Miscellaneous man page edits, fixed some formatting issues.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3550 e7ae566f-a301-0410-adde-c780ea21d3b5
... | ... |
@@ -320,7 +320,8 @@ helper_client_server (struct options *o) |
320 | 320 |
* mode server |
321 | 321 |
* tls-server |
322 | 322 |
* |
323 |
- * push "route-gateway dhcp" |
|
323 |
+ * if !nogw: |
|
324 |
+ * push "route-gateway dhcp" |
|
324 | 325 |
*/ |
325 | 326 |
else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) |
326 | 327 |
{ |
... | ... |
@@ -355,7 +356,7 @@ helper_client_server (struct options *o) |
355 | 355 |
o->ifconfig_pool_netmask = o->server_bridge_netmask; |
356 | 356 |
push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE); |
357 | 357 |
} |
358 |
- else if (o->server_bridge_proxy_dhcp) |
|
358 |
+ else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) |
|
359 | 359 |
{ |
360 | 360 |
push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE); |
361 | 361 |
} |
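Review bot: The nogw test is folded into the `else if` condition at new line 358, so a `--server-bridge nogw` configuration no longer matches the proxy-DHCP branch at all and falls through to whatever follows it. Nothing after the closing brace is visible here, but any `else` arm added later would silently be selected for nogw. Keeping the branch keyed on `o->server_bridge_proxy_dhcp` alone and testing the flag inside it, `if (!(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);`, would also mirror the `if !nogw:` nesting that the comment at new lines 323-324 documents. The body of helper_client_server starts and ends outside these hunks.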
... | ... |
@@ -21,25 +21,28 @@ |
21 | 21 |
.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
22 | 22 |
.\" |
23 | 23 |
.\" Manual page for openvpn |
24 |
+.\ |
|
24 | 25 |
.\" SH section heading |
25 | 26 |
.\" SS subsection heading |
26 | 27 |
.\" LP paragraph |
27 | 28 |
.\" IP indented paragraph |
28 | 29 |
.\" TP hanging label |
30 |
+.\ |
|
31 |
+.\" .nf -- no formatting |
|
32 |
+.\" .fi -- resume formatting |
|
33 |
+.\" .ft 3 -- boldface |
|
34 |
+.\" .ft -- normal face |
|
35 |
+.\" .in +|-{n} -- indent |
|
36 |
+.\" |
|
29 | 37 |
.TH openvpn 8 "17 November 2008" |
30 | 38 |
.\"********************************************************* |
31 | 39 |
.SH NAME |
32 | 40 |
openvpn \- secure IP tunnel daemon. |
33 | 41 |
.\"********************************************************* |
34 | 42 |
.SH SYNOPSIS |
35 |
-.LP |
|
36 |
-.nh |
|
37 |
-.in +4 |
|
38 |
-.ti -4 |
|
39 |
-.B openvpn [ options ... ] |
|
40 |
-.in -4 |
|
41 |
-.ti +4 |
|
42 |
-.hy |
|
43 |
+.ft 3 |
|
44 |
+openvpn [ options ... ] |
|
45 |
+.ft |
|
43 | 46 |
.\"********************************************************* |
44 | 47 |
.SH INTRODUCTION |
45 | 48 |
.LP |
... | ... |
@@ -128,31 +131,27 @@ Note that OpenVPN 2.0 and higher performs backslash-based shell |
128 | 128 |
escaping for characters not in single quotations, |
129 | 129 |
so the following mappings should be observed: |
130 | 130 |
|
131 |
-.RS |
|
132 |
-.ft 3 |
|
133 | 131 |
.nf |
134 |
-.sp |
|
132 |
+.ft 3 |
|
133 |
+.in +4 |
|
135 | 134 |
\\\\ Maps to a single backslash character (\\). |
136 | 135 |
\\" Pass a literal doublequote character ("), don't |
137 | 136 |
interpret it as enclosing a parameter. |
138 | 137 |
\\[SPACE] Pass a literal space or tab character, don't |
139 | 138 |
interpret it as a parameter delimiter. |
139 |
+.in -4 |
|
140 | 140 |
.ft |
141 |
-.LP |
|
142 |
-.RE |
|
143 | 141 |
.fi |
144 | 142 |
|
145 | 143 |
For example on Windows, use double backslashes to |
146 | 144 |
represent pathnames: |
147 | 145 |
|
148 |
-.RS |
|
149 |
-.ft 3 |
|
150 | 146 |
.nf |
151 |
-.sp |
|
147 |
+.ft 3 |
|
148 |
+.in +4 |
|
152 | 149 |
secret "c:\\\\OpenVPN\\\\secret.key" |
150 |
+.in -4 |
|
153 | 151 |
.ft |
154 |
-.LP |
|
155 |
-.RE |
|
156 | 152 |
.fi |
157 | 153 |
|
158 | 154 |
For examples of configuration files, |
... | ... |
@@ -160,10 +159,10 @@ see |
160 | 160 |
.I http://openvpn.net/examples.html |
161 | 161 |
|
162 | 162 |
Here is an example configuration file: |
163 |
-.RS |
|
164 |
-.ft 3 |
|
163 |
+ |
|
165 | 164 |
.nf |
166 |
-.sp |
|
165 |
+.ft 3 |
|
166 |
+.in +4 |
|
167 | 167 |
# |
168 | 168 |
# Sample OpenVPN configuration file for |
169 | 169 |
# using a pre-shared static key. |
... | ... |
@@ -182,9 +181,8 @@ ifconfig 10.1.0.1 10.1.0.2 |
182 | 182 |
|
183 | 183 |
# Our pre-shared static key |
184 | 184 |
secret static.key |
185 |
+.in -4 |
|
185 | 186 |
.ft |
186 |
-.LP |
|
187 |
-.RE |
|
188 | 187 |
.fi |
189 | 188 |
.\"********************************************************* |
190 | 189 |
.SS Tunnel Options: |
... | ... |
@@ -291,10 +289,9 @@ list. |
291 | 291 |
|
292 | 292 |
Here is an example of connection profile usage: |
293 | 293 |
|
294 |
-.RS |
|
295 |
-.ft 3 |
|
296 | 294 |
.nf |
297 |
-.sp |
|
295 |
+.ft 3 |
|
296 |
+.in +4 |
|
298 | 297 |
client |
299 | 298 |
dev tun |
300 | 299 |
|
... | ... |
@@ -323,9 +320,8 @@ persist-tun |
323 | 323 |
pkcs12 client.p12 |
324 | 324 |
ns-cert-type server |
325 | 325 |
verb 3 |
326 |
+.in -4 |
|
326 | 327 |
.ft |
327 |
-.LP |
|
328 |
-.RE |
|
329 | 328 |
.fi |
330 | 329 |
|
331 | 330 |
First we try to connect to a server at 198.19.34.56:1194 using UDP. |
... | ... |
@@ -671,12 +667,12 @@ for an example on setting up a TUN device. |
671 | 671 |
|
672 | 672 |
You must use either tun devices on both ends of the connection |
673 | 673 |
or tap devices on both ends. You cannot mix them, as they |
674 |
-represent different underlying protocols. |
|
674 |
+represent different underlying network layers. |
|
675 | 675 |
|
676 | 676 |
.B tun |
677 |
-devices encapsulate IPv4 or IPv6 while |
|
677 |
+devices encapsulate IPv4 or IPv6 (OSI Layer 3) while |
|
678 | 678 |
.B tap |
679 |
-devices encapsulate Ethernet 802.3. |
|
679 |
+devices encapsulate Ethernet 802.3 (OSI Layer 2). |
|
680 | 680 |
.\"********************************************************* |
681 | 681 |
.TP |
682 | 682 |
.B --dev-type device-type |
... | ... |
@@ -684,8 +680,10 @@ Which device type are we using? |
684 | 684 |
.B device-type |
685 | 685 |
should be |
686 | 686 |
.B tun |
687 |
+(OSI Layer 3) |
|
687 | 688 |
or |
688 |
-.B tap. |
|
689 |
+.B tap |
|
690 |
+(OSI Layer 2). |
|
689 | 691 |
Use this option only if the TUN/TAP device used with |
690 | 692 |
.B --dev |
691 | 693 |
does not begin with |
... | ... |
@@ -1482,10 +1480,9 @@ For example, |
1482 | 1482 |
.B --keepalive 10 60 |
1483 | 1483 |
expands as follows: |
1484 | 1484 |
|
1485 |
-.RS |
|
1486 |
-.ft 3 |
|
1487 | 1485 |
.nf |
1488 |
-.sp |
|
1486 |
+.ft 3 |
|
1487 |
+.in +4 |
|
1489 | 1488 |
if mode server: |
1490 | 1489 |
ping 10 |
1491 | 1490 |
ping-restart 120 |
... | ... |
@@ -1494,9 +1491,8 @@ expands as follows: |
1494 | 1494 |
else |
1495 | 1495 |
ping 10 |
1496 | 1496 |
ping-restart 60 |
1497 |
+.in -4 |
|
1497 | 1498 |
.ft |
1498 |
-.LP |
|
1499 |
-.RE |
|
1500 | 1499 |
.fi |
1501 | 1500 |
.\"********************************************************* |
1502 | 1501 |
.TP |
... | ... |
@@ -2177,15 +2173,13 @@ Next in a |
2177 | 2177 |
file, specify the compression setting for the client, |
2178 | 2178 |
for example: |
2179 | 2179 |
|
2180 |
-.RS |
|
2181 |
-.ft 3 |
|
2182 | 2180 |
.nf |
2183 |
-.sp |
|
2181 |
+.ft 3 |
|
2182 |
+.in +4 |
|
2184 | 2183 |
comp-lzo yes |
2185 | 2184 |
push "comp-lzo yes" |
2185 |
+.in -4 |
|
2186 | 2186 |
.ft |
2187 |
-.LP |
|
2188 |
-.RE |
|
2189 | 2187 |
.fi |
2190 | 2188 |
|
2191 | 2189 |
The first line sets the |
... | ... |
@@ -2383,10 +2377,9 @@ For example, |
2383 | 2383 |
.B --server 10.8.0.0 255.255.255.0 |
2384 | 2384 |
expands as follows: |
2385 | 2385 |
|
2386 |
-.RS |
|
2387 |
-.ft 3 |
|
2388 | 2386 |
.nf |
2389 |
-.sp |
|
2387 |
+.ft 3 |
|
2388 |
+.in +4 |
|
2390 | 2389 |
mode server |
2391 | 2390 |
tls-server |
2392 | 2391 |
push "topology [topology]" |
... | ... |
@@ -2406,9 +2399,8 @@ expands as follows: |
2406 | 2406 |
if !nopool: |
2407 | 2407 |
ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 |
2408 | 2408 |
push "route-gateway 10.8.0.1" |
2409 |
+.in -4 |
|
2409 | 2410 |
.ft |
2410 |
-.LP |
|
2411 |
-.RE |
|
2412 | 2411 |
.fi |
2413 | 2412 |
|
2414 | 2413 |
Don't use |
... | ... |
@@ -2418,7 +2410,9 @@ if you are ethernet bridging. Use |
2418 | 2418 |
instead. |
2419 | 2419 |
.\"********************************************************* |
2420 | 2420 |
.TP |
2421 |
-.B --server-bridge [ gateway netmask pool-start-IP pool-end-IP ] |
|
2421 |
+.B --server-bridge gateway netmask pool-start-IP pool-end-IP |
|
2422 |
+.TP |
|
2423 |
+.B --server-bridge ['nogw'] |
|
2422 | 2424 |
|
2423 | 2425 |
A helper directive similar to |
2424 | 2426 |
.B --server |
... | ... |
@@ -2433,7 +2427,10 @@ address for their TAP adapter from the DHCP server running |
2433 | 2433 |
on the OpenVPN server-side LAN. |
2434 | 2434 |
Note that only clients that support |
2435 | 2435 |
the binding of a DHCP client with the TAP adapter (such as |
2436 |
-Windows) can support this mode. |
|
2436 |
+Windows) can support this mode. The optional |
|
2437 |
+.B nogw |
|
2438 |
+flag (advanced) indicates that gateway information should not be |
|
2439 |
+pushed to the client. |
|
2437 | 2440 |
|
2438 | 2441 |
To configure ethernet bridging, you |
2439 | 2442 |
must first use your OS's bridging capability |
... | ... |
@@ -2470,35 +2467,44 @@ For example, |
2470 | 2470 |
.B server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 |
2471 | 2471 |
expands as follows: |
2472 | 2472 |
|
2473 |
-.RS |
|
2474 |
-.ft 3 |
|
2475 | 2473 |
.nf |
2476 |
-.sp |
|
2474 |
+.ft 3 |
|
2475 |
+.in +4 |
|
2477 | 2476 |
mode server |
2478 | 2477 |
tls-server |
2479 | 2478 |
|
2480 | 2479 |
ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 |
2481 | 2480 |
push "route-gateway 10.8.0.4" |
2481 |
+.in -4 |
|
2482 | 2482 |
.ft |
2483 |
-.LP |
|
2484 |
-.RE |
|
2485 | 2483 |
.fi |
2486 | 2484 |
|
2487 | 2485 |
In another example, |
2488 | 2486 |
.B --server-bridge |
2489 | 2487 |
(without parameters) expands as follows: |
2490 | 2488 |
|
2491 |
-.RS |
|
2492 |
-.ft 3 |
|
2493 | 2489 |
.nf |
2494 |
-.sp |
|
2490 |
+.ft 3 |
|
2491 |
+.in +4 |
|
2495 | 2492 |
mode server |
2496 | 2493 |
tls-server |
2497 | 2494 |
|
2498 | 2495 |
push "route-gateway dhcp" |
2496 |
+.in -4 |
|
2497 |
+.ft |
|
2498 |
+.fi |
|
2499 |
+ |
|
2500 |
+Or |
|
2501 |
+.B --server-bridge nogw |
|
2502 |
+expands as follows: |
|
2503 |
+ |
|
2504 |
+.nf |
|
2505 |
+.ft 3 |
|
2506 |
+.in +4 |
|
2507 |
+mode server |
|
2508 |
+tls-server |
|
2509 |
+.in -4 |
|
2499 | 2510 |
.ft |
2500 |
-.LP |
|
2501 |
-.RE |
|
2502 | 2511 |
.fi |
2503 | 2512 |
.\"********************************************************* |
2504 | 2513 |
.TP |
... | ... |
@@ -2878,16 +2884,14 @@ is generally a good latency optimization. |
2878 | 2878 |
|
2879 | 2879 |
The macro expands as follows: |
2880 | 2880 |
|
2881 |
-.RS |
|
2882 |
-.ft 3 |
|
2883 | 2881 |
.nf |
2884 |
-.sp |
|
2882 |
+.ft 3 |
|
2883 |
+.in +4 |
|
2885 | 2884 |
if mode server: |
2886 | 2885 |
socket-flags TCP_NODELAY |
2887 | 2886 |
push "socket-flags TCP_NODELAY" |
2887 |
+.in -4 |
|
2888 | 2888 |
.ft |
2889 |
-.LP |
|
2890 |
-.RE |
|
2891 | 2889 |
.fi |
2892 | 2890 |
.\"********************************************************* |
2893 | 2891 |
.TP |
... | ... |
@@ -3148,15 +3152,13 @@ in it's configuration. |
3148 | 3148 |
A helper directive designed to simplify the configuration |
3149 | 3149 |
of OpenVPN's client mode. This directive is equivalent to: |
3150 | 3150 |
|
3151 |
-.RS |
|
3152 |
-.ft 3 |
|
3153 | 3151 |
.nf |
3154 |
-.sp |
|
3152 |
+.ft 3 |
|
3153 |
+.in +4 |
|
3155 | 3154 |
pull |
3156 | 3155 |
tls-client |
3156 |
+.in -4 |
|
3157 | 3157 |
.ft |
3158 |
-.LP |
|
3159 |
-.RE |
|
3160 | 3158 |
.fi |
3161 | 3159 |
.\"********************************************************* |
3162 | 3160 |
.TP |
... | ... |
@@ -3364,7 +3366,9 @@ OpenVPN, use the |
3364 | 3364 |
.B --show-ciphers |
3365 | 3365 |
option. |
3366 | 3366 |
|
3367 |
-OpenVPN supports the CBC, CFB, and OFB cipher modes. |
|
3367 |
+OpenVPN supports the CBC, CFB, and OFB cipher modes, |
|
3368 |
+however CBC is recommended and CFB and OFB should |
|
3369 |
+be considered advanced modes. |
|
3368 | 3370 |
|
3369 | 3371 |
Set |
3370 | 3372 |
.B alg=none |
... | ... |
@@ -3412,7 +3416,7 @@ supported by OpenSSL. |
3412 | 3412 |
.\"********************************************************* |
3413 | 3413 |
.TP |
3414 | 3414 |
.B --no-replay |
3415 |
-Disable OpenVPN's protection against replay attacks. |
|
3415 |
+(Advanced) Disable OpenVPN's protection against replay attacks. |
|
3416 | 3416 |
Don't use this option unless you are prepared to make |
3417 | 3417 |
a tradeoff of greater efficiency in exchange for less |
3418 | 3418 |
security. |
... | ... |
@@ -3575,7 +3579,7 @@ This option only makes sense when replay protection is enabled |
3575 | 3575 |
.\"********************************************************* |
3576 | 3576 |
.TP |
3577 | 3577 |
.B --no-iv |
3578 |
-Disable OpenVPN's use of IV (cipher initialization vector). |
|
3578 |
+(Advanced) Disable OpenVPN's use of IV (cipher initialization vector). |
|
3579 | 3579 |
Don't use this option unless you are prepared to make |
3580 | 3580 |
a tradeoff of greater efficiency in exchange for less |
3581 | 3581 |
security. |
... | ... |
@@ -4834,6 +4838,14 @@ strings from untrusted sources to be passed as parameters to scripts, |
4834 | 4834 |
saved in the environment, used as a common name, translated to a filename, |
4835 | 4835 |
etc. |
4836 | 4836 |
|
4837 |
+.B Q: |
|
4838 |
+Can string remapping be disabled? |
|
4839 |
+ |
|
4840 |
+.B A: |
|
4841 |
+Yes, by using the |
|
4842 |
+.B --no-name-remapping |
|
4843 |
+option, however this should be considered an advanced option. |
|
4844 |
+ |
|
4837 | 4845 |
Here is a brief rundown of OpenVPN's current string types and the |
4838 | 4846 |
permitted character class for each string: |
4839 | 4847 |
|
... | ... |
@@ -5327,10 +5339,10 @@ OpenVPN server using the sample client certificate |
5327 | 5327 |
in sample-keys (client.crt). |
5328 | 5328 |
Note that the verification level is 0 for the client certificate |
5329 | 5329 |
and 1 for the CA certificate. |
5330 |
-.RS |
|
5331 |
-.ft 3 |
|
5330 |
+ |
|
5332 | 5331 |
.nf |
5333 |
-.sp |
|
5332 |
+.ft 3 |
|
5333 |
+.in +4 |
|
5334 | 5334 |
X509_0_emailAddress=me@myhost.mydomain |
5335 | 5335 |
X509_0_CN=Test-Client |
5336 | 5336 |
X509_0_O=OpenVPN-TEST |
... | ... |
@@ -5341,9 +5353,8 @@ X509_1_O=OpenVPN-TEST |
5341 | 5341 |
X509_1_L=BISHKEK |
5342 | 5342 |
X509_1_ST=NA |
5343 | 5343 |
X509_1_C=KG |
5344 |
+.in -4 |
|
5344 | 5345 |
.ft |
5345 |
-.LP |
|
5346 |
-.RE |
|
5347 | 5346 |
.fi |
5348 | 5347 |
.\"********************************************************* |
5349 | 5348 |
.SH SIGNALS |
... | ... |
@@ -5736,12 +5747,10 @@ OpenVPN's web site is at |
5736 | 5736 |
|
5737 | 5737 |
Go here to download the latest version of OpenVPN, subscribe |
5738 | 5738 |
to the mailing lists, read the mailing list |
5739 |
-archives, or browse the CVS repository. |
|
5739 |
+archives, or browse the SVN repository. |
|
5740 | 5740 |
.\"********************************************************* |
5741 | 5741 |
.SH BUGS |
5742 |
-Report all bugs to the OpenVPN users list <openvpn-users@lists.sourceforge.net>. |
|
5743 |
-To subscribe to the list or see the archives, go to |
|
5744 |
-.I http://openvpn.net/mail.html |
|
5742 |
+Report all bugs to the OpenVPN team <info@openvpn.net>. |
|
5745 | 5743 |
.\"********************************************************* |
5746 | 5744 |
.SH "SEE ALSO" |
5747 | 5745 |
.BR dhcpcd (8), |
... | ... |
@@ -4512,6 +4512,12 @@ add_option (struct options *options, |
4512 | 4512 |
options->server_bridge_pool_start = pool_start; |
4513 | 4513 |
options->server_bridge_pool_end = pool_end; |
4514 | 4514 |
} |
4515 |
+ else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw")) |
|
4516 |
+ { |
|
4517 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4518 |
+ options->server_bridge_proxy_dhcp = true; |
|
4519 |
+ options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY; |
|
4520 |
+ } |
|
4515 | 4521 |
else if (streq (p[0], "server-bridge") && !p[1]) |
4516 | 4522 |
{ |
4517 | 4523 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
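Review bot: The new `server-bridge nogw` branch at new line 4515 never checks that `p[2]` is empty, so a line such as `server-bridge nogw <extra tokens>` is accepted and the trailing tokens are silently ignored. Because nogw decides whether gateway information is pushed to clients, a mistyped directive is better rejected than half-applied. Tightening the test to `else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2])` would do that, assuming the end of the option chain reports unrecognized forms, which is not visible here. The branch also appears to depend on being ordered after the four-argument form, whose condition lies outside the hunk; a one-line comment such as `/* must follow the gateway/netmask/pool form */` would record that. add_option's body starts and ends outside the hunk.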