed-case arguments. (Andris Kalnozols, 2014-07-10, 1 file, -6/+38)
  I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument is all lowercase. Mixed-case arguments and those with the "ext:" prefix are left unchanged. This preserves the original intent of the "helpful" upcasing feature for backwards compatibility while limiting its scope in a straightforward way.

  Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <53B1BDD8.8020705@karger.me>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix some typos in the man page. (Andris Kalnozols, 2014-06-28, 1 file, -4/+4)
  Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <53AF0D20.7020204@karger.me>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* More IPv6-related updates to the openvpn man page. (Gert Doering, 2014-04-27, 1 file, -6/+10)
  Point to correct kernel version for --multihome and IPv4-mapped addresses (3.15, Tore Anderson).

  Remove old reference to http://www.greenie.net/ from the IPv6 section, as the code and documentation in here is more current than on that site.

  Some more additions and clarifications.

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Tore Anderson <tore@fud.no>
  Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds. (Steffan Karger, 2014-04-27, 1 file, -0/+6)
  This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.

  Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex representation for both crypto library backends.

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8649
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Rewrite manpage section about --multihome (Gert Doering, 2014-04-25, 1 file, -12/+16)
  Part of the information was confusing, part was outdated, and part was just not making sense. Pointed out in trac#348.

  Also add note about Linux IPv4-mapped issues as per trac#306.

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <1398453555-19706-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8635
* Fix man page and OSCP script: tls_serial_{n} is decimal (Arne Schwabe, 2014-04-25, 1 file, -3/+3)
  Commit 7d5e26cbb53 fixed extracting serial but did not change the format, which always has been decimal. This patch fixes the manpage and OSCP.sh script to conform with the implementation.

  Acked-by: James Yonan <james@openvpn.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support for elliptic curve Diffie-Hellman key exchange (ECDH) (Steffan Karger, 2014-04-25, 1 file, -0/+14)
  This patch is based on Jan Just Keijser's patch from Feb 7, 2012.

  When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve.

  For older OpenSSL, tries the following things (in order of preference):
  * When supplied, use the ecdh curve specified by the user.
  * Try to extract the curve from the private key, use the same curve.
  * Fall back on secp384r1 curve.

  Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means that no EC-crypto can be used.

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <53597BEA.6080408@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easily parsable log output that allows access to flags of the log message (Arne Schwabe, 2014-03-22, 1 file, -0/+6)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8374
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix "." in description of utun. (Thomas Veerman, 2014-01-23, 1 file, -2/+2)
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document issue with --chroot, /dev/urandom and PolarSSL. (Gert Doering, 2014-01-12, 1 file, -0/+10)
  See trac#218

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <1389441036-12538-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8213
* Make code and documentation for --remote-random-hostname consistent. (Gert Doering, 2014-01-09, 1 file, -1/+1)
  Documentation examples, description and code were disagreeing on what this option actually does. Now they will all agree that it will *prepend* a random-byte string to the hostname before resolving to work around DNS caching (needs a "*" wildcard record in the zone).

  Fix trac #143

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
* Document "lz4" argument to "compress" config option. (Gert Doering, 2014-01-06, 1 file, -2/+4)
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <1389012640-24174-1-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8178
* Implement listening on IPv4/IPv6 dual socket on all platforms (Arne Schwabe, 2013-11-29, 1 file, -1/+7)
  With this patch OpenVPN will listen on IPv4 as well as IPv6 when an IPv6 socket is used. Using bind ipv6only will disable this behavior.

  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1385382680-5912-7-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8052
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement dual stack client support for OpenVPN (Arne Schwabe, 2013-11-29, 1 file, -11/+13)
  This patch contains a number of changes. I did not further split this since some changes make only sense being changed together.

  Always use connection_list, simplifies the reconnection logic.

  Change meaning of --connect-retry-max and --connect-retry to be used for all connections. This now allows OpenVPN to quit after n unsuccessful udp connection attempts.

  Remove the tcp reconnection logic. Failing a TCP connection will now cause a USR1 like a UDP connection. Also extend sig->source from bool to int to specify signal source. This allows a finer grained reconnection logic if necessary in the future.

