
The man page needs dash escaping in UTF-8 environments

There was a Debian bug report which was filed in 2005. It was patched but
it seems that nobody forwarded the patch to the OpenVPN project itself.

The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with UTF-8.

Since the bug report was closed it was patched within the Debian/Ubuntu
packages themselves. I've attached the patch to get it at least reviewed by the
OpenVPN project itself.

See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.

sf.net tracker:
<https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Tested-by: Pavel Shramov <shramov@mexmat.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>

Jan Brinkmann authored on 2010/03/01 07:29:29
Showing 1 changed files
... ...
@@ -97,25 +97,25 @@ with a relatively lightweight footprint.
97 97
 .SH OPTIONS
98 98
 OpenVPN allows any option to be placed either on the command line
99 99
 or in a configuration file.  Though all command line options are preceded
100
-by a double-leading-dash ("--"), this prefix can be removed when
100
+by a double-leading-dash ("\-\-"), this prefix can be removed when
101 101
 an option is placed in a configuration file.
102 102
 .\"*********************************************************
103 103
 .TP
104
-.B --help
104
+.B \-\-help
105 105
 Show options.
106 106
 .\"*********************************************************
107 107
 .TP
108
-.B --config file
108
+.B \-\-config file
109 109
 Load additional config options from
110 110
 .B file
111 111
 where each line corresponds to one command line option,
112
-but with the leading '--' removed.
112
+but with the leading '\-\-' removed.
113 113
 
114 114
 If
115
-.B --config file
115
+.B \-\-config file
116 116
 is the only option to the openvpn command,
117 117
 the
118
-.B --config
118
+.B \-\-config
119 119
 can be removed, and the command can be given as
120 120
 .B openvpn file
121 121
 
... ...
@@ -187,25 +187,25 @@ secret static.key
187 187
 .\"*********************************************************
188 188
 .SS Tunnel Options:
189 189
 .TP
190
-.B --mode m
190
+.B \-\-mode m
191 191
 Set OpenVPN major mode.  By default, OpenVPN runs in
192 192
 point-to-point mode ("p2p").  OpenVPN 2.0 introduces
193 193
 a new mode ("server") which implements a multi-client
194 194
 server capability.
195 195
 .\"*********************************************************
196 196
 .TP
197
-.B --local host
197
+.B \-\-local host
198 198
 Local host name or IP address for bind.
199 199
 If specified, OpenVPN will bind to this address only.
200 200
 If unspecified, OpenVPN will bind to all interfaces.
201 201
 .\"*********************************************************
202 202
 .TP
203
-.B --remote host [port] [proto]
203
+.B \-\-remote host [port] [proto]
204 204
 Remote host name or IP address.  On the client, multiple
205
-.B --remote
205
+.B \-\-remote
206 206
 options may be specified for redundancy, each referring
207 207
 to a different OpenVPN server.  Specifying multiple
208
-.B --remote
208
+.B \-\-remote
209 209
 options for this purpose is a special case of the more
210 210
 general connection-profile feature.  See the
211 211
 .B <connection>
... ...
@@ -214,7 +214,7 @@ documentation below.
214 214
 The OpenVPN client will try to connect to a server at
215 215
 .B host:port
216 216
 in the order specified by the list of
217
-.B --remote
217
+.B \-\-remote
218 218
 options.
219 219
 
220 220
 .B proto
... ...
@@ -229,18 +229,18 @@ one server.
229 229
 
230 230
 Note that since UDP is connectionless, connection failure
231 231
 is defined by the
232
-.B --ping
232
+.B \-\-ping
233 233
 and
234
-.B --ping-restart
234
+.B \-\-ping-restart
235 235
 options.
236 236
 
237 237
 Note the following corner case:  If you use multiple
238
-.B --remote
238
+.B \-\-remote
239 239
 options, AND you are dropping root privileges on
240 240
 the client with
241
-.B --user
241
+.B \-\-user
242 242
 and/or
243
-.B --group,
243
+.B \-\-group,
244 244
 AND the client is running a non-Windows OS, if the client needs
245 245
 to switch to a different server, and that server pushes
246 246
 back different TUN/TAP or route settings, the client may lack
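Review bot: `.B \-\-ping-restart` escapes only the two leading dashes; the hyphen inside the option name is still a bare `-`, which a UTF-8 output device may typeset as a typographic hyphen, so the option as a whole is still not safe to copy into a shell or to search for in a pager. The same pattern shows up in the other multi-word option names touched by this patch. Suggest escaping every hyphen that is part of literal input, for example `.B \-\-ping\-restart`, so the fix covers the full option string and not just its prefix.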
... ...
@@ -248,7 +248,7 @@ the necessary privileges to close and reopen the TUN/TAP interface.
248 248
 This could cause the client to exit with a fatal error.
249 249
 
250 250
 If
251
-.B --remote
251
+.B \-\-remote
252 252
 is unspecified, OpenVPN will listen
253 253
 for packets from any IP address, but will not act on those packets unless
254 254
 they pass all authentication tests.  This requirement for authentication
... ...
@@ -257,7 +257,7 @@ trusted IP addresses (it is very easy to forge a source IP address on
257 257
 a UDP packet).
258 258
 
259 259
 When used in TCP mode, 
260
-.B --remote
260
+.B \-\-remote
261 261
 will act as a filter, rejecting connections from any host which does
262 262
 not match
263 263
 .B host.
... ...
@@ -283,7 +283,7 @@ and
283 283
 An OpenVPN client will try each connection profile sequentially
284 284
 until it achieves a successful connection.  
285 285
 
286
-.B --remote-random
286
+.B \-\-remote-random
287 287
 can be used to initially "scramble" the connection
288 288
 list.
289 289
 
... ...
@@ -387,15 +387,15 @@ only consider profiles using protocol
387 387
 ('tcp'|'udp'). 
388 388
 .\"*********************************************************
389 389
 .TP
390
-.B --remote-random
390
+.B \-\-remote-random
391 391
 When multiple
392
-.B --remote
392
+.B \-\-remote
393 393
 address/ports are specified, or if connection profiles are being
394 394
 used, initially randomize the order of the list
395 395
 as a kind of basic load-balancing measure.
396 396
 .\"*********************************************************
397 397
 .TP
398
-.B --proto p
398
+.B \-\-proto p
399 399
 Use protocol
400 400
 .B p
401 401
 for communicating with remote host.
... ...
@@ -409,17 +409,17 @@ or
409 409
 The default protocol is
410 410
 .B udp
411 411
 when
412
-.B --proto
412
+.B \-\-proto
413 413
 is not specified.
414 414
 
415 415
 For UDP operation,
416
-.B --proto udp
416
+.B \-\-proto udp
417 417
 should be specified on both peers.
418 418
 
419 419
 For TCP operation, one peer must use
420
-.B --proto tcp-server
420
+.B \-\-proto tcp-server
421 421
 and the other must use
422
-.B --proto tcp-client.
422
+.B \-\-proto tcp-client.
423 423
 A peer started with
424 424
 .B tcp-server
425 425
 will wait indefinitely for an incoming connection.  A peer
... ...
@@ -427,9 +427,9 @@ started with
427 427
 .B tcp-client
428 428
 will attempt to connect, and if that fails, will sleep for 5
429 429
 seconds (adjustable via the
430
-.B --connect-retry
430
+.B \-\-connect-retry
431 431
 option) and try again infinite or up to N retries (adjustable via the
432
-.B --connect-retry-max
432
+.B \-\-connect-retry-max
433 433
 option).  Both TCP client and server will simulate
434 434
 a SIGUSR1 restart signal if either side resets the connection.
435 435
 
... ...
@@ -449,9 +449,9 @@ application-level UDP protocols, or tunneling protocols which don't
449 449
 possess a built-in reliability layer.
450 450
 .\"*********************************************************
451 451
 .TP
452
-.B --connect-retry n
452
+.B \-\-connect-retry n
453 453
 For
454
-.B --proto tcp-client,
454
+.B \-\-proto tcp-client,
455 455
 take
456 456
 .B n
457 457
 as the
... ...
@@ -459,16 +459,16 @@ number of seconds to wait
459 459
 between connection retries (default=5).
460 460
 .\"*********************************************************
461 461
 .TP
462
-.B --connect-retry-max n
462
+.B \-\-connect-retry-max n
463 463
 For
464
-.B --proto tcp-client,
464
+.B \-\-proto tcp-client,
465 465
 take
466 466
 .B n
467 467
 as the
468 468
 number of retries of connection attempt (default=infinite).
469 469
 .\"*********************************************************
470 470
 .TP
471
-.B --auto-proxy
471
+.B \-\-auto-proxy
472 472
 Try to sense HTTP or SOCKS proxy settings automatically.
473 473
 If no settings are present, a direct connection will be attempted.
474 474
 If both HTTP and SOCKS settings are present, HTTP will be preferred.
... ...
@@ -480,7 +480,7 @@ InternetQueryOption API.
480 480
 This option exists in OpenVPN 2.1 or higher.
481 481
 .\"*********************************************************
482 482
 .TP
483
-.B --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
483
+.B \-\-http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
484 484
 Connect to remote host through an HTTP proxy at address
485 485
 .B server
486 486
 and port
... ...
@@ -515,32 +515,32 @@ determine the authentication method, but to reject weak
515 515
 authentication protocols such as HTTP Basic Authentication.
516 516
 .\"*********************************************************
517 517
 .TP
518
-.B --http-proxy-retry
518
+.B \-\-http-proxy-retry
519 519
 Retry indefinitely on HTTP proxy errors.  If an HTTP proxy error
520 520
 occurs, simulate a SIGUSR1 reset.
521 521
 .\"*********************************************************
522 522
 .TP
523
-.B --http-proxy-timeout n
523
+.B \-\-http-proxy-timeout n
524 524
 Set proxy timeout to
525 525
 .B n
526 526
 seconds, default=5.
527 527
 .\"*********************************************************
528 528
 .TP
529
-.B --http-proxy-option type [parm]
529
+.B \-\-http-proxy-option type [parm]
530 530
 Set extended HTTP proxy options.
531 531
 Repeat to set multiple options.
532 532
 
533
-.B VERSION version --
533
+.B VERSION version \-\-
534 534
 Set HTTP version number to
535 535
 .B version
536 536
 (default=1.0).
537 537
 
538
-.B AGENT user-agent --
538
+.B AGENT user-agent \-\-
539 539
 Set HTTP "User-Agent" string to
540 540
 .B user-agent.
541 541
 .\"*********************************************************
542 542
 .TP
543
-.B --socks-proxy server [port]
543
+.B \-\-socks-proxy server [port]
544 544
 Connect to remote host through a Socks5 proxy at address
545 545
 .B server
546 546
 and port
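Review bot: in `.B VERSION version \-\-` and `.B AGENT user-agent \-\-` the double dash is punctuation between the keyword and its description, not an option prefix the reader types, so it does not need the literal-hyphen treatment this patch is about. Suggest either leaving these two lines out of the mechanical replacement or moving the separator out of the `.B` argument and writing it as a real dash (`\(em`), so that an escaped `\-\-` in this page consistently means "type these two characters".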
... ...
@@ -548,14 +548,14 @@ and port
548 548
 (default=1080).
549 549
 .\"*********************************************************
550 550
 .TP
551
-.B --socks-proxy-retry
551
+.B \-\-socks-proxy-retry
552 552
 Retry indefinitely on Socks proxy errors.  If a Socks proxy error
553 553
 occurs, simulate a SIGUSR1 reset.
554 554
 .\"*********************************************************
555 555
 .TP
556
-.B --resolv-retry n
556
+.B \-\-resolv-retry n
557 557
 If hostname resolve fails for
558
-.B --remote,
558
+.B \-\-remote,
559 559
 retry resolve for
560 560
 .B n
561 561
 seconds before failing.
... ...
@@ -565,18 +565,18 @@ Set
565 565
 to "infinite" to retry indefinitely.
566 566
 
567 567
 By default,
568
-.B --resolv-retry infinite
568
+.B \-\-resolv-retry infinite
569 569
 is enabled.  You can disable by setting n=0.
570 570
 .\"*********************************************************
571 571
 .TP
572
-.B --float
572
+.B \-\-float
573 573
 Allow remote peer to change its IP address and/or port number, such as due to
574 574
 DHCP (this is the default if
575
-.B --remote
575
+.B \-\-remote
576 576
 is not used).
577
-.B --float
577
+.B \-\-float
578 578
 when specified with
579
-.B --remote
579
+.B \-\-remote
580 580
 allows an OpenVPN session to initially connect to a peer
581 581
 at a known address, however if packets arrive from a new
582 582
 address and pass all authentication tests, the new address
... ...
@@ -585,14 +585,14 @@ you are connecting to a peer which holds a dynamic address
585 585
 such as a dial-in user or DHCP client.
586 586
 
587 587
 Essentially,
588
-.B --float
588
+.B \-\-float
589 589
 tells OpenVPN to accept authenticated packets
590 590
 from any address, not only the address which was specified in the
591
-.B --remote
591
+.B \-\-remote
592 592
 option.
593 593
 .\"*********************************************************
594 594
 .TP
595
-.B --ipchange cmd
595
+.B \-\-ipchange cmd
596 596
 Execute shell command
597 597
 .B cmd
598 598
 when our remote ip-address is initially authenticated or
... ...
@@ -603,11 +603,11 @@ Execute as:
603 603
 .B cmd ip_address port_number
604 604
 
605 605
 Don't use
606
-.B --ipchange
606
+.B \-\-ipchange
607 607
 in
608
-.B --mode server
608
+.B \-\-mode server
609 609
 mode.  Use a
610
-.B --client-connect
610
+.B \-\-client-connect
611 611
 script instead.
612 612
 
613 613
 See the "Environmental Variables" section below for
... ...
@@ -642,41 +642,41 @@ reestablish a connection with its most recently authenticated
642 642
 peer on its new IP address.
643 643
 .\"*********************************************************
644 644
 .TP
645
-.B --port port
645
+.B \-\-port port
646 646
 TCP/UDP port number for both local and remote.  The current
647 647
 default of 1194 represents the official IANA port number
648 648
 assignment for OpenVPN and has been used since version 2.0-beta17.
649 649
 Previous versions used port 5000 as the default.
650 650
 .\"*********************************************************
651 651
 .TP
652
-.B --lport port
652
+.B \-\-lport port
653 653
 TCP/UDP port number for bind.
654 654
 .\"*********************************************************
655 655
 .TP
656
-.B --rport port
656
+.B \-\-rport port
657 657
 TCP/UDP port number for remote.
658 658
 .\"*********************************************************
659 659
 .TP
660
-.B --bind
660
+.B \-\-bind
661 661
 Bind to local address and port. This is the default unless any of 
662
-.B --proto tcp-client
662
+.B \-\-proto tcp-client
663 663
 ,
664
-.B --http-proxy
664
+.B \-\-http-proxy
665 665
 or
666
-.B --socks-proxy
666
+.B \-\-socks-proxy
667 667
 are used.
668 668
 .\"*********************************************************
669 669
 .TP
670
-.B --nobind
670
+.B \-\-nobind
671 671
 Do not bind to local address and port.  The IP stack will allocate
672 672
 a dynamic port for returning packets.  Since the value of the dynamic port
673 673
 could not be known in advance by a peer, this option is only suitable for
674 674
 peers which will be initiating connections by using the
675
-.B --remote
675
+.B \-\-remote
676 676
 option.
677 677
 .\"*********************************************************
678 678
 .TP
679
-.B --dev tunX | tapX | null
679
+.B \-\-dev tunX | tapX | null
680 680
 TUN/TAP virtual network device (
681 681
 .B X
682 682
 can be omitted for a dynamic device.)
... ...
@@ -694,7 +694,7 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while
694 694
 devices encapsulate Ethernet 802.3 (OSI Layer 2).
695 695
 .\"*********************************************************
696 696
 .TP
697
-.B --dev-type device-type
697
+.B \-\-dev-type device-type
698 698
 Which device type are we using?
699 699
 .B device-type
700 700
 should be
... ...
@@ -704,60 +704,60 @@ or
704 704
 .B tap
705 705
 (OSI Layer 2).
706 706
 Use this option only if the TUN/TAP device used with
707
-.B --dev
707
+.B \-\-dev
708 708
 does not begin with
709 709
 .B tun
710 710
 or
711 711
 .B tap.
712 712
 .\"*********************************************************
713 713
 .TP
714
-.B --topology mode
714
+.B \-\-topology mode
715 715
 Configure virtual addressing topology when running in
716
-.B --dev tun
716
+.B \-\-dev tun
717 717
 mode.  This directive has no meaning in
718
-.B --dev tap
718
+.B \-\-dev tap
719 719
 mode, which always uses a
720 720
 .B subnet
721 721
 topology.
722 722
 
723 723
 If you set this directive on the server, the
724
-.B --server
724
+.B \-\-server
725 725
 and
726
-.B --server-bridge
726
+.B \-\-server-bridge
727 727
 directives will automatically push your chosen topology setting to clients
728 728
 as well.  This directive can also be manually pushed to clients.  Like the
729
-.B --dev
729
+.B \-\-dev
730 730
 directive, this directive must always be compatible between client and server.
731 731
 
732 732
 .B mode
733 733
 can be one of:
734 734
 
735
-.B net30 --
735
+.B net30 \-\-
736 736
 Use a point-to-point topology, by allocating one /30 subnet per client.
737 737
 This is designed to allow point-to-point semantics when some
738 738
 or all of the connecting clients might be Windows systems.  This is the
739 739
 default on OpenVPN 2.0.
740 740
 
741
-.B p2p --
741
+.B p2p \-\-
742 742
 Use a point-to-point topology where the remote endpoint of the client's
743 743
 tun interface always points to the local endpoint of the server's tun interface.
744 744
 This mode allocates a single IP address per connecting client.
745 745
 Only use
746 746
 when none of the connecting clients are Windows systems.  This mode
747 747
 is functionally equivalent to the
748
-.B --ifconfig-pool-linear
748
+.B \-\-ifconfig-pool-linear
749 749
 directive which is available in OpenVPN 2.0 and is now deprecated.
750 750
 
751
-.B subnet --
751
+.B subnet \-\-
752 752
 Use a subnet rather than a point-to-point topology by
753 753
 configuring the tun interface with a local IP address and subnet mask,
754 754
 similar to the topology used in
755
-.B --dev tap
755
+.B \-\-dev tap
756 756
 and ethernet bridging mode.
757 757
 This mode allocates a single IP address per connecting client and works on
758 758
 Windows as well.  Only available when server and clients are OpenVPN 2.1 or
759 759
 higher, or OpenVPN 2.0.x which has been manually patched with the
760
-.B --topology
760
+.B \-\-topology
761 761
 directive code.  When used on Windows, requires version 8.2 or higher
762 762
 of the TAP-Win32 driver.  When used on *nix, requires that the tun
763 763
 driver supports an
... ...
@@ -767,26 +767,26 @@ command which sets a subnet instead of a remote endpoint IP address.
767 767
 This option exists in OpenVPN 2.1 or higher.
768 768
 .\"*********************************************************
769 769
 .TP
770
-.B --tun-ipv6
770
+.B \-\-tun-ipv6
771 771
 Build a tun link capable of forwarding IPv6 traffic.
772 772
 Should be used in conjunction with
773
-.B --dev tun
773
+.B \-\-dev tun
774 774
 or
775
-.B --dev tunX.
775
+.B \-\-dev tunX.
776 776
 A warning will be displayed
777 777
 if no specific IPv6 TUN support for your OS has been compiled into OpenVPN.
778 778
 .\"*********************************************************
779 779
 .TP
780
-.B --dev-node node
780
+.B \-\-dev-node node
781 781
 Explicitly set the device node rather than using
782 782
 /dev/net/tun, /dev/tun, /dev/tap, etc.  If OpenVPN
783 783
 cannot figure out whether
784 784
 .B node
785 785
 is a TUN or TAP device based on the name, you should
786 786
 also specify
787
-.B --dev-type tun
787
+.B \-\-dev-type tun
788 788
 or
789
-.B --dev-type tap.
789
+.B \-\-dev-type tap.
790 790
 
791 791
 On Windows systems, select the TAP-Win32 adapter which
792 792
 is named
... ...
@@ -794,24 +794,24 @@ is named
794 794
 in the Network Connections Control Panel or the
795 795
 raw GUID of the adapter enclosed by braces.
796 796
 The
797
-.B --show-adapters
797
+.B \-\-show-adapters
798 798
 option under Windows can also be used
799 799
 to enumerate all available TAP-Win32
800 800
 adapters and will show both the network
801 801
 connections control panel name and the GUID for
802 802
 each TAP-Win32 adapter.
803 803
 .TP
804
-.B --lladdr address
804
+.B \-\-lladdr address
805 805
 Specify the link layer address, more commonly known as the MAC address.
806 806
 Only applied to TAP devices.
807 807
 .\"*********************************************************
808 808
 .TP
809
-.B --iproute cmd
809
+.B \-\-iproute cmd
810 810
 Set alternate command to execute instead of default iproute2 command.
811 811
 May be used in order to execute OpenVPN in unprivileged environment.
812 812
 .\"*********************************************************
813 813
 .TP
814
-.B --ifconfig l rn
814
+.B \-\-ifconfig l rn
815 815
 Set TUN/TAP adapter parameters. 
816 816
 .B l
817 817
 is the IP address of the local VPN endpoint.
... ...
@@ -826,7 +826,7 @@ which is being created or connected to.
826 826
 For TUN devices, which facilitate virtual
827 827
 point-to-point IP connections,
828 828
 the proper usage of
829
-.B --ifconfig
829
+.B \-\-ifconfig
830 830
 is to use two private IP addresses
831 831
 which are not a member of any
832 832
 existing subnet which is in use.
... ...
@@ -840,7 +840,7 @@ you will be pinging across the VPN.
840 840
 For TAP devices, which provide
841 841
 the ability to create virtual
842 842
 ethernet segments,
843
-.B --ifconfig
843
+.B \-\-ifconfig
844 844
 is used to set an IP address and
845 845
 subnet mask just as a physical
846 846
 ethernet adapter would be
... ...
@@ -861,42 +861,42 @@ standard interface to the different
861 861
 ifconfig implementations on different
862 862
 platforms.
863 863
 
864
-.B --ifconfig
864
+.B \-\-ifconfig
865 865
 parameters which are IP addresses can
866 866
 also be specified as a DNS or /etc/hosts
867 867
 file resolvable name.
868 868
 
869 869
 For TAP devices,
870
-.B --ifconfig
870
+.B \-\-ifconfig
871 871
 should not be used if the TAP interface will be
872 872
 getting an IP address lease from a DHCP
873 873
 server.
874 874
 .\"*********************************************************
875 875
 .TP
876
-.B --ifconfig-noexec
876
+.B \-\-ifconfig-noexec
877 877
 Don't actually execute ifconfig/netsh commands, instead
878 878
 pass
879
-.B --ifconfig
879
+.B \-\-ifconfig
880 880
 parameters to scripts using environmental variables.
881 881
 .\"*********************************************************
882 882
 .TP
883
-.B --ifconfig-nowarn
883
+.B \-\-ifconfig-nowarn
884 884
 Don't output an options consistency check warning
885 885
 if the
886
-.B --ifconfig
886
+.B \-\-ifconfig
887 887
 option on this side of the
888 888
 connection doesn't match the remote side.  This is useful
889 889
 when you want to retain the overall benefits of the
890 890
 options consistency check (also see
891
-.B --disable-occ
891
+.B \-\-disable-occ
892 892
 option) while only disabling the ifconfig component of
893 893
 the check.
894 894
 
895 895
 For example,
896 896
 if you have a configuration where the local host uses
897
-.B --ifconfig
897
+.B \-\-ifconfig
898 898
 but the remote host does not, use
899
-.B --ifconfig-nowarn
899
+.B \-\-ifconfig-nowarn
900 900
 on the local host.
901 901
 
902 902
 This option will also silence warnings about potential
... ...
@@ -904,7 +904,7 @@ address conflicts which occasionally annoy more experienced
904 904
 users by triggering "false positive" warnings.
905 905
 .\"*********************************************************
906 906
 .TP
907
-.B --route network/IP [netmask] [gateway] [metric]
907
+.B \-\-route network/IP [netmask] [gateway] [metric]
908 908
 Add route to routing table after connection is established.
909 909
 Multiple routes can be specified.  Routes will be
910 910
 automatically torn down in reverse order prior to
... ...
@@ -918,20 +918,20 @@ while at the same time providing portable semantics
918 918
 across OpenVPN's platform space.
919 919
 
920 920
 .B netmask
921
-default -- 255.255.255.255
921
+default \-\- 255.255.255.255
922 922
 
923 923
 .B gateway
924
-default -- taken from
925
-.B --route-gateway
924
+default \-\- taken from
925
+.B \-\-route-gateway
926 926
 or the second parameter to
927
-.B --ifconfig
927
+.B \-\-ifconfig
928 928
 when
929
-.B --dev tun
929
+.B \-\-dev tun
930 930
 is specified.
931 931
 
932 932
 .B metric
933
-default -- taken from
934
-.B --route-metric
933
+default \-\- taken from
934
+.B \-\-route-metric
935 935
 otherwise 0.
936 936
 
937 937
 The default can be specified by leaving an option blank or setting
... ...
@@ -946,37 +946,37 @@ also be specified as a DNS or /etc/hosts
946 946
 file resolvable name, or as one of three special keywords:
947 947
 
948 948
 .B vpn_gateway
949
+\-\- The remote VPN endpoint address
949 950
 (derived either from
950
-.B --route-gateway
951
+.B \-\-route-gateway
951 952
 or the second parameter to
952
-.B --ifconfig
953
+.B \-\-ifconfig
953 954
 when
954
-.B --dev tun
955
+.B \-\-dev tun
955 956
 is specified).
956 957
 
957 958
 .B net_gateway
959
+\-\- The pre-existing IP default gateway, read from the routing
958 960
 table (not supported on all OSes).
959 961
 
960 962
 .B remote_host
961
-.B --remote
963
+\-\- The
964
+.B \-\-remote
962 965
 address if OpenVPN is being run in client mode, and is undefined in server mode.
963 966
 .\"*********************************************************
964 967
 .TP
965
-.B --max-routes n
968
+.B \-\-max-routes n
966 969
 Allow a maximum number of n
967
-.B --route
970
+.B \-\-route
968 971
 options to be specified, either in the local configuration file,
969 972
 or pulled from an OpenVPN server.  By default, n=100.
970 973
 .\"*********************************************************
971 974
 .TP
972
-.B --route-gateway gw|'dhcp'
975
+.B \-\-route-gateway gw|'dhcp'
973 976
 Specify a default gateway
974 977
 .B gw
975 978
 for use with
976
-.B --route.
979
+.B \-\-route.
977 980
 
978 981
 If
979 982
 .B dhcp
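Review bot: the lines `+\-\- The remote VPN endpoint address`, `+\-\- The pre-existing IP default gateway, read from the routing` and `+\-\- The` have no matching removed line in this hunk, and by the end of the hunk the old-side numbering is three lines behind the new side (979 against 982) even though the header reads `-946,37 +946,37`. As displayed, this hunk adds text to the keyword descriptions instead of only escaping dashes, which is not what the commit message describes. A removed line that itself starts with `--` is written `---` in a unified diff and can be dropped by a diff viewer, so please check the raw patch and confirm that the old file already carried these lines with unescaped dashes before this is merged as a pure escaping change.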
... ...
@@ -985,14 +985,14 @@ the gateway address will be extracted from a DHCP
985 985
 negotiation with the OpenVPN server-side LAN.
986 986
 .\"*********************************************************
987 987
 .TP
988
-.B --route-metric m
988
+.B \-\-route-metric m
989 989
 Specify a default metric
990 990
 .B m
991 991
 for use with
992
-.B --route.
992
+.B \-\-route.
993 993
 .\"*********************************************************
994 994
 .TP
995
-.B --route-delay [n] [w]
995
+.B \-\-route-delay [n] [w]
996 996
 Delay
997 997
 .B n
998 998
 seconds (default=0) after connection
... ...
@@ -1000,16 +1000,16 @@ establishment, before adding routes. If
1000 1000
 .B n
1001 1001
 is 0, routes will be added immediately upon connection
1002 1002
 establishment.  If
1003
-.B --route-delay
1003
+.B \-\-route-delay
1004 1004
 is omitted, routes will be added immediately after TUN/TAP device
1005 1005
 open and
1006
-.B --up
1006
+.B \-\-up
1007 1007
 script execution, before any
1008
-.B --user
1008
+.B \-\-user
1009 1009
 or 
1010
-.B --group
1010
+.B \-\-group
1011 1011
 privilege downgrade (or
1012
-.B --chroot
1012
+.B \-\-chroot
1013 1013
 execution.)
1014 1014
 
1015 1015
 This option is designed to be useful in scenarios where DHCP is
... ...
@@ -1018,18 +1018,18 @@ tap adapter addresses.  The delay will give the DHCP handshake
1018 1018
 time to complete before routes are added.
1019 1019
 
1020 1020
 On Windows,
1021
-.B --route-delay
1021
+.B \-\-route-delay
1022 1022
 tries to be more intelligent by waiting
1023 1023
 .B w
1024 1024
 seconds (w=30 by default)
1025 1025
 for the TAP-Win32 adapter to come up before adding routes.
1026 1026
 .\"*********************************************************
1027 1027
 .TP
1028
-.B --route-up cmd
1028
+.B \-\-route-up cmd
1029 1029
 Execute shell command
1030 1030
 .B cmd
1031 1031
 after routes are added, subject to
1032
-.B --route-delay.
1032
+.B \-\-route-delay.
1033 1033
 
1034 1034
 See the "Environmental Variables" section below for
1035 1035
 additional parameters passed as environmental variables.
... ...
@@ -1039,17 +1039,17 @@ Note that
1039 1039
 can be a shell command with multiple arguments.
1040 1040
 .\"*********************************************************
1041 1041
 .TP
1042
-.B --route-noexec
1042
+.B \-\-route-noexec
1043 1043
 Don't add or remove routes automatically.  Instead pass routes to
1044
-.B --route-up
1044
+.B \-\-route-up
1045 1045
 script using environmental variables.
1046 1046
 .\"*********************************************************
1047 1047
 .TP
1048
-.B --route-nopull
1048
+.B \-\-route-nopull
1049 1049
 When used with
1050
-.B --client
1050
+.B \-\-client
1051 1051
 or
1052
-.B --pull,
1052
+.B \-\-pull,
1053 1053
 accept options pushed by server EXCEPT for routes.
1054 1054
 
1055 1055
 When used on the client, this option effectively bars the
... ...
@@ -1058,16 +1058,16 @@ however note that this option still allows the server
1058 1058
 to set the TCP/IP properties of the client's TUN/TAP interface.
1059 1059
 .\"*********************************************************
1060 1060
 .TP
1061
-.B --allow-pull-fqdn
1061
+.B \-\-allow-pull-fqdn
1062 1062
 Allow client to pull DNS names from server (rather than being limited
1063 1063
 to IP address) for
1064
-.B --ifconfig,
1065
-.B --route,
1064
+.B \-\-ifconfig,
1065
+.B \-\-route,
1066 1066
 and
1067
-.B --route-gateway.
1067
+.B \-\-route-gateway.
1068 1068
 .\"*********************************************************
1069 1069
 .TP
1070
-.B --redirect-gateway flags...
1070
+.B \-\-redirect-gateway flags...
1071 1071
 (Experimental) Automatically execute routing commands to cause all outgoing IP traffic
1072 1072
 to be redirected over the VPN.
1073 1073
 
... ...
@@ -1075,7 +1075,7 @@ This option performs three steps:
1075 1075
 
1076 1076
 .B (1)
1077 1077
 Create a static route for the
1078
-.B --remote
1078
+.B \-\-remote
1079 1079
 address which forwards to the pre-existing default gateway.
1080 1080
 This is done so that
1081 1081
 .B (3)
... ...
@@ -1086,11 +1086,11 @@ Delete the default gateway route.
1086 1086
 
1087 1087
 .B (3)
1088 1088
 Set the new default gateway to be the VPN endpoint address (derived either from
1089
-.B --route-gateway
1089
+.B \-\-route-gateway
1090 1090
 or the second parameter to
1091
-.B --ifconfig
1091
+.B \-\-ifconfig
1092 1092
 when
1093
-.B --dev tun
1093
+.B \-\-dev tun
1094 1094
 is specified).
1095 1095
 
1096 1096
 When the tunnel is torn down, all of the above steps are reversed so
... ...
@@ -1098,7 +1098,7 @@ that the original default route is restored.
1098 1098
 
1099 1099
 Option flags:
1100 1100
 
1101
-.B local --
1101
+.B local \-\-
1102 1102
 Add the
1103 1103
 .B local
1104 1104
 flag if both OpenVPN servers are directly connected via a common subnet,
... ...
@@ -1108,19 +1108,19 @@ flag will cause step
1108 1108
 .B 1
1109 1109
 above to be omitted.
1110 1110
 
1111
-.B def1 --
1111
+.B def1 \-\-
1112 1112
 Use this flag to override
1113 1113
 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1114 1114
 rather than 0.0.0.0/0.  This has the benefit of overriding
1115 1115
 but not wiping out the original default gateway. 
1116 1116
 
1117
-.B bypass-dhcp --
1117
+.B bypass-dhcp \-\-
1118 1118
 Add a direct route to the DHCP server (if it is non-local) which
1119 1119
 bypasses the tunnel
1120 1120
 (Available on Windows clients, may not be available
1121 1121
 on non-Windows clients).
1122 1122
 
1123
-.B bypass-dns --
1123
+.B bypass-dns \-\-
1124 1124
 Add a direct route to the DNS server(s) (if they are non-local) which
1125 1125
 bypasses the tunnel
1126 1126
 (Available on Windows clients, may not be available
... ...
@@ -1129,13 +1129,13 @@ on non-Windows clients).
1129 1129
 Using the def1 flag is highly recommended.
1130 1130
 .\"*********************************************************
1131 1131
 .TP
1132
-.B --link-mtu n
1132
+.B \-\-link-mtu n
1133 1133
 Sets an upper bound on the size of UDP packets which are sent
1134 1134
 between OpenVPN peers.  It's best not to set this parameter unless
1135 1135
 you know what you're doing.
1136 1136
 .\"*********************************************************
1137 1137
 .TP
1138
-.B --tun-mtu n
1138
+.B \-\-tun-mtu n
1139 1139
 Take the TUN device MTU to be
1140 1140
 .B n
1141 1141
 and derive the link MTU
... ...
@@ -1151,17 +1151,17 @@ MTU problems often manifest themselves as connections which
1151 1151
 hang during periods of active usage.
1152 1152
 
1153 1153
 It's best to use the
1154
-.B --fragment
1154
+.B \-\-fragment
1155 1155
 and/or
1156
-.B --mssfix
1156
+.B \-\-mssfix
1157 1157
 options to deal with MTU sizing issues.
1158 1158
 .\"*********************************************************
1159 1159
 .TP
1160
-.B --tun-mtu-extra n
1160
+.B \-\-tun-mtu-extra n
1161 1161
 Assume that the TUN/TAP device might return as many as
1162 1162
 .B n
1163 1163
 bytes more than the
1164
-.B --tun-mtu
1164
+.B \-\-tun-mtu
1165 1165
 size on read.  This parameter defaults to 0, which is sufficient for
1166 1166
 most TUN devices.  TAP devices may introduce additional overhead in excess
1167 1167
 of the MTU size, and a setting of 32 is the default when TAP devices are used.
... ...
@@ -1169,34 +1169,34 @@ This parameter only controls internal OpenVPN buffer sizing,
1169 1169
 so there is no transmission overhead associated with using a larger value.
1170 1170
 .\"*********************************************************
1171 1171
 .TP
1172
-.B --mtu-disc type
1172
+.B \-\-mtu-disc type
1173 1173
 Should we do Path MTU discovery on TCP/UDP channel?  Only supported on OSes such
1174 1174
 as Linux that supports the necessary system call to set.
1175 1175
 
1176 1176
 .B 'no'
1177
+\-\- Never send DF (Don't Fragment) frames
1177 1178
 .br
1178 1179
 .B 'maybe'
1180
+\-\- Use per-route hints
1179 1181
 .br
1180 1182
 .B 'yes'
1183
+\-\- Always DF (Don't Fragment)
1181 1184
 .br
1182 1185
 .\"*********************************************************
1183 1186
 .TP
1184
-.B --mtu-test
1187
+.B \-\-mtu-test
1185 1188
 To empirically measure MTU on connection startup,
1186 1189
 add the
1187
-.B --mtu-test
1190
+.B \-\-mtu-test
1188 1191
 option to your configuration.
1189 1192
 OpenVPN will send ping packets of various sizes
1190 1193
 to the remote peer and measure the largest packets
1191 1194
 which were successfully received.  The
1192
-.B --mtu-test
1195
+.B \-\-mtu-test
1193 1196
 process normally takes about 3 minutes to complete.
1194 1197
 .\"*********************************************************
1195 1198
 .TP
1196
-.B --fragment max
1199
+.B \-\-fragment max
1197 1200
 Enable internal datagram fragmentation so
1198 1201
 that no UDP datagrams are sent which
1199 1202
 are larger than
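Review bot: the three `+\-\- ...` description lines after `.B 'no'`, `.B 'maybe'` and `.B 'yes'` appear with no matching `-` lines, although the header `-1169,34 +1169,34` says both sides of the hunk have the same length, and the new-side numbering drifts from the old by three from this point on. An old line that begins with `--` becomes `---` once it carries the removal prefix, which a diff viewer can mistake for a file header and hide. Please confirm against the raw patch that the three old description lines are removed, so the rendered man page does not end up with each description twice.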
... ...
@@ -1206,24 +1206,24 @@ bytes.
1206 1206
 The
1207 1207
 .B max
1208 1208
 parameter is interpreted in the same way as the
1209
-.B --link-mtu
1209
+.B \-\-link-mtu
1210 1210
 parameter, i.e. the UDP packet size after encapsulation
1211 1211
 overhead has been added in, but not including
1212 1212
 the UDP header itself.
1213 1213
 
1214 1214
 The
1215
-.B --fragment
1215
+.B \-\-fragment
1216 1216
 option only makes sense when you are using the UDP protocol (
1217
-.B --proto udp
1217
+.B \-\-proto udp
1218 1218
 ).
1219 1219
 
1220
-.B --fragment
1220
+.B \-\-fragment
1221 1221
 adds 4 bytes of overhead per datagram.
1222 1222
 
1223 1223
 See the
1224
-.B --mssfix
1224
+.B \-\-mssfix
1225 1225
 option below for an important related option to
1226
-.B --fragment.
1226
+.B \-\-fragment.
1227 1227
 
1228 1228
 It should also be noted that this option is not meant to replace
1229 1229
 UDP fragmentation at the IP stack level.  It is only meant as a
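Review bot: the rewritten line `.B \-\-fragment.` keeps the sentence's full stop inside the bold argument, so the period is rendered as part of the option name, and `.B \-\-proto udp` is followed by a `)` on its own line, which leaves a space before the bracket. Since both lines are touched anyway, `.BR \-\-fragment .` would bold only the option and attach the punctuation in roman with no gap.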
... ...
@@ -1236,7 +1236,7 @@ internal fragmentation capability may be your only option, such
1236 1236
 as tunneling a UDP multicast stream which requires fragmentation.
1237 1237
 .\"*********************************************************
1238 1238
 .TP
1239
-.B --mssfix max
1239
+.B \-\-mssfix max
1240 1240
 Announce to TCP sessions running over the tunnel that they should limit
1241 1241
 their send packet sizes such that after OpenVPN has encapsulated them,
1242 1242
 the resulting UDP packet size that OpenVPN sends to its peer will not
... ...
@@ -1247,33 +1247,33 @@ bytes.
1247 1247
 The
1248 1248
 .B max
1249 1249
 parameter is interpreted in the same way as the
1250
-.B --link-mtu
1250
+.B \-\-link-mtu
1251 1251
 parameter, i.e. the UDP packet size after encapsulation
1252 1252
 overhead has been added in, but not including
1253 1253
 the UDP header itself.
1254 1254
 
1255 1255
 The
1256
-.B --mssfix
1256
+.B \-\-mssfix
1257 1257
 option only makes sense when you are using the UDP protocol
1258 1258
 for OpenVPN peer-to-peer communication, i.e.
1259
-.B --proto udp.
1259
+.B \-\-proto udp.
1260 1260
 
1261
-.B --mssfix
1261
+.B \-\-mssfix
1262 1262
 and
1263
-.B --fragment
1263
+.B \-\-fragment
1264 1264
 can be ideally used together, where
1265
-.B --mssfix
1265
+.B \-\-mssfix
1266 1266
 will try to keep TCP from needing
1267 1267
 packet fragmentation in the first place,
1268 1268
 and if big packets come through anyhow
1269 1269
 (from protocols other than TCP),
1270
-.B --fragment
1270
+.B \-\-fragment
1271 1271
 will internally fragment them.
1272 1272
 
1273 1273
 Both
1274
-.B --fragment
1274
+.B \-\-fragment
1275 1275
 and
1276
-.B --mssfix
1276
+.B \-\-mssfix
1277 1277
 are designed to work around cases where Path MTU discovery
1278 1278
 is broken on the network path between OpenVPN peers.
1279 1279
 
... ...
@@ -1282,35 +1282,35 @@ connection which successfully starts, but then stalls
1282 1282
 during active usage.
1283 1283
 
1284 1284
 If
1285
-.B --fragment
1285
+.B \-\-fragment
1286 1286
 and
1287
-.B --mssfix
1287
+.B \-\-mssfix
1288 1288
 are used together,
1289
-.B --mssfix
1289
+.B \-\-mssfix
1290 1290
 will take its default
1291 1291
 .B max
1292 1292
 parameter from the
1293
-.B --fragment max
1293
+.B \-\-fragment max
1294 1294
 option.
1295 1295
 
1296 1296
 Therefore, one could lower the maximum UDP packet size
1297 1297
 to 1300 (a good first try for solving MTU-related
1298 1298
 connection problems) with the following options:
1299 1299
 
1300
-.B --tun-mtu 1500 --fragment 1300 --mssfix
1300
+.B \-\-tun-mtu 1500 \-\-fragment 1300 \-\-mssfix
1301 1301
 .\"*********************************************************
1302 1302
 .TP
1303
-.B --sndbuf size
1303
+.B \-\-sndbuf size
1304 1304
 Set the TCP/UDP socket send buffer size.
1305 1305
 Currently defaults to 65536 bytes.
1306 1306
 .\"*********************************************************
1307 1307
 .TP
1308
-.B --rcvbuf size
1308
+.B \-\-rcvbuf size
1309 1309
 Set the TCP/UDP socket receive buffer size.
1310 1310
 Currently defaults to 65536 bytes.
1311 1311
 .\"*********************************************************
1312 1312
 .TP
1313
-.B --socket-flags flags...
1313
+.B \-\-socket-flags flags...
1314 1314
 Apply the given flags to the OpenVPN transport socket.
1315 1315
 Currently, only
1316 1316
 .B TCP_NODELAY
... ...
@@ -1327,12 +1327,12 @@ This option is pushable from server to client, and should be used
1327 1327
 on both client and server for maximum effect.
1328 1328
 .\"*********************************************************
1329 1329
 .TP
1330
-.B --txqueuelen n
1330
+.B \-\-txqueuelen n
1331 1331
 (Linux only) Set the TX queue length on the TUN/TAP interface.
1332 1332
 Currently defaults to 100.
1333 1333
 .\"*********************************************************
1334 1334
 .TP
1335
-.B --shaper n
1335
+.B \-\-shaper n
1336 1336
 Limit bandwidth of outgoing tunnel data to
1337 1337
 .B n
1338 1338
 bytes per second on the TCP/UDP port.
... ...
@@ -1368,7 +1368,7 @@ OpenVPN allows
1368 1368
 to be between 100 bytes/sec and 100 Mbytes/sec.
1369 1369
 .\"*********************************************************
1370 1370
 .TP
1371
-.B --inactive n [bytes]
1371
+.B \-\-inactive n [bytes]
1372 1372
 Causes OpenVPN to exit after
1373 1373
 .B n
1374 1374
 seconds of inactivity on the TUN/TAP device.  The time length
... ...
@@ -1382,18 +1382,18 @@ produces a combined in/out byte count that is less than
1382 1382
 .B bytes.
1383 1383
 .\"*********************************************************
1384 1384
 .TP
1385
-.B --ping n
1385
+.B \-\-ping n
1386 1386
 Ping remote over the TCP/UDP control channel
1387 1387
 if no packets have been sent for at least
1388 1388
 .B n
1389 1389
 seconds (specify
1390
-.B --ping
1390
+.B \-\-ping
1391 1391
 on both peers to cause ping packets to be sent in both directions since
1392 1392
 OpenVPN ping packets are not echoed like IP ping packets).
1393 1393
 When used in one of OpenVPN's secure modes (where
1394
-.B --secret, --tls-server,
1394
+.B \-\-secret, \-\-tls-server,
1395 1395
 or
1396
-.B --tls-client
1396
+.B \-\-tls-client
1397 1397
 is specified), the ping packet
1398 1398
 will be cryptographically secure.
1399 1399
 
... ...
@@ -1406,33 +1406,33 @@ pass will not time out.
1406 1406
 
1407 1407
 (2) To provide a basis for the remote to test the existence
1408 1408
 of its peer using the
1409
-.B --ping-exit
1409
+.B \-\-ping-exit
1410 1410
 option.
1411 1411
 .\"*********************************************************
1412 1412
 .TP
1413
-.B --ping-exit n
1413
+.B \-\-ping-exit n
1414 1414
 Causes OpenVPN to exit after
1415 1415
 .B n
1416 1416
 seconds pass without reception of a ping
1417 1417
 or other packet from remote.
1418 1418
 This option can be combined with
1419
-.B --inactive, --ping,
1419
+.B \-\-inactive, \-\-ping,
1420 1420
 and
1421
-.B --ping-exit
1421
+.B \-\-ping-exit
1422 1422
 to create a two-tiered inactivity disconnect.
1423 1423
 
1424 1424
 For example,
1425 1425
 
1426
-.B openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
1426
+.B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping-exit 60
1427 1427
 
1428 1428
 when used on both peers will cause OpenVPN to exit within 60
1429 1429
 seconds if its peer disconnects, but will exit after one
1430 1430
 hour if no actual tunnel data is exchanged.
1431 1431
 .\"*********************************************************
1432 1432
 .TP
1433
-.B --ping-restart n
1433
+.B \-\-ping-restart n
1434 1434
 Similar to
1435
-.B --ping-exit,
1435
+.B \-\-ping-exit,
1436 1436
 but trigger a
1437 1437
 .B SIGUSR1
1438 1438
 restart after
... ...
@@ -1451,13 +1451,13 @@ as
1451 1451
 
1452 1452
 If the peer cannot be reached, a restart will be triggered, causing
1453 1453
 the hostname used with
1454
-.B --remote
1454
+.B \-\-remote
1455 1455
 to be re-resolved (if
1456
-.B --resolv-retry
1456
+.B \-\-resolv-retry
1457 1457
 is also specified).
1458 1458
 
1459 1459
 In server mode,
1460
-.B --ping-restart, --inactive,
1460
+.B \-\-ping-restart, \-\-inactive,
1461 1461
 or any other type of internally generated signal will always be
1462 1462
 applied to
1463 1463
 individual client instance objects, never to whole server itself.
... ...
@@ -1466,14 +1466,14 @@ which would normally cause a restart, will cause the deletion
1466 1466
 of the client instance object instead.
1467 1467
 
1468 1468
 In client mode, the
1469
-.B --ping-restart
1469
+.B \-\-ping-restart
1470 1470
 parameter is set to 120 seconds by default.  This default will
1471 1471
 hold until the client pulls a replacement value from the server, based on
1472 1472
 the
1473
-.B --keepalive
1473
+.B \-\-keepalive
1474 1474
 setting in the server configuration.
1475 1475
 To disable the 120 second default, set
1476
-.B --ping-restart 0
1476
+.B \-\-ping-restart 0
1477 1477
 on the client.
1478 1478
 
1479 1479
 See the signals section below for more information
... ...
@@ -1483,27 +1483,27 @@ on
1483 1483
 Note that the behavior of
1484 1484
 .B SIGUSR1
1485 1485
 can be modified by the
1486
-.B --persist-tun, --persist-key, --persist-local-ip,
1486
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip,
1487 1487
 and
1488
-.B --persist-remote-ip
1488
+.B \-\-persist-remote-ip
1489 1489
 options.
1490 1490
 
1491 1491
 Also note that
1492
-.B --ping-exit
1492
+.B \-\-ping-exit
1493 1493
 and
1494
-.B --ping-restart
1494
+.B \-\-ping-restart
1495 1495
 are mutually exclusive and cannot be used together.
1496 1496
 .\"*********************************************************
1497 1497
 .TP
1498
-.B --keepalive n m
1498
+.B \-\-keepalive n m
1499 1499
 A helper directive designed to simplify the expression of
1500
-.B --ping
1500
+.B \-\-ping
1501 1501
 and
1502
-.B --ping-restart
1502
+.B \-\-ping-restart
1503 1503
 in server mode configurations.
1504 1504
 
1505 1505
 For example,
1506
-.B --keepalive 10 60
1506
+.B \-\-keepalive 10 60
1507 1507
 expands as follows:
1508 1508
 
1509 1509
 .nf
... ...
@@ -1522,24 +1522,24 @@ expands as follows:
1522 1522
 .fi
1523 1523
 .\"*********************************************************
1524 1524
 .TP
1525
-.B --ping-timer-rem
1525
+.B \-\-ping-timer-rem
1526 1526
 Run the
1527
-.B --ping-exit
1527
+.B \-\-ping-exit
1528 1528
 /
1529
-.B --ping-restart
1529
+.B \-\-ping-restart
1530 1530
 timer only if we have a remote address.  Use this option if you are
1531 1531
 starting the daemon in listen mode (i.e. without an explicit
1532
-.B --remote
1532
+.B \-\-remote
1533 1533
 peer), and you don't want to start clocking timeouts until a remote
1534 1534
 peer connects.
1535 1535
 .\"*********************************************************
1536 1536
 .TP
1537
-.B --persist-tun
1537
+.B \-\-persist-tun
1538 1538
 Don't close and reopen TUN/TAP device or run up/down scripts
1539 1539
 across
1540 1540
 .B SIGUSR1
1541 1541
 or
1542
-.B --ping-restart
1542
+.B \-\-ping-restart
1543 1543
 restarts.
1544 1544
 
1545 1545
 .B SIGUSR1
... ...
@@ -1549,14 +1549,14 @@ but which offers finer-grained control over
1549 1549
 reset options.
1550 1550
 .\"*********************************************************
1551 1551
 .TP
1552
-.B --persist-key
1552
+.B \-\-persist-key
1553 1553
 Don't re-read key files across
1554 1554
 .B SIGUSR1
1555 1555
 or
1556
-.B --ping-restart.
1556
+.B \-\-ping-restart.
1557 1557
 
1558 1558
 This option can be combined with
1559
-.B --user nobody
1559
+.B \-\-user nobody
1560 1560
 to allow restarts triggered by the
1561 1561
 .B SIGUSR1
1562 1562
 signal.
... ...
@@ -1569,29 +1569,29 @@ This option solves the problem by persisting keys across
1569 1569
 resets, so they don't need to be re-read.
1570 1570
 .\"*********************************************************
1571 1571
 .TP
1572
-.B --persist-local-ip
1572
+.B \-\-persist-local-ip
1573 1573
 Preserve initially resolved local IP address and port number
1574 1574
 across
1575 1575
 .B SIGUSR1
1576 1576
 or
1577
-.B --ping-restart
1577
+.B \-\-ping-restart
1578 1578
 restarts.
1579 1579
 .\"*********************************************************
1580 1580
 .TP
1581
-.B --persist-remote-ip
1581
+.B \-\-persist-remote-ip
1582 1582
 Preserve most recently authenticated remote IP address and port number
1583 1583
 across
1584 1584
 .B SIGUSR1
1585 1585
 or
1586
-.B --ping-restart
1586
+.B \-\-ping-restart
1587 1587
 restarts.
1588 1588
 .\"*********************************************************
1589 1589
 .TP
1590
-.B --mlock
1590
+.B \-\-mlock
1591 1591
 Disable paging by calling the POSIX mlockall function.
1592 1592
 Requires that OpenVPN be initially run as root (though
1593 1593
 OpenVPN can subsequently downgrade its UID using the
1594
-.B --user
1594
+.B \-\-user
1595 1595
 option).
1596 1596
 
1597 1597
 Using this option ensures that key material and tunnel
... ...
@@ -1603,33 +1603,33 @@ would not be able to scan the system swap file to
1603 1603
 recover previously used
1604 1604
 ephemeral keys, which are used for a period of time
1605 1605
 governed by the
1606
-.B --reneg
1606
+.B \-\-reneg
1607 1607
 options (see below), then are discarded.
1608 1608
 
1609 1609
 The downside
1610 1610
 of using
1611
-.B --mlock
1611
+.B \-\-mlock
1612 1612
 is that it will reduce the amount of physical
1613 1613
 memory available to other applications.
1614 1614
 .\"*********************************************************
1615 1615
 .TP
1616
-.B --up cmd
1616
+.B \-\-up cmd
1617 1617
 Shell command to run after successful TUN/TAP device open
1618 1618
 (pre
1619
-.B --user
1619
+.B \-\-user
1620 1620
 UID change).  The up script is useful for specifying route
1621 1621
 commands which route IP traffic destined for
1622 1622
 private subnets which exist at the other
1623 1623
 end of the VPN connection into the tunnel.
1624 1624
 
1625 1625
 For
1626
-.B --dev tun
1626
+.B \-\-dev tun
1627 1627
 execute as:
1628 1628
 
1629 1629
 .B cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ]
1630 1630
 
1631 1631
 For
1632
-.B --dev tap
1632
+.B \-\-dev tap
1633 1633
 execute as:
1634 1634
 
1635 1635
 .B cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ]
... ...
@@ -1654,62 +1654,62 @@ In this context, the last command line parameter passed to the script
1654 1654
 will be
1655 1655
 .I init.
1656 1656
 If the
1657
-.B --up-restart
1657
+.B \-\-up-restart
1658 1658
 option is also used, the up script will be called for restarts as
1659 1659
 well.  A restart is considered to be a partial reinitialization
1660 1660
 of OpenVPN where the TUN/TAP instance is preserved (the
1661
-.B --persist-tun
1661
+.B \-\-persist-tun
1662 1662
 option will enable such preservation).  A restart
1663 1663
 can be generated by a SIGUSR1 signal, a
1664
-.B --ping-restart
1664
+.B \-\-ping-restart
1665 1665
 timeout, or a connection reset when the TCP protocol is enabled
1666 1666
 with the
1667
-.B --proto
1667
+.B \-\-proto
1668 1668
 option.  If a restart occurs, and
1669
-.B --up-restart
1669
+.B \-\-up-restart
1670 1670
 has been specified, the up script will be called with
1671 1671
 .I restart
1672 1672
 as the last parameter.
1673 1673
 
1674 1674
 The following standalone example shows how the
1675
-.B --up
1675
+.B \-\-up
1676 1676
 script can be called in both an initialization and restart context.
1677 1677
 (NOTE: for security reasons, don't run the following example unless UDP port
1678 1678
 9999 is blocked by your firewall.  Also, the example will run indefinitely,
1679 1679
 so you should abort with control-c).
1680 1680
 
1681
-.B openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up 'echo up' --down 'echo down' --persist-tun --up-restart
1681
+.B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist-tun \-\-up-restart
1682 1682
 
1683 1683
 Note that OpenVPN also provides the
1684
-.B --ifconfig
1684
+.B \-\-ifconfig
1685 1685
 option to automatically ifconfig the TUN device,
1686 1686
 eliminating the need to define an
1687
-.B --up
1687
+.B \-\-up
1688 1688
 script, unless you also want to configure routes
1689 1689
 in the
1690
-.B --up
1690
+.B \-\-up
1691 1691
 script.
1692 1692
 
1693 1693
 If
1694
-.B --ifconfig
1694
+.B \-\-ifconfig
1695 1695
 is also specified, OpenVPN will pass the ifconfig local
1696 1696
 and remote endpoints on the command line to the
1697
-.B --up
1697
+.B \-\-up
1698 1698
 script so that they can be used to configure routes such as:
1699 1699
 
1700 1700
 .B route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1701 1701
 .\"*********************************************************
1702 1702
 .TP
1703
-.B --up-delay
1703
+.B \-\-up-delay
1704 1704
 Delay TUN/TAP open and possible
1705
-.B --up
1705
+.B \-\-up
1706 1706
 script execution
1707 1707
 until after TCP/UDP connection establishment with peer.
1708 1708
 
1709 1709
 In
1710
-.B --proto udp
1710
+.B \-\-proto udp
1711 1711
 mode, this option normally requires the use of
1712
-.B --ping
1712
+.B \-\-ping
1713 1713
 to allow connection initiation to be sensed in the absence
1714 1714
 of tunnel data, since UDP is a "connectionless" protocol.
1715 1715
 
... ...
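Review bot: `.B route add -net 10.0.0.0 netmask 255.255.255.0 gw $5` is left as unchanged context with an unescaped `-net`, while the `openvpn \-\-dev tun \-\-port 9999 ...` example a few lines above it is converted. Both are commands the reader is expected to type or paste, so the single-dash option needs the same treatment: `.B route add \-net 10.0.0.0 netmask 255.255.255.0 gw $5`. The interior hyphens in `\-\-ping-restart`, `\-\-persist-tun` and `\-\-up-restart` on the converted example line are also still unescaped.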
@@ -1718,50 +1718,50 @@ transitioning to "connected" until connection establishment,
1718 1718
 i.e. the receipt of the first authenticated packet from the peer.
1719 1719
 .\"*********************************************************
1720 1720
 .TP
1721
-.B --down cmd
1721
+.B \-\-down cmd
1722 1722
 Shell command to run after TUN/TAP device close
1723 1723
 (post
1724
-.B --user
1724
+.B \-\-user
1725 1725
 UID change and/or
1726
-.B --chroot
1726
+.B \-\-chroot
1727 1727
 ).  Called with the same parameters and environmental
1728 1728
 variables as the
1729
-.B --up
1729
+.B \-\-up
1730 1730
 option above.
1731 1731
 
1732 1732
 Note that if you reduce privileges by using
1733
-.B --user
1733
+.B \-\-user
1734 1734
 and/or
1735
-.B --group,
1735
+.B \-\-group,
1736 1736
 your
1737
-.B --down
1737
+.B \-\-down
1738 1738
 script will also run at reduced privilege.
1739 1739
 .\"*********************************************************
1740 1740
 .TP
1741
-.B --down-pre
1741
+.B \-\-down-pre
1742 1742
 Call
1743
-.B --down
1743
+.B \-\-down
1744 1744
 cmd/script before, rather than after, TUN/TAP close.
1745 1745
 .\"*********************************************************
1746 1746
 .TP
1747
-.B --up-restart
1747
+.B \-\-up-restart
1748 1748
 Enable the
1749
-.B --up
1749
+.B \-\-up
1750 1750
 and
1751
-.B --down
1751
+.B \-\-down
1752 1752
 scripts to be called for restarts as well as initial program start.
1753 1753
 This option is described more fully above in the
1754
-.B --up
1754
+.B \-\-up
1755 1755
 option documentation.
1756 1756
 .\"*********************************************************
1757 1757
 .TP
1758
-.B --setenv name value
1758
+.B \-\-setenv name value
1759 1759
 Set a custom environmental variable
1760 1760
 .B name=value
1761 1761
 to pass to script.
1762 1762
 .\"*********************************************************
1763 1763
 .TP
1764
-.B --setenv FORWARD_COMPATIBLE 1
1764
+.B \-\-setenv FORWARD_COMPATIBLE 1
1765 1765
 Relax config file syntax checking so that unknown directives
1766 1766
 will trigger a warning but not a fatal error,
1767 1767
 on the assumption that a given unknown directive might be valid
... ...
@@ -1774,7 +1774,7 @@ new software features to gracefully degrade when encountered by
1774 1774
 older software versions.
1775 1775
 .\"*********************************************************
1776 1776
 .TP
1777
-.B --setenv-safe name value
1777
+.B \-\-setenv-safe name value
1778 1778
 Set a custom environmental variable
1779 1779
 .B OPENVPN_name=value
1780 1780
 to pass to script.
... ...
@@ -1785,23 +1785,23 @@ is a safety precaution to prevent a LD_PRELOAD style attack
1785 1785
 from a malicious or compromised server.
1786 1786
 .\"*********************************************************
1787 1787
 .TP
1788
-.B --script-security level [method]
1788
+.B \-\-script-security level [method]
1789 1789
 This directive offers policy-level control over OpenVPN's usage of external programs
1790 1790
 and scripts.  Lower
1791 1791
 .B level
1792 1792
 values are more restrictive, higher values are more permissive.  Settings for
1793 1793
 .B level:
1794 1794
 
1795
-.B 0 --
1795
+.B 0 \-\-
1796 1796
 Strictly no calling of external programs.
1797 1797
 .br
1798
-.B 1 --
1798
+.B 1 \-\-
1799 1799
 (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
1800 1800
 .br
1801
-.B 2 --
1801
+.B 2 \-\-
1802 1802
 Allow calling of built-in executables and user-defined scripts.
1803 1803
 .br
1804
-.B 3 --
1804
+.B 3 \-\-
1805 1805
 Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
1806 1806
 
1807 1807
 The
... ...
@@ -1810,33 +1810,33 @@ parameter indicates how OpenVPN should call external commands and scripts.
1810 1810
 Settings for
1811 1811
 .B method:
1812 1812
 
1813
-.B execve --
1813
+.B execve \-\-
1814 1814
 (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
1815 1815
 .br
1816
-.B system --
1816
+.B system \-\-
1817 1817
 Use system() function (deprecated and less safe since the external program command
1818 1818
 line is subject to shell expansion).
1819 1819
 
1820 1820
 The
1821
-.B --script-security
1821
+.B \-\-script-security
1822 1822
 option was introduced in OpenVPN 2.1_rc9.  For configuration file compatibility
1823 1823
 with previous OpenVPN versions, use:
1824
-.B --script-security 3 system
1824
+.B \-\-script-security 3 system
1825 1825
 .\"*********************************************************
1826 1826
 .TP
1827
-.B --disable-occ
1827
+.B \-\-disable-occ
1828 1828
 Don't output a warning message if option inconsistencies are detected between
1829 1829
 peers.  An example of an option inconsistency would be where one peer uses
1830
-.B --dev tun
1830
+.B \-\-dev tun
1831 1831
 while the other peer uses
1832
-.B --dev tap.
1832
+.B \-\-dev tap.
1833 1833
 
1834 1834
 Use of this option is discouraged, but is provided as
1835 1835
 a temporary fix in situations where a recent version of OpenVPN must
1836 1836
 connect to an old version.
1837 1837
 .\"*********************************************************
1838 1838
 .TP
1839
-.B --user user
1839
+.B \-\-user user
1840 1840
 Change the user ID of the OpenVPN process to
1841 1841
 .B user
1842 1842
 after initialization, dropping privileges in the process.
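Review bot: `.B \-\-script-security 3 system` is the one line in this hunk a reader is likely to paste verbatim, and the hunk itself describes `system` as "deprecated and less safe since the external program command line is subject to shell expansion". The escaping change is fine, but it makes the most permissive setting the easiest one to copy correctly. Worth a follow-up to the text so the compatibility line says it is for legacy configurations only and points back to the `execve` default.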
... ...
@@ -1858,7 +1858,7 @@ you want to reset an OpenVPN daemon with a
1858 1858
 signal
1859 1859
 (for example in response
1860 1860
 to a DHCP reset), you should make use of one or more of the
1861
-.B --persist
1861
+.B \-\-persist
1862 1862
 options to ensure that OpenVPN doesn't need to execute any privileged
1863 1863
 operations in order to restart (such as re-reading key files
1864 1864
 or running
... ...
@@ -1866,16 +1866,16 @@ or running
1866 1866
 on the TUN device).
1867 1867
 .\"*********************************************************
1868 1868
 .TP
1869
-.B --group group
1869
+.B \-\-group group
1870 1870
 Similar to the
1871
-.B --user
1871
+.B \-\-user
1872 1872
 option,
1873 1873
 this option changes the group ID of the OpenVPN process to
1874 1874
 .B group
1875 1875
 after initialization.
1876 1876
 .\"*********************************************************
1877 1877
 .TP
1878
-.B --cd dir
1878
+.B \-\-cd dir
1879 1879
 Change directory to
1880 1880
 .B dir
1881 1881
 prior to reading any files such as
... ...
@@ -1887,16 +1887,16 @@ to the current directory such as "." or "..".
1887 1887
 
1888 1888
 This option is useful when you are running
1889 1889
 OpenVPN in 
1890
-.B --daemon
1890
+.B \-\-daemon
1891 1891
 mode, and you want to consolidate all of
1892 1892
 your OpenVPN control files in one location.
1893 1893
 .\"*********************************************************
1894 1894
 .TP
1895
-.B --chroot dir
1895
+.B \-\-chroot dir
1896 1896
 Chroot to
1897 1897
 .B dir
1898 1898
 after initialization.  
1899
-.B --chroot
1899
+.B \-\-chroot
1900 1900
 essentially redefines
1901 1901
 .B dir
1902 1902
 as being the top
... ...
@@ -1915,22 +1915,22 @@ complications can result when scripts or restarts
1915 1915
 are executed after the chroot operation.
1916 1916
 .\"*********************************************************
1917 1917
 .TP
1918
-.B --setcon context
1918
+.B \-\-setcon context
1919 1919
 Apply SELinux
1920 1920
 .B context
1921 1921
 after initialization. This
1922 1922
 essentially provides the ability to restrict OpenVPN's
1923 1923
 rights to only network I/O operations, thanks to
1924 1924
 SELinux. This goes further than
1925
-.B --user
1925
+.B \-\-user
1926 1926
 and
1927
-.B --chroot
1927
+.B \-\-chroot
1928 1928
 in that those two, while being great security features,
1929 1929
 unfortunately do not protect against privilege escalation
1930 1930
 by exploitation of a vulnerable system call. You can of
1931 1931
 course combine all three, but please note that since
1932 1932
 setcon requires access to /proc you will have to provide
1933
-it inside the chroot directory (e.g. with mount --bind).
1933
+it inside the chroot directory (e.g. with mount \-\-bind).
1934 1934
 
1935 1935
 Since the setcon operation is delayed until after
1936 1936
 initialization, OpenVPN can be restricted to just
... ...
@@ -1942,13 +1942,13 @@ allow many things required only during initialization.
1942 1942
 Like with chroot, complications can result when scripts
1943 1943
 or restarts are executed after the setcon operation,
1944 1944
 which is why you should really consider using the
1945
-.B --persist-key
1945
+.B \-\-persist-key
1946 1946
 and
1947
-.B --persist-tun
1947
+.B \-\-persist-tun
1948 1948
 options.
1949 1949
 .\"*********************************************************
1950 1950
 .TP
1951
-.B --daemon [progname]
1951
+.B \-\-daemon [progname]
1952 1952
 Become a daemon after all initialization functions are completed.
1953 1953
 This option will cause all message and error output to
1954 1954
 be sent to the syslog file (such as /var/log/messages),
... ...
@@ -1957,10 +1957,10 @@ ifconfig commands,
1957 1957
 which will go to /dev/null unless otherwise redirected.
1958 1958
 The syslog redirection occurs immediately at the point
1959 1959
 that
1960
-.B --daemon
1960
+.B \-\-daemon
1961 1961
 is parsed on the command line even though
1962 1962
 the daemonization point occurs later.  If one of the
1963
-.B --log
1963
+.B \-\-log
1964 1964
 options is present, it will supercede syslog
1965 1965
 redirection.
1966 1966
 
... ...
@@ -1976,7 +1976,7 @@ When unspecified,
1976 1976
 defaults to "openvpn".
1977 1977
 
1978 1978
 When OpenVPN is run with the
1979
-.B --daemon
1979
+.B \-\-daemon
1980 1980
 option, it will try to delay daemonization until the majority of initialization
1981 1981
 functions which are capable of generating fatal errors are complete.  This means
1982 1982
 that initialization scripts can test the return status of the
... ...
@@ -1986,20 +1986,20 @@ has correctly initialized and entered the packet forwarding event loop.
1986 1986
 In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.
1987 1987
 .\"*********************************************************
1988 1988
 .TP
1989
-.B --syslog [progname]
1989
+.B \-\-syslog [progname]
1990 1990
 Direct log output to system logger, but do not become a daemon.
1991 1991
 See
1992
-.B --daemon
1992
+.B \-\-daemon
1993 1993
 directive above for description of
1994 1994
 .B progname
1995 1995
 parameter.
1996 1996
 .\"*********************************************************
1997 1997
 .TP
1998
-.B --passtos
1998
+.B \-\-passtos
1999 1999
 Set the TOS field of the tunnel packet to what the payload's TOS is.
2000 2000
 .\"*********************************************************
2001 2001
 .TP
2002
-.B --inetd [wait|nowait] [progname]
2002
+.B \-\-inetd [wait|nowait] [progname]
2003 2003
 Use this option when OpenVPN is being run from the inetd or
2004 2004
 .BR xinetd(8)
2005 2005
 server.
... ...
@@ -2010,7 +2010,7 @@ option must match what is specified in the inetd/xinetd
2010 2010
 config file.  The
2011 2011
 .B nowait
2012 2012
 mode can only be used with
2013
-.B --proto tcp-server.
2013
+.B \-\-proto tcp-server.
2014 2014
 The default is
2015 2015
 .B wait.
2016 2016
 The
... ...
@@ -2022,16 +2022,16 @@ see the OpenVPN FAQ:
2022 2022
 .I http://openvpn.net/faq.html#oneport
2023 2023
 
2024 2024
 This option precludes the use of
2025
-.B --daemon, --local,
2025
+.B \-\-daemon, \-\-local,
2026 2026
 or
2027
-.B --remote.
2027
+.B \-\-remote.
2028 2028
 Note that this option causes message and error output to be handled in the same
2029 2029
 way as the
2030
-.B --daemon
2030
+.B \-\-daemon
2031 2031
 option.  The optional
2032 2032
 .B progname
2033 2033
 parameter is also handled exactly as in
2034
-.B --daemon.
2034
+.B \-\-daemon.
2035 2035
 
2036 2036
 Also note that in
2037 2037
 .B wait
... ...
@@ -2041,7 +2041,7 @@ on using OpenVPN with xinetd:
2041 2041
 .I http://openvpn.net/1xhowto.html
2042 2042
 .\"*********************************************************
2043 2043
 .TP
2044
-.B --log file
2044
+.B \-\-log file
2045 2045
 Output logging messages to
2046 2046
 .B file,
2047 2047
 including output to stdout/stderr which
... ...
@@ -2052,44 +2052,44 @@ already exists it will be truncated.
2052 2052
 This option takes effect
2053 2053
 immediately when it is parsed in the command line
2054 2054
 and will supercede syslog output if
2055
-.B --daemon
2055
+.B \-\-daemon
2056 2056
 or
2057
-.B --inetd
2057
+.B \-\-inetd
2058 2058
 is also specified.
2059 2059
 This option is persistent over the entire course of
2060 2060
 an OpenVPN instantiation and will not be reset by SIGHUP,
2061 2061
 SIGUSR1, or
2062
-.B --ping-restart.
2062
+.B \-\-ping-restart.
2063 2063
 
2064 2064
 Note that on Windows, when OpenVPN is started as a service,
2065 2065
 logging occurs by default without the need to specify
2066 2066
 this option.
2067 2067
 .\"*********************************************************
2068 2068
 .TP
2069
-.B --log-append file
2069
+.B \-\-log-append file
2070 2070
 Append logging messages to
2071 2071
 .B file.
2072 2072
 If
2073 2073
 .B file
2074 2074
 does not exist, it will be created.
2075 2075
 This option behaves exactly like
2076
-.B --log
2076
+.B \-\-log
2077 2077
 except that it appends to rather
2078 2078
 than truncating the log file.
2079 2079
 .\"*********************************************************
2080 2080
 .TP
2081
-.B --suppress-timestamps
2081
+.B \-\-suppress-timestamps
2082 2082
 Avoid writing timestamps to log messages, even when they
2083 2083
 otherwise would be prepended. In particular, this applies to
2084 2084
 log messages sent to stdout.
2085 2085
 .\"*********************************************************
2086 2086
 .TP
2087
-.B --writepid file
2087
+.B \-\-writepid file
2088 2088
 Write OpenVPN's main process ID to
2089 2089
 .B file.
2090 2090
 .\"*********************************************************
2091 2091
 .TP
2092
-.B --nice n
2092
+.B \-\-nice n
2093 2093
 Change process priority after initialization
2094 2094
 (
2095 2095
 .B n
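Review bot: only the leading double dash is escaped in `.B \-\-ping-restart.`, `.B \-\-log-append file` and `.B \-\-suppress-timestamps`; the hyphen inside each option name is still a bare `-`. In a UTF-8 locale that inner hyphen is subject to the same substitution the commit message describes, so searching the rendered page for the full option name, or pasting it into a config file, can still fail. Suggest escaping the inner hyphens too, for example `.B \-\-log\-append file`.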
... ...
@@ -2098,14 +2098,14 @@ greater than 0 is lower priority,
2098 2098
 less than zero is higher priority).
2099 2099
 .\"*********************************************************
2100 2100
 .\".TP
2101
-.\".B --nice-work n
2101
+.\".B \-\-nice-work n
2102 2102
 .\"Change priority of background TLS work thread.  The TLS thread
2103 2103
 .\"feature is enabled when OpenVPN is built
2104 2104
 .\"with pthread support, and you are running OpenVPN
2105 2105
 .\"in TLS mode (i.e. with
2106
-.\".B --tls-client
2106
+.\".B \-\-tls-client
2107 2107
 .\"or
2108
-.\".B --tls-server
2108
+.\".B \-\-tls-server
2109 2109
 .\"specified).
2110 2110
 .\"
2111 2111
 .\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based
... ...
@@ -2115,12 +2115,12 @@ less than zero is higher priority).
2115 2115
 .\"The parameter
2116 2116
 .\".B n
2117 2117
 .\"is interpreted exactly as with the
2118
-.\".B --nice
2118
+.\".B \-\-nice
2119 2119
 .\"option above, but in relation to the work thread rather
2120 2120
 .\"than the main thread.
2121 2121
 .\"*********************************************************
2122 2122
 .TP
2123
-.B --fast-io
2123
+.B \-\-fast-io
2124 2124
 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding
2125 2125
 a call to poll/epoll/select prior to the write operation.  The purpose
2126 2126
 of such a call would normally be to block until the device
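Review bot: the change at old line 2118, `.\".B \-\-nice`, is inside a roff comment, as is the rest of the commented-out `\-\-nice-work` block, so the escaping there has no effect on the rendered page. Either leave the commented lines out of this patch to keep the diff to what actually changes the output, or say in the commit message that comments were converted for consistency.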
... ...
@@ -2131,13 +2131,13 @@ by avoiding the poll/epoll/select call, improving CPU efficiency
2131 2131
 by 5% to 10%.
2132 2132
 
2133 2133
 This option can only be used on non-Windows systems, when
2134
-.B --proto udp
2134
+.B \-\-proto udp
2135 2135
 is specified, and when
2136
-.B --shaper
2136
+.B \-\-shaper
2137 2137
 is NOT specified.
2138 2138
 .\"*********************************************************
2139 2139
 .TP
2140
-.B --multihome
2140
+.B \-\-multihome
2141 2141
 Configure a multi-homed UDP server.  This option can be used when
2142 2142
 OpenVPN has been configured to listen on all interfaces, and will
2143 2143
 attempt to bind client sessions to the interface on which packets
... ...
@@ -2146,13 +2146,13 @@ of the same interface.  Note that this option is only relevant for
2146 2146
 UDP servers and currently is only implemented on Linux.
2147 2147
 
2148 2148
 Note: clients connecting to a
2149
-.B --multihome
2149
+.B \-\-multihome
2150 2150
 server should always use the
2151
-.B --nobind
2151
+.B \-\-nobind
2152 2152
 option.
2153 2153
 .\"*********************************************************
2154 2154
 .TP
2155
-.B --echo [parms...]
2155
+.B \-\-echo [parms...]
2156 2156
 Echo
2157 2157
 .B parms
2158 2158
 to log output.
... ...
@@ -2161,7 +2161,7 @@ Designed to be used to send messages to a controlling application
2161 2161
 which is receiving the OpenVPN log output.
2162 2162
 .\"*********************************************************
2163 2163
 .TP
2164
-.B --remap-usr1 signal
2164
+.B \-\-remap-usr1 signal
2165 2165
 Control whether internally or externally
2166 2166
 generated SIGUSR1 signals are remapped to
2167 2167
 SIGHUP (restart without persisting state) or
... ...
@@ -2172,20 +2172,20 @@ can be set to "SIGHUP" or "SIGTERM".  By default, no remapping
2172 2172
 occurs.
2173 2173
 .\"*********************************************************
2174 2174
 .TP
2175
-.B --verb n
2175
+.B \-\-verb n
2176 2176
 Set output verbosity to
2177 2177
 .B n
2178 2178
 (default=1).  Each level shows all info from the previous levels.
2179 2179
 Level 3 is recommended if you want a good summary
2180 2180
 of what's happening without being swamped by output.
2181 2181
 
2182
-.B 0 --
2182
+.B 0 \-\-
2183 2183
 No output except fatal errors.
2184 2184
 .br
2185
-.B 1 to 4 --
2185
+.B 1 to 4 \-\-
2186 2186
 Normal usage range.
2187 2187
 .br
2188
-.B 5 --
2188
+.B 5 \-\-
2189 2189
 Output
2190 2190
 .B R
2191 2191
 and
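Review bot: in `.B 0 \-\-`, `.B 1 to 4 \-\-` and `.B 5 \-\-` the double dash is a separator between the verbosity level and its description, not an option prefix. Escaping it is harmless, but it is a different case from the one the commit message describes; a short note in the message that prose separators are converted as well would make the blanket replacement easier to review.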
... ...
@@ -2193,12 +2193,12 @@ and
2193 2193
 characters to the console for each packet read and write, uppercase is
2194 2194
 used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
2195 2195
 .br
2196
-.B 6 to 11 --
2196
+.B 6 to 11 \-\-
2197 2197
 Debug info range (see errlevel.h for additional
2198 2198
 information on debug levels).
2199 2199
 .\"*********************************************************
2200 2200
 .TP
2201
-.B --status file [n]
2201
+.B \-\-status file [n]
2202 2202
 Write operational status to
2203 2203
 .B file
2204 2204
 every
... ...
@@ -2210,21 +2210,21 @@ Status can also be written to the syslog by sending a
2210 2210
 signal.
2211 2211
 .\"*********************************************************
2212 2212
 .TP
2213
-.B --status-version [n]
2213
+.B \-\-status-version [n]
2214 2214
 Choose the status file format version number.  Currently
2215 2215
 .B n
2216 2216
 can be 1, 2, or 3 and defaults to 1.
2217 2217
 .\"*********************************************************
2218 2218
 .TP
2219
-.B --mute n
2219
+.B \-\-mute n
2220 2220
 Log at most
2221 2221
 .B n
2222 2222
 consecutive messages in the same category.  This is useful to
2223 2223
 limit repetitive logging of similar message types.
2224 2224
 .\"*********************************************************
2225 2225
 .TP
2226
-.B --comp-lzo [mode]
2227
-Use fast LZO compression -- may add up to 1 byte per
2226
+.B \-\-comp-lzo [mode]
2227
+Use fast LZO compression \-\- may add up to 1 byte per
2228 2228
 packet for incompressible data.
2229 2229
 .B mode
2230 2230
 may be "yes", "no", or "adaptive" (default).
... ...
@@ -2234,16 +2234,16 @@ compression on or off for individual clients.
2234 2234
 
2235 2235
 First, make sure the client-side config file enables selective
2236 2236
 compression by having at least one
2237
-.B --comp-lzo
2237
+.B \-\-comp-lzo
2238 2238
 directive, such as
2239
-.B --comp-lzo no.
2239
+.B \-\-comp-lzo no.
2240 2240
 This will turn off compression by default,
2241 2241
 but allow a future directive push from the server to
2242 2242
 dynamically change the
2243 2243
 on/off/adaptive setting.
2244 2244
 
2245 2245
 Next in a
2246
-.B --client-config-dir
2246
+.B \-\-client-config-dir
2247 2247
 file, specify the compression setting for the client,
2248 2248
 for example:
2249 2249
 
... ...
@@ -2262,12 +2262,12 @@ setting for the server
2262 2262
 side of the link, the second sets the client side.
2263 2263
 .\"*********************************************************
2264 2264
 .TP
2265
-.B --comp-noadapt
2265
+.B \-\-comp-noadapt
2266 2266
 When used in conjunction with
2267
-.B --comp-lzo,
2267
+.B \-\-comp-lzo,
2268 2268
 this option will disable OpenVPN's adaptive compression algorithm.
2269 2269
 Normally, adaptive compression is enabled with
2270
-.B --comp-lzo.
2270
+.B \-\-comp-lzo.
2271 2271
 
2272 2272
 Adaptive compression tries to optimize the case where you have
2273 2273
 compression enabled, but you are sending predominantly uncompressible
... ...
@@ -2279,7 +2279,7 @@ the compression efficiency will be very low, triggering openvpn to disable
2279 2279
 compression for a period of time until the next re-sample test.
2280 2280
 .\"*********************************************************
2281 2281
 .TP
2282
-.B --management IP port [pw-file]
2282
+.B \-\-management IP port [pw-file]
2283 2283
 Enable a TCP server on
2284 2284
 .B IP:port
2285 2285
 to handle daemon management functions.
... ...
@@ -2298,9 +2298,9 @@ and set
2298 2298
 .B port
2299 2299
 to 'unix'.  While the default behavior is to create a unix domain socket
2300 2300
 that may be connected to by any process, the
2301
-.B --management-client-user
2301
+.B \-\-management-client-user
2302 2302
 and
2303
-.B --management-client-group
2303
+.B \-\-management-client-group
2304 2304
 directives can be used to restrict access.
2305 2305
 
2306 2306
 The management interface provides a special mode where the TCP
... ...
@@ -2329,24 +2329,24 @@ be set to 127.0.0.1
2329 2329
 server to local clients. 
2330 2330
 .\"*********************************************************
2331 2331
 .TP
2332
-.B --management-query-passwords
2332
+.B \-\-management-query-passwords
2333 2333
 Query management channel for private key password and
2334
-.B --auth-user-pass
2334
+.B \-\-auth-user-pass
2335 2335
 username/password.  Only query the management channel
2336 2336
 for inputs which ordinarily would have been queried from the
2337 2337
 console.
2338 2338
 .\"*********************************************************
2339 2339
 .TP
2340
-.B --management-forget-disconnect
2340
+.B \-\-management-forget-disconnect
2341 2341
 Make OpenVPN forget passwords when management session
2342 2342
 disconnects.
2343 2343
 
2344 2344
 This directive does not affect the
2345
-.B --http-proxy
2345
+.B \-\-http-proxy
2346 2346
 username/password.  It is always cached.
2347 2347
 .\"*********************************************************
2348 2348
 .TP
2349
-.B --management-hold
2349
+.B \-\-management-hold
2350 2350
 Start OpenVPN in a hibernating state, until a client
2351 2351
 of the management interface explicitly starts it
2352 2352
 with the
... ...
@@ -2354,45 +2354,45 @@ with the
2354 2354
 command.
2355 2355
 .\"*********************************************************
2356 2356
 .TP
2357
-.B --management-signal
2357
+.B \-\-management-signal
2358 2358
 Send SIGUSR1 signal to OpenVPN if management session disconnects.
2359 2359
 This is useful when you wish to disconnect an OpenVPN session on
2360 2360
 user logoff.
2361 2361
 .\"*********************************************************
2362 2362
 .TP
2363
-.B --management-log-cache n
2363
+.B \-\-management-log-cache n
2364 2364
 Cache the most recent
2365 2365
 .B n
2366 2366
 lines of log file history for usage
2367 2367
 by the management channel.
2368 2368
 .\"*********************************************************
2369 2369
 .TP
2370
-.B --management-client-auth
2370
+.B \-\-management-client-auth
2371 2371
 Gives management interface client the responsibility
2372 2372
 to authenticate clients after their client certificate
2373 2373
 has been verified.  See management-notes.txt in OpenVPN
2374 2374
 distribution for detailed notes.
2375 2375
 .\"*********************************************************
2376 2376
 .TP
2377
-.B --management-client-pf
2377
+.B \-\-management-client-pf
2378 2378
 Management interface clients must specify a packet
2379 2379
 filter file for each connecting client.  See management-notes.txt
2380 2380
 in OpenVPN distribution for detailed notes.
2381 2381
 .\"*********************************************************
2382 2382
 .TP
2383
-.B --management-client-user u
2383
+.B \-\-management-client-user u
2384 2384
 When the management interface is listening on a unix domain socket,
2385 2385
 only allow connections from user
2386 2386
 .B u.
2387 2387
 .\"*********************************************************
2388 2388
 .TP
2389
-.B --management-client-group g
2389
+.B \-\-management-client-group g
2390 2390
 When the management interface is listening on a unix domain socket,
2391 2391
 only allow connections from group
2392 2392
 .B g.
2393 2393
 .\"*********************************************************
2394 2394
 .TP
2395
-.B --plugin module-pathname [init-string]
2395
+.B \-\-plugin module-pathname [init-string]
2396 2396
 Load plug-in module from the file
2397 2397
 .B module-pathname,
2398 2398
 passing
... ...
@@ -2428,7 +2428,7 @@ the connection to be authenticated.
2428 2428
 .SS Server Mode
2429 2429
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
2430 2430
 is supported, and can be enabled with the
2431
-.B --mode server
2431
+.B \-\-mode server
2432 2432
 option.  In server mode, OpenVPN will listen on a single
2433 2433
 port for incoming client connections.  All client
2434 2434
 connections will be routed through a single tun or tap
... ...
@@ -2438,7 +2438,7 @@ on sufficiently fast hardware.  SSL/TLS authentication must
2438 2438
 be used in this mode.
2439 2439
 .\"*********************************************************
2440 2440
 .TP
2441
-.B --server network netmask
2441
+.B \-\-server network netmask
2442 2442
 A helper directive designed to simplify the configuration
2443 2443
 of OpenVPN's server mode.  This directive will set up an
2444 2444
 OpenVPN server which will allocate addresses to clients
... ...
@@ -2448,7 +2448,7 @@ for use as the server-side endpoint of the local
2448 2448
 TUN/TAP interface.
2449 2449
 
2450 2450
 For example,
2451
-.B --server 10.8.0.0 255.255.255.0
2451
+.B \-\-server 10.8.0.0 255.255.255.0
2452 2452
 expands as follows:
2453 2453
 
2454 2454
 .nf
... ...
@@ -2478,23 +2478,23 @@ expands as follows:
2478 2478
 .fi
2479 2479
 
2480 2480
 Don't use
2481
-.B --server
2481
+.B \-\-server
2482 2482
 if you are ethernet bridging.  Use
2483
-.B --server-bridge
2483
+.B \-\-server-bridge
2484 2484
 instead.
2485 2485
 .\"*********************************************************
2486 2486
 .TP
2487
-.B --server-bridge gateway netmask pool-start-IP pool-end-IP
2487
+.B \-\-server-bridge gateway netmask pool-start-IP pool-end-IP
2488 2488
 .TP
2489
-.B --server-bridge ['nogw']
2489
+.B \-\-server-bridge ['nogw']
2490 2490
 
2491 2491
 A helper directive similar to
2492
-.B --server
2492
+.B \-\-server
2493 2493
 which is designed to simplify the configuration
2494 2494
 of OpenVPN's server mode in ethernet bridging configurations.
2495 2495
 
2496 2496
 If
2497
-.B --server-bridge
2497
+.B \-\-server-bridge
2498 2498
 is used without any parameters, it will enable a DHCP-proxy
2499 2499
 mode, where connecting OpenVPN clients will receive an IP
2500 2500
 address for their TAP adapter from the DHCP server running
... ...
@@ -2522,7 +2522,7 @@ IP/netmask on the bridge interface.  The
2522 2522
 and
2523 2523
 .B netmask
2524 2524
 parameters to
2525
-.B --server-bridge
2525
+.B \-\-server-bridge
2526 2526
 can be set to either the IP/netmask of the
2527 2527
 bridge interface, or the IP/netmask of the
2528 2528
 default gateway/router on the bridged
... ...
@@ -2554,7 +2554,7 @@ push "route-gateway 10.8.0.4"
2554 2554
 .fi
2555 2555
 
2556 2556
 In another example,
2557
-.B --server-bridge
2557
+.B \-\-server-bridge
2558 2558
 (without parameters) expands as follows:
2559 2559
 
2560 2560
 .nf
... ...
@@ -2569,7 +2569,7 @@ push "route-gateway dhcp"
2569 2569
 .fi
2570 2570
 
2571 2571
 Or
2572
-.B --server-bridge nogw
2572
+.B \-\-server-bridge nogw
2573 2573
 expands as follows:
2574 2574
 
2575 2575
 .nf
... ...
@@ -2582,13 +2582,13 @@ tls-server
2582 2582
 .fi
2583 2583
 .\"*********************************************************
2584 2584
 .TP
2585
-.B --push "option"
2585
+.B \-\-push "option"
2586 2586
 Push a config file option back to the client for remote
2587 2587
 execution.  Note that
2588 2588
 .B
2589 2589
 option
2590 2590
 must be enclosed in double quotes ("").  The client must specify
2591
-.B --pull
2591
+.B \-\-pull
2592 2592
 in its config file.  The set of options which can be
2593 2593
 pushed is limited by both feasibility and security.
2594 2594
 Some options such as those which would execute scripts
... ...
@@ -2599,44 +2599,44 @@ cannot be pushed because the client needs to know
2599 2599
 them before the connection to the server can be initiated.
2600 2600
 
2601 2601
 This is a partial list of options which can currently be pushed:
2602
-.B --route, --route-gateway, --route-delay, --redirect-gateway,
2603
-.B --ip-win32, --dhcp-option,
2604
-.B --inactive, --ping, --ping-exit, --ping-restart,
2605
-.B --setenv,
2606
-.B --persist-key, --persist-tun, --echo,
2607
-.B --comp-lzo,
2608
-.B --socket-flags,
2609
-.B --sndbuf, --rcvbuf
2602
+.B \-\-route, \-\-route-gateway, \-\-route-delay, \-\-redirect-gateway,
2603
+.B \-\-ip-win32, \-\-dhcp-option,
2604
+.B \-\-inactive, \-\-ping, \-\-ping-exit, \-\-ping-restart,
2605
+.B \-\-setenv,
2606
+.B \-\-persist-key, \-\-persist-tun, \-\-echo,
2607
+.B \-\-comp-lzo,
2608
+.B \-\-socket-flags,
2609
+.B \-\-sndbuf, \-\-rcvbuf
2610 2610
 .\"*********************************************************
2611 2611
 .TP
2612
-.B --push-reset
2612
+.B \-\-push-reset
2613 2613
 Don't inherit the global push list for a specific client instance.
2614 2614
 Specify this option in a client-specific context such
2615 2615
 as with a
2616
-.B --client-config-dir
2616
+.B \-\-client-config-dir
2617 2617
 configuration file.  This option will ignore
2618
-.B --push
2618
+.B \-\-push
2619 2619
 options at the global config file level.
2620 2620
 .\"*********************************************************
2621 2621
 .TP
2622
-.B --disable
2622
+.B \-\-disable
2623 2623
 Disable a particular client (based on the common name)
2624 2624
 from connecting.  Don't use this option to disable a client
2625 2625
 due to key or password compromise.  Use a CRL (certificate
2626 2626
 revocation list) instead (see the
2627
-.B --crl-verify
2627
+.B \-\-crl-verify
2628 2628
 option).
2629 2629
 
2630 2630
 This option must be associated with a specific client instance,
2631 2631
 which means that it must be specified either in a client
2632 2632
 instance config file using
2633
-.B --client-config-dir
2633
+.B \-\-client-config-dir
2634 2634
 or dynamically generated using a
2635
-.B --client-connect
2635
+.B \-\-client-connect
2636 2636
 script.
2637 2637
 .\"*********************************************************
2638 2638
 .TP
2639
-.B --ifconfig-pool start-IP end-IP [netmask]
2639
+.B \-\-ifconfig-pool start-IP end-IP [netmask]
2640 2640
 Set aside a pool of subnets to be
2641 2641
 dynamically allocated to connecting clients, similar
2642 2642
 to a DHCP server.  For tun-style
... ...
@@ -2649,7 +2649,7 @@ parameter will also be pushed to clients.
2649 2649
 
2650 2650
 .\"*********************************************************
2651 2651
 .TP
2652
-.B --ifconfig-pool-persist file [seconds]
2652
+.B \-\-ifconfig-pool-persist file [seconds]
2653 2653
 Persist/unpersist ifconfig-pool
2654 2654
 data to
2655 2655
 .B file,
... ...
@@ -2664,7 +2664,7 @@ IP address assigned to them from the ifconfig-pool.
2664 2664
 Maintaining a long-term
2665 2665
 association is good for clients because it allows them
2666 2666
 to effectively use the
2667
-.B --persist-tun
2667
+.B \-\-persist-tun
2668 2668
 option.
2669 2669
 
2670 2670
 .B file
... ...
@@ -2685,32 +2685,32 @@ suggestions only, based on past associations between
2685 2685
 a common name and IP address.  They do not guarantee that the given common
2686 2686
 name will always receive the given IP address.  If you want guaranteed
2687 2687
 assignment, use
2688
-.B --ifconfig-push
2688
+.B \-\-ifconfig-push
2689 2689
 .\"*********************************************************
2690 2690
 .TP
2691
-.B --ifconfig-pool-linear
2691
+.B \-\-ifconfig-pool-linear
2692 2692
 Modifies the
2693
-.B --ifconfig-pool
2693
+.B \-\-ifconfig-pool
2694 2694
 directive to
2695 2695
 allocate individual TUN interface addresses for
2696 2696
 clients rather than /30 subnets.  NOTE:  This option
2697 2697
 is incompatible with Windows clients.
2698 2698
 
2699 2699
 This option is deprecated, and should be replaced with
2700
-.B --topology p2p
2700
+.B \-\-topology p2p
2701 2701
 which is functionally equivalent.
2702 2702
 .\"*********************************************************
2703 2703
 .TP
2704
-.B --ifconfig-push local remote-netmask
2704
+.B \-\-ifconfig-push local remote-netmask
2705 2705
 Push virtual IP endpoints for client tunnel,
2706
-overriding the --ifconfig-pool dynamic allocation.
2706
+overriding the \-\-ifconfig-pool dynamic allocation.
2707 2707
 
2708 2708
 The parameters
2709 2709
 .B local
2710 2710
 and
2711 2711
 .B remote-netmask
2712 2712
 are set according to the
2713
-.B --ifconfig
2713
+.B \-\-ifconfig
2714 2714
 directive which you want to execute on the client machine to
2715 2715
 configure the remote end of the tunnel.  Note that the parameters
2716 2716
 .B local
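Review bot: on line 2706, `overriding the \-\-ifconfig-pool dynamic allocation.` leaves the option name in running text, while the other option references in this hunk are set with `.B`. The escaping is correct, but the line would be more consistent as a separate `.B \-\-ifconfig-pool` line, and the inner hyphen is still unescaped here as well.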
... ...
@@ -2723,13 +2723,13 @@ on the server at the time of client connection.
2723 2723
 This option must be associated with a specific client instance,
2724 2724
 which means that it must be specified either in a client
2725 2725
 instance config file using
2726
-.B --client-config-dir
2726
+.B \-\-client-config-dir
2727 2727
 or dynamically generated using a
2728
-.B --client-connect
2728
+.B \-\-client-connect
2729 2729
 script.
2730 2730
 
2731 2731
 Remember also to include a
2732
-.B --route
2732
+.B \-\-route
2733 2733
 directive in the main OpenVPN config file which encloses
2734 2734
 .B local,
2735 2735
 so that the kernel will know to route it
... ...
@@ -2739,23 +2739,23 @@ OpenVPN's internal client IP address selection algorithm works as
2739 2739
 follows:
2740 2740
 
2741 2741
 .B 1
2742
-.B --client-connect script
2742
+\-\- Use
2743
+.B \-\-client-connect script
2743 2744
 generated file for static IP (first choice).
2744 2745
 .br
2745 2746
 .B 2
2746
-.B --client-config-dir
2747
+\-\- Use
2748
+.B \-\-client-config-dir
2747 2749
 file for static IP (next choice).
2748 2750
 .br
2749 2751
 .B 3
2750
-.B --ifconfig-pool
2752
+\-\- Use
2753
+.B \-\-ifconfig-pool
2751 2754
 allocation for dynamic IP (last choice).
2752 2755
 .br
2753 2756
 .\"*********************************************************
2754 2757
 .TP
2755
-.B --iroute network [netmask]
2758
+.B \-\-iroute network [netmask]
2756 2759
 Generate an internal route to a specific
2757 2760
 client. The
2758 2761
 .B netmask
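Review bot: the three `+\-\- Use` lines under `.B 1`, `.B 2` and `.B 3` are shown without a matching `-` line, yet the hunk header gives 23 lines on both sides and the following hunk starts at 2766 on both sides. Check against the raw patch that each one replaces an existing `-- Use` line. If they are new text, that is a wording change to the address selection list and belongs in a separate commit from the escaping fix.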
... ...
@@ -2766,36 +2766,36 @@ the server to a particular client, regardless
2766 2766
 of where the client is connecting from.  Remember
2767 2767
 that you must also add the route to the system
2768 2768
 routing table as well (such as by using the
2769
-.B --route
2769
+.B \-\-route
2770 2770
 directive).  The reason why two routes are needed
2771 2771
 is that the
2772
-.B --route
2772
+.B \-\-route
2773 2773
 directive routes the packet from the kernel
2774 2774
 to OpenVPN.  Once in OpenVPN, the
2775
-.B --iroute
2775
+.B \-\-iroute
2776 2776
 directive routes to the specific client.
2777 2777
 
2778 2778
 This option must be specified either in a client
2779 2779
 instance config file using
2780
-.B --client-config-dir
2780
+.B \-\-client-config-dir
2781 2781
 or dynamically generated using a
2782
-.B --client-connect
2782
+.B \-\-client-connect
2783 2783
 script.
2784 2784
 
2785 2785
 The
2786
-.B --iroute
2786
+.B \-\-iroute
2787 2787
 directive also has an important interaction with
2788
-.B --push
2788
+.B \-\-push
2789 2789
 "route ...".
2790
-.B --iroute
2790
+.B \-\-iroute
2791 2791
 essentially defines a subnet which is owned by a
2792 2792
 particular client (we will call this client A).
2793 2793
 If you would like other clients to be able to reach A's
2794 2794
 subnet, you can use
2795
-.B --push
2795
+.B \-\-push
2796 2796
 "route ..."
2797 2797
 together with
2798
-.B --client-to-client
2798
+.B \-\-client-to-client
2799 2799
 to effect this.  In order for all clients to see
2800 2800
 A's subnet, OpenVPN must push this route to all clients
2801 2801
 EXCEPT for A, since the subnet is already owned by A.
... ...
@@ -2804,11 +2804,11 @@ not pushing a route to a client
2804 2804
 if it matches one of the client's iroutes.
2805 2805
 .\"*********************************************************
2806 2806
 .TP
2807
-.B --client-to-client
2807
+.B \-\-client-to-client
2808 2808
 Because the OpenVPN server mode handles multiple clients
2809 2809
 through a single tun or tap interface, it is effectively
2810 2810
 a router.  The
2811
-.B --client-to-client
2811
+.B \-\-client-to-client
2812 2812
 flag tells OpenVPN to internally route client-to-client
2813 2813
 traffic rather than pushing all client-originating traffic
2814 2814
 to the TUN/TAP interface.
... ...
@@ -2820,13 +2820,13 @@ if you want to firewall tunnel traffic using
2820 2820
 custom, per-client rules.
2821 2821
 .\"*********************************************************
2822 2822
 .TP
2823
-.B --duplicate-cn
2823
+.B \-\-duplicate-cn
2824 2824
 Allow multiple clients with the same common name to concurrently connect.
2825 2825
 In the absence of this option, OpenVPN will disconnect a client instance
2826 2826
 upon connection of a new client having the same common name.
2827 2827
 .\"*********************************************************
2828 2828
 .TP
2829
-.B --client-connect script
2829
+.B \-\-client-connect script
2830 2830
 Run
2831 2831
 .B script
2832 2832
 on client connection.  The script is passed the common name
... ...
@@ -2842,7 +2842,7 @@ to be applied on the server when the client connects,
2842 2842
 it should write it to the file named by $1.
2843 2843
 
2844 2844
 See the
2845
-.B --client-config-dir
2845
+.B \-\-client-config-dir
2846 2846
 option below for options which
2847 2847
 can be legally used in a dynamically generated config file.
2848 2848
 
... ...
@@ -2854,18 +2854,18 @@ returns a non-zero error status, it will cause the client
2854 2854
 to be disconnected.
2855 2855
 .\"*********************************************************
2856 2856
 .TP
2857
-.B --client-disconnect
2857
+.B \-\-client-disconnect
2858 2858
 Like
2859
-.B --client-connect
2859
+.B \-\-client-connect
2860 2860
 but called on client instance shutdown.  Will not be called
2861 2861
 unless the
2862
-.B --client-connect
2862
+.B \-\-client-connect
2863 2863
 script and plugins (if defined)
2864 2864
 were previously called on this instance with
2865 2865
 successful (0) status returns.
2866 2866
 
2867 2867
 The exception to this rule is if the
2868
-.B --client-disconnect
2868
+.B \-\-client-disconnect
2869 2869
 script or plugins are cascaded, and at least one client-connect
2870 2870
 function succeeded, then ALL of the client-disconnect functions for
2871 2871
 scripts and plugins will be called on client instance object deletion,
... ...
@@ -2874,7 +2874,7 @@ an error status.
2874 2874
 .B 
2875 2875
 .\"*********************************************************
2876 2876
 .TP
2877
-.B --client-config-dir dir
2877
+.B \-\-client-config-dir dir
2878 2878
 Specify a directory
2879 2879
 .B dir
2880 2880
 for custom client config files.  After
... ...
@@ -2888,9 +2888,9 @@ will instead try to open and parse a default file called
2888 2888
 
2889 2889
 This file can specify a fixed IP address for a given
2890 2890
 client using
2891
-.B --ifconfig-push,
2891
+.B \-\-ifconfig-push,
2892 2892
 as well as fixed subnets owned by the client using
2893
-.B --iroute.
2893
+.B \-\-iroute.
2894 2894
 
2895 2895
 One of the useful properties of this option is that it
2896 2896
 allows client configuration files to be conveniently
... ...
@@ -2899,28 +2899,28 @@ without needing to restart the server.
2899 2899
 
2900 2900
 The following
2901 2901
 options are legal in a client-specific context:
2902
-.B --push, --push-reset, --iroute, --ifconfig-push,
2902
+.B \-\-push, \-\-push-reset, \-\-iroute, \-\-ifconfig-push,
2903 2903
 and
2904
-.B --config.
2904
+.B \-\-config.
2905 2905
 .\"*********************************************************
2906 2906
 .TP
2907
-.B --ccd-exclusive
2907
+.B \-\-ccd-exclusive
2908 2908
 Require, as a
2909 2909
 condition of authentication, that a connecting client has a
2910
-.B --client-config-dir
2910
+.B \-\-client-config-dir
2911 2911
 file.
2912 2912
 .\"*********************************************************
2913 2913
 .TP
2914
-.B --tmp-dir dir
2914
+.B \-\-tmp-dir dir
2915 2915
 Specify a directory
2916 2916
 .B dir
2917 2917
 for temporary files.  This directory will be used by
2918
-.B --client-connect
2918
+.B \-\-client-connect
2919 2919
 scripts to dynamically generate client-specific
2920 2920
 configuration files.
2921 2921
 .\"*********************************************************
2922 2922
 .TP
2923
-.B --hash-size r v
2923
+.B \-\-hash-size r v
2924 2924
 Set the size of the real address hash table to
2925 2925
 .B r
2926 2926
 and the virtual address table to
... ...
@@ -2928,13 +2928,13 @@ and the virtual address table to
2928 2928
 By default, both tables are sized at 256 buckets.
2929 2929
 .\"*********************************************************
2930 2930
 .TP
2931
-.B --bcast-buffers n
2931
+.B \-\-bcast-buffers n
2932 2932
 Allocate
2933 2933
 .B n
2934 2934
 buffers for broadcast datagrams (default=256).
2935 2935
 .\"*********************************************************
2936 2936
 .TP
2937
-.B --tcp-queue-limit n
2937
+.B \-\-tcp-queue-limit n
2938 2938
 Maximum number of output packets queued before TCP (default=64).
2939 2939
 
2940 2940
 When OpenVPN is tunneling data from a TUN/TAP device to a
... ...
@@ -2946,7 +2946,7 @@ OpenVPN will start to drop outgoing packets directed
2946 2946
 at this client.
2947 2947
 .\"*********************************************************
2948 2948
 .TP
2949
-.B --tcp-nodelay
2949
+.B \-\-tcp-nodelay
2950 2950
 This macro sets the TCP_NODELAY socket flag on the server
2951 2951
 as well as pushes it to connecting clients.  The TCP_NODELAY
2952 2952
 flag disables the Nagle algorithm on TCP sockets causing
... ...
@@ -2969,13 +2969,13 @@ The macro expands as follows:
2969 2969
 .fi
2970 2970
 .\"*********************************************************
2971 2971
 .TP
2972
-.B --max-clients n
2972
+.B \-\-max-clients n
2973 2973
 Limit server to a maximum of
2974 2974
 .B n
2975 2975
 concurrent clients.
2976 2976
 .\"*********************************************************
2977 2977
 .TP
2978
-.B --max-routes-per-client n
2978
+.B \-\-max-routes-per-client n
2979 2979
 Allow a maximum of
2980 2980
 .B n
2981 2981
 internal routes per client (default=256).
... ...
@@ -2985,9 +2985,9 @@ server with packets appearing to come from many unique MAC addresses,
2985 2985
 forcing the server to deplete
2986 2986
 virtual memory as its internal routing table expands.
2987 2987
 This directive can be used in a
2988
-.B --client-config-dir
2988
+.B \-\-client-config-dir
2989 2989
 file or auto-generated by a
2990
-.B --client-connect
2990
+.B \-\-client-connect
2991 2991
 script to override the global value for a particular client.
2992 2992
 
2993 2993
 Note that this
... ...
@@ -2995,7 +2995,7 @@ directive affects OpenVPN's internal routing table, not the
2995 2995
 kernel routing table.
2996 2996
 .\"*********************************************************
2997 2997
 .TP
2998
-.B --connect-freq n sec
2998
+.B \-\-connect-freq n sec
2999 2999
 Allow a maximum of
3000 3000
 .B n
3001 3001
 new connections per
... ...
@@ -3009,12 +3009,12 @@ DoS scenario, legitimate connections might also be refused.
3009 3009
 
3010 3010
 For the best protection against DoS attacks in server mode,
3011 3011
 use
3012
-.B --proto udp
3012
+.B \-\-proto udp
3013 3013
 and
3014
-.B --tls-auth.
3014
+.B \-\-tls-auth.
3015 3015
 .\"*********************************************************
3016 3016
 .TP
3017
-.B --learn-address cmd
3017
+.B \-\-learn-address cmd
3018 3018
 Run script or shell command
3019 3019
 .B cmd
3020 3020
 to validate client virtual addresses or routes.
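Review bot: In `.B \-\-tls-auth.` the sentence-ending period is part of the `.B` argument, so it is set in bold and reads as part of the option name. Since the line is being rewritten anyway, consider `.BR \-\-tls-auth .` so that only the option itself is bold.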
... ...
@@ -3022,19 +3022,19 @@ to validate client virtual addresses or routes.
3022 3022
 .B cmd
3023 3023
 will be executed with 3 parameters:
3024 3024
 
3025
-.B [1] operation --
3025
+.B [1] operation \-\-
3026 3026
 "add", "update", or "delete" based on whether or not
3027 3027
 the address is being added to, modified, or deleted from
3028 3028
 OpenVPN's internal routing table.
3029 3029
 .br
3030
-.B [2] address --
3030
+.B [2] address \-\-
3031 3031
 The address being learned or unlearned.  This can be
3032 3032
 an IPv4 address such as "198.162.10.14", an IPv4 subnet
3033 3033
 such as "198.162.10.0/24", or an ethernet MAC address (when
3034
-.B --dev tap
3034
+.B \-\-dev tap
3035 3035
 is being used) such as "00:FF:01:02:03:04".
3036 3036
 .br
3037
-.B [3] common name --
3037
+.B [3] common name \-\-
3038 3038
 The common name on the certificate associated with the
3039 3039
 client linked to this address.  Only present for "add"
3040 3040
 or "update" operations, not "delete".
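Review bot: The `\-\-` in `.B [1] operation \-\-`, `.B [2] address \-\-` and `.B [3] common name \-\-` is a prose separator, not an option prefix, so escaping it as two minus signs treats punctuation as if it were command-line syntax. For these three lines a real dash (`\(em`) would state the intent; `\-\-` is better reserved for text the user types, such as `.B \-\-dev tap` in the same hunk.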
... ...
@@ -3054,7 +3054,7 @@ policies with regard to the client's high-level common name,
3054 3054
 rather than the low level client virtual addresses.
3055 3055
 .\"*********************************************************
3056 3056
 .TP
3057
-.B --auth-user-pass-verify script method
3057
+.B \-\-auth-user-pass-verify script method
3058 3058
 Require the client to provide a username/password (possibly
3059 3059
 in addition to a client certificate) for authentication.
3060 3060
 
... ...
@@ -3085,10 +3085,10 @@ will be passed as an argument to
3085 3085
 and the file will be automatically deleted by OpenVPN after
3086 3086
 the script returns.  The location of the temporary file is
3087 3087
 controlled by the
3088
-.B --tmp-dir
3088
+.B \-\-tmp-dir
3089 3089
 option, and will default to the current directory if unspecified.
3090 3090
 For security, consider setting 
3091
-.B --tmp-dir
3091
+.B \-\-tmp-dir
3092 3092
 to a volatile storage medium such as
3093 3093
 .B /dev/shm
3094 3094
 (if available) to prevent the username/password file from touching the hard drive.
... ...
@@ -3120,7 +3120,7 @@ For a sample script that performs PAM authentication, see
3120 3120
 in the OpenVPN source distribution.
3121 3121
 .\"*********************************************************
3122 3122
 .TP
3123
-.B --opt-verify
3123
+.B \-\-opt-verify
3124 3124
 Clients that connect with options that are incompatible
3125 3125
 with those of the server will be disconnected.
3126 3126
 
... ...
@@ -3130,16 +3130,16 @@ comp-lzo, fragment, keydir, cipher, auth, keysize, secret,
3130 3130
 no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client.
3131 3131
 
3132 3132
 This option requires that
3133
-.B --disable-occ
3133
+.B \-\-disable-occ
3134 3134
 NOT be used.
3135 3135
 .\"*********************************************************
3136 3136
 .TP
3137
-.B --auth-user-pass-optional
3137
+.B \-\-auth-user-pass-optional
3138 3138
 Allow connections by clients that do not specify a username/password.
3139 3139
 Normally, when
3140
-.B --auth-user-pass-verify
3140
+.B \-\-auth-user-pass-verify
3141 3141
 or
3142
-.B --management-client-auth
3142
+.B \-\-management-client-auth
3143 3143
 is specified (or an authentication plugin module), the
3144 3144
 OpenVPN server daemon will require connecting clients to specify a
3145 3145
 username and password.  This option makes the submission of a username/password
... ...
@@ -3152,35 +3152,35 @@ to empty strings ("").  The authentication module/script MUST have logic
3152 3152
 to detect this condition and respond accordingly.
3153 3153
 .\"*********************************************************
3154 3154
 .TP
3155
-.B --client-cert-not-required
3155
+.B \-\-client-cert-not-required
3156 3156
 Don't require client certificate, client will authenticate
3157 3157
 using username/password only.  Be aware that using this directive
3158 3158
 is less secure than requiring certificates from all clients.
3159 3159
 
3160 3160
 If you use this directive, the
3161 3161
 entire responsibility of authentication will rest on your
3162
-.B --auth-user-pass-verify
3162
+.B \-\-auth-user-pass-verify
3163 3163
 script, so keep in mind that bugs in your script
3164 3164
 could potentially compromise the security of your VPN.
3165 3165
 
3166 3166
 If you don't use this directive, but you also specify an
3167
-.B --auth-user-pass-verify
3167
+.B \-\-auth-user-pass-verify
3168 3168
 script, then OpenVPN will perform double authentication.  The
3169 3169
 client certificate verification AND the
3170
-.B --auth-user-pass-verify
3170
+.B \-\-auth-user-pass-verify
3171 3171
 script will need to succeed in order for a client to be
3172 3172
 authenticated and accepted onto the VPN.
3173 3173
 .\"*********************************************************
3174 3174
 .TP
3175
-.B --username-as-common-name
3175
+.B \-\-username-as-common-name
3176 3176
 For
3177
-.B --auth-user-pass-verify
3177
+.B \-\-auth-user-pass-verify
3178 3178
 authentication, use
3179 3179
 the authenticated username as the common name,
3180 3180
 rather than the common name from the client cert.
3181 3181
 .\"*********************************************************
3182 3182
 .TP
3183
-.B --no-name-remapping
3183
+.B \-\-no-name-remapping
3184 3184
 Allow Common Name, X509 Subject, and username strings to include
3185 3185
 any printable character including space, but excluding control
3186 3186
 characters such as tab, newline, and carriage-return.
... ...
@@ -3201,7 +3201,7 @@ disable the remapping feature.  Don't use this option unless you
3201 3201
 know what you are doing!
3202 3202
 .\"*********************************************************
3203 3203
 .TP
3204
-.B --port-share host port
3204
+.B \-\-port-share host port
3205 3205
 When run in TCP server mode, share the OpenVPN port with
3206 3206
 another application, such as an HTTPS server.  If OpenVPN
3207 3207
 senses a connection to its port which is using a non-OpenVPN
... ...
@@ -3216,13 +3216,13 @@ Not implemented on Windows.
3216 3216
 .SS Client Mode
3217 3217
 Use client mode when connecting to an OpenVPN server
3218 3218
 which has
3219
-.B --server, --server-bridge,
3219
+.B \-\-server, \-\-server-bridge,
3220 3220
 or
3221
-.B --mode server
3221
+.B \-\-mode server
3222 3222
 in it's configuration.
3223 3223
 .\"*********************************************************
3224 3224
 .TP
3225
-.B --client
3225
+.B \-\-client
3226 3226
 A helper directive designed to simplify the configuration
3227 3227
 of OpenVPN's client mode.  This directive is equivalent to:
3228 3228
 
... ...
@@ -3236,33 +3236,33 @@ of OpenVPN's client mode.  This directive is equivalent to:
3236 3236
 .fi
3237 3237
 .\"*********************************************************
3238 3238
 .TP
3239
-.B --pull
3239
+.B \-\-pull
3240 3240
 This option must be used on a client which is connecting
3241 3241
 to a multi-client server.  It indicates to OpenVPN that it
3242 3242
 should accept options pushed by the server, provided they
3243 3243
 are part of the legal set of pushable options (note that the
3244
-.B --pull
3244
+.B \-\-pull
3245 3245
 option is implied by
3246
-.B --client
3246
+.B \-\-client
3247 3247
 ).
3248 3248
 
3249 3249
 In particular,
3250
-.B --pull
3250
+.B \-\-pull
3251 3251
 allows the server to push routes to the client, so you should
3252 3252
 not use
3253
-.B --pull
3253
+.B \-\-pull
3254 3254
 or
3255
-.B --client
3255
+.B \-\-client
3256 3256
 in situations where you don't trust the server to have control
3257 3257
 over the client's routing table.
3258 3258
 .\"*********************************************************
3259 3259
 .TP
3260
-.B --auth-user-pass [up]
3260
+.B \-\-auth-user-pass [up]
3261 3261
 Authenticate with server using username/password.
3262 3262
 .B up
3263 3263
 is a file containing username/password on 2 lines (Note: OpenVPN
3264 3264
 will only read passwords from a file if it has been built
3265
-with the --enable-password-save configure option, or on Windows
3265
+with the \-\-enable-password-save configure option, or on Windows
3266 3266
 by defining ENABLE_PASSWORD_SAVE in config-win32.h).
3267 3267
 
3268 3268
 If
... ...
@@ -3271,12 +3271,12 @@ is omitted, username/password will be prompted from the
3271 3271
 console.
3272 3272
 
3273 3273
 The server configuration must specify an
3274
-.B --auth-user-pass-verify
3274
+.B \-\-auth-user-pass-verify
3275 3275
 script to verify the username/password provided by
3276 3276
 the client.
3277 3277
 .\"*********************************************************
3278 3278
 .TP
3279
-.B --auth-retry type
3279
+.B \-\-auth-retry type
3280 3280
 Controls how OpenVPN responds to username/password verification
3281 3281
 errors such as the client-side response to an AUTH_FAILED message from the server
3282 3282
 or verification failure of the private key password.
... ...
@@ -3287,40 +3287,40 @@ of error.
3287 3287
 
3288 3288
 An AUTH_FAILED message is generated by the server if the client
3289 3289
 fails
3290
-.B --auth-user-pass
3290
+.B \-\-auth-user-pass
3291 3291
 authentication, or if the server-side
3292
-.B --client-connect
3292
+.B \-\-client-connect
3293 3293
 script returns an error status when the client
3294 3294
 tries to connect.
3295 3295
 
3296 3296
 .B type
3297 3297
 can be one of:
3298 3298
 
3299
-.B none --
3299
+.B none \-\-
3300 3300
 Client will exit with a fatal error (this is the default).
3301 3301
 .br
3302
-.B nointeract --
3302
+.B nointeract \-\-
3303 3303
 Client will retry the connection without requerying for an
3304
-.B --auth-user-pass
3304
+.B \-\-auth-user-pass
3305 3305
 username/password.  Use this option for unattended clients.
3306 3306
 .br
3307
-.B interact --
3307
+.B interact \-\-
3308 3308
 Client will requery for an
3309
-.B --auth-user-pass
3309
+.B \-\-auth-user-pass
3310 3310
 username/password and/or private key password before attempting a reconnection.
3311 3311
 
3312 3312
 Note that while this option cannot be pushed, it can be controlled
3313 3313
 from the management interface.
3314 3314
 .\"*********************************************************
3315 3315
 .TP
3316
-.B --server-poll-timeout n
3316
+.B \-\-server-poll-timeout n
3317 3317
 when polling possible remote servers to connect to
3318 3318
 in a round-robin fashion, spend no more than
3319 3319
 .B n
3320 3320
 seconds waiting for a response before trying the next server.
3321 3321
 .\"*********************************************************
3322 3322
 .TP
3323
-.B --explicit-exit-notify [n]
3323
+.B \-\-explicit-exit-notify [n]
3324 3324
 In UDP client mode or point-to-point mode, send server/peer an exit notification
3325 3325
 if tunnel is restarted or OpenVPN process is exited.  In client mode, on
3326 3326
 exit/restart, this
... ...
@@ -3335,12 +3335,12 @@ These options are meaningful for both Static & TLS-negotiated key modes
3335 3335
 (must be compatible between peers).
3336 3336
 .\"*********************************************************
3337 3337
 .TP
3338
-.B --secret file [direction]
3338
+.B \-\-secret file [direction]
3339 3339
 Enable Static Key encryption mode (non-TLS).
3340 3340
 Use pre-shared secret
3341 3341
 .B file
3342 3342
 which was generated with
3343
-.B --genkey.
3343
+.B \-\-genkey.
3344 3344
 
3345 3345
 The optional
3346 3346
 .B direction
... ...
@@ -3371,7 +3371,7 @@ supports the
3371 3371
 .B direction
3372 3372
 parameter, will also support 2048 bit key file generation
3373 3373
 using the
3374
-.B --genkey
3374
+.B \-\-genkey
3375 3375
 option.
3376 3376
 
3377 3377
 Static key encryption mode has certain advantages,
... ...
@@ -3401,7 +3401,7 @@ would see nothing
3401 3401
 but random-looking data.
3402 3402
 .\"*********************************************************
3403 3403
 .TP
3404
-.B --auth alg
3404
+.B \-\-auth alg
3405 3405
 Authenticate packets with HMAC using message
3406 3406
 digest algorithm
3407 3407
 .B alg.
... ...
@@ -3416,7 +3416,7 @@ OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ci
3416 3416
 
3417 3417
 In static-key encryption mode, the HMAC key
3418 3418
 is included in the key file generated by
3419
-.B --genkey.
3419
+.B \-\-genkey.
3420 3420
 In TLS mode, the HMAC key is dynamically generated and shared
3421 3421
 between peers via the TLS control channel.  If OpenVPN receives a packet with
3422 3422
 a bad HMAC it will drop the packet.
... ...
@@ -3429,7 +3429,7 @@ For more information on HMAC see
3429 3429
 .I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
3430 3430
 .\"*********************************************************
3431 3431
 .TP
3432
-.B --cipher alg
3432
+.B \-\-cipher alg
3433 3433
 Encrypt packets with cipher algorithm
3434 3434
 .B alg.
3435 3435
 The default is
... ...
@@ -3444,7 +3444,7 @@ For more information on blowfish, see
3444 3444
 
3445 3445
 To see other ciphers that are available with
3446 3446
 OpenVPN, use the
3447
-.B --show-ciphers
3447
+.B \-\-show-ciphers
3448 3448
 option.
3449 3449
 
3450 3450
 OpenVPN supports the CBC, CFB, and OFB cipher modes,
... ...
@@ -3456,10 +3456,10 @@ Set
3456 3456
 to disable encryption.
3457 3457
 .\"*********************************************************
3458 3458
 .TP
3459
-.B --keysize n
3459
+.B \-\-keysize n
3460 3460
 Size of cipher key in bits (optional).
3461 3461
 If unspecified, defaults to cipher-specific default.  The
3462
-.B --show-ciphers
3462
+.B \-\-show-ciphers
3463 3463
 option (see below) shows all available OpenSSL ciphers,
3464 3464
 their default key sizes, and whether the key size can
3465 3465
 be changed.  Use care in changing a cipher's default
... ...
@@ -3469,7 +3469,7 @@ larger key may offer no real guarantee of greater
3469 3469
 security, or may even reduce security.
3470 3470
 .\"*********************************************************
3471 3471
 .TP
3472
-.B --prng alg [nsl]
3472
+.B \-\-prng alg [nsl]
3473 3473
 (Advanced) For PRNG (Pseudo-random number generator),
3474 3474
 use digest algorithm
3475 3475
 .B alg
... ...
@@ -3484,19 +3484,19 @@ to disable the PRNG and use the OpenSSL RAND_bytes function
3484 3484
 instead for all of OpenVPN's pseudo-random number needs.
3485 3485
 .\"*********************************************************
3486 3486
 .TP
3487
-.B --engine [engine-name]
3487
+.B \-\-engine [engine-name]
3488 3488
 Enable OpenSSL hardware-based crypto engine functionality.
3489 3489
 
3490 3490
 If
3491 3491
 .B engine-name
3492 3492
 is specified,
3493 3493
 use a specific crypto engine.  Use the
3494
-.B --show-engines
3494
+.B \-\-show-engines
3495 3495
 standalone option to list the crypto engines which are
3496 3496
 supported by OpenSSL.
3497 3497
 .\"*********************************************************
3498 3498
 .TP
3499
-.B --no-replay
3499
+.B \-\-no-replay
3500 3500
 (Advanced) Disable OpenVPN's protection against replay attacks.
3501 3501
 Don't use this option unless you are prepared to make
3502 3502
 a tradeoff of greater efficiency in exchange for less
... ...
@@ -3540,7 +3540,7 @@ algorithm used
3540 3540
 by IPSec.
3541 3541
 .\"*********************************************************
3542 3542
 .TP
3543
-.B --replay-window n [t]
3543
+.B \-\-replay-window n [t]
3544 3544
 Use a replay protection sliding-window of size
3545 3545
 .B n
3546 3546
 and a time window of
... ...
@@ -3555,9 +3555,9 @@ is 15 seconds.
3555 3555
 
3556 3556
 This option is only relevant in UDP mode, i.e.
3557 3557
 when either
3558
-.B --proto udp
3558
+.B \-\-proto udp
3559 3559
 is specifed, or no
3560
-.B --proto
3560
+.B \-\-proto
3561 3561
 option is specified.
3562 3562
 
3563 3563
 When OpenVPN tunnels IP packets over UDP, there is the possibility that
... ...
@@ -3569,7 +3569,7 @@ the TCP/IP protocol stack, provided they satisfy several constraints.
3569 3569
 
3570 3570
 .B (a)
3571 3571
 The packet cannot be a replay (unless
3572
-.B --no-replay
3572
+.B \-\-no-replay
3573 3573
 is specified, which disables replay protection altogether).
3574 3574
 
3575 3575
 .B (b)
... ...
@@ -3591,7 +3591,7 @@ a larger value for
3591 3591
 Satellite links in particular often require this.
3592 3592
 
3593 3593
 If you run OpenVPN at
3594
-.B --verb 4,
3594
+.B \-\-verb 4,
3595 3595
 you will see the message "Replay-window backtrack occurred [x]"
3596 3596
 every time the maximum sequence number backtrack seen thus far
3597 3597
 increases.  This can be used to calibrate
... ...
@@ -3627,7 +3627,7 @@ parameters of what is to be expected from the physical IP layer.  The problem
3627 3627
 is easily fixed by simply using TCP as the VPN transport layer.
3628 3628
 .\"*********************************************************
3629 3629
 .TP
3630
-.B --mute-replay-warnings
3630
+.B \-\-mute-replay-warnings
3631 3631
 Silence the output of replay warnings, which are a common
3632 3632
 false alarm on WiFi networks.  This option preserves
3633 3633
 the security of the replay protection code without
... ...
@@ -3635,7 +3635,7 @@ the verbosity associated with warnings about duplicate
3635 3635
 packets.
3636 3636
 .\"*********************************************************
3637 3637
 .TP
3638
-.B --replay-persist file
3638
+.B \-\-replay-persist file
3639 3639
 Persist replay-protection state across sessions using
3640 3640
 .B file
3641 3641
 to save and reload the state.
... ...
@@ -3643,7 +3643,7 @@ to save and reload the state.
3643 3643
 This option will strengthen protection against replay attacks,
3644 3644
 especially when you are using OpenVPN in a dynamic context (such
3645 3645
 as with
3646
-.B --inetd)
3646
+.B \-\-inetd)
3647 3647
 when OpenVPN sessions are frequently started and stopped. 
3648 3648
 
3649 3649
 This option will keep a disk copy of the current replay protection
... ...
@@ -3654,12 +3654,12 @@ which were already received by the prior session.
3654 3654
 
3655 3655
 This option only makes sense when replay protection is enabled
3656 3656
 (the default) and you are using either
3657
-.B --secret
3657
+.B \-\-secret
3658 3658
 (shared-secret key mode) or TLS mode with
3659
-.B --tls-auth.
3659
+.B \-\-tls-auth.
3660 3660
 .\"*********************************************************
3661 3661
 .TP
3662
-.B --no-iv
3662
+.B \-\-no-iv
3663 3663
 (Advanced) Disable OpenVPN's use of IV (cipher initialization vector).
3664 3664
 Don't use this option unless you are prepared to make
3665 3665
 a tradeoff of greater efficiency in exchange for less
... ...
@@ -3680,24 +3680,24 @@ space-saving optimization that uses the unique identifier for
3680 3680
 datagram replay protection as the IV.
3681 3681
 .\"*********************************************************
3682 3682
 .TP
3683
-.B --test-crypto
3683
+.B \-\-test-crypto
3684 3684
 Do a self-test of OpenVPN's crypto options by encrypting and
3685 3685
 decrypting test packets using the data channel encryption options
3686 3686
 specified above.  This option does not require a peer to function,
3687 3687
 and therefore can be specified without
3688
-.B --dev
3688
+.B \-\-dev
3689 3689
 or
3690
-.B --remote.
3690
+.B \-\-remote.
3691 3691
 
3692 3692
 The typical usage of
3693
-.B --test-crypto
3693
+.B \-\-test-crypto
3694 3694
 would be something like this:
3695 3695
 
3696
-.B openvpn --test-crypto --secret key
3696
+.B openvpn \-\-test-crypto \-\-secret key
3697 3697
 
3698 3698
 or
3699 3699
 
3700
-.B openvpn --test-crypto --secret key --verb 9
3700
+.B openvpn \-\-test-crypto \-\-secret key \-\-verb 9
3701 3701
 
3702 3702
 This option is very useful to test OpenVPN after it has been ported to
3703 3703
 a new platform, or to isolate problems in the compiler, OpenSSL
... ...
@@ -3721,17 +3721,17 @@ including certificate-based authentication and Diffie Hellman forward secrecy.
3721 3721
 
3722 3722
 To use TLS mode, each peer that runs OpenVPN should have its own local
3723 3723
 certificate/key pair (
3724
-.B --cert
3724
+.B \-\-cert
3725 3725
 and
3726
-.B --key
3726
+.B \-\-key
3727 3727
 ), signed by the root certificate which is specified
3728 3728
 in
3729
-.B --ca.
3729
+.B \-\-ca.
3730 3730
 
3731 3731
 When two OpenVPN peers connect, each presents its local certificate to the
3732 3732
 other.  Each peer will then check that its partner peer presented a
3733 3733
 certificate which was signed by the master root certificate as specified in
3734
-.B --ca.
3734
+.B \-\-ca.
3735 3735
 
3736 3736
 If that check on both peers succeeds, then the TLS negotiation
3737 3737
 will succeed, both OpenVPN
... ...
@@ -3748,18 +3748,18 @@ The easy-rsa package is also rendered in web form here:
3748 3748
 .I http://openvpn.net/easyrsa.html
3749 3749
 .\"*********************************************************
3750 3750
 .TP
3751
-.B --tls-server
3751
+.B \-\-tls-server
3752 3752
 Enable TLS and assume server role during TLS handshake.  Note that
3753 3753
 OpenVPN is designed as a peer-to-peer application.  The designation
3754 3754
 of client or server is only for the purpose of negotiating the TLS
3755 3755
 control channel.
3756 3756
 .\"*********************************************************
3757 3757
 .TP
3758
-.B --tls-client
3758
+.B \-\-tls-client
3759 3759
 Enable TLS and assume client role during TLS handshake.
3760 3760
 .\"*********************************************************
3761 3761
 .TP
3762
-.B --ca file
3762
+.B \-\-ca file
3763 3763
 Certificate authority (CA) file in .pem format, also referred to as the
3764 3764
 .I root
3765 3765
 certificate.  This file can have multiple
... ...
@@ -3781,10 +3781,10 @@ production environment, since by virtue of the fact that
3781 3781
 they are distributed with OpenVPN, they are totally insecure.
3782 3782
 .\"*********************************************************
3783 3783
 .TP
3784
-.B --dh file
3784
+.B \-\-dh file
3785 3785
 File containing Diffie Hellman parameters
3786 3786
 in .pem format (required for
3787
-.B --tls-server
3787
+.B \-\-tls-server
3788 3788
 only). Use
3789 3789
 
3790 3790
 .B openssl dhparam -out dh1024.pem 1024
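Review bot: The command line `.B openssl dhparam -out dh1024.pem 1024` at the end of this hunk is left untouched, so its single-dash option `-out` keeps the unescaped dash while `\-\-dh` and `\-\-tls-server` just above it are fixed. This is text a reader is expected to copy into a shell, so it should get the same treatment: `.B openssl dhparam \-out dh1024.pem 1024`.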
... ...
@@ -3794,15 +3794,15 @@ included with the OpenVPN distribution.  Diffie Hellman parameters
3794 3794
 may be considered public.
3795 3795
 .\"*********************************************************
3796 3796
 .TP
3797
-.B --cert file
3798
-Local peer's signed certificate in .pem format -- must be signed
3797
+.B \-\-cert file
3798
+Local peer's signed certificate in .pem format \-\- must be signed
3799 3799
 by a certificate authority whose certificate is in
3800
-.B --ca file.
3800
+.B \-\-ca file.
3801 3801
 Each peer in an OpenVPN link running in TLS mode should have its own
3802 3802
 certificate and private key file.  In addition, each certificate should
3803 3803
 have been signed by the key of a certificate
3804 3804
 authority whose public key resides in the
3805
-.B --ca
3805
+.B \-\-ca
3806 3806
 certificate authority file.
3807 3807
 You can easily make your own certificate authority (see above) or pay money
3808 3808
 to use a commercial service such as thawte.com (in which case you will be
... ...
@@ -3827,7 +3827,7 @@ Note that the
3827 3827
 command reads the location of the certificate authority key from its
3828 3828
 configuration file such as
3829 3829
 .B /usr/share/ssl/openssl.cnf
3830
+\-\- note also
3830 3831
 that for certificate authority functions, you must set up the files
3831 3832
 .B index.txt
3832 3833
 (may be empty) and
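Review bot: The header `@@ -3827,7 +3827,7 @@` claims seven lines on each side, but the hunk as shown has only six old-side lines, and `+\-\- note also` at new line 3830 has no matching `-` line. The replaced line presumably began with `--`, which makes its removal read `--- note also` in a unified diff and easy to mistake for a file header. Please confirm against the raw patch that the old line is actually removed; if it is not, the man page would carry the phrase twice.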
... ...
@@ -3838,90 +3838,90 @@ that for certificate authority functions, you must set up the files
3838 3838
 ).
3839 3839
 .\"*********************************************************
3840 3840
 .TP
3841
-.B --key file
3841
+.B \-\-key file
3842 3842
 Local peer's private key in .pem format.  Use the private key which was generated
3843 3843
 when you built your peer's certificate (see
3844 3844
 .B -cert file
3845 3845
 above).
3846 3846
 .\"*********************************************************
3847 3847
 .TP
3848
-.B --pkcs12 file
3848
+.B \-\-pkcs12 file
3849 3849
 Specify a PKCS #12 file containing local private key,
3850 3850
 local certificate, and root CA certificate.
3851 3851
 This option can be used instead of
3852
-.B --ca, --cert,
3852
+.B \-\-ca, \-\-cert,
3853 3853
 and
3854
-.B --key.
3854
+.B \-\-key.
3855 3855
 .\"*********************************************************
3856 3856
 .TP
3857
-.B --pkcs11-cert-private [0|1]...
3857
+.B \-\-pkcs11-cert-private [0|1]...
3858 3858
 Set if access to certificate object should be performed after login.
3859 3859
 Every provider has its own setting.
3860 3860
 .\"*********************************************************
3861 3861
 .TP
3862
-.B --pkcs11-id name
3862
+.B \-\-pkcs11-id name
3863 3863
 Specify the serialized certificate id to be used. The id can be gotten
3864 3864
 by the standalone
3865
-.B --show-pkcs11-ids
3865
+.B \-\-show-pkcs11-ids
3866 3866
 option.
3867 3867
 .\"*********************************************************
3868 3868
 .TP
3869
-.B --pkcs11-id-management
3869
+.B \-\-pkcs11-id-management
3870 3870
 Acquire PKCS#11 id from management interface. In this case a NEED-STR 'pkcs11-id-request'
3871 3871
 real-time message will be triggered, application may use pkcs11-id-count command to
3872 3872
 retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate
3873 3873
 id and certificate body.
3874 3874
 .\"*********************************************************
3875 3875
 .TP
3876
-.B --pkcs11-pin-cache seconds
3876
+.B \-\-pkcs11-pin-cache seconds
3877 3877
 Specify how many seconds the PIN can be cached, the default is until the token is removed.
3878 3878
 .\"*********************************************************
3879 3879
 .TP
3880
-.B --pkcs11-protected-authentication [0|1]...
3880
+.B \-\-pkcs11-protected-authentication [0|1]...
3881 3881
 Use PKCS#11 protected authentication path, useful for biometric and external
3882 3882
 keypad devices.
3883 3883
 Every provider has its own setting.
3884 3884
 .\"*********************************************************
3885 3885
 .TP
3886
-.B --pkcs11-providers provider...
3886
+.B \-\-pkcs11-providers provider...
3887 3887
 Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers
3888 3888
 to load.
3889 3889
 This option can be used instead of
3890
-.B --cert, --key,
3890
+.B \-\-cert, \-\-key,
3891 3891
 and
3892
-.B --pkcs12.
3892
+.B \-\-pkcs12.
3893 3893
 .\"*********************************************************
3894 3894
 .TP
3895
-.B --pkcs11-private-mode mode...
3895
+.B \-\-pkcs11-private-mode mode...
3896 3896
 Specify which method to use in order to perform private key operations.
3897 3897
 A different mode can be specified for each provider.
3898 3898
 Mode is encoded as hex number, and can be a mask one of the following:
3899 3899
 
3900 3900
 .B 0
3901
-(default) -- Try to determind automatically.
3901
+(default) \-\- Try to determind automatically.
3902 3902
 .br
3903 3903
 .B 1
3904
+\-\- Use sign.
3904 3905
 .br
3905 3906
 .B 2
3907
+\-\- Use sign recover.
3906 3908
 .br
3907 3909
 .B 4
3910
+\-\- Use decrypt.
3908 3911
 .br
3909 3912
 .B 8
3913
+\-\- Use unwrap.
3910 3914
 .br
3911 3915
 .\"*********************************************************
3912 3916
 .TP
3913
-.B --cryptoapicert select-string
3917
+.B \-\-cryptoapicert select-string
3914 3918
 Load the certificate and private key from the
3915 3919
 Windows Certificate System Store (Windows Only).
3916 3920
 
3917 3921
 Use this option instead of
3918
-.B --cert
3922
+.B \-\-cert
3919 3923
 and
3920
-.B --key.
3924
+.B \-\-key.
3921 3925
 
3922 3926
 This makes
3923 3927
 it possible to use any smart card, supported by Windows, but also any
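Review bot: The context line `.B -cert file` (line 3844, under `\-\-key file`) still has a single, unescaped dash and, since it refers back to the `.B \-\-cert file` entry, looks like it should read `.B \-\-cert file`; it is worth fixing in the same pass. Two smaller points in this hunk: the four `+\-\- Use ...` lines (sign, sign recover, decrypt, unwrap) appear with no matching `-` lines, which leaves the new-side numbering four ahead of the old by the end of the hunk (3923 vs 3927), so check the raw patch for removals that were dropped; and `+(default) \-\- Try to determind automatically.` carries the typo "determind" over onto a rewritten line.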
... ...
@@ -3947,7 +3947,7 @@ Certificate Store GUI.
3947 3947
 
3948 3948
 .\"*********************************************************
3949 3949
 .TP
3950
-.B --key-method m
3950
+.B \-\-key-method m
3951 3951
 Use data channel key negotiation method
3952 3952
 .B m.
3953 3953
 The key method must match on both sides of the connection.
... ...
@@ -3975,16 +3975,16 @@ of keying occur:
3975 3975
 of the connection producing certificates and verifying the certificate
3976 3976
 (or other authentication info provided) of
3977 3977
 the other side.  The
3978
-.B --key-method
3978
+.B \-\-key-method
3979 3979
 parameter has no effect on this process.
3980 3980
 
3981 3981
 (2) After the TLS connection is established, the tunnel session keys are
3982 3982
 separately negotiated over the existing secure TLS channel.  Here,
3983
-.B --key-method
3983
+.B \-\-key-method
3984 3984
 determines the derivation of the tunnel session keys.
3985 3985
 .\"*********************************************************
3986 3986
 .TP
3987
-.B --tls-cipher l
3987
+.B \-\-tls-cipher l
3988 3988
 A list
3989 3989
 .B l
3990 3990
 of allowable TLS ciphers delimited by a colon (":").
... ...
@@ -3994,11 +3994,11 @@ version rollback attack where a man-in-the-middle attacker tries
3994 3994
 to force two peers to negotiate to the lowest level
3995 3995
 of security they both support.
3996 3996
 Use
3997
-.B --show-tls
3997
+.B \-\-show-tls
3998 3998
 to see a list of supported TLS ciphers.
3999 3999
 .\"*********************************************************
4000 4000
 .TP
4001
-.B --tls-timeout n
4001
+.B \-\-tls-timeout n
4002 4002
 Packet retransmit timeout on TLS control channel
4003 4003
 if no acknowledgment from remote within
4004 4004
 .B n
... ...
@@ -4015,7 +4015,7 @@ the higher level network protocols running on top of the tunnel
4015 4015
 such as TCP expect this role to be left to them.
4016 4016
 .\"*********************************************************
4017 4017
 .TP
4018
-.B --reneg-bytes n
4018
+.B \-\-reneg-bytes n
4019 4019
 Renegotiate data channel key after
4020 4020
 .B n
4021 4021
 bytes sent or received (disabled by default).
... ...
@@ -4025,13 +4025,13 @@ a number of seconds.  A key renegotiation will be forced
4025 4025
 if any of these three criteria are met by either peer.
4026 4026
 .\"*********************************************************
4027 4027
 .TP
4028
-.B --reneg-pkts n
4028
+.B \-\-reneg-pkts n
4029 4029
 Renegotiate data channel key after
4030 4030
 .B n
4031 4031
 packets sent and received (disabled by default).
4032 4032
 .\"*********************************************************
4033 4033
 .TP
4034
-.B --reneg-sec n
4034
+.B \-\-reneg-sec n
4035 4035
 Renegotiate data channel key after
4036 4036
 .B n
4037 4037
 seconds (default=3600).
... ...
@@ -4042,16 +4042,16 @@ cause the end user to be challenged to reauthorize once per hour.
4042 4042
 Also, keep in mind that this option can be used on both the client and server,
4043 4043
 and whichever uses the lower value will be the one to trigger the renegotiation.
4044 4044
 A common mistake is to set
4045
-.B --reneg-sec
4045
+.B \-\-reneg-sec
4046 4046
 to a higher value on either the client or server, while the other side of the connection
4047 4047
 is still using the default value of 3600 seconds, meaning that the renegotiation will
4048
-still occur once per 3600 seconds.  The solution is to increase --reneg-sec on both the
4048
+still occur once per 3600 seconds.  The solution is to increase \-\-reneg-sec on both the
4049 4049
 client and server, or set it to 0 on one side of the connection (to disable), and to
4050 4050
 your chosen value on the other side.
4051 4051
 .\"*********************************************************
4052 4052
 .TP
4053
-.B --hand-window n
4054
-Handshake Window -- the TLS-based key exchange must finalize within
4053
+.B \-\-hand-window n
4054
+Handshake Window \-\- the TLS-based key exchange must finalize within
4055 4055
 .B n
4056 4056
 seconds
4057 4057
 of handshake initiation by any peer (default = 60 seconds).
... ...
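Review bot: in `Handshake Window \-\- the TLS-based key exchange must finalize within` the double dash is punctuation, not an option prefix, so `\-\-` fixes two literal minus characters where a dash was meant. Use the roff dash escape `\(em` here, or leave prose dashes out of this patch and keep it to option names. The `The solution is to increase \-\-reneg-sec on both the` change in the same hunk is the option case and is fine.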
@@ -4059,47 +4059,47 @@ If the handshake fails
4059 4059
 we will attempt to reset our connection with our peer and try again.
4060 4060
 Even in the event of handshake failure we will still use
4061 4061
 our expiring key for up to
4062
-.B --tran-window
4062
+.B \-\-tran-window
4063 4063
 seconds to maintain continuity of transmission of tunnel
4064 4064
 data.
4065 4065
 .\"*********************************************************
4066 4066
 .TP
4067
-.B --tran-window n
4068
-Transition window -- our old key can live this many seconds
4067
+.B \-\-tran-window n
4068
+Transition window \-\- our old key can live this many seconds
4069 4069
 after a new a key renegotiation begins (default = 3600 seconds).
4070 4070
 This feature allows for a graceful transition from old to new
4071 4071
 key, and removes the key renegotiation sequence from the critical
4072 4072
 path of tunnel data forwarding.
4073 4073
 .\"*********************************************************
4074 4074
 .TP
4075
-.B --single-session
4075
+.B \-\-single-session
4076 4076
 After initially connecting to a remote peer, disallow any new connections.
4077 4077
 Using this
4078 4078
 option means that a remote peer cannot connect, disconnect, and then
4079 4079
 reconnect.
4080 4080
 
4081 4081
 If the daemon is reset by a signal or
4082
-.B --ping-restart,
4082
+.B \-\-ping-restart,
4083 4083
 it will allow one new connection.
4084 4084
 
4085
-.B --single-session
4085
+.B \-\-single-session
4086 4086
 can be used with
4087
-.B --ping-exit
4087
+.B \-\-ping-exit
4088 4088
 or
4089
-.B --inactive
4089
+.B \-\-inactive
4090 4090
 to create a single dynamic session that will exit when finished.
4091 4091
 .\"*********************************************************
4092 4092
 .TP
4093
-.B --tls-exit
4093
+.B \-\-tls-exit
4094 4094
 Exit on TLS negotiation failure.
4095 4095
 .\"*********************************************************
4096 4096
 .TP
4097
-.B --tls-auth file [direction]
4097
+.B \-\-tls-auth file [direction]
4098 4098
 Add an additional layer of HMAC authentication on top of the TLS
4099 4099
 control channel to protect against DoS attacks.
4100 4100
 
4101 4101
 In a nutshell,
4102
-.B --tls-auth
4102
+.B \-\-tls-auth
4103 4103
 enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port,
4104 4104
 where TLS control channel packets
4105 4105
 bearing an incorrect HMAC signature can be dropped immediately without
... ...
@@ -4110,7 +4110,7 @@ response.
4110 4110
 
4111 4111
 .B (1)
4112 4112
 An OpenVPN static key file generated by
4113
-.B --genkey
4113
+.B \-\-genkey
4114 4114
 (required if
4115 4115
 .B direction
4116 4116
 parameter is used).
... ...
@@ -4128,19 +4128,19 @@ OpenVPN will first try format (1), and if the file fails to parse as
4128 4128
 a static key file, format (2) will be used.
4129 4129
 
4130 4130
 See the
4131
-.B --secret
4131
+.B \-\-secret
4132 4132
 option for more information on the optional
4133 4133
 .B direction
4134 4134
 parameter.
4135 4135
 
4136
-.B --tls-auth
4136
+.B \-\-tls-auth
4137 4137
 is recommended when you are running OpenVPN in a mode where
4138 4138
 it is listening for packets from any IP address, such as when
4139
-.B --remote
4139
+.B \-\-remote
4140 4140
 is not specified, or
4141
-.B --remote
4141
+.B \-\-remote
4142 4142
 is specified with
4143
-.B --float.
4143
+.B \-\-float.
4144 4144
 
4145 4145
 The rationale for
4146 4146
 this feature is as follows.  TLS requires a multi-packet exchange
... ...
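Review bot: `.B \-\-float.` keeps the sentence's full stop inside the bold option name, so the option reads as `--float.` when copied from the rendered page. Since the line is being touched anyway, move the punctuation out with `.BR \-\-float .`, the form the page uses elsewhere for `.BR scp (1)`.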
@@ -4167,7 +4167,7 @@ An important rule of thumb in reducing vulnerability to DoS attacks is to
4167 4167
 minimize the amount of resources a potential, but as yet unauthenticated,
4168 4168
 client is able to consume.
4169 4169
 
4170
-.B --tls-auth
4170
+.B \-\-tls-auth
4171 4171
 does this by signing every TLS control channel packet with an HMAC signature,
4172 4172
 including packets which are sent before the TLS level has had a chance
4173 4173
 to authenticate the peer.
... ...
@@ -4175,20 +4175,20 @@ The result is that packets without
4175 4175
 the correct signature can be dropped immediately upon reception,
4176 4176
 before they have a chance to consume additional system resources
4177 4177
 such as by initiating a TLS handshake.
4178
-.B --tls-auth
4178
+.B \-\-tls-auth
4179 4179
 can be strengthened by adding the
4180
-.B --replay-persist
4180
+.B \-\-replay-persist
4181 4181
 option which will keep OpenVPN's replay protection state
4182 4182
 in a file so that it is not lost across restarts.
4183 4183
 
4184 4184
 It should be emphasized that this feature is optional and that the
4185 4185
 passphrase/key file used with
4186
-.B --tls-auth
4186
+.B \-\-tls-auth
4187 4187
 gives a peer nothing more than the power to initiate a TLS
4188 4188
 handshake.  It is not used to encrypt or authenticate any tunnel data.
4189 4189
 .\"*********************************************************
4190 4190
 .TP
4191
-.B --askpass [file]
4191
+.B \-\-askpass [file]
4192 4192
 Get certificate password from console or
4193 4193
 .B file
4194 4194
 before we daemonize.
... ...
@@ -4197,7 +4197,7 @@ For the extremely
4197 4197
 security conscious, it is possible to protect your private key with
4198 4198
 a password.  Of course this means that every time the OpenVPN
4199 4199
 daemon is started you must be there to type the password.  The
4200
-.B --askpass
4200
+.B \-\-askpass
4201 4201
 option allows you to start OpenVPN from the command line.  It will
4202 4202
 query you for a password before it daemonizes.  To protect a private
4203 4203
 key with a password you should omit the
... ...
@@ -4214,15 +4214,15 @@ Keep in mind that storing your password in a file
4214 4214
 to a certain extent invalidates the extra security provided by
4215 4215
 using an encrypted key (Note: OpenVPN
4216 4216
 will only read passwords from a file if it has been built
4217
-with the --enable-password-save configure option, or on Windows
4217
+with the \-\-enable-password-save configure option, or on Windows
4218 4218
 by defining ENABLE_PASSWORD_SAVE in config-win32.h).
4219 4219
 .\"*********************************************************
4220 4220
 .TP
4221
-.B --auth-nocache
4221
+.B \-\-auth-nocache
4222 4222
 Don't cache
4223
-.B --askpass
4223
+.B \-\-askpass
4224 4224
 or
4225
-.B --auth-user-pass
4225
+.B \-\-auth-user-pass
4226 4226
 username/passwords in virtual memory.
4227 4227
 
4228 4228
 If specified, this directive will cause OpenVPN to immediately
... ...
@@ -4232,19 +4232,19 @@ from stdin, which may be multiple times during the duration of an
4232 4232
 OpenVPN session.
4233 4233
 
4234 4234
 This directive does not affect the
4235
-.B --http-proxy
4235
+.B \-\-http-proxy
4236 4236
 username/password.  It is always cached.
4237 4237
 .\"*********************************************************
4238 4238
 .TP
4239
-.B --tls-verify cmd
4239
+.B \-\-tls-verify cmd
4240 4240
 Execute shell command
4241 4241
 .B cmd
4242 4242
 to verify the X509 name of a
4243 4243
 pending TLS connection that has otherwise passed all other
4244 4244
 tests of certification (except for revocation via
4245
-.B --crl-verify
4245
+.B \-\-crl-verify
4246 4246
 directive; the revocation test occurs after the
4247
-.B --tls-verify
4247
+.B \-\-tls-verify
4248 4248
 test).
4249 4249
 
4250 4250
 .B cmd
... ...
@@ -4277,7 +4277,7 @@ to
4277 4277
 to build a command line which will be passed to the script.
4278 4278
 .\"*********************************************************
4279 4279
 .TP
4280
-.B --tls-remote name
4280
+.B \-\-tls-remote name
4281 4281
 Accept connections only from a host with X509 name
4282 4282
 or common name equal to
4283 4283
 .B name.
... ...
@@ -4294,24 +4294,24 @@ a third party, such as a commercial web CA.
4294 4294
 Name can also be a common name prefix, for example if you
4295 4295
 want a client to only accept connections to "Server-1",
4296 4296
 "Server-2", etc., you can simply use
4297
-.B --tls-remote Server
4297
+.B \-\-tls-remote Server
4298 4298
 
4299 4299
 Using a common name prefix is a useful alternative to managing
4300 4300
 a CRL (Certificate Revocation List) on the client, since it allows the client
4301 4301
 to refuse all certificates except for those associated
4302 4302
 with designated servers.
4303 4303
 
4304
-.B --tls-remote
4304
+.B \-\-tls-remote
4305 4305
 is a useful replacement for the
4306
-.B --tls-verify
4306
+.B \-\-tls-verify
4307 4307
 option to verify the remote host, because
4308
-.B --tls-remote
4308
+.B \-\-tls-remote
4309 4309
 works in a
4310
-.B --chroot
4310
+.B \-\-chroot
4311 4311
 environment too.
4312 4312
 .\"*********************************************************
4313 4313
 .TP
4314
-.B --ns-cert-type client|server
4314
+.B \-\-ns-cert-type client|server
4315 4315
 Require that peer certificate was signed with an explicit
4316 4316
 .B nsCertType
4317 4317
 designation of "client" or "server".
... ...
@@ -4326,19 +4326,19 @@ field set to "server".
4326 4326
 
4327 4327
 If the server certificate's nsCertType field is set
4328 4328
 to "server", then the clients can verify this with
4329
-.B --ns-cert-type server.
4329
+.B \-\-ns-cert-type server.
4330 4330
 
4331 4331
 This is an important security precaution to protect against
4332 4332
 a man-in-the-middle attack where an authorized client
4333 4333
 attempts to connect to another client by impersonating the server.
4334 4334
 The attack is easily prevented by having clients verify
4335 4335
 the server certificate using any one of
4336
-.B --ns-cert-type, --tls-remote,
4336
+.B \-\-ns-cert-type, \-\-tls-remote,
4337 4337
 or
4338
-.B --tls-verify.
4338
+.B \-\-tls-verify.
4339 4339
 .\"*********************************************************
4340 4340
 .TP
4341
-.B --remote-cert-ku v...
4341
+.B \-\-remote-cert-ku v...
4342 4342
 Require that peer certificate was signed with an explicit
4343 4343
 .B key usage.
4344 4344
 
... ...
@@ -4349,7 +4349,7 @@ The key usage should be encoded in hex, more than one key
4349 4349
 usage can be specified.
4350 4350
 .\"*********************************************************
4351 4351
 .TP
4352
-.B --remote-cert-eku oid
4352
+.B \-\-remote-cert-eku oid
4353 4353
 Require that peer certificate was signed with an explicit
4354 4354
 .B extended key usage.
4355 4355
 
... ...
@@ -4360,7 +4360,7 @@ The extended key usage should be encoded in oid notation, or
4360 4360
 OpenSSL symbolic representation.
4361 4361
 .\"*********************************************************
4362 4362
 .TP
4363
-.B --remote-cert-tls client|server
4363
+.B \-\-remote-cert-tls client|server
4364 4364
 Require that peer certificate was signed with an explicit
4365 4365
 .B key usage
4366 4366
 and
... ...
@@ -4371,18 +4371,18 @@ This is a useful security option for clients, to ensure that
4371 4371
 the host they connect to is a designated server.
4372 4372
 
4373 4373
 The
4374
-.B --remote-cert-tls client
4374
+.B \-\-remote-cert-tls client
4375 4375
 option is equivalent to
4376 4376
 .B
4377
+\-\-remote-cert-ku 80 08 88 \-\-remote-cert-eku "TLS Web Client Authentication"
4377 4378
 
4378 4379
 The key usage is digitalSignature and/or keyAgreement.
4379 4380
 
4380 4381
 The
4381
-.B --remote-cert-tls server
4382
+.B \-\-remote-cert-tls server
4382 4383
 option is equivalent to
4383 4384
 .B
4385
+\-\-remote-cert-ku a0 88 \-\-remote-cert-eku "TLS Web Server Authentication"
4384 4386
 
4385 4387
 The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).
4386 4388
 
... ...
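Review bot: the two added lines after the bare `.B` requests (`\-\-remote-cert-ku 80 08 88 ...` and `\-\-remote-cert-ku a0 88 ...`) have no removed counterpart in this hunk as shown. The new-side numbering ends two lines ahead of the old side (`4386 4388`), although the header `-4371,18 +4371,18` gives equal counts. Check the raw patch: if the old lines began with `--` like the rest of the page, their removal is written with three leading dashes, which is easy to mistake for a file header. Confirm both removals are present before applying.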
@@ -4391,12 +4391,12 @@ a man-in-the-middle attack where an authorized client
4391 4391
 attempts to connect to another client by impersonating the server.
4392 4392
 The attack is easily prevented by having clients verify
4393 4393
 the server certificate using any one of
4394
-.B --remote-cert-tls, --tls-remote,
4394
+.B \-\-remote-cert-tls, \-\-tls-remote,
4395 4395
 or
4396
-.B --tls-verify.
4396
+.B \-\-tls-verify.
4397 4397
 .\"*********************************************************
4398 4398
 .TP
4399
-.B --crl-verify crl
4399
+.B \-\-crl-verify crl
4400 4400
 Check peer certificate against the file
4401 4401
 .B crl
4402 4402
 in PEM format.
... ...
@@ -4416,28 +4416,28 @@ if the root certificate key itself was compromised.
4416 4416
 .SS SSL Library information:
4417 4417
 .\"*********************************************************
4418 4418
 .TP
4419
-.B --show-ciphers
4419
+.B \-\-show-ciphers
4420 4420
 (Standalone)
4421 4421
 Show all cipher algorithms to use with the
4422
-.B --cipher
4422
+.B \-\-cipher
4423 4423
 option.
4424 4424
 .\"*********************************************************
4425 4425
 .TP
4426
-.B --show-digests
4426
+.B \-\-show-digests
4427 4427
 (Standalone)
4428 4428
 Show all message digest algorithms to use with the
4429
-.B --auth
4429
+.B \-\-auth
4430 4430
 option.
4431 4431
 .\"*********************************************************
4432 4432
 .TP
4433
-.B --show-tls
4433
+.B \-\-show-tls
4434 4434
 (Standalone)
4435 4435
 Show all TLS ciphers (TLS used only as a control channel).  The TLS
4436 4436
 ciphers will be sorted from highest preference (most secure) to
4437 4437
 lowest.
4438 4438
 .\"*********************************************************
4439 4439
 .TP
4440
-.B --show-engines
4440
+.B \-\-show-engines
4441 4441
 (Standalone)
4442 4442
 Show currently available hardware-based crypto acceleration
4443 4443
 engines supported by the OpenSSL library.
... ...
@@ -4446,18 +4446,18 @@ engines supported by the OpenSSL library.
4446 4446
 Used only for non-TLS static key encryption mode.
4447 4447
 .\"*********************************************************
4448 4448
 .TP
4449
-.B --genkey
4449
+.B \-\-genkey
4450 4450
 (Standalone)
4451 4451
 Generate a random key to be used as a shared secret,
4452 4452
 for use with the
4453
-.B --secret
4453
+.B \-\-secret
4454 4454
 option.  This file must be shared with the
4455 4455
 peer over a pre-existing secure channel such as
4456 4456
 .BR scp (1)
4457 4457
 .
4458 4458
 .\"*********************************************************
4459 4459
 .TP
4460
-.B --secret file
4460
+.B \-\-secret file
4461 4461
 Write key to
4462 4462
 .B file.
4463 4463
 .\"*********************************************************
... ...
@@ -4466,7 +4466,7 @@ Available with linux 2.4.7+.  These options comprise a standalone mode
4466 4466
 of OpenVPN which can be used to create and delete persistent tunnels.
4467 4467
 .\"*********************************************************
4468 4468
 .TP
4469
-.B --mktun
4469
+.B \-\-mktun
4470 4470
 (Standalone)
4471 4471
 Create a persistent tunnel on platforms which support them such
4472 4472
 as Linux.  Normally TUN/TAP tunnels exist only for
... ...
@@ -4477,9 +4477,9 @@ only when they are deleted or the machine is rebooted.
4477 4477
 
4478 4478
 One of the advantages of persistent tunnels is that they eliminate the
4479 4479
 need for separate
4480
-.B --up
4480
+.B \-\-up
4481 4481
 and
4482
-.B --down
4482
+.B \-\-down
4483 4483
 scripts to run the appropriate
4484 4484
 .BR ifconfig (8)
4485 4485
 and
... ...
@@ -4491,40 +4491,40 @@ Another advantage is that open connections through the TUN/TAP-based tunnel
4491 4491
 will not be reset if the OpenVPN peer restarts.  This can be useful to
4492 4492
 provide uninterrupted connectivity through the tunnel in the event of a DHCP
4493 4493
 reset of the peer's public IP address (see the
4494
-.B --ipchange
4494
+.B \-\-ipchange
4495 4495
 option above).
4496 4496
 
4497 4497
 One disadvantage of persistent tunnels is that it is harder to automatically
4498 4498
 configure their MTU value (see
4499
-.B --link-mtu
4499
+.B \-\-link-mtu
4500 4500
 and
4501
-.B --tun-mtu
4501
+.B \-\-tun-mtu
4502 4502
 above).
4503 4503
 
4504 4504
 On some platforms such as Windows, TAP-Win32 tunnels are persistent by
4505 4505
 default.
4506 4506
 .\"*********************************************************
4507 4507
 .TP
4508
-.B --rmtun
4508
+.B \-\-rmtun
4509 4509
 (Standalone)
4510 4510
 Remove a persistent tunnel.
4511 4511
 .\"*********************************************************
4512 4512
 .TP
4513
-.B --dev tunX | tapX
4513
+.B \-\-dev tunX | tapX
4514 4514
 TUN/TAP device
4515 4515
 .\"*********************************************************
4516 4516
 .TP
4517
-.B --user user
4517
+.B \-\-user user
4518 4518
 Optional user to be owner of this tunnel.
4519 4519
 .\"*********************************************************
4520 4520
 .TP
4521
-.B --group group
4521
+.B \-\-group group
4522 4522
 Optional group to be owner of this tunnel.
4523 4523
 .\"*********************************************************
4524 4524
 .SS Windows-Specific Options:
4525 4525
 .\"*********************************************************
4526 4526
 .TP
4527
-.B --win-sys path|'env'
4527
+.B \-\-win-sys path|'env'
4528 4528
 Set the Windows system directory pathname to use when looking for system
4529 4529
 executables such as
4530 4530
 .B route.exe
... ...
@@ -4540,23 +4540,23 @@ indicates that the pathname should be read from the
4540 4540
 environmental variable.
4541 4541
 .\"*********************************************************
4542 4542
 .TP
4543
-.B --ip-win32 method
4543
+.B \-\-ip-win32 method
4544 4544
 When using
4545
-.B --ifconfig
4545
+.B \-\-ifconfig
4546 4546
 on Windows, set the TAP-Win32 adapter
4547 4547
 IP address and netmask using
4548 4548
 .B method.
4549 4549
 Don't use this option unless you are also using
4550
-.B --ifconfig.
4550
+.B \-\-ifconfig.
4551 4551
 
4552
-.B manual --
4552
+.B manual \-\-
4553 4553
 Don't set the IP address or netmask automatically.
4554 4554
 Instead output a message
4555 4555
 to the console telling the user to configure the
4556 4556
 adapter manually and indicating the IP/netmask which
4557 4557
 OpenVPN expects the adapter to be set to.
4558 4558
 
4559
-.B dynamic [offset] [lease-time] --
4559
+.B dynamic [offset] [lease-time] \-\-
4560 4560
 Automatically set the IP address and netmask by replying to
4561 4561
 DHCP query messages generated by the kernel.  This mode is
4562 4562
 probably the "cleanest" solution
... ...
@@ -4566,13 +4566,13 @@ this mode: (1) The TCP/IP properties for the TAP-Win32
4566 4566
 adapter must be set to "Obtain an IP address automatically," and
4567 4567
 (2) OpenVPN needs to claim an IP address in the subnet for use
4568 4568
 as the virtual DHCP server address.  By default in
4569
-.B --dev tap
4569
+.B \-\-dev tap
4570 4570
 mode, OpenVPN will
4571 4571
 take the normally unused first address in the subnet.  For example,
4572 4572
 if your subnet is 192.168.4.0 netmask 255.255.255.0, then
4573 4573
 OpenVPN will take the IP address 192.168.4.0 to use as the
4574 4574
 virtual DHCP server address.  In
4575
-.B --dev tun
4575
+.B \-\-dev tun
4576 4576
 mode, OpenVPN will cause the DHCP server to masquerade as if it were
4577 4577
 coming from the remote endpoint.  The optional offset parameter is
4578 4578
 an integer which is > -256 and < 256 and which defaults to 0.
... ...
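Review bot: the context line `an integer which is > -256 and < 256 and which defaults to 0.` still has a bare `-` used as a minus sign, left unescaped while the `\-\-dev tap` and `\-\-dev tun` lines around it are fixed. Write it as `\-256` so the sign is not output as a hyphen.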
@@ -4594,13 +4594,13 @@ because it prevents routes involving the TAP-Win32 adapter from
4594 4594
 being lost when the system goes to sleep.  The default
4595 4595
 lease time is one year.
4596 4596
 
4597
-.B netsh --
4597
+.B netsh \-\-
4598 4598
 Automatically set the IP address and netmask using
4599 4599
 the Windows command-line "netsh"
4600 4600
 command.  This method appears to work correctly on
4601 4601
 Windows XP but not Windows 2000.
4602 4602
 
4603
-.B ipapi --
4603
+.B ipapi \-\-
4604 4604
 Automatically set the IP address and netmask using the
4605 4605
 Windows IP Helper API.  This approach
4606 4606
 does not have ideal semantics, though testing has indicated
... ...
@@ -4609,7 +4609,7 @@ it is best to leave the TCP/IP properties for the TAP-Win32
4609 4609
 adapter in their default state, i.e. "Obtain an IP address
4610 4610
 automatically."
4611 4611
 
4612
-.B adaptive --
4612
+.B adaptive \-\-
4613 4613
 (Default) Try
4614 4614
 .B dynamic
4615 4615
 method initially and fail over to
... ...
@@ -4639,55 +4639,55 @@ mode to restore the TAP-Win32 adapter TCP/IP properties
4639 4639
 to a DHCP configuration.
4640 4640
 .\"*********************************************************
4641 4641
 .TP
4642
-.B --route-method m
4642
+.B \-\-route-method m
4643 4643
 Which method
4644 4644
 .B m
4645 4645
 to use for adding routes on Windows?
4646 4646
 
4647 4647
 .B adaptive
4648
-(default) -- Try IP helper API first.  If that fails, fall
4648
+(default) \-\- Try IP helper API first.  If that fails, fall
4649 4649
 back to the route.exe shell command.
4650 4650
 .br
4651 4651
 .B ipapi
4652
+\-\- Use IP helper API.
4652 4653
 .br
4653 4654
 .B exe
4655
+\-\- Call the route.exe shell command.
4654 4656
 .\"*********************************************************
4655 4657
 .TP
4656
-.B --dhcp-option type [parm]
4658
+.B \-\-dhcp-option type [parm]
4657 4659
 Set extended TAP-Win32 TCP/IP properties, must
4658 4660
 be used with
4659
-.B --ip-win32 dynamic
4661
+.B \-\-ip-win32 dynamic
4660 4662
 or
4661
-.B --ip-win32 adaptive.
4663
+.B \-\-ip-win32 adaptive.
4662 4664
 This option can be used to set additional TCP/IP properties
4663 4665
 on the TAP-Win32 adapter, and is particularly useful for
4664 4666
 configuring an OpenVPN client to access a Samba server
4665 4667
 across the VPN.
4666 4668
 
4667
-.B DOMAIN name --
4669
+.B DOMAIN name \-\-
4668 4670
 Set Connection-specific DNS Suffix.
4669 4671
 
4670
-.B DNS addr --
4672
+.B DNS addr \-\-
4671 4673
 Set primary domain name server address.  Repeat
4672 4674
 this option to set secondary DNS server addresses.
4673 4675
 
4674
-.B WINS addr --
4676
+.B WINS addr \-\-
4675 4677
 Set primary WINS server address (NetBIOS over TCP/IP Name Server).
4676 4678
 Repeat this option to set secondary WINS server addresses.
4677 4679
 
4678
-.B NBDD addr --
4680
+.B NBDD addr \-\-
4679 4681
 Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server)
4680 4682
 Repeat this option
4681 4683
 to set secondary NBDD server addresses.
4682 4684
 
4683
-.B NTP addr --
4685
+.B NTP addr \-\-
4684 4686
 Set primary NTP server address (Network Time Protocol).
4685 4687
 Repeat this option
4686 4688
 to set secondary NTP server addresses.
4687 4689
 
4688
-.B NBT type --
4690
+.B NBT type \-\-
4689 4691
 Set NetBIOS over TCP/IP Node type.  Possible options:
4690 4692
 .B 1
4691 4693
 = b-node (broadcasts),
... ...
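Review bot: the `\-\-` separators between a keyword and its description are inconsistent across this hunk. `.B DOMAIN name \-\-`, `.B DNS addr \-\-` and the other `--dhcp-option` types put the separator inside the bold request, while `(default) \-\- Try IP helper API first.`, `\-\- Use IP helper API.` and `\-\- Call the route.exe shell command.` leave it in roman text. Pick one form, preferably with the separator outside `.B`, so that only the keyword is bold.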
@@ -4700,7 +4700,7 @@ then query name server), and
4700 4700
 .B 8
4701 4701
 = h-node (query name server, then broadcast).
4702 4702
 
4703
-.B NBS scope-id --
4703
+.B NBS scope-id \-\-
4704 4704
 Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended
4705 4705
 naming service for the NetBIOS over TCP/IP (Known as NBT) module. The
4706 4706
 primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on
... ...
@@ -4712,19 +4712,19 @@ computers to use the same computer name, as they have different
4712 4712
 scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
4713 4713
 (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)
4714 4714
 
4715
-.B DISABLE-NBT --
4715
+.B DISABLE-NBT \-\-
4716 4716
 Disable Netbios-over-TCP/IP.
4717 4717
 
4718 4718
 Note that if
4719
-.B --dhcp-option
4719
+.B \-\-dhcp-option
4720 4720
 is pushed via
4721
-.B --push
4721
+.B \-\-push
4722 4722
 to a non-windows client, the option will be saved in the client's
4723 4723
 environment before the up script is called, under
4724 4724
 the name "foreign_option_{n}".
4725 4725
 .\"*********************************************************
4726 4726
 .TP
4727
-.B --tap-sleep n
4727
+.B \-\-tap-sleep n
4728 4728
 Cause OpenVPN to sleep for
4729 4729
 .B n
4730 4730
 seconds immediately after the TAP-Win32 adapter state
... ...
@@ -4732,21 +4732,21 @@ is set to "connected".
4732 4732
 
4733 4733
 This option is intended to be used to troubleshoot problems
4734 4734
 with the
4735
-.B --ifconfig
4735
+.B \-\-ifconfig
4736 4736
 and
4737
-.B --ip-win32
4737
+.B \-\-ip-win32
4738 4738
 options, and is used to give
4739 4739
 the TAP-Win32 adapter time to come up before
4740 4740
 Windows IP Helper API operations are applied to it.
4741 4741
 .\"*********************************************************
4742 4742
 .TP
4743
-.B --show-net-up
4743
+.B \-\-show-net-up
4744 4744
 Output OpenVPN's view of the system routing table and network
4745 4745
 adapter list to the syslog or log file after the TUN/TAP adapter
4746 4746
 has been brought up and any routes have been added.
4747 4747
 .\"*********************************************************
4748 4748
 .TP
4749
-.B --dhcp-renew
4749
+.B \-\-dhcp-renew
4750 4750
 Ask Windows to renew the TAP adapter lease on startup.
4751 4751
 This option is normally unnecessary, as Windows automatically
4752 4752
 triggers a DHCP renegotiation on the TAP adapter when it
... ...
@@ -4755,28 +4755,28 @@ Media Status property to "Always Connected", you may need this
4755 4755
 flag.
4756 4756
 .\"*********************************************************
4757 4757
 .TP
4758
-.B --dhcp-release
4758
+.B \-\-dhcp-release
4759 4759
 Ask Windows to release the TAP adapter lease on shutdown.
4760 4760
 This option has the same caveats as
4761
-.B --dhcp-renew
4761
+.B \-\-dhcp-renew
4762 4762
 above.
4763 4763
 .\"*********************************************************
4764 4764
 .TP
4765
-.B --register-dns
4765
+.B \-\-register-dns
4766 4766
 Run net stop dnscache, net start dnscache, ipconfig /flushdns
4767 4767
 and ipconfig /registerdns on connection initiation.
4768 4768
 This is known to kick Windows into
4769 4769
 recognizing pushed DNS servers.
4770 4770
 .\"*********************************************************
4771 4771
 .TP
4772
-.B --pause-exit
4772
+.B \-\-pause-exit
4773 4773
 Put up a "press any key to continue" message on the console prior
4774 4774
 to OpenVPN program exit.  This option is automatically used by the
4775 4775
 Windows explorer when OpenVPN is run on a configuration
4776 4776
 file using the right-click explorer menu.
4777 4777
 .\"*********************************************************
4778 4778
 .TP
4779
-.B --service exit-event [0|1]
4779
+.B \-\-service exit-event [0|1]
4780 4780
 Should be used when OpenVPN is being automatically executed by another
4781 4781
 program in such
4782 4782
 a context that no interaction with the user via display or keyboard
... ...
@@ -4799,26 +4799,26 @@ parameter.  In any case, the controlling process can signal
4799 4799
 causing all such OpenVPN processes to exit.
4800 4800
 
4801 4801
 When executing an OpenVPN process using the
4802
-.B --service
4802
+.B \-\-service
4803 4803
 directive, OpenVPN will probably not have a console
4804 4804
 window to output status/error
4805 4805
 messages, therefore it is useful to use
4806
-.B --log
4806
+.B \-\-log
4807 4807
 or
4808
-.B --log-append
4808
+.B \-\-log-append
4809 4809
 to write these messages to a file.
4810 4810
 .\"*********************************************************
4811 4811
 .TP
4812
-.B --show-adapters
4812
+.B \-\-show-adapters
4813 4813
 (Standalone)
4814 4814
 Show available TAP-Win32 adapters which can be selected using the
4815
-.B --dev-node
4815
+.B \-\-dev-node
4816 4816
 option.  On non-Windows systems, the
4817 4817
 .BR ifconfig (8)
4818 4818
 command provides similar functionality.
4819 4819
 .\"*********************************************************
4820 4820
 .TP
4821
-.B --allow-nonadmin [TAP-adapter]
4821
+.B \-\-allow-nonadmin [TAP-adapter]
4822 4822
 (Standalone)
4823 4823
 Set
4824 4824
 .B TAP-adapter
... ...
@@ -4833,10 +4833,10 @@ and reloaded.
4833 4833
 This directive can only be used by an administrator.
4834 4834
 .\"*********************************************************
4835 4835
 .TP
4836
-.B --show-valid-subnets
4836
+.B \-\-show-valid-subnets
4837 4837
 (Standalone)
4838 4838
 Show valid subnets for
4839
-.B --dev tun
4839
+.B \-\-dev tun
4840 4840
 emulation.  Since the TAP-Win32 driver
4841 4841
 exports an ethernet interface to Windows, and since TUN devices are
4842 4842
 point-to-point in nature, it is necessary for the TAP-Win32 driver
... ...
@@ -4846,7 +4846,7 @@ Namely, the point-to-point endpoints used in TUN device emulation
4846 4846
 must be the middle two addresses of a /30 subnet (netmask 255.255.255.252).
4847 4847
 .\"*********************************************************
4848 4848
 .TP
4849
-.B --show-net
4849
+.B \-\-show-net
4850 4850
 (Standalone)
4851 4851
 Show OpenVPN's view of the system routing table and network
4852 4852
 adapter list.
... ...
@@ -4854,12 +4854,12 @@ adapter list.
4854 4854
 .SS PKCS#11 Standalone Options:
4855 4855
 .\"*********************************************************
4856 4856
 .TP
4857
-.B --show-pkcs11-ids provider [cert_private]
4857
+.B \-\-show-pkcs11-ids provider [cert_private]
4858 4858
 (Standalone)
4859 4859
 Show PKCS#11 token object list. Specify cert_private as 1
4860 4860
 if certificates are stored as private objects.
4861 4861
 
4862
-.B --verb
4862
+.B \-\-verb
4863 4863
 option can be used BEFORE this option to produce debugging information.
4864 4864
 .\"*********************************************************
4865 4865
 .SH SCRIPTING AND ENVIRONMENTAL VARIABLES
... ...
@@ -4869,52 +4869,52 @@ of environmental variables for use by user-defined scripts.
4869 4869
 .SS Script Order of Execution
4870 4870
 .\"*********************************************************
4871 4871
 .TP
4872
-.B --up
4872
+.B \-\-up
4873 4873
 Executed after TCP/UDP socket bind and TUN/TAP open.
4874 4874
 .\"*********************************************************
4875 4875
 .TP
4876
-.B --tls-verify
4876
+.B \-\-tls-verify
4877 4877
 Executed when we have a still untrusted remote peer.
4878 4878
 .\"*********************************************************
4879 4879
 .TP
4880
-.B --ipchange
4880
+.B \-\-ipchange
4881 4881
 Executed after connection authentication, or remote IP address change.
4882 4882
 .\"*********************************************************
4883 4883
 .TP
4884
-.B --client-connect
4884
+.B \-\-client-connect
4885 4885
 Executed in
4886
-.B --mode server
4886
+.B \-\-mode server
4887 4887
 mode immediately after client authentication.
4888 4888
 .\"*********************************************************
4889 4889
 .TP
4890
-.B --route-up
4890
+.B \-\-route-up
4891 4891
 Executed after connection authentication, either
4892 4892
 immediately after, or some number of seconds after
4893 4893
 as defined by the
4894
-.B --route-delay
4894
+.B \-\-route-delay
4895 4895
 option.
4896 4896
 .\"*********************************************************
4897 4897
 .TP
4898
-.B --client-disconnect
4898
+.B \-\-client-disconnect
4899 4899
 Executed in
4900
-.B --mode server
4900
+.B \-\-mode server
4901 4901
 mode on client instance shutdown.
4902 4902
 .\"*********************************************************
4903 4903
 .TP
4904
-.B --down
4904
+.B \-\-down
4905 4905
 Executed after TCP/UDP and TUN/TAP close.
4906 4906
 .\"*********************************************************
4907 4907
 .TP
4908
-.B --learn-address
4908
+.B \-\-learn-address
4909 4909
 Executed in
4910
-.B --mode server
4910
+.B \-\-mode server
4911 4911
 mode whenever an IPv4 address/route or MAC address is added to OpenVPN's
4912 4912
 internal routing table.
4913 4913
 .\"*********************************************************
4914 4914
 .TP
4915
-.B --auth-user-pass-verify
4915
+.B \-\-auth-user-pass-verify
4916 4916
 Executed in
4917
-.B --mode server
4917
+.B \-\-mode server
4918 4918
 mode on new client connections, when the client is
4919 4919
 still untrusted.
4920 4920
 .\"*********************************************************
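Review bot: Only the leading double dash is escaped in this hunk; the hyphen inside names such as `.B \-\-tls-verify`, `.B \-\-client-connect` and `.B \-\-auth-user-pass-verify` is still a bare `-`. By the commit message's own reasoning, that character may not come out as an ASCII hyphen-minus in a UTF-8 environment, so searching the rendered page for `--tls-verify`, or copying it, can still fail on the middle character. Suggest escaping the interior hyphens as well, e.g. `.B \-\-tls\-verify`, and doing so consistently across the patch.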
... ...
@@ -4938,7 +4938,7 @@ Can string remapping be disabled?
4938 4938
 
4939 4939
 .B A:
4940 4940
 Yes, by using the
4941
-.B --no-name-remapping
4941
+.B \-\-no-name-remapping
4942 4942
 option, however this should be considered an advanced option.
4943 4943
 
4944 4944
 Here is a brief rundown of OpenVPN's current string types and the 
... ...
@@ -4954,17 +4954,17 @@ true.
4954 4954
 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at                
4955 4955
 ('@').
4956 4956
 
4957
-.B --auth-user-pass username:
4957
+.B \-\-auth-user-pass username:
4958 4958
 Same as Common Name, with one exception: starting with OpenVPN 2.0.1,
4959 4959
 the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form,
4960 4960
 without string remapping.
4961 4961
 
4962
-.B --auth-user-pass password:
4962
+.B \-\-auth-user-pass password:
4963 4963
 Any "printable" character except CR or LF.  
4964 4964
 Printable is defined to be a character which will cause the C library 
4965 4965
 isprint() function to return true.
4966 4966
 
4967
-.B --client-config-dir filename as derived from common name or username:
4967
+.B \-\-client-config-dir filename as derived from common name or username:
4968 4968
 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or 
4969 4969
 ".." as standalone strings.  As of 2.0.1-rc6, the at ('@') character has
4970 4970
 been added as well for compatibility with the common name character class.
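Review bot: The context lines at 4954 and 4968 still write the permitted character as a bare `dash ('-')`, which this hunk leaves untouched. This is where the page documents the literal character that common names, usernames and client-config-dir filenames are filtered against, so it should render as an ASCII hyphen-minus just like the option prefixes. Suggest `dash ('\-')` on both lines.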
... ...
@@ -4994,45 +4994,45 @@ which refer to different client instances.
4994 4994
 .B bytes_received
4995 4995
 Total number of bytes received from client during VPN session.
4996 4996
 Set prior to execution of the
4997
-.B --client-disconnect
4997
+.B \-\-client-disconnect
4998 4998
 script.
4999 4999
 .\"*********************************************************
5000 5000
 .TP
5001 5001
 .B bytes_sent
5002 5002
 Total number of bytes sent to client during VPN session.
5003 5003
 Set prior to execution of the
5004
-.B --client-disconnect
5004
+.B \-\-client-disconnect
5005 5005
 script.
5006 5006
 .\"*********************************************************
5007 5007
 .TP
5008 5008
 .B common_name
5009 5009
 The X509 common name of an authenticated client.
5010 5010
 Set prior to execution of
5011
-.B --client-connect, --client-disconnect,
5011
+.B \-\-client-connect, \-\-client-disconnect,
5012 5012
 and
5013
-.B --auth-user-pass-verify
5013
+.B \-\-auth-user-pass-verify
5014 5014
 scripts.
5015 5015
 .\"*********************************************************
5016 5016
 .TP
5017 5017
 .B config
5018 5018
 Name of first
5019
-.B --config
5019
+.B \-\-config
5020 5020
 file.
5021 5021
 Set on program initiation and reset on SIGHUP.
5022 5022
 .\"*********************************************************
5023 5023
 .TP
5024 5024
 .B daemon
5025 5025
 Set to "1" if the
5026
-.B --daemon
5026
+.B \-\-daemon
5027 5027
 directive is specified, or "0" otherwise.
5028 5028
 Set on program initiation and reset on SIGHUP.
5029 5029
 .\"*********************************************************
5030 5030
 .TP
5031 5031
 .B daemon_log_redirect
5032 5032
 Set to "1" if the
5033
-.B --log
5033
+.B \-\-log
5034 5034
 or
5035
-.B --log-append
5035
+.B \-\-log-append
5036 5036
 directives are specified, or "0" otherwise.
5037 5037
 Set on program initiation and reset on SIGHUP.
5038 5038
 .\"*********************************************************
... ...
@@ -5041,30 +5041,30 @@ Set on program initiation and reset on SIGHUP.
5041 5041
 The actual name of the TUN/TAP device, including
5042 5042
 a unit number if it exists.
5043 5043
 Set prior to
5044
-.B --up
5044
+.B \-\-up
5045 5045
 or
5046
-.B --down
5046
+.B \-\-down
5047 5047
 script execution.
5048 5048
 .\"*********************************************************
5049 5049
 .TP
5050 5050
 .B foreign_option_{n}
5051 5051
 An option pushed via
5052
-.B --push
5052
+.B \-\-push
5053 5053
 to a client which does not natively support it,
5054 5054
 such as
5055
-.B --dhcp-option
5055
+.B \-\-dhcp-option
5056 5056
 on a non-Windows system, will be recorded to this
5057 5057
 environmental variable sequence prior to
5058
-.B --up
5058
+.B \-\-up
5059 5059
 script execution.
5060 5060
 .\"*********************************************************
5061 5061
 .TP
5062 5062
 .B ifconfig_broadcast
5063 5063
 The broadcast address for the virtual
5064 5064
 ethernet segment which is derived from the
5065
-.B --ifconfig
5065
+.B \-\-ifconfig
5066 5066
 option when
5067
-.B --dev tap
5067
+.B \-\-dev tap
5068 5068
 is used.
5069 5069
 Set prior to OpenVPN calling the
5070 5070
 .I ifconfig
... ...
@@ -5072,13 +5072,13 @@ or
5072 5072
 .I netsh
5073 5073
 (windows version of ifconfig) commands which
5074 5074
 normally occurs prior to
5075
-.B --up
5075
+.B \-\-up
5076 5076
 script execution.
5077 5077
 .\"*********************************************************
5078 5078
 .TP
5079 5079
 .B ifconfig_local
5080 5080
 The local VPN endpoint IP address specified in the
5081
-.B --ifconfig
5081
+.B \-\-ifconfig
5082 5082
 option (first parameter).
5083 5083
 Set prior to OpenVPN calling the
5084 5084
 .I ifconfig
... ...
@@ -5086,15 +5086,15 @@ or
5086 5086
 .I netsh
5087 5087
 (windows version of ifconfig) commands which
5088 5088
 normally occurs prior to
5089
-.B --up
5089
+.B \-\-up
5090 5090
 script execution.
5091 5091
 .\"*********************************************************
5092 5092
 .TP
5093 5093
 .B ifconfig_remote
5094 5094
 The remote VPN endpoint IP address specified in the
5095
-.B --ifconfig
5095
+.B \-\-ifconfig
5096 5096
 option (second parameter) when
5097
-.B --dev tun
5097
+.B \-\-dev tun
5098 5098
 is used.
5099 5099
 Set prior to OpenVPN calling the
5100 5100
 .I ifconfig
... ...
@@ -5102,16 +5102,16 @@ or
5102 5102
 .I netsh
5103 5103
 (windows version of ifconfig) commands which
5104 5104
 normally occurs prior to
5105
-.B --up
5105
+.B \-\-up
5106 5106
 script execution.
5107 5107
 .\"*********************************************************
5108 5108
 .TP
5109 5109
 .B ifconfig_netmask
5110 5110
 The subnet mask of the virtual ethernet segment
5111 5111
 that is specified as the second parameter to
5112
-.B --ifconfig
5112
+.B \-\-ifconfig
5113 5113
 when
5114
-.B --dev tap
5114
+.B \-\-dev tap
5115 5115
 is being used.
5116 5116
 Set prior to OpenVPN calling the
5117 5117
 .I ifconfig
... ...
@@ -5119,61 +5119,61 @@ or
5119 5119
 .I netsh
5120 5120
 (windows version of ifconfig) commands which
5121 5121
 normally occurs prior to
5122
-.B --up
5122
+.B \-\-up
5123 5123
 script execution.
5124 5124
 .\"*********************************************************
5125 5125
 .TP
5126 5126
 .B ifconfig_pool_local_ip
5127 5127
 The local
5128 5128
 virtual IP address for the TUN/TAP tunnel taken from an
5129
-.B --ifconfig-push
5129
+.B \-\-ifconfig-push
5130 5130
 directive if specified, or otherwise from
5131 5131
 the ifconfig pool (controlled by the
5132
-.B --ifconfig-pool
5132
+.B \-\-ifconfig-pool
5133 5133
 config file directive).
5134 5134
 Only set for
5135
-.B --dev tun
5135
+.B \-\-dev tun
5136 5136
 tunnels.
5137 5137
 This option is set on the server prior to execution
5138 5138
 of the
5139
-.B --client-connect
5139
+.B \-\-client-connect
5140 5140
 and
5141
-.B --client-disconnect
5141
+.B \-\-client-disconnect
5142 5142
 scripts.
5143 5143
 .\"*********************************************************
5144 5144
 .TP
5145 5145
 .B ifconfig_pool_netmask
5146 5146
 The
5147 5147
 virtual IP netmask for the TUN/TAP tunnel taken from an
5148
-.B --ifconfig-push
5148
+.B \-\-ifconfig-push
5149 5149
 directive if specified, or otherwise from
5150 5150
 the ifconfig pool (controlled by the
5151
-.B --ifconfig-pool
5151
+.B \-\-ifconfig-pool
5152 5152
 config file directive).
5153 5153
 Only set for
5154
-.B --dev tap
5154
+.B \-\-dev tap
5155 5155
 tunnels.
5156 5156
 This option is set on the server prior to execution
5157 5157
 of the
5158
-.B --client-connect
5158
+.B \-\-client-connect
5159 5159
 and
5160
-.B --client-disconnect
5160
+.B \-\-client-disconnect
5161 5161
 scripts.
5162 5162
 .\"*********************************************************
5163 5163
 .TP
5164 5164
 .B ifconfig_pool_remote_ip
5165 5165
 The remote
5166 5166
 virtual IP address for the TUN/TAP tunnel taken from an
5167
-.B --ifconfig-push
5167
+.B \-\-ifconfig-push
5168 5168
 directive if specified, or otherwise from
5169 5169
 the ifconfig pool (controlled by the
5170
-.B --ifconfig-pool
5170
+.B \-\-ifconfig-pool
5171 5171
 config file directive).
5172 5172
 This option is set on the server prior to execution
5173 5173
 of the
5174
-.B --client-connect
5174
+.B \-\-client-connect
5175 5175
 and
5176
-.B --client-disconnect
5176
+.B \-\-client-disconnect
5177 5177
 scripts.
5178 5178
 .\"*********************************************************
5179 5179
 .TP
... ...
@@ -5181,31 +5181,31 @@ scripts.
5181 5181
 The maximum packet size (not including the IP header)
5182 5182
 of tunnel data in UDP tunnel transport mode.
5183 5183
 Set prior to
5184
-.B --up
5184
+.B \-\-up
5185 5185
 or
5186
-.B --down
5186
+.B \-\-down
5187 5187
 script execution.
5188 5188
 .\"*********************************************************
5189 5189
 .TP
5190 5190
 .B local
5191 5191
 The
5192
-.B --local
5192
+.B \-\-local
5193 5193
 parameter.
5194 5194
 Set on program initiation and reset on SIGHUP.
5195 5195
 .\"*********************************************************
5196 5196
 .TP
5197 5197
 .B local_port
5198 5198
 The local port number, specified by
5199
-.B --port
5199
+.B \-\-port
5200 5200
 or
5201
-.B --lport.
5201
+.B \-\-lport.
5202 5202
 Set on program initiation and reset on SIGHUP.
5203 5203
 .\"*********************************************************
5204 5204
 .TP
5205 5205
 .B password
5206 5206
 The password provided by a connecting client.
5207 5207
 Set prior to
5208
-.B --auth-user-pass-verify
5208
+.B \-\-auth-user-pass-verify
5209 5209
 script execution only when the
5210 5210
 .B via-env
5211 5211
 modifier is specified, and deleted from the environment
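Review bot: `.B \-\-lport.` at line 5201 keeps the sentence's full stop inside the bold argument, so the period is typeset as part of the option name. Since the line is being rewritten anyway, consider `.BR \-\-lport .` so that only the option is bold, matching the `.BR tcpdump (8)` form already used elsewhere in the page. The same pattern shows up in this patch at `.B \-\-rport.` and `.B \-\-up.`.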
... ...
@@ -5214,23 +5214,23 @@ after the script returns.
5214 5214
 .TP
5215 5215
 .B proto
5216 5216
 The
5217
-.B --proto
5217
+.B \-\-proto
5218 5218
 parameter.
5219 5219
 Set on program initiation and reset on SIGHUP.
5220 5220
 .\"*********************************************************
5221 5221
 .TP
5222 5222
 .B remote_{n}
5223 5223
 The
5224
-.B --remote
5224
+.B \-\-remote
5225 5225
 parameter.
5226 5226
 Set on program initiation and reset on SIGHUP.
5227 5227
 .\"*********************************************************
5228 5228
 .TP
5229 5229
 .B remote_port_{n}
5230 5230
 The remote port number, specified by
5231
-.B --port
5231
+.B \-\-port
5232 5232
 or
5233
-.B --rport.
5233
+.B \-\-rport.
5234 5234
 Set on program initiation and reset on SIGHUP.
5235 5235
 .\"*********************************************************
5236 5236
 .TP
... ...
@@ -5238,29 +5238,29 @@ Set on program initiation and reset on SIGHUP.
5238 5238
 The pre-existing default IP gateway in the system routing
5239 5239
 table.
5240 5240
 Set prior to
5241
-.B --up
5241
+.B \-\-up
5242 5242
 script execution.
5243 5243
 .\"*********************************************************
5244 5244
 .TP
5245 5245
 .B route_vpn_gateway
5246 5246
 The default gateway used by
5247
-.B --route
5247
+.B \-\-route
5248 5248
 options, as specified in either the
5249
-.B --route-gateway
5249
+.B \-\-route-gateway
5250 5250
 option or the second parameter to
5251
-.B --ifconfig
5251
+.B \-\-ifconfig
5252 5252
 when
5253
-.B --dev tun
5253
+.B \-\-dev tun
5254 5254
 is specified.
5255 5255
 Set prior to
5256
-.B --up
5256
+.B \-\-up
5257 5257
 script execution.
5258 5258
 .\"*********************************************************
5259 5259
 .TP
5260 5260
 .B route_{parm}_{n}
5261 5261
 A set of variables which define each route to be added, and
5262 5262
 are set prior to
5263
-.B --up
5263
+.B \-\-up
5264 5264
 script execution.
5265 5265
 
5266 5266
 .B parm
... ...
@@ -5279,7 +5279,7 @@ or configuration file.
5279 5279
 Set to "init" or "restart" prior to up/down script execution.
5280 5280
 For more information, see
5281 5281
 documentation for
5282
-.B --up.
5282
+.B \-\-up.
5283 5283
 .\"*********************************************************
5284 5284
 .TP
5285 5285
 .B script_type
... ...
@@ -5295,15 +5295,15 @@ Set prior to execution of any script.
5295 5295
 The reason for exit or restart.  Can be one of
5296 5296
 .B sigusr1, sighup, sigterm, sigint, inactive
5297 5297
 (controlled by
5298
-.B --inactive
5298
+.B \-\-inactive
5299 5299
 option),
5300 5300
 .B ping-exit
5301 5301
 (controlled by
5302
-.B --ping-exit
5302
+.B \-\-ping-exit
5303 5303
 option),
5304 5304
 .B ping-restart
5305 5305
 (controlled by
5306
-.B --ping-restart
5306
+.B \-\-ping-restart
5307 5307
 option),
5308 5308
 .B connection-reset
5309 5309
 (triggered on TCP connection reset),
... ...
@@ -5317,7 +5317,7 @@ or
5317 5317
 Client connection timestamp, formatted as a human-readable
5318 5318
 time string.
5319 5319
 Set prior to execution of the
5320
-.B --client-connect
5320
+.B \-\-client-connect
5321 5321
 script.
5322 5322
 .\"*********************************************************
5323 5323
 .TP
... ...
@@ -5325,7 +5325,7 @@ script.
5325 5325
 The duration (in seconds) of the client session which is now
5326 5326
 disconnecting.
5327 5327
 Set prior to execution of the
5328
-.B --client-disconnect
5328
+.B \-\-client-disconnect
5329 5329
 script.
5330 5330
 .\"*********************************************************
5331 5331
 .TP
... ...
@@ -5333,7 +5333,7 @@ script.
5333 5333
 Client connection timestamp, formatted as a unix integer
5334 5334
 date/time value.
5335 5335
 Set prior to execution of the
5336
-.B --client-connect
5336
+.B \-\-client-connect
5337 5337
 script.
5338 5338
 .\"*********************************************************
5339 5339
 .TP
... ...
@@ -5343,7 +5343,7 @@ where
5343 5343
 .B n
5344 5344
 is the verification level.  Only set for TLS connections.  Set prior
5345 5345
 to execution of
5346
-.B --tls-verify
5346
+.B \-\-tls-verify
5347 5347
 script.
5348 5348
 .\"*********************************************************
5349 5349
 .TP
... ...
@@ -5353,34 +5353,34 @@ where
5353 5353
 .B n
5354 5354
 is the verification level.  Only set for TLS connections.  Set prior
5355 5355
 to execution of
5356
-.B --tls-verify
5356
+.B \-\-tls-verify
5357 5357
 script.
5358 5358
 .\"*********************************************************
5359 5359
 .TP
5360 5360
 .B tun_mtu
5361 5361
 The MTU of the TUN/TAP device.
5362 5362
 Set prior to
5363
-.B --up
5363
+.B \-\-up
5364 5364
 or
5365
-.B --down
5365
+.B \-\-down
5366 5366
 script execution.
5367 5367
 .\"*********************************************************
5368 5368
 .TP
5369 5369
 .B trusted_ip
5370 5370
 Actual IP address of connecting client or peer which has been authenticated.
5371 5371
 Set prior to execution of
5372
-.B --ipchange, --client-connect,
5372
+.B \-\-ipchange, \-\-client-connect,
5373 5373
 and
5374
-.B --client-disconnect
5374
+.B \-\-client-disconnect
5375 5375
 scripts.
5376 5376
 .\"*********************************************************
5377 5377
 .TP
5378 5378
 .B trusted_port
5379 5379
 Actual port number of connecting client or peer which has been authenticated.
5380 5380
 Set prior to execution of
5381
-.B --ipchange, --client-connect,
5381
+.B \-\-ipchange, \-\-client-connect,
5382 5382
 and
5383
-.B --client-disconnect
5383
+.B \-\-client-disconnect
5384 5384
 scripts.
5385 5385
 .\"*********************************************************
5386 5386
 .TP
... ...
@@ -5389,12 +5389,12 @@ Actual IP address of connecting client or peer which has not been authenticated
5389 5389
 yet.  Sometimes used to
5390 5390
 .B nmap
5391 5391
 the connecting host in a
5392
-.B --tls-verify
5392
+.B \-\-tls-verify
5393 5393
 script to ensure it is firewalled properly.
5394 5394
 Set prior to execution of
5395
-.B --tls-verify
5395
+.B \-\-tls-verify
5396 5396
 and
5397
-.B --auth-user-pass-verify
5397
+.B \-\-auth-user-pass-verify
5398 5398
 scripts.
5399 5399
 .\"*********************************************************
5400 5400
 .TP
... ...
@@ -5402,16 +5402,16 @@ scripts.
5402 5402
 Actual port number of connecting client or peer which has not been authenticated
5403 5403
 yet.
5404 5404
 Set prior to execution of
5405
-.B --tls-verify
5405
+.B \-\-tls-verify
5406 5406
 and
5407
-.B --auth-user-pass-verify
5407
+.B \-\-auth-user-pass-verify
5408 5408
 scripts.
5409 5409
 .\"*********************************************************
5410 5410
 .TP
5411 5411
 .B username
5412 5412
 The username provided by a connecting client.
5413 5413
 Set prior to
5414
-.B --auth-user-pass-verify
5414
+.B \-\-auth-user-pass-verify
5415 5415
 script execution only when the
5416 5416
 .B via-env
5417 5417
 modifier is specified.
... ...
@@ -5423,7 +5423,7 @@ where
5423 5423
 .B n
5424 5424
 is the verification level.  Only set for TLS connections.  Set prior
5425 5425
 to execution of
5426
-.B --tls-verify
5426
+.B \-\-tls-verify
5427 5427
 script.  This variable is similar to
5428 5428
 .B tls_id_{n}
5429 5429
 except the component X509 subject fields are broken out, and
... ...
@@ -5467,30 +5467,30 @@ Like
5467 5467
 except don't re-read configuration file, and possibly don't close and reopen TUN/TAP
5468 5468
 device, re-read key files, preserve local IP address/port, or preserve most recently authenticated
5469 5469
 remote IP address/port based on
5470
-.B --persist-tun, --persist-key, --persist-local-ip,
5470
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip,
5471 5471
 and
5472
-.B --persist-remote-ip
5472
+.B \-\-persist-remote-ip
5473 5473
 options respectively (see above).
5474 5474
 
5475 5475
 This signal may also be internally generated by a timeout condition, governed
5476 5476
 by the
5477
-.B --ping-restart
5477
+.B \-\-ping-restart
5478 5478
 option.
5479 5479
 
5480 5480
 This signal, when combined with
5481
-.B --persist-remote-ip,
5481
+.B \-\-persist-remote-ip,
5482 5482
 may be
5483 5483
 sent when the underlying parameters of the host's network interface change
5484 5484
 such as when the host is a DHCP client and is assigned a new IP address.
5485 5485
 See
5486
-.B --ipchange
5486
+.B \-\-ipchange
5487 5487
 above for more information.
5488 5488
 .\"*********************************************************
5489 5489
 .TP
5490 5490
 .B SIGUSR2
5491 5491
 Causes OpenVPN to display its current statistics (to the syslog
5492 5492
 file if
5493
-.B --daemon
5493
+.B \-\-daemon
5494 5494
 is used, or stdout otherwise).
5495 5495
 .\"*********************************************************
5496 5496
 .TP
... ...
@@ -5545,7 +5545,7 @@ If firewalls exist between
5545 5545
 the two machines, they should be set to forward UDP port 1194
5546 5546
 in both directions.  If you do not have control over the firewalls
5547 5547
 between the two machines, you may still be able to use OpenVPN by adding
5548
-.B --ping 15
5548
+.B \-\-ping 15
5549 5549
 to each of the
5550 5550
 .B openvpn
5551 5551
 commands used below in the examples (this will cause each peer to send out
... ...
@@ -5614,11 +5614,11 @@ you will get a weird feedback loop.
5614 5614
 .LP
5615 5615
 On may:
5616 5616
 .IP
5617
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
5617
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9
5618 5618
 .LP
5619 5619
 On june:
5620 5620
 .IP
5621
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
5621
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9
5622 5622
 .LP
5623 5623
 Now verify the tunnel is working by pinging across the tunnel.
5624 5624
 .LP
... ...
@@ -5631,17 +5631,17 @@ On june:
5631 5631
 .B ping 10.4.0.1
5632 5632
 .LP
5633 5633
 The
5634
-.B --verb 9
5634
+.B \-\-verb 9
5635 5635
 option will produce verbose output, similar to the
5636 5636
 .BR tcpdump (8)
5637 5637
 program.  Omit the
5638
-.B --verb 9
5638
+.B \-\-verb 9
5639 5639
 option to have OpenVPN run quietly.
5640 5640
 .\"*********************************************************
5641 5641
 .SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)
5642 5642
 First build a static key on may.
5643 5643
 .IP
5644
-.B openvpn --genkey --secret key
5644
+.B openvpn \-\-genkey \-\-secret key
5645 5645
 .LP
5646 5646
 This command will build a random key file called
5647 5647
 .B key
... ...
@@ -5655,11 +5655,11 @@ program.
5655 5655
 .LP
5656 5656
 On may:
5657 5657
 .IP
5658
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
5658
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key
5659 5659
 .LP
5660 5660
 On june:
5661 5661
 .IP
5662
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
5662
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key
5663 5663
 .LP
5664 5664
 Now verify the tunnel is working by pinging across the tunnel.
5665 5665
 .LP
... ...
@@ -5681,10 +5681,10 @@ as the TLS server.
5681 5681
 
5682 5682
 First, build a separate certificate/key pair
5683 5683
 for both may and june (see above where
5684
-.B --cert
5684
+.B \-\-cert
5685 5685
 is discussed for more info).  Then construct
5686 5686
 Diffie Hellman parameters (see above where
5687
-.B --dh
5687
+.B \-\-dh
5688 5688
 is discussed for more info).  You can also use the
5689 5689
 included test files client.crt, client.key,
5690 5690
 server.crt, server.key and ca.crt.
... ...
@@ -5697,11 +5697,11 @@ parameters you can use the included file dh1024.pem.
5697 5697
 .LP
5698 5698
 On may:
5699 5699
 .IP
5700
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
5700
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg-sec 60 \-\-verb 5
5701 5701
 .LP
5702 5702
 On june:
5703 5703
 .IP
5704
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
5704
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg-sec 60 \-\-verb 5
5705 5705
 .LP
5706 5706
 Now verify the tunnel is working by pinging across the tunnel.
5707 5707
 .LP
... ...
@@ -5714,16 +5714,16 @@ On june:
5714 5714
 .B ping 10.4.0.1
5715 5715
 .LP
5716 5716
 Notice the
5717
-.B --reneg-sec 60
5717
+.B \-\-reneg-sec 60
5718 5718
 option we used above.  That tells OpenVPN to renegotiate
5719 5719
 the data channel keys every minute.
5720 5720
 Since we used
5721
-.B --verb 5
5721
+.B \-\-verb 5
5722 5722
 above, you will see status information on each new key negotiation.
5723 5723
 
5724 5724
 For production operations, a key renegotiation interval of 60 seconds
5725 5725
 is probably too frequent.  Omit the
5726
-.B --reneg-sec 60
5726
+.B \-\-reneg-sec 60
5727 5727
 option to use OpenVPN's default key renegotiation interval of one hour.
5728 5728
 .\"*********************************************************
5729 5729
 .SS Routing:
... ...
@@ -5759,7 +5759,7 @@ over the secure tunnel (or vice versa).
5759 5759
 
5760 5760
 In a production environment, you could put the route command(s)
5761 5761
 in a shell script and execute with the
5762
-.B --up
5762
+.B \-\-up
5763 5763
 option.
5764 5764
 .\"*********************************************************
5765 5765
 .SH FIREWALLS
... ...
@@ -5767,7 +5767,7 @@ OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
5767 5767
 You should add an entry to your firewall rules to allow incoming OpenVPN
5768 5768
 packets.  On Linux 2.4+:
5769 5769
 .IP
5770
-.B iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
5770
+.B iptables -A INPUT -p udp -s 1.2.3.4 \-\-dport 1194 -j ACCEPT
5771 5771
 .LP
5772 5772
 This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port)
5773 5773
 from an OpenVPN peer at 1.2.3.4.
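Review bot: On line 5770 only `\-\-dport` is escaped; the single-dash options `-A`, `-p`, `-s` and `-j` in the same `.B iptables` command are left as bare hyphens. This is a firewall rule the reader is expected to type or paste, so every option dash on the line should get the same treatment, e.g. `.B iptables \-A INPUT \-p udp \-s 1.2.3.4 \-\-dport 1194 \-j ACCEPT`. The iptables line at 5781 needs the same change.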
... ...
@@ -5778,7 +5778,7 @@ address can be considered optional, since HMAC packet authentication
5778 5778
 is a much more secure method of verifying the authenticity of
5779 5779
 a packet source.  In that case:
5780 5780
 .IP
5781
-.B iptables -A INPUT -p udp --dport 1194 -j ACCEPT
5781
+.B iptables -A INPUT -p udp \-\-dport 1194 -j ACCEPT
5782 5782
 .LP
5783 5783
 would be adequate and would not render the host inflexible with
5784 5784
 respect to its peer having a dynamic IP address.
... ...
@@ -5787,7 +5787,7 @@ OpenVPN also works well on stateful firewalls.  In some cases, you may
5787 5787
 not need to add any static rules to the firewall list if you are
5788 5788
 using a stateful firewall that knows how to track UDP connections.
5789 5789
 If you specify
5790
-.B --ping n,
5790
+.B \-\-ping n,
5791 5791
 OpenVPN will be guaranteed
5792 5792
 to send a packet to its peer at least once every
5793 5793
 .B n