summaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* Implement '--redirect-gateway ipv6'Gert Doering2015-09-201-0/+11
| | | | | | | | | | | | | | | | | | | Add "ipv6" and "!ipv4" sub-options to "--redirect-gateway" option. This is done in the same way as in the OpenVPN 3 code base, so "--redirect-gateway ipv6" will redirect both IPv4 and IPv6 - if you want v6-only, use "--redirect-gateway ipv6 !ipv4". The actual implementation is much simpler than for IPv4 - we just add a few extra routes to the route_ipv6_option_list and leave it to init_route_ipv6_list() to figure out whether there is an overlap with IPv6 transport, and if yes, insert a host route to the VPN server via the current IPv6 default gateway. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1441985627-14822-8-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10086
* Create basic infrastructure for IPv6 default gateway handling / redirection.Gert Doering2015-09-151-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | - introduce get_default_gateway_ipv6() and add stub functions with the implementation plan to the 4 major code blocks here (Windows, Linux/Android, *BSD and Solaris, "others") - add &rgi6 to print_default_gateway(), and teach it to print v4, v6 or both, depending on the calling environment - unlike IPv4 (today), get_default_gateway_ipv6() is passed the actual target IPv6 address of the server we're looking for, so we can handle more complicated routing setups ("default to eth0, vpn server to ppp0") correctly - consequently, --show-gateway has an optional parameter now, the IPv6 address to look up (for debugging) - document --show-gateway and the extra option in openvpn.8 Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1441985627-14822-5-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10087 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document --daemon changes and consequences (--askpass, --auth-nocache).Gert Doering2015-07-141-0/+16
| | | | | | | | | Trac #574, #576 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1436857794-29419-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9923
* Improve documentation in --script-security section of the man-pageSamuli Seppänen2015-06-021-0/+5
| | | | | | | | | | Trac: #395 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1433231982-24945-1-git-send-email-samuli@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/9777 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* slightly enhance documentation about --cipherGert Doering2015-05-271-1/+1
| | | | | | | | | | | point out that this is for "data channel" packets trac #463 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1432674063-15916-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9746
* Disallow usage of --server-poll-timeout in --secret key mode.Gert Doering2015-05-241-0/+4
| | | | | | | | | | | | | | | The internal machinery wants TLS for this to work, so just add this to the (long) list of options not allowed unless either --tls-client or --tls-server is active. For added sanity, add an ASSERT() call to the place where this combination caused a NULL ptr reference, and document the restriction. Fix trac #373 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1432472554-24666-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9736
* Clarify --capath option in manpageSteffan Karger2015-05-241-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Attached are patches for the master and release/2.3 branches. The only difference is that in the master patch, a line referencing the requirement for OpenSSL 0.9.7 is removed, since master already requires OpenSSL >= 0.9.8. -Steffan Content-Type: text/x-patch; name="2.3-Clarify-capath-option-in-manpage.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="2.3-Clarify-capath-option-in-manpage.patch" >From 3626088e146dbf959d7ec73f4e7cc5ab24c1ad57 Mon Sep 17 00:00:00 2001 From: Steffan Karger <steffan@karger.me> Date: Sun, 24 May 2015 11:18:34 +0200 Subject: [PATCH] Clarify --capath option in manpage Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <55619DC4.2020108@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9732 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Correct note about DNS randomization in openvpn.8Gert Doering2015-05-241-3/+5
| | | | | | | | | | | | | Commit 4880739c17b502d00a removed DNS randomization, and the dual-stack patches for 2.4 completely changed the getaddrinfo() result handling again, but neither fact ever made it into the man page. Trac #411 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1432454172-1318-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9730
* Re-read auth-user-pass file on (re)connect if requiredSteffan Karger2015-05-231-0/+3
| | | | | | | | | | | | | | Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem). This patch is based on the changes suggested by ye_olde_iron in the trac ticket. Also added a note to the manpage to inform people to use absolute paths when combining --auth-user-pass file and --auth-nocache. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9717 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* include ifconfig_ environment variables in --up-restart env setJan Just Keijser2015-05-231-0/+6