  Dual-Stack support: if an address resolves to multiple records each address is tried in sequential order. Then proceed to next connection entry.

  Introduce the field current_remote to represent the current connecting remote. Also change some fields to struct addrinfo* from openvpn_addr to store multiple addresses needed for the dual stack support.

  Change meaning from udp and tcp to allow both IPv4 and IPv6. Introduce new udp4 and tcp4 to force IPv4.

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1385382680-5912-6-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8058
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Message-ID: <20131129194258.GL161@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8071
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Change the type of all ports in openvpn to const char* and let getaddrinfo resolve the port together with the hostname. (Arne Schwabe, 2013-11-22, 1 file, -4/+4)
  This delays error reporting from config parsing to resolving of host addresses. But it allows statements like

    remote openvpn.example.org openvpn
    port https
    management localhost ntp

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1385064495-25877-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8018
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document authfile for socks server (Davide Brini, 2013-11-15, 1 file, -1/+4)
  It looks like it's possible to specify an optional authfile as third argument of the "socks-proxy" directive. This patch updates the man page to document that.

  Signed-off-by: Davide Brini <dave_br@gmx.com>
  Acked-by: Heiko Hund <heiko.hund@sophos.com>
  Message-Id: <0MTjMy-1VU1I42Lo0-00QV4k@mail.gmx.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7875
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement custom HTTP header for http-proxy, and always send user-agent: (Arne Schwabe, 2013-11-15, 1 file, -0/+7)
  There are some patched OpenVPN versions out there without source code (e.g. NDMVPN) that support adding custom http header. This patch adds custom header to OpenVPN and supports the syntax that the "in the wild" variants use.

  Patch v3 also prints all custom headers with other http options in --verb 5
  Patch v4 does clean up the add_proxy_header function

  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1382688143-17247-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7946
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add a note what setenv opt does for OpenVPN < 2.3.3 (Arne Schwabe, 2013-08-16, 1 file, -0/+4)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1376640680-26468-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7798
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support to ignore specific options. (Arne Schwabe, 2013-08-16, 1 file, -0/+22)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1376640664-26379-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7799
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Added "setenv opt" directive prefix. (James Yonan, 2013-07-15, 1 file, -0/+5)
  If present, and if the directive that follows is recognized, it will be processed as if the "setenv opt" prefix was absent. If present and if the directive that follows is not recognized, the directive will be ignored rather than cause a fatal error.

  For example, suppose you are distributing a client configuration file and want to set the minimum TLS version that the client requires from the server to 1.2. By using the following directive,

    setenv opt tls-version-min 1.2 or-highest

  only newer clients that understand the tls-version-min directive would process it, while older clients would ignore it.

  (cherry picked from commit 27713761e4110bb92f1c6dfe85db291e8c6e0f56)

  Signed-off-by: James Yonan <james@openvpn.net>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/7771
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
  URL: https://github.com/jamesyonan/openvpn/commit/27713761e4110bb92f1c6dfe85db291e8c6e0f56
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* TLS version negotiation (James Yonan, 2013-07-11, 1 file, -0/+9)
  Updated the TLS negotiation logic to adaptively try to connect using the highest TLS version supported by both client and server. Previously, OpenVPN (when linked with OpenSSL) would always connect using TLS 1.0.

  Also added tls-version-min directive to force a higher TLS version than 1.0:

    tls-version-min <version> ['or-highest'] -- sets the minimum TLS version we will accept from the peer. Examples for version include "1.0" (default), "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation.

  Examples:

    tls-version-min 1.1 -- fail the connection unless peer can connect at TLS 1.1 or higher.

    tls-version-min 1.2 or-highest -- require that the peer connect at TLS 1.2 or higher, however if the local SSL implementation doesn't support TLS 1.2 (as it wouldn't if linked with an older version of OpenSSL), reduce the minimum required version to the highest version supported by the local SSL implementation (such as TLS 1.0).

  This is intended to allow client configurations to target higher TLS versions that are supported on the server, even if some older clients don't support these versions yet.

