From 9356bae859938c30808aa0d2ee764bdcbb5dbe0d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Wed, 5 Jan 2011 00:50:11 +0000 Subject: Added --x509-track option. Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 004a30b..3cdc07e 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4311,6 +4311,18 @@ works in a environment too. .\"********************************************************* .TP +.B --x509-track attribute +Save peer X509 +.B attribute +value in environment for use by plugins and management interface. +Prepend a '+' to +.B attribute +to save values from full cert chain. Values will be encoded +as X509__=. Multiple +.B --x509-track +options can be defined to track multiple attributes. +.\"********************************************************* +.TP .B --ns-cert-type client|server Require that peer certificate was signed with an explicit .B nsCertType -- cgit From 15be3202b279abc431597db5d11e826eaf1c1bb6 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 10 Jan 2011 19:13:02 +0000 Subject: * added --management-up-down option to allow management interface to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 3cdc07e..164b58e 100644 --- a/openvpn.8 +++ b/openvpn.8 
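Review bot: the encoding description in the --x509-track entry has lost its placeholders: "Values will be encoded as X509__=" tells the reader nothing about what goes between the underscores or after the equals sign. Spell out the variable-name pattern, i.e. which position holds the chain depth, which the attribute name and what follows the equals sign, so plugin and management-interface authors can parse it. It is also worth one sentence noting that these values are copied from the peer's X509 certificate into the environment, so scripts and plugins consuming them should treat them as untrusted input (an attribute may be absent, repeated across the chain when '+' is used, or contain arbitrary characters).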
@@ -2367,6 +2367,11 @@ lines of log file history for usage by the management channel. .\"********************************************************* .TP +.B --management-up-down +Report tunnel up/down events to management interface. +.B +.\"********************************************************* +.TP .B --management-client-auth Gives management interface client the responsibility to authenticate clients after their client certificate -- cgit From 581bef87088ed2c559f66552088166903cf0098d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Fri, 18 Feb 2011 17:48:25 +0000 Subject: Added "client-nat" option for stateless, one-to-one NAT on the client side. Version 2.1.3i. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6944 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 164b58e..c5eb3ca 100644 --- a/openvpn.8 +++ b/openvpn.8 
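Review bot: there is a stray empty ".B" line after "Report tunnel up/down events to management interface." with no argument; a bare .B boldfaces the next input line, which here is a troff comment, so it does nothing useful and should be dropped. The entry also does not say what the management client actually receives: the commit message speaks of up/down notifications, but the man text names no message format, so a reader cannot tell how to consume the events. Add the notification format or a pointer to the management-interface documentation.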
@@ -1067,6 +1067,31 @@ and .B --route-gateway. .\"********************************************************* .TP +.B --client-nat snat|dnat network netmask alias +This pushable client option sets up a stateless one-to-one NAT +rule on packet addresses (not ports), and is useful in cases +where routes or ifconfig settings pushed to the client would +create an IP numbering conflict. + +.B network/netmask +(for example 192.168.0.0/255.255.0.0) +defines the local view of a resource from the client perspective, while +.B alias/netmask +(for example 10.64.0.0/255.255.0.0) +defines the remote view from the server perspective. + +Use +.B snat +(source NAT) for resources owned by the client and +.B dnat +(destination NAT) for remote resources. + +Set +.B --verb 6 +for debugging info showing the transformation of src/dest +addresses in packets. +.\"********************************************************* +.TP .B --redirect-gateway flags... (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. @@ -2706,7 +2731,7 @@ This option is deprecated, and should be replaced with which is functionally equivalent. .\"********************************************************* .TP -.B --ifconfig-push local remote-netmask +.B --ifconfig-push local remote-netmask [alias] Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. 
@@ -2725,6 +2750,15 @@ are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the server at the time of client connection. +The optional +.B alias +parameter may be used in cases where NAT causes the client view +of its local endpoint to differ from the server view. In this case +.B local/remote-netmask +will refer to the server view while +.B alias/remote-netmask +will refer to the client view. + This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using -- cgit From 1c5ff7722dbd3e32aa3e5b7d5cb77773f083472d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sun, 13 Mar 2011 06:59:25 +0000 Subject: Added optional journal directory argument to "port-share" directive, for reporting client IP origins of proxied connections. git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7031 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index c5eb3ca..037ba7e 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -3240,7 +3240,7 @@ disable the remapping feature. Don't use this option unless you know what you are doing! .\"********************************************************* .TP -.B --port-share host port +.B --port-share host port [dir] When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN 
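Review bot: the synopsis ".B --client-nat snat|dnat network netmask alias" lists three separate positional arguments, but the body then speaks of "network/netmask" and "alias/netmask" with slash-style examples (192.168.0.0/255.255.0.0), which reads as if a single CIDR-style argument were accepted. State that the one netmask argument applies to both network and alias and is passed separately. Since the option is described as pushable, also document whether --route-nopull suppresses a pushed --client-nat, as the earlier change in this series does for pushed --ip-win32, so a client knows how to refuse server-supplied address rewriting.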
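Review bot: the paragraph on the optional "alias" for --ifconfig-push says the server and client views may differ "where NAT causes" it, but never points at --client-nat, the option introduced in the same patch that creates exactly this situation; add a cross reference so the two are configured consistently. Also clarify that "local/remote-netmask" and "alias/remote-netmask" share the single remote-netmask argument, since the synopsis lists alias as a third separate argument after remote-netmask.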
@@ -3250,6 +3250,16 @@ Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. +.B dir +specifies an optional directory where a temporary file with name N +containing content C will be dynamically generated for each proxy +connection, where N is the source IP:port of the client connection +and C is the source IP:port of the connection to the proxy +receiver. This directory can be used as a dictionary by +the proxy receiver to determine the origin of the connection. +Each generated file will be automatically deleted when the proxied +connection is torn down. + Not implemented on Windows. .\"********************************************************* .SS Client Mode -- cgit From d5497262ae1d1a7cf50a45b5ab6750f63bf8565d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sun, 24 Apr 2011 00:59:28 +0000 Subject: Added 'dir' flag to "crl-verify" (see man page for info). Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list if not running in server mode (these functions are only useful for TLS/SSL servers). Modified openvpn_snprintf to return false on overflow, and true otherwise. When AUTH_FAILED,... is received, log the full string. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7213 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 037ba7e..1953b16 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4457,7 +4457,7 @@ or .B --tls-verify. .\"********************************************************* .TP -.B --crl-verify crl +.B --crl-verify crl ['dir'] Check peer certificate against the file .B crl in PEM format. 
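Review bot: the "dir" paragraph for --port-share says a file named after the client's source IP:port is created for every proxied connection, but says nothing about how the directory must be set up: who must own it, what permissions it needs (OpenVPN may already have dropped privileges via --user/--group when connections arrive), and that it should be writable only by OpenVPN and readable by the proxy receiver, since any other writer could plant files that mislead the receiver about a connection's origin. Also give the exact IP:port string format used for N and C so receivers can look up entries reliably.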
@@ -4473,6 +4473,16 @@ overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. + +If the optional +.B dir +flag is specified, enable a different mode where +.B crl +is a directory containing files named as revoked serial numbers +(the files may be empty, the contents are never read). If a client +requests a connection, where the client certificate serial number +(decimal string) is the name of a file present in the directory, +it will be rejected. .\"********************************************************* .SS SSL Library information: .\"********************************************************* -- cgit From 7966d75a9d41453a56e41eaae7b0fd64f75f7ec3 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 25 Apr 2011 04:58:34 +0000 Subject: Added new "extra-certs" and "verify-hash" options (see man page for details). Increase the timeout after SIGUSR1 restart when restart is not due to server_poll_timeout. Version 2.1.3v git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7215 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 1953b16..85889de 100644 --- a/openvpn.8 +++ b/openvpn.8 
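Review bot: the directory mode of --crl-verify rejects a client only when a file named after its serial number as a "decimal string" exists, so any formatting mismatch fails open: a revoked certificate whose serial was written in hex (the form "openssl x509 -noout -serial" prints) or with leading zeros is simply not matched and is accepted. The text should give the exact canonical form expected and ideally show how to produce it from a certificate. It should also say whether only the leaf certificate's serial is checked or every certificate in the chain, since the CRL mode described just above it applies to the issuing CA's revocations.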
@@ -3887,6 +3887,22 @@ that for certificate authority functions, you must set up the files ). .\"********************************************************* .TP +.B --extra-certs file +Specify a +.B file +containing one or more PEM certs (concatenated together) +that complete the +local certificate chain. + +This option is useful for "split" CAs, where the CA for server +certs is different than the CA for client certs. Putting certs +in this file allows them to be used to complete the local +certificate chain without trusting them to verify the peer-submitted +certificate, as would be the case if the certs were placed in the +.B ca +file. +.\"********************************************************* +.TP .B --key file Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate (see @@ -3903,6 +3919,17 @@ and .B --key. .\"********************************************************* .TP +.B --verify-hash hash +Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the +CA (or intermediate cert) that signs the leaf certificate, and is +one removed from the leaf certificate in the direction of the root. +When accepting a connection from a peer, the level-1 cert +fingerprint must match +.B hash +or certificate verification will fail. Hash is specified +as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 +.\"********************************************************* +.TP .B --pkcs11-cert-private [0|1]... Set if access to certificate object should be performed after login. Every provider has its own setting. -- cgit
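Review bot: the --extra-certs entry explains why the certificates should not go in the "ca" file but never states what is done with them: whether they are sent to the peer as part of the presented chain, or used only locally. Since the purpose is to complete the chain for a split CA, say explicitly that they are presented to the peer and are not used to verify the peer-submitted certificate. Minor: "different than" should read "different from".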
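Review bot: the --verify-hash entry should state that the fingerprint check is made in addition to normal CA verification, not instead of it; as written, "the level-1 cert fingerprint must match hash or certificate verification will fail" can be read as the only check performed. Also state the exact hash format (20 colon-separated hex bytes for SHA1, matching the example given) and whether the comparison is case-insensitive, so a pin entered in lowercase or without colons does not silently fail to match.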