| | | | | | | | | | | | | | | | | here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 Document differences between --up-restart and --up in openvpn.8 See trac #93 and the discussion starting with <555BF270.3090706@nikhef.nl> on the openvpn-devel mailing list. fix trac #93 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <555BF270.3090706@nikhef.nl> URL: http://article.gmane.org/gmane.network.openvpn.devel/9705 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Updated manpage for --rport and --lportRobert Fischer2015-05-181-3/+13
| | | | | | | | | | | [SK: v2, patch taken from trac #127 and updated to current master branch] Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1431976869-4948-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9701 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Properly escape dashes on the man-pageSamuli Seppänen2015-05-151-600/+600
| | | | | | | | | | | | | | | | | On UTF-8 systems groff interprets unescaped dashes as hyphens and escaped dashes as minus signs. Unescaped dashes can cause problems when searching for or copying and pasting options. This patch ensures that dashes in command-line options are escaped and that everything else is left unescaped. This patch is for the Git "master" branch. Trac: 512 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1431339554-20553-1-git-send-email-samuli@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/9674 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve --tls-cipher and --show-tls man page descriptionSteffan Karger2015-05-091-12/+28
| | | | | | | | | | | | | | As reported in trac tickets #304, #358 and #359 (and possibly more), the usage and interpretation of --tls-cipher (and --show-tls) is tricky. This patch extends the man page to explain those a bit better and point out that --tls-cipher is an expert feature (i.e. easy to get wrong). Also add a notice to the --show-tls output, referring to the man page explanation. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1430840857-6123-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9651 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add note about file permissions and --crl-verify to manpage.Gert Doering2015-05-021-0/+5
| | | | | | | | | Trac #522 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1430593625-855-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9634
* explain effect of --topology subnet on --ifconfigGert Doering2015-04-301-5/+18
| | | | | | | | | | | | | The fact that the second parameter of --ifconfig is no longer a "remote address" but a "netmask" when using --dev tun and --topology subnet was not documented clearly enough. Trac #370 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1430216419-11943-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9616
* Mac OS X Keychain management clientVasily Kulikov2015-04-132-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for using certificates stored in the Mac OSX Keychain to authenticate with the OpenVPN server. This works with certificates stored on the computer as well as certificates on hardware tokens that support Apple's tokend interface. The patch is based on the Windows Crypto API certificate functionality that currently exists in OpenVPN. This patch version implements management client which handles RSA-SIGN command for RSA offloading. Also it handles new 'NEED-CERTIFICATE' request to pass a certificate from the keychain to OpenVPN. OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when --management-external-cert is used. It is implemented as a multiline command very similar to an existing 'RSA-SIGN' command. The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049. v4: - added '--management-external-cert' argument - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed as cmdline's identity template - fixed typo in help output option name - added '--management-external-cert' info in openvpn(8) manpage - added 'certificate' command documentation into doc/management-notes.txt v3: - used new 'NEED-CERTIFICATE' command for certificate data request instead of 'NEED-OK' - improved option checking - improved invalid certificate selection string handling - added man page for keychain-mcd - handle INFO, FATAL commands from openvpn and show them to user * ACK from Arne Schwabe for OpenVPN part * ACK from James based on Arne's testing v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/): - used management interface to communicate with OpenVPN process v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/): - used RSA_METHOD to extend openvpn itself Signed-off-by: Vasily Kulikov <segoon@openwall.com> -- Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20150225160718.GA6306@cachalot> URL: http://article.gmane.org/gmane.network.openvpn.devel/9486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document the default for tls-cipher.Arne Schwabe2015-03-051-0/+3
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1425479025-7573-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9503 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add option to disable Diffie Hellman key exchange by setting '--dh none'Steffan Karger2015-01-041-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | As requested on the mailing list and in trac ticket #410, add an option to disable 'traditional' Diffie Hellman key exchange. People want to be able to create ecdh-only configurations. This patch also disables RSA key exchange by default for OpenSSL builds, to prevent that people who set "--dh none" but have an OpenSSL version that doesn't support ECDH end up with a less secure connection. Note that users that specify their own --tls-cipher override these defaults and thus can still use whatever OpenSSL supports (and might thus end up with less secure connections). PolarSSL does not allow to easily disable RSA key exchange during runtime, but its default compile options do not include RSA key exchange based cipher suites. Finally update the manpage to reflect the new behaviour, and while touching it change the text to motivate users towards a more secure configuration. v2 - disable RSA key exchange by default Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove ENABLE_SSL define (and --disable-ssl configure option)Steffan Karger2014-12-312-7/+7
