summaryrefslogtreecommitdiff
path: root/app/openvpn/doc
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2015-01-19 16:31:59 +0100
committerParménides GV <parmegv@sdf.org>2015-01-19 16:31:59 +0100
commit1e748855652780d225fd113320ffe1bceca5ba8e (patch)
treea0b257591ef9f3b4c662165c20ffad120fcdeba1 /app/openvpn/doc
parentfab7a89f44d59f3c7ea7505ae05a3c8b4c67c0b8 (diff)
parent45cf8b1cc3085a575c5a460eb7d8191ee6033da4 (diff)
Merge branch 'develop'
Diffstat (limited to 'app/openvpn/doc')
-rw-r--r--app/openvpn/doc/doxygen/doc_data_crypto.h4
-rw-r--r--app/openvpn/doc/doxygen/doc_mainpage.h2
-rw-r--r--app/openvpn/doc/doxygen/doc_protocol_overview.h69
-rw-r--r--app/openvpn/doc/openvpn.827
4 files changed, 44 insertions, 58 deletions
diff --git a/app/openvpn/doc/doxygen/doc_data_crypto.h b/app/openvpn/doc/doxygen/doc_data_crypto.h
index ee72b8cd..640203f4 100644
--- a/app/openvpn/doc/doxygen/doc_data_crypto.h
+++ b/app/openvpn/doc/doxygen/doc_data_crypto.h
@@ -69,7 +69,5 @@
*
* @par Crypto algorithms
* This module uses the crypto algorithm implementations of the external
- * OpenSSL library. More precisely, it uses the OpenSSL library's \c
- * EVP_Cipher* and \c HMAC_* set of functions to perform cryptographic
- * operations on data channel packets.
+ * crypto library (currently either OpenSSL (default), or PolarSSL).
*/
diff --git a/app/openvpn/doc/doxygen/doc_mainpage.h b/app/openvpn/doc/doxygen/doc_mainpage.h
index 821b2e87..ed8e324e 100644
--- a/app/openvpn/doc/doxygen/doc_mainpage.h
+++ b/app/openvpn/doc/doxygen/doc_mainpage.h
@@ -29,7 +29,7 @@
*/
/**
- * @mainpage OpenVPN v2.1 source code documentation
+ * @mainpage OpenVPN source code documentation
*
* This documentation describes the internal structure of OpenVPN. It was
* automatically generated from specially formatted comment blocks in
diff --git a/app/openvpn/doc/doxygen/doc_protocol_overview.h b/app/openvpn/doc/doxygen/doc_protocol_overview.h
index 26fed331..9edafcfb 100644
--- a/app/openvpn/doc/doxygen/doc_protocol_overview.h
+++ b/app/openvpn/doc/doxygen/doc_protocol_overview.h
@@ -5,7 +5,7 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2010-2014 Fox Crypto B.V. <openvpn@fox-it.com>
*
*
* This program is free software; you can redistribute it and/or modify
@@ -61,24 +61,26 @@
* following describes the various opcodes available.
*
* - Control channel messages:
- * - \c P_CONTROL_HARD_RESET_CLIENT_V1 -- %Key method 1, initial %key
+ * - \ref P_CONTROL_HARD_RESET_CLIENT_V1 -- %Key method 1, initial %key
* from client, forget previous state.
- * - \c P_CONTROL_HARD_RESET_SERVER_V1 -- %Key method 1, initial %key
+ * - \ref P_CONTROL_HARD_RESET_SERVER_V1 -- %Key method 1, initial %key
* from server, forget previous state.
- * - \c P_CONTROL_HARD_RESET_CLIENT_V2 -- %Key method 2, initial %key
+ * - \ref P_CONTROL_HARD_RESET_CLIENT_V2 -- %Key method 2, initial %key
* from client, forget previous state.
- * - \c P_CONTROL_HARD_RESET_SERVER_V2 -- %Key method 2, initial %key
+ * - \ref P_CONTROL_HARD_RESET_SERVER_V2 -- %Key method 2, initial %key
* from server, forget previous state.
- * - \c P_CONTROL_SOFT_RESET_V1 -- New %key, with a graceful
+ * - \ref P_CONTROL_SOFT_RESET_V1 -- New %key, with a graceful
* transition from old to new %key in the sense that a transition
* window exists where both the old or new key_id can be used.
- * - \c P_CONTROL_V1 -- Control channel packet (usually TLS
+ * - \ref P_CONTROL_V1 -- Control channel packet (usually TLS
* ciphertext).
- * - \c P_ACK_V1 -- Acknowledgement for control channel packets
+ * - \ref P_ACK_V1 -- Acknowledgement for control channel packets
* received.
* - Data channel messages:
- * - \c P_DATA_V1 -- Data channel packet containing data channel
+ * - \ref P_DATA_V1 -- Data channel packet containing data channel
* ciphertext.
+ * - \ref P_DATA_V2 -- Data channel packet containing peer-id and data
+ * channel ciphertext.