  [ This is a merged patch from the following commits on git://github.com/jamesyonan/openvpn.git
    03a5599202bdc3ba07983dc4efdae387fb8fb436
    d23005413b0e0f28a3c48a6342f494763d5c9b40 ]

  Signed-off-by: James Yonan <james@openvpn.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
  Message-Id: 51C77F12.1090802@openvpn.net
  Signed-off-by: David Sommerseth <davids@redhat.com>
* man page: Update man page about the tls_digest_{n} environment variable (David Sommerseth, 2013-07-03, 1 file, -0/+10)
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1370600111-5983-1-git-send-email-dazo@users.sourceforge.net>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7659
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support of utun devices under Mac OS X (Arne Schwabe, 2013-07-03, 1 file, -0/+11)
  Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko do not work together). When OpenVPN is compiled with utun support it will, if no dev-node is given, first try to use utun and if that is not available will try the traditional tun devices.

  v2: Fixed tap support, get device name via ioctl, add manage
  v3.1: Fix compiling without if/utun.h, fix manage errors
  v4/v5: Don't try to dynamically open utun0 -255 when early utun initialization fails, fix fallback to tun, give fatal error message when utun fails but no tun fallback should be done
  v6: add commit message change log, replace strstr with strncmp, move
  v7: Throw error if a user does the strange combination of --dev tun --dev-type tap and --dev-node utun

  A lot of good input on earlier patches by Jonathan K. Bullard <jkbullard@gmail.com>
  Parts of the patches are inspired from Peter Sagerson's <psagers@ignorare.net> utun patch

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Tested-by: Jonathan K. Bullard <jkbullard@gmail.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7739
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve documentation and help text for --route-ipv6. (Gert Doering, 2013-06-11, 1 file, -1/+5)
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Message-Id: 1368873781-29552-1-git-send-email-gert@greenie.muc.de
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7598
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Added support for the Snappy compression algorithm (James Yonan, 2013-05-19, 1 file, -1/+21)
  Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio.

  To enable Snappy add:

    compress snappy

  to both client and server config files.

  Alternatively, enable compression framing on the client:

    compress

  and have the server selectively push "compress snappy" to the client.

  This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy.

  Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM.

  By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option.

  The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing")

  Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined.

  OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b)

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7531
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document the Android implementation in OpenVPN (Arne Schwabe, 2013-05-01, 2 files, -0/+77)
  Also fix a minor mistake in the manpage.

  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1367353997-6669-1-git-send-email-arne@rfc2549.org>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7571
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fixed usage of stale define USE_SSL to ENABLE_SSL (Steffan Karger, 2013-04-15, 1 file, -1/+1)
  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <516BCEA2.6000608@fox-it.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7509
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* add new option for X.509 name verification (Heiko Hund, 2013-03-07, 1 file, -13/+69)
  Add the option --verify-x509-name to provide the functionality of the now deprecated --tls-remote. The new option accepts RFC 2253 subject DNs only and compares RDN or RDN prefix only if configured explicitly.

  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7376
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* reintroduce --no-name-remapping option (Heiko Hund, 2013-03-07, 1 file, -9/+23)
  The option is just an alias for --compat-names no-remapping and is introduced so pre-2.3 server configurations don't break.

  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Arne Schwabe <arne@rfc2549.org>
  Message-Id: 1361526263-1740-2-git-send-email-heiko.hund@sophos.com
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7364
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* man page patch for missing options (Jan Just Keijser, 2013-02-03, 1 file, -2/+9)
  man page patch to include the options that were made connection-entry specific in 2.3.0

  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-ID: 510E4344.6010608@nikhef.nl
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* doc/management-notes.txt: fix typo (Joachim Schipper, 2012-11-29, 1 file, -1/+1)
  Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: 1CED409804E2164C8104F9E623B08B901323D0B184@FOXDFT02.FOX.local
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7141
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Remove the support for using system() when executing external programs or scripts (David Sommerseth, 2012-10-31, 1 file, -16/+32)
  This patch removes the support for the system() call, and enforces the usage of execve() on the *nix platform and CreateProcessW() on Windows. This is to enhance the overall security when calling external scripts. Using system() is prone to shell expansions, which may lead to security breaches. Which is also why the execve() approach has been the default since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which re-introduced the system() in Nov. 2008.