| | | | | | | | | | | | | | | | | | | Remove the --disable-ssl configure option and accompanying ENABLE_SSL defines in the master/2.4 branch, to reduce the code and testing complexity a bit. This does not remove to runtime option to run without SSL, just the compile time option to not include any SSL-related code. During the community meeting in November 2014 there were no objections amongst he developers present. Also, this has been announced on the -users and -devel mailing lists two weeks ago, without any response whatsoever. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54A4248A.1090501@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make 'provider' option to --show-pkcs11-ids optional where p11-kit is presentDavid Woodhouse2014-12-271-1/+7
| | | | | | | | | | Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1418905506.21260.6.camel@infradead.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9355 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit a91a06cb291414c9e657377e44f7a57343ae7f5a)
* pkcs11: Load p11-kit-proxy.so module by defaultDavid Woodhouse2014-12-271-0/+10
| | | | | | | | | | | | | | | If the user specifies --pkcs11-id or --pkcs-id-management but neglects to explicitly provide a --pkcs11-provider argument, and if the system has p11-kit installed, then load the p11-kit proxy module so that the system-configured tokens are available. Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1418303015.31745.78.camel@infradead.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9342 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
* Update doxygen (a bit)Steffan Karger2014-12-073-40/+35
| | | | | | | | | | | | | | | | | This is not a full update, but just updates some data channel-related docs I came across. Other pages probably need a bit of attention too. Stuff that was changed: * Explain data channel crypto format in crypto.h * Add P_DATA_V1 and P_DATA_V2 packet format spec * Remove '2.1' from title * Update some OpenSSL-specific text Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove possibility of using --tls-auth with non OpenVPN Static key filesArne Schwabe2014-12-061-18/+3
| | | | | | | | | | In older version OpenVPN would hash a --tls-auth file if it does not conform to the expected format Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9306 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix to --shaper documentation on the man-pageSamuli Seppänen2014-11-231-0/+1
| | | | | | | | | | Trac: #413 Trac-URL: https://community.openvpn.net/openvpn/ticket/413 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1416564585-14546-1-git-send-email-samuli@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/9254 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add --tls-version-maxSteffan Karger2014-11-141-0/+5
| | | | | | | | | | | | | | | Because using TLS 1.2 breaks certain setups, a user might want to enforce a maximum TLS version to use. This patch adds that option. This patch removes a number of #ifdefs from ssl_polarssl.c, because the polarssl versions we currently support (polar 1.2 for openvpn 2.3, and polar 1.3 for openvpn-master) have all versions unconditionally enabled. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <544EC052.3080809@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add documentation for PERSIST_TUN_ACTION (Android specific)Arne Schwabe2014-10-071-1/+16
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1412712650-5173-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9090 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove deprecated --max-routes option from manualArne Schwabe2014-07-251-7/+0
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1406237866-9086-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8938 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix server routes not working in topology subnet with --server [v3]Arne Schwabe2014-07-131-1/+4
| | | | | | | | | | | | | | | | | | | | The IPv4 routing code needs an IPv4 address to point a route to, and in --topology subnet mode, the *server* did not have one set by default. So we now just default --route-gateway to the next address right after the server address - the specific address doesn't matter, as the correct next-hop will not be resolved by the host OS but by the OpenVPN daemon. All that is needed is "it's in the subnet routed to the tun interface". Using the server address itself would work on unix, but doesn't work with the Windows TAP driver (as it does not spoof ARP responses for itself). Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
* Do not upcase x509-username-field for mixed-case arguments.Andris Kalnozols2014-07-101-6/+38
