@@ -320,7 +320,8 @@ helper_client_server (struct options *o)

    * mode server

    * tls-server

    *

-   * push "route-gateway dhcp"

+   * if !nogw:

+   *   push "route-gateway dhcp"

    */

   else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)

     {

@@ -355,7 +356,7 @@ helper_client_server (struct options *o)

 	  o->ifconfig_pool_netmask = o->server_bridge_netmask;

 	  push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);

 	}

-      else if (o->server_bridge_proxy_dhcp)

+      else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY))

 	{

 	  push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);

 	}

@@ -21,25 +21,28 @@

 .\"  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

 .\"

 .\" Manual page for openvpn

+.\

 .\" SH section heading

 .\" SS subsection heading

 .\" LP paragraph

 .\" IP indented paragraph

 .\" TP hanging label

+.\

+.\" .nf -- no formatting

+.\" .fi -- resume formatting

+.\" .ft 3 -- boldface

+.\" .ft -- normal face

+.\" .in +|-{n} -- indent

+.\"

 .TH openvpn 8 "17 November 2008"

 .\"*********************************************************

 .SH NAME

 openvpn \- secure IP tunnel daemon.

 .\"*********************************************************

 .SH SYNOPSIS

-.LP

-.nh

-.in +4

-.ti -4

-.B openvpn [ options ... ]

-.in -4

-.ti +4

-.hy

+.ft 3

+openvpn [ options ... ]

+.ft

 .\"*********************************************************

 .SH INTRODUCTION

 .LP

@@ -128,31 +131,27 @@ Note that OpenVPN 2.0 and higher performs backslash-based shell

 escaping for characters not in single quotations,

 so the following mappings should be observed:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 \\\\       Maps to a single backslash character (\\).

 \\"       Pass a literal doublequote character ("), don't

          interpret it as enclosing a parameter.

 \\[SPACE] Pass a literal space or tab character, don't

          interpret it as a parameter delimiter.

+.in -4

 .ft

-.LP

-.RE

 .fi

 For example on Windows, use double backslashes to

 represent pathnames:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 secret "c:\\\\OpenVPN\\\\secret.key"

+.in -4

 .ft

-.LP

-.RE

 .fi

 For examples of configuration files,

@@ -160,10 +159,10 @@ see

 .I http://openvpn.net/examples.html

 Here is an example configuration file:

-.RS

-.ft 3

+

 .nf

-.sp

+.ft 3

+.in +4

 #

 # Sample OpenVPN configuration file for

 # using a pre-shared static key.

@@ -182,9 +181,8 @@ ifconfig 10.1.0.1 10.1.0.2

 # Our pre-shared static key

 secret static.key

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .SS Tunnel Options:

@@ -291,10 +289,9 @@ list.

 Here is an example of connection profile usage:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 client

 dev tun

@@ -323,9 +320,8 @@ persist-tun

 pkcs12 client.p12

 ns-cert-type server

 verb 3

+.in -4

 .ft

-.LP

-.RE

 .fi

 First we try to connect to a server at 198.19.34.56:1194 using UDP.

@@ -671,12 +667,12 @@ for an example on setting up a TUN device.

 You must use either tun devices on both ends of the connection

 or tap devices on both ends.  You cannot mix them, as they

-represent different underlying protocols.

+represent different underlying network layers.

 .B tun

-devices encapsulate IPv4 or IPv6 while

+devices encapsulate IPv4 or IPv6 (OSI Layer 3) while

 .B tap

-devices encapsulate Ethernet 802.3.

+devices encapsulate Ethernet 802.3 (OSI Layer 2).

 .\"*********************************************************

 .TP

 .B --dev-type device-type

@@ -684,8 +680,10 @@ Which device type are we using?

 .B device-type

 should be

 .B tun

+(OSI Layer 3)

 or

-.B tap.

+.B tap

+(OSI Layer 2).

 Use this option only if the TUN/TAP device used with

 .B --dev

 does not begin with

@@ -1482,10 +1480,9 @@ For example,

 .B --keepalive 10 60

 expands as follows:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

  if mode server:

    ping 10

    ping-restart 120

@@ -1494,9 +1491,8 @@ expands as follows:

  else

    ping 10

    ping-restart 60

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .TP

@@ -2177,15 +2173,13 @@ Next in a

 file, specify the compression setting for the client,

 for example:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 comp-lzo yes

 push "comp-lzo yes"

+.in -4

 .ft

-.LP

-.RE

 .fi

 The first line sets the

@@ -2383,10 +2377,9 @@ For example,

 .B --server 10.8.0.0 255.255.255.0

 expands as follows:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

  mode server

  tls-server

  push "topology [topology]"

@@ -2406,9 +2399,8 @@ expands as follows:

    if !nopool:

      ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0

    push "route-gateway 10.8.0.1"

+.in -4

 .ft

-.LP

-.RE

 .fi

 Don't use

@@ -2418,7 +2410,9 @@ if you are ethernet bridging.  Use

 instead.

 .\"*********************************************************

 .TP

-.B --server-bridge [ gateway netmask pool-start-IP pool-end-IP ]

+.B --server-bridge gateway netmask pool-start-IP pool-end-IP

+.TP

+.B --server-bridge ['nogw']

 A helper directive similar to

 .B --server

@@ -2433,7 +2427,10 @@ address for their TAP adapter from the DHCP server running

 on the OpenVPN server-side LAN.