  After having asked on the mailing list and checked around on the IRC channels, the general consensus is that very few use system() these days. The only annoyance I've been made aware of is that this will now require adding a full path to the script interpreter together with the script, and not just put in the script name alone. But to just use the script name in Windows, you had to configure --script-security with the 'system' flag earlier too. So my conclusion is that it's better to add a full path to the script interpreter in Windows and raise the overall security with OpenVPN, than to continue to have a possible potentially risky OpenVPN configuration just to make life "easier" for Windows script users.

  Removal of the system() call, also solves a nasty bug related to the usage of putenv() on the *nix platforms.

  For more information please see:
  http://thread.gmane.org/gmane.network.openvpn.devel/7090
  https://community.openvpn.net/openvpn/ticket/228

  Trac-ticket: 228
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
* Document management-external-key (Arne Schwabe, 2012-10-15, 2 files, -0/+33)
  Adapt commit message from cf69617bbea45a15423c4188daa9386debcbe1ec for man page and management documentation.

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: David Sommerseth <davids@redhat.com>
  Message-Id: 1349082318-985-1-git-send-email-arne@rfc2549.org
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7081
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Add --compat-names option (Heiko Hund, 2012-09-12, 1 file, -0/+52)
  With this option, users can basically undo the changes of the UTF-8 support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for short term compatibility and should be removed again as soon as possible.

  When OpenSSL is used, the subject strings will be in the proprietary format again. Generally username, X.509 CN, and X.509 subject will again be subject to '_' replacement, unless the "no-remapping" flag is also specified. That flag ensures compatibility with setups using the --no-name-remapping option, that has been removed in 2.3.

  [v2: More comments related to compat_flags() added by DS plus using COMPAT_FLAG_QUERY explicit]
  [v3: Improved the man page entry for --compat-names, after suggestions from Bernhard R. Link]

  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7053
* Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen. (Arne Schwabe, 2012-09-11, 1 file, -0/+4)
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: 1346674564-17260-1-git-send-email-arne@rfc2549.org
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7041
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Document --management-client and --management-signal a bit better (Arne Schwabe, 2012-09-02, 1 file, -3/+7)
  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: 1344447102-22271-1-git-send-email-arne@rfc2549.org
  URL: http://article.gmane.org/gmane.network.openvpn.devel/6962
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Document the inlining of files in openvpn and document key-direction (Arne Schwabe, 2012-09-02, 1 file, -0/+39)
  This patch documents the usage of inline files in OpenVPN. Hackish ways of inline files are deliberately left out. For tls-auth and secret the key-direction option is the right way of specifying the direction and not by using two tls-auth/secret lines where the first sets the direction and has a dummy file name and the second sets the inline file data but does not reset the direction parameter.

  Also pkcs12 [[INLINE]] base64encoded_data works but is a quirk of how the config parser works

  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: 1345756860-2044-1-git-send-email-arne@rfc2549.org
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7006
  Signed-off-by: David Sommerseth <davids@redhat.com>
* add option --management-query-proxy (Heiko Hund, 2012-07-19, 2 files, -0/+37)
  Make openvpn query for proxy information through the management interface. This allows GUIs to provide (automatically detected) proxy information on a per connection basis.

  This new option supersedes the undocumented --http-proxy-fallback option and puts the responsibility for HTTP proxy fallback handling to the GUI caring for such.

  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Reviewed-by: James Yonan <james@openvpn.net>
  Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com
  URL: http://article.gmane.org/gmane.network.openvpn.devel/6841
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* build: integrate plugins build into core build (Alon Bar-Lev, 2012-06-26, 2 files, -1/+51)
  As discussed[1], keep plugins in repository.

  1. Proper automake/libtool build.
  2. Move example plugins to samples/sample-plugins.
  3. Plugins are installed at LIBDIR/openvpn/plugins.

  [1] http://comments.gmane.org/gmane.network.openvpn.devel/6436

  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Message-Id: 1337035323-27465-1-git-send-email-alon.barlev@gmail.com
  URL: http://article.gmane.org/gmane.network.openvpn.devel/6591
  Signed-off-by: David Sommerseth <davids@redhat.com>