| | | | | | | | | | | | | | I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument is all lowercase. Mixed-case arguments and those with the "ext:" prefix are left unchanged. This preserves the original intent of the "helpful" upcasing feature for backwards compatibility while limiting its scope in a straightforward way. Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53B1BDD8.8020705@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix some typos in the man page.Andris Kalnozols2014-06-281-4/+4
| | | | | | | Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <53AF0D20.7020204@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* More IPv6-related updates to the openvpn man page.Gert Doering2014-04-271-6/+10
| | | | | | | | | | | | | | Point to correct kernel version for --multihome and IPv4-mapped addresses (3.15, Tore Anderson). Remove old reference to http://www.greenie.net/ from the IPv6 section, as the code and documentation in here is more current than on that site. Some more additions and clarifications. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Tore Anderson <tore@fud.no> Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.Steffan Karger2014-04-271-0/+6
| | | | | | | | | | | | | | | This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour. Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex represenation for both crypto library backends. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8649 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Rewrite manpage section about --multihomeGert Doering2014-04-251-12/+16
| | | | | | | | | | | | Part of the information was confusing, part was outdated, and part was just not making sense. Pointed out in trac#348. Also add note about Linux IPv4-mapped issues as per trac#306. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1398453555-19706-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8635
* Fix man page and OSCP script: tls_serial_{n} is decimalArne Schwabe2014-04-251-3/+3
| | | | | | | | | | | | Commit 7d5e26cbb53 fixed extracting serial but did not change the format, which always has been decimal. This patch fixes the manpage and OSCP.sh script to conform with the implementation. Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8409 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support for elliptic curve diffie-hellmann key exchange (ECDH)Steffan Karger2014-04-251-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference): * When supplied, use the ecdh curve specified by the user. * Try to extract the curve from the private key, use the same curve. * Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53597BEA.6080408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easy parsable log output that allows access to flags of the log ↵Arne Schwabe2014-03-221-0/+6
| | | | | | | | | | message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8374 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix "." in description of utun.Thomas Veerman2014-01-231-2/+2
| | | | Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document issue with --chroot, /dev/urandom and PolarSSL.Gert Doering2014-01-121-0/+10
| | | | | | | | | See trac#218 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1389441036-12538-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8213
* Make code and documentation for --remote-random-hostname consistent.Gert Doering2014-01-091-1/+1
| | | | | | | | | | | | | | Documentation examples, description and code were disagreeing on what this option actually does. Now they will all agree that it will *prepend* a random-byte string to the hostname name before resolving to work around DNS caching (needs a "*" wildcard record in the zone). Fix trac #143 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
* Document "lz4" argument to "compress" config option.Gert Doering2014-01-061-2/+4
| | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389012640-24174-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8178
* Implement listing on IPv4/IPv6 dual socket on all platformArne Schwabe2013-11-291-1/+7
| | | | | | | | | | With this patch OpenVPN will listen on Ipv4 as well as IPv6 when an IPv6 socket is used. Using bind ipv6only will disable this behavior Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1385382680-5912-7-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8052 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement dual stack client support for OpenVPNArne Schwabe2013-11-291-11/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch contains a number of changes. I did not further spit this since some changes make only sense being changed together. Always use connection_list, simplifies the reconnection logic. Change meaning of --connect-retry-max and --connect-retry to be used all connections. This now allows OpenVPN to quit after n unsuccessful udp connection attempts Remove the tcp reconnection logic. Failing a TCP connection will now cause a USR1 like a UDP connection. Also extend sig->source from bool to int to specify signal source. This allows a finer grained reconnection logic if necessary in the future. Dual-Stack support: if an address resolves to multiple records each address is tried in sequential order. Then proceed to next connection entry. Introduce the field current_remote to represent the current connecting remote. Also change some fields to struct addrinfo* form openvn_addr to store multiple addresses needed for the dual stack support. Change meaning from udp and tcp to allow both IPv4 and IPv6. Introducue new udp4 and tcp4 to force IPv4. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1385382680-5912-6-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8058 Signed-off-by: Gert Doering <gert@greenie.muc.de> Message-ID: <20131129194258.GL161@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8071 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Change the type of all ports in openvpn to const char* and let getaddrinfo ↵Arne Schwabe2013-11-221-4/+4