 Note that only clients that support

 the binding of a DHCP client with the TAP adapter (such as

-Windows) can support this mode.

+Windows) can support this mode.  The optional 

+.B nogw

+flag (advanced) indicates that gateway information should not be

+pushed to the client.

 To configure ethernet bridging, you 

 must first use your OS's bridging capability

@@ -2470,35 +2467,44 @@ For example,

 .B server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254

 expands as follows:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 mode server

 tls-server

 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0

 push "route-gateway 10.8.0.4"

+.in -4

 .ft

-.LP

-.RE

 .fi

 In another example,

 .B --server-bridge

 (without parameters) expands as follows:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

 mode server

 tls-server

 push "route-gateway dhcp"

+.in -4

+.ft

+.fi

+

+Or

+.B --server-bridge nogw

+expands as follows:

+

+.nf

+.ft 3

+.in +4

+mode server

+tls-server

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .TP

@@ -2878,16 +2884,14 @@ is generally a good latency optimization.

 The macro expands as follows:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

  if mode server:

    socket-flags TCP_NODELAY

    push "socket-flags TCP_NODELAY"

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .TP

@@ -3148,15 +3152,13 @@ in it's configuration.

 A helper directive designed to simplify the configuration

 of OpenVPN's client mode.  This directive is equivalent to:

-.RS

-.ft 3

 .nf

-.sp

+.ft 3

+.in +4

  pull

  tls-client

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .TP

@@ -3364,7 +3366,9 @@ OpenVPN, use the

 .B --show-ciphers

 option.

-OpenVPN supports the CBC, CFB, and OFB cipher modes.

+OpenVPN supports the CBC, CFB, and OFB cipher modes,

+however CBC is recommended and CFB and OFB should

+be considered advanced modes.

 Set

 .B alg=none

@@ -3412,7 +3416,7 @@ supported by OpenSSL.

 .\"*********************************************************

 .TP

 .B --no-replay

-Disable OpenVPN's protection against replay attacks.

+(Advanced) Disable OpenVPN's protection against replay attacks.

 Don't use this option unless you are prepared to make

 a tradeoff of greater efficiency in exchange for less

 security.

@@ -3575,7 +3579,7 @@ This option only makes sense when replay protection is enabled

 .\"*********************************************************

 .TP

 .B --no-iv

-Disable OpenVPN's use of IV (cipher initialization vector).

+(Advanced) Disable OpenVPN's use of IV (cipher initialization vector).

 Don't use this option unless you are prepared to make

 a tradeoff of greater efficiency in exchange for less

 security.

@@ -4834,6 +4838,14 @@ strings from untrusted sources to be passed as parameters to scripts,

 saved in the environment, used as a common name, translated to a filename,

 etc.

+.B Q:

+Can string remapping be disabled?

+

+.B A:

+Yes, by using the

+.B --no-name-remapping

+option, however this should be considered an advanced option.

+

 Here is a brief rundown of OpenVPN's current string types and the 

 permitted character class for each string:

@@ -5327,10 +5339,10 @@ OpenVPN server using the sample client certificate

 in sample-keys (client.crt).

 Note that the verification level is 0 for the client certificate

 and 1 for the CA certificate.

-.RS

-.ft 3

+

 .nf

-.sp

+.ft 3

+.in +4

 X509_0_emailAddress=me@myhost.mydomain

 X509_0_CN=Test-Client

 X509_0_O=OpenVPN-TEST

@@ -5341,9 +5353,8 @@ X509_1_O=OpenVPN-TEST

 X509_1_L=BISHKEK

 X509_1_ST=NA

 X509_1_C=KG

+.in -4

 .ft

-.LP

-.RE

 .fi

 .\"*********************************************************

 .SH SIGNALS

@@ -5736,12 +5747,10 @@ OpenVPN's web site is at

 Go here to download the latest version of OpenVPN, subscribe

 to the mailing lists, read the mailing list

-archives, or browse the CVS repository.

+archives, or browse the SVN repository.

 .\"*********************************************************

 .SH BUGS

-Report all bugs to the OpenVPN users list <openvpn-users@lists.sourceforge.net>.

-To subscribe to the list or see the archives, go to

-.I http://openvpn.net/mail.html

+Report all bugs to the OpenVPN team <info@openvpn.net>.

 .\"*********************************************************

 .SH "SEE ALSO"

 .BR dhcpcd (8),

@@ -4512,6 +4512,12 @@ add_option (struct options *options,

       options->server_bridge_pool_start = pool_start;

       options->server_bridge_pool_end = pool_end;

     }

+  else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))

+    {

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->server_bridge_proxy_dhcp = true;

+      options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;

+    }

   else if (streq (p[0], "server-bridge") && !p[1])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

@@ -347,6 +347,7 @@ struct options

 # define SF_NOPOOL (1<<0)

 # define SF_TCP_NODELAY_HELPER (1<<1)

+# define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)

   unsigned int server_flags;

   bool server_bridge_proxy_dhcp;

@@ -1,5 +1,5 @@

 dnl define the OpenVPN version

-define(PRODUCT_VERSION,[2.1_rc15])

+define(PRODUCT_VERSION,[2.1_rc15a])

 dnl define the TAP version

 define(PRODUCT_TAP_ID,[tap0901])

 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])