*
* @subsection network_protocol_external_key_id Session IDs and Key IDs
*
@@ -139,10 +141,10 @@
* channel is used to exchange random %key material for bidirectional
* cipher and HMAC keys which will be used to secure data channel packets.
* OpenVPN currently implements two %key methods. %Key method 1 directly
- * derives keys using random bits obtained from the \c RAND_bytes()
- * OpenSSL function. %Key method 2 mixes random %key material from both
- * sides of the connection using the TLS PRF mixing function. %Key method
- * 2 is the preferred method and is the default for OpenVPN 2.0.
+ * derives keys using random bits obtained from the \c rand_bytes() function.
+ * %Key method 2 mixes random %key material from both sides of the connection
+ * using the TLS PRF mixing function. %Key method 2 is the preferred method and
+ * is the default for OpenVPN 2.0+.
*
* The @ref key_generation "Data channel key generation" related page
* describes the %key methods in more detail.
@@ -173,27 +175,22 @@
*
* @section network_protocol_data Structure of data channel messages
*
- * @subsection network_protocol_data_ciphertext Structure of ciphertext data channel messages
- *
- * The P_DATA_* payload represents encrypted, encapsulated tunnel packets
- * which tend to be either IP packets or Ethernet frames. This is
- * essentially the "payload" of the VPN.
- *
- * Data channel packets in ciphertext form consist of the following parts:
- * - HMAC of ciphertext IV + ciphertext (if not disabled by \c --auth
- * none).
- * - Ciphertext IV (size is cipher-dependent, if not disabled by \c
- * --no-iv).
- * - Tunnel packet ciphertext.
- *
- * @subsection network_protocol_data_plaintext Structure of plaintext data channel messages
- *
- * Data channel packets in plaintext form consist of the following parts:
- * - packet-id (4 or 8 bytes, if not disabled by --no-replay).
- * - In TLS mode, 4 bytes are used because the implementation can
- * force a TLS renegotation before \c 2^32 packets are sent.
- * - In pre-shared %key mode, 8 bytes are used (sequence number and \c
- * time_t value) to allow long-term %key usage without packet-id
- * collisions.
- * - User plaintext (n bytes).
+ * The P_DATA_* payload represents encapsulated tunnel packets which tend to be
+ * either IP packets or Ethernet frames. This is essentially the "payload" of
+ * the VPN. Data channel packets consist of a data channel header, and a
+ * payload. There are two possible formats:
+ *
+ * @par P_DATA_V1
+ * P_DATA_V1 packets have a 1-byte header, carrying the \ref P_DATA_V1 \c opcode
+ * and \c key_id, followed by the payload:\n
+ * <tt> [ 5-bit opcode | 3-bit key_id ] [ payload ] </tt>
+ *
+ * @par P_DATA_V2
+ * P_DATA_V2 packets have the same 1-byte opcode/key_id, but carrying the \ref
+ * P_DATA_V2 opcode, followed by a 3-byte peer-id, which uniquely identifies
+ * the peer:\n
+ * <tt> [ 5-bit opcode | 3-bit key_id ] [ 24-bit peer-id ] [ payload ] </tt>
+ *
+ * See @ref data_crypto for details on the data channel payload format.
+ *
*/
diff --git a/app/openvpn/doc/openvpn.8 b/app/openvpn/doc/openvpn.8
index f2911c0e..532eda5c 100644
--- a/app/openvpn/doc/openvpn.8
+++ b/app/openvpn/doc/openvpn.8
@@ -1437,6 +1437,7 @@ Currently defaults to 100.
Limit bandwidth of outgoing tunnel data to
.B n
bytes per second on the TCP/UDP port.
+Note that this will only work if mode is set to p2p.
If you want to limit the bandwidth
in both directions, use this option on both peers.
@@ -4330,6 +4331,11 @@ and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
.\"*********************************************************
.TP
+.B \-\-tls-version-max version
+Set the maximum TLS version we will use (default is the highest version
+supported). Examples for version include "1.0", "1.1", or "1.2".
+.\"*********************************************************
+.TP
.B \-\-pkcs12 file
Specify a PKCS #12 file containing local private key,
local certificate, and root CA certificate.
@@ -4603,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped immediately without
response.
.B file
-(required) is a key file which can be in one of two formats:
-
-.B (1)
-An OpenVPN static key file generated by
+(required) is a file in OpenVPN static key format which can be generated by
.B \-\-genkey
-(required if
-.B direction
-parameter is used).
-
-.B (2)
-A freeform passphrase file. In this case the HMAC key will
-be derived by taking a secure hash of this file, similar to
-the
-.BR md5sum (1)
-or
-.BR sha1sum (1)
-commands.
-OpenVPN will first try format (1), and if the file fails to parse as
-a static key file, format (2) will be used.
+Older versions (up to 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (2.4+).
See the
.B \-\-secret