author: arne <arne@gaia.fritz.box> 2012-12-25 23:22:13 +0100
committer: arne <arne@gaia.fritz.box> 2012-12-25 23:22:13 +0100
commit: c9dc454f4ec38f075f951fbf32935054023eed94 (patch)
tree: 33d36c8bfb68db406e3ae90237b145077efecda5 /openvpn/doc
parent: e57c7dd4a792d02897140d0c5e2d014bcd1147c0 (diff)
parent: b2b8b3da3f501543338fc5065519ab778379c274 (diff)
Merge local changes with repository
Diffstat (limited to 'openvpn/doc')
-rw-r--r-- openvpn/doc/management-notes.txt  28
-rw-r--r-- openvpn/doc/openvpn.8              82
2 files changed, 79 insertions, 31 deletions
diff --git a/openvpn/doc/management-notes.txt b/openvpn/doc/management-notes.txt
index a07a5142..ef39b855 100644
--- a/openvpn/doc/management-notes.txt
+++ b/openvpn/doc/management-notes.txt
@@ -750,6 +750,34 @@ To accept connecting to the host and port directly, use this command:
proxy NONE
+COMMAND -- rsa-sig (OpenVPN 2.3 or higher)
+------------------------------------------
+Provides support for external storage of the private key. Requires the
+--management-external-key option. This option can be used instead of "key"
+in client mode, and allows the client to run without the need to load the
+actual private key. When the SSL protocol needs to perform an RSA sign
+operation, the data to be signed will be sent to the management interface
+via a notification as follows:
+
+>RSA_SIGN:[BASE64_DATA]
+
+The management interface client should then sign BASE64_DATA
+using the private key and return the SSL signature as follows:
+
+rsa-sig
+[BASE64_SIG_LINE]
+.
+.
+.
+END
+
+Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
+correct signature.
+
+This capability is intended to allow the use of arbitrary cryptographic
+service providers with OpenVPN via the management interface.
+
+
OUTPUT FORMAT
-------------
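Review bot: the notification format leaves the most important detail unstated: what BASE64_DATA actually contains. The truncated `RSA_sign(NID_md5_sha1,...` hint implies the management client receives the already-computed MD5+SHA-1 digest and must PKCS#1 v1.5 pad and sign it directly rather than hashing it again; spell that out, and finish the truncated call (OpenSSL's signature is `RSA_sign(type, m, m_len, sigret, &siglen, rsa)`), so that authors of external providers do not produce a signature the TLS peer rejects. The reply format should also state whether `BASE64_SIG_LINE` may be split across several lines (the three `.` lines suggest it can) and how long each line may be.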
diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8
index da1c0f9e..d66bd665 100644
--- a/openvpn/doc/openvpn.8
+++ b/openvpn/doc/openvpn.8
@@ -456,13 +456,9 @@ possess a built-in reliability layer.
.\"*********************************************************
.TP
.B \-\-connect-retry n
-For
-.B \-\-proto tcp-client,
-take
+Wait
.B n
-as the
-number of seconds to wait
-between connection retries (default=5).
+seconds between connection attempts (default=5).
.\"*********************************************************
.TP
.B \-\-connect-timeout n
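Review bot: dropping "For --proto tcp-client" silently widens the documented scope of --connect-retry to every protocol. If the retry behaviour now really applies to UDP as well, say so explicitly ("for all protocols"); otherwise the old restriction should stay. "Wait n seconds between connection attempts" is otherwise clearer than the old wording.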
@@ -474,12 +470,15 @@ seconds (default=10).
.\"*********************************************************
.TP
.B \-\-connect-retry-max n
-For
-.B \-\-proto tcp-client,
-take
.B n
-as the
-number of retries of connection attempt (default=infinite).
+specifies the number of times all
+.B \-\-remote
+respectively
+.B <connection>
+statements are tried. Specifiying
+.B n
+as one would try each entry exactly once. A sucessful connection
+resets the counter. (default=umlimited).
.\"*********************************************************
.TP
.B \-\-show-proxy-settings
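Review bot: three typos in the new text: "Specifiying" should be "Specifying", "sucessful" should be "successful", and "umlimited" should be "unlimited". "all --remote respectively <connection> statements" reads awkwardly; suggest "all --remote or <connection> entries". Since both this option and --connect-retry no longer mention tcp-client, a sentence on how the two interact (retry count versus wait between attempts) would help readers.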
@@ -651,18 +650,18 @@ peer on its new IP address.
.\"*********************************************************
.TP
.B \-\-port port
-TCP/UDP port number for both local and remote. The current
+TCP/UDP port number or port name for both local and remote. The current
default of 1194 represents the official IANA port number
assignment for OpenVPN and has been used since version 2.0-beta17.
Previous versions used port 5000 as the default.
.\"*********************************************************
.TP
.B \-\-lport port
-TCP/UDP port number for bind.
+TCP/UDP port number or name for bind.
.\"*********************************************************
.TP
.B \-\-rport port
-TCP/UDP port number for remote.
+TCP/UDP port number or name for remote.
.\"*********************************************************
.TP
.B \-\-bind
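Review bot: "port number or port name" introduces service-name lookup without saying how a name is resolved (the host's services database?); add that so administrators know the result depends on the local system configuration. The wording is also inconsistent across the three entries: --port says "port number or port name" while --lport and --rport say "port number or name"; pick one form.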
@@ -1886,7 +1885,7 @@ is a safety precaution to prevent a LD_PRELOAD style attack
from a malicious or compromised server.
.\"*********************************************************
.TP
-.B \-\-script-security level [method]
+.B \-\-script-security level
This directive offers policy-level control over OpenVPN's usage of external programs
and scripts. Lower
.B level
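Review bot: removing "[method]" from the synopsis is consistent with dropping the execve/system flag, but the text should say what happens when an old configuration still passes a third argument (rejected with an error, or silently ignored?); the later paragraph only says "no longer accepted".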
@@ -1905,24 +1904,40 @@ Allow calling of built-in executables and user-defined scripts.
.B 3 \-\-
Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
-The
+OpenVPN releases before v2.3 also supported a
.B method
-parameter indicates how OpenVPN should call external commands and scripts.
-Settings for
-.B method:
+flag which indicated how OpenVPN should call external commands and scripts. This
+could be either
+.B execve
+or
+.B system.
+As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve()
+approach has been used without any issues.
+
+To run scripts in Windows in earlier OpenVPN
+versions you needed to either add a full path to the script interpreter which can parse the
+script or use the
+.B system
+flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have
+full path to the script interpreter when running non-executables files.
+This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For
+example, if you have a Visual Basic script, you must use this syntax now:
-.B execve \-\-
-(default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
-.br
-.B system \-\-
-Use system() function (deprecated and less safe since the external program command
-line is subject to shell expansion).
+.nf
+.ft 3
+.in +4
+\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my-up-script.vbs'
+.in -4
+.ft
+.fi
-The
-.B \-\-script-security
-option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility
-with previous OpenVPN versions, use:
-.B \-\-script-security 3 system
+Please note the single quote marks and the escaping of the backslashes (\\) and
+the space character.
+
+The reason the support for the
+.B system
+flag was removed is due to the security implications with shell expansions
+when executing scripts via the system() call.
.\"*********************************************************
.TP
.B \-\-disable-occ
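Review bot: grammar and one lost fact. "it is now a strict requirement to have full path to the script interpreter when running non-executables files" should read "a full path to the script interpreter when running non-executable files". The removed sentence recording that --script-security was introduced in OpenVPN 2.1_rc9 was useful version history and should be kept, with the compatibility hint changed to "--script-security 3" since "system" is no longer accepted. The closing rationale (shell expansion through system()) is the point readers most need when choosing an interpreter path; consider placing it before the Windows example. Finally, add a blank line or .PP before .nf so the example starts a new paragraph, as the surrounding paragraphs do.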
@@ -2464,6 +2479,11 @@ Allow management interface to override
.B \-\-remote
directives (client-only).
.\"*********************************************************
+.B \-\-management-external-key
+Allows usage for external private key file instead of
+.B \-\-key
+option (client-only).
+.\"*********************************************************
.TP
.B \-\-management-forget-disconnect
Make OpenVPN forget passwords when management session
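Review bot: the new entry is missing the .TP macro between the .\"**** separator and ".B \-\-management-external-key"; every other option in this section (e.g. ".TP" / ".B \-\-management-forget-disconnect" just below) has it, and without it the option name will not render as a tagged paragraph. The description "Allows usage for external private key file" is also misleading, since no file is involved; suggest "Allows the private key to be held outside OpenVPN: RSA signing requests are passed to the management client (see rsa-sig in management-notes.txt) instead of reading the key from --key".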
@@ -5675,7 +5695,7 @@ Set on program initiation and reset on SIGHUP.
.\"*********************************************************
.TP
.B local_port
-The local port number, specified by
+The local port number or name, specified by
.B \-\-port
or
.B \-\-lport.
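Review bot: the environment-variable text should say whether local_port carries the name as written in the configuration or the resolved numeric port; scripts that compare it numerically will break if a service name is exported verbatim. The same question applies to the remote port variable documented alongside it.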