| | | | | | | | | | | | | | | | | resolve the port together with the hostname. This delays error reporting from config parsing to resolving of host addresses. But it allows statements like remote openvpn.example.org openvpn port https management localhost ntp Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1385064495-25877-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8018 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document authfile for socks serverDavide Brini2013-11-151-1/+4
| | | | | | | | | | | | | It looks like it's possible to specify an optional authfile as third argument of the "socks-proxy" directive. This patch updates the man page to document that. Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: Heiko Hund <heiko.hund@sophos.com> Message-Id: <0MTjMy-1VU1I42Lo0-00QV4k@mail.gmx.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7875 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement custom HTTP header for http-proxy, and always send user-agent:Arne Schwabe2013-11-151-0/+7
| | | | | | | | | | | | | | | | There are some patched OpenVPN versions out there without source code (e.g. NDMVPN) that support adding custom http header. This patch adds custom header to OpenVPN and supports the syntax that the "in the wild" variants use. Patch v3 also prints all custom headers with other http options in --verb 5 Patch v4 does clean up the add_proxy_header function Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1382688143-17247-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7946 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add a note what setenv opt does for OpenVPN < 2.3.3Arne Schwabe2013-08-161-0/+4
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1376640680-26468-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7798 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support to ignore specific options.Arne Schwabe2013-08-161-0/+22
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1376640664-26379-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7799 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Added "setenv opt" directive prefix. If present, and if theJames Yonan2013-07-151-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | directive that follows is recognized, it will be processed as if the "setenv opt" prefix was absent. If present and if the directive that follows is not recognized, the directive will be ignored rather than cause a fatal error. For example, suppose you are distributing a client configuration file and want to set the minimum TLS version that the client requires from the server to 1.2. By using the following directive, setenv opt tls-version-min 1.2 or-highest only newer clients that understand the tls-version-min directive would process it, while older clients would ignore it. (cherry picked from commit 27713761e4110bb92f1c6dfe85db291e8c6e0f56) Signed-off-by: James Yonan <james@openvpn.net> URL: http://thread.gmane.org/gmane.network.openvpn.devel/7771 URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744 URL: https://github.com/jamesyonan/openvpn/commit/27713761e4110bb92f1c6dfe85db291e8c6e0f56 Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
* TLS version negotiationJames Yonan2013-07-111-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updated the TLS negotiation logic to adaptively try to connect using the highest TLS version supported by both client and server. Previously, OpenVPN (when linked with OpenSSL) would always connect using TLS 1.0. Also added tls-version-min directive to force a higher TLS version than 1.0: tls-version-min <version> ['or-highest'] -- sets the minimum TLS version we will accept from the peer. Examples for version include "1.0" (default), "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. Examples: tls-version-min 1.1 -- fail the connection unless peer can connect at TLS 1.1 or higher. tls-version-min 1.2 or-highest -- require that the peer connect at TLS 1.2 or higher, however if the local SSL implementation doesn't support TLS 1.2 (as it wouldn't if linked with an older version of OpenSSL), reduce the minimum required version to the highest version supported by the local SSL implementation (such as TLS 1.0). This is intended to allow client configurations to target higher TLS versions that are supported on the server, even if some older clients don't support these versions yet. [ This is a merged patch from on the following commits on git://github.com/jamesyonan/openvpn.git 03a5599202bdc3ba07983dc4efdae387fb8fb436 d23005413b0e0f28a3c48a6342f494763d5c9b40 ] Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743 URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744 Message-Id: 51C77F12.1090802@openvpn.net Signed-off-by: David Sommerseth <davids@redhat.com>
* man page: Update man page about the tls_digest_{n} environment variableDavid Sommerseth2013-07-031-0/+10
| | | | | | | | Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1370600111-5983-1-git-send-email-dazo@users.sourceforge.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7659 Signed-off-by: Gert Doering <gert@greenie.muc.de>
generated by cgit (git 2.34.1) at 2024-04-19 15:38:29 +0000