There was a Debian bug report which was filed in 2005. It was patched, but
it seems that nobody forwarded the patch to the OpenVPN project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relation to UTF-8.
Since the bug report was closed, it was patched within the Debian/Ubuntu
packages themselves. I've attached the patch to get it at least reviewed by the
OpenVPN project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
sf.net tracker:
<https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Tested-by: Pavel Shramov <shramov@mexmat.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
... | ... |
@@ -97,25 +97,25 @@ with a relatively lightweight footprint. |
97 | 97 |
.SH OPTIONS |
98 | 98 |
OpenVPN allows any option to be placed either on the command line |
99 | 99 |
or in a configuration file. Though all command line options are preceded |
100 |
-by a double-leading-dash ("--"), this prefix can be removed when |
|
100 |
+by a double-leading-dash ("\-\-"), this prefix can be removed when |
|
101 | 101 |
an option is placed in a configuration file. |
102 | 102 |
.\"********************************************************* |
103 | 103 |
.TP |
104 |
-.B --help |
|
104 |
+.B \-\-help |
|
105 | 105 |
Show options. |
106 | 106 |
.\"********************************************************* |
107 | 107 |
.TP |
108 |
-.B --config file |
|
108 |
+.B \-\-config file |
|
109 | 109 |
Load additional config options from |
110 | 110 |
.B file |
111 | 111 |
where each line corresponds to one command line option, |
112 |
-but with the leading '--' removed. |
|
112 |
+but with the leading '\-\-' removed. |
|
113 | 113 |
|
114 | 114 |
If |
115 |
-.B --config file |
|
115 |
+.B \-\-config file |
|
116 | 116 |
is the only option to the openvpn command, |
117 | 117 |
the |
118 |
-.B --config |
|
118 |
+.B \-\-config |
|
119 | 119 |
can be removed, and the command can be given as |
120 | 120 |
.B openvpn file |
121 | 121 |
|
... | ... |
@@ -187,25 +187,25 @@ secret static.key |
187 | 187 |
.\"********************************************************* |
188 | 188 |
.SS Tunnel Options: |
189 | 189 |
.TP |
190 |
-.B --mode m |
|
190 |
+.B \-\-mode m |
|
191 | 191 |
Set OpenVPN major mode. By default, OpenVPN runs in |
192 | 192 |
point-to-point mode ("p2p"). OpenVPN 2.0 introduces |
193 | 193 |
a new mode ("server") which implements a multi-client |
194 | 194 |
server capability. |
195 | 195 |
.\"********************************************************* |
196 | 196 |
.TP |
197 |
-.B --local host |
|
197 |
+.B \-\-local host |
|
198 | 198 |
Local host name or IP address for bind. |
199 | 199 |
If specified, OpenVPN will bind to this address only. |
200 | 200 |
If unspecified, OpenVPN will bind to all interfaces. |
201 | 201 |
.\"********************************************************* |
202 | 202 |
.TP |
203 |
-.B --remote host [port] [proto] |
|
203 |
+.B \-\-remote host [port] [proto] |
|
204 | 204 |
Remote host name or IP address. On the client, multiple |
205 |
-.B --remote |
|
205 |
+.B \-\-remote |
|
206 | 206 |
options may be specified for redundancy, each referring |
207 | 207 |
to a different OpenVPN server. Specifying multiple |
208 |
-.B --remote |
|
208 |
+.B \-\-remote |
|
209 | 209 |
options for this purpose is a special case of the more |
210 | 210 |
general connection-profile feature. See the |
211 | 211 |
.B <connection> |
... | ... |
@@ -214,7 +214,7 @@ documentation below. |
214 | 214 |
The OpenVPN client will try to connect to a server at |
215 | 215 |
.B host:port |
216 | 216 |
in the order specified by the list of |
217 |
-.B --remote |
|
217 |
+.B \-\-remote |
|
218 | 218 |
options. |
219 | 219 |
|
220 | 220 |
.B proto |
... | ... |
@@ -229,18 +229,18 @@ one server. |
229 | 229 |
|
230 | 230 |
Note that since UDP is connectionless, connection failure |
231 | 231 |
is defined by the |
232 |
-.B --ping |
|
232 |
+.B \-\-ping |
|
233 | 233 |
and |
234 |
-.B --ping-restart |
|
234 |
+.B \-\-ping-restart |
|
235 | 235 |
options. |
236 | 236 |
|
237 | 237 |
Note the following corner case: If you use multiple |
238 |
-.B --remote |
|
238 |
+.B \-\-remote |
|
239 | 239 |
options, AND you are dropping root privileges on |
240 | 240 |
the client with |
241 |
-.B --user |
|
241 |
+.B \-\-user |
|
242 | 242 |
and/or |
243 |
-.B --group, |
|
243 |
+.B \-\-group, |
|
244 | 244 |
AND the client is running a non-Windows OS, if the client needs |
245 | 245 |
to switch to a different server, and that server pushes |
246 | 246 |
back different TUN/TAP or route settings, the client may lack |
... | ... |
@@ -248,7 +248,7 @@ the necessary privileges to close and reopen the TUN/TAP interface. |
248 | 248 |
This could cause the client to exit with a fatal error. |
249 | 249 |
|
250 | 250 |
If |
251 |
-.B --remote |
|
251 |
+.B \-\-remote |
|
252 | 252 |
is unspecified, OpenVPN will listen |
253 | 253 |
for packets from any IP address, but will not act on those packets unless |
254 | 254 |
they pass all authentication tests. This requirement for authentication |
... | ... |
@@ -257,7 +257,7 @@ trusted IP addresses (it is very easy to forge a source IP address on |
257 | 257 |
a UDP packet). |
258 | 258 |
|
259 | 259 |
When used in TCP mode, |
260 |
-.B --remote |
|
260 |
+.B \-\-remote |
|
261 | 261 |
will act as a filter, rejecting connections from any host which does |
262 | 262 |
not match |
263 | 263 |
.B host. |
... | ... |
@@ -283,7 +283,7 @@ and |
283 | 283 |
An OpenVPN client will try each connection profile sequentially |
284 | 284 |
until it achieves a successful connection. |
285 | 285 |
|
286 |
-.B --remote-random |
|
286 |
+.B \-\-remote-random |
|
287 | 287 |
can be used to initially "scramble" the connection |
288 | 288 |
list. |
289 | 289 |
|
... | ... |
@@ -387,15 +387,15 @@ only consider profiles using protocol |
387 | 387 |
('tcp'|'udp'). |
388 | 388 |
.\"********************************************************* |
389 | 389 |
.TP |
390 |
-.B --remote-random |
|
390 |
+.B \-\-remote-random |
|
391 | 391 |
When multiple |
392 |
-.B --remote |
|
392 |
+.B \-\-remote |
|
393 | 393 |
address/ports are specified, or if connection profiles are being |
394 | 394 |
used, initially randomize the order of the list |
395 | 395 |
as a kind of basic load-balancing measure. |
396 | 396 |
.\"********************************************************* |
397 | 397 |
.TP |
398 |
-.B --proto p |
|
398 |
+.B \-\-proto p |
|
399 | 399 |
Use protocol |
400 | 400 |
.B p |
401 | 401 |
for communicating with remote host. |
... | ... |
@@ -409,17 +409,17 @@ or |
409 | 409 |
The default protocol is |
410 | 410 |
.B udp |
411 | 411 |
when |
412 |
-.B --proto |
|
412 |
+.B \-\-proto |
|
413 | 413 |
is not specified. |
414 | 414 |
|
415 | 415 |
For UDP operation, |
416 |
-.B --proto udp |
|
416 |
+.B \-\-proto udp |
|
417 | 417 |
should be specified on both peers. |
418 | 418 |
|
419 | 419 |
For TCP operation, one peer must use |
420 |
-.B --proto tcp-server |
|
420 |
+.B \-\-proto tcp-server |
|
421 | 421 |
and the other must use |
422 |
-.B --proto tcp-client. |
|
422 |
+.B \-\-proto tcp-client. |
|
423 | 423 |
A peer started with |
424 | 424 |
.B tcp-server |
425 | 425 |
will wait indefinitely for an incoming connection. A peer |
... | ... |
@@ -427,9 +427,9 @@ started with |
427 | 427 |
.B tcp-client |
428 | 428 |
will attempt to connect, and if that fails, will sleep for 5 |
429 | 429 |
seconds (adjustable via the |
430 |
-.B --connect-retry |
|
430 |
+.B \-\-connect-retry |
|
431 | 431 |
option) and try again infinite or up to N retries (adjustable via the |
432 |
-.B --connect-retry-max |
|
432 |
+.B \-\-connect-retry-max |
|
433 | 433 |
option). Both TCP client and server will simulate |
434 | 434 |
a SIGUSR1 restart signal if either side resets the connection. |
435 | 435 |
|
... | ... |
@@ -449,9 +449,9 @@ application-level UDP protocols, or tunneling protocols which don't |
449 | 449 |
possess a built-in reliability layer. |
450 | 450 |
.\"********************************************************* |
451 | 451 |
.TP |
452 |
-.B --connect-retry n |
|
452 |
+.B \-\-connect-retry n |
|
453 | 453 |
For |
454 |
-.B --proto tcp-client, |
|
454 |
+.B \-\-proto tcp-client, |
|
455 | 455 |
take |
456 | 456 |
.B n |
457 | 457 |
as the |
... | ... |
@@ -459,16 +459,16 @@ number of seconds to wait |
459 | 459 |
between connection retries (default=5). |
460 | 460 |
.\"********************************************************* |
461 | 461 |
.TP |
462 |
-.B --connect-retry-max n |
|
462 |
+.B \-\-connect-retry-max n |
|
463 | 463 |
For |
464 |
-.B --proto tcp-client, |
|
464 |
+.B \-\-proto tcp-client, |
|
465 | 465 |
take |
466 | 466 |
.B n |
467 | 467 |
as the |
468 | 468 |
number of retries of connection attempt (default=infinite). |
469 | 469 |
.\"********************************************************* |
470 | 470 |
.TP |
471 |
-.B --auto-proxy |
|
471 |
+.B \-\-auto-proxy |
|
472 | 472 |
Try to sense HTTP or SOCKS proxy settings automatically. |
473 | 473 |
If no settings are present, a direct connection will be attempted. |
474 | 474 |
If both HTTP and SOCKS settings are present, HTTP will be preferred. |
... | ... |
@@ -480,7 +480,7 @@ InternetQueryOption API. |
480 | 480 |
This option exists in OpenVPN 2.1 or higher. |
481 | 481 |
.\"********************************************************* |
482 | 482 |
.TP |
483 |
-.B --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method] |
|
483 |
+.B \-\-http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method] |
|
484 | 484 |
Connect to remote host through an HTTP proxy at address |
485 | 485 |
.B server |
486 | 486 |
and port |
... | ... |
@@ -515,32 +515,32 @@ determine the authentication method, but to reject weak |
515 | 515 |
authentication protocols such as HTTP Basic Authentication. |
516 | 516 |
.\"********************************************************* |
517 | 517 |
.TP |
518 |
-.B --http-proxy-retry |
|
518 |
+.B \-\-http-proxy-retry |
|
519 | 519 |
Retry indefinitely on HTTP proxy errors. If an HTTP proxy error |
520 | 520 |
occurs, simulate a SIGUSR1 reset. |
521 | 521 |
.\"********************************************************* |
522 | 522 |
.TP |
523 |
-.B --http-proxy-timeout n |
|
523 |
+.B \-\-http-proxy-timeout n |
|
524 | 524 |
Set proxy timeout to |
525 | 525 |
.B n |
526 | 526 |
seconds, default=5. |
527 | 527 |
.\"********************************************************* |
528 | 528 |
.TP |
529 |
-.B --http-proxy-option type [parm] |
|
529 |
+.B \-\-http-proxy-option type [parm] |
|
530 | 530 |
Set extended HTTP proxy options. |
531 | 531 |
Repeat to set multiple options. |
532 | 532 |
|
533 |
-.B VERSION version -- |
|
533 |
+.B VERSION version \-\- |
|
534 | 534 |
Set HTTP version number to |
535 | 535 |
.B version |
536 | 536 |
(default=1.0). |
537 | 537 |
|
538 |
-.B AGENT user-agent -- |
|
538 |
+.B AGENT user-agent \-\- |
|
539 | 539 |
Set HTTP "User-Agent" string to |
540 | 540 |
.B user-agent. |
541 | 541 |
.\"********************************************************* |
542 | 542 |
.TP |
543 |
-.B --socks-proxy server [port] |
|
543 |
+.B \-\-socks-proxy server [port] |
|
544 | 544 |
Connect to remote host through a Socks5 proxy at address |
545 | 545 |
.B server |
546 | 546 |
and port |
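Review bot: `VERSION version --` and `AGENT user-agent --` in this hunk are separator dashes in running text, not option prefixes, yet they receive the same `\-\-` treatment as `\-\-http-proxy-option`. Escaping them is harmless (two ASCII minus signs render correctly), but the commit message only mentions option dashes; either state that every `--` in the page was escaped, or use `\(em` for the prose separators so the two uses stay distinguishable in the source. The same applies to `net30 \-\-`, `p2p \-\-`, `subnet \-\-` and `default \-\- 255.255.255.255` in later hunks.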
... | ... |
@@ -548,14 +548,14 @@ and port |
548 | 548 |
(default=1080). |
549 | 549 |
.\"********************************************************* |
550 | 550 |
.TP |
551 |
-.B --socks-proxy-retry |
|
551 |
+.B \-\-socks-proxy-retry |
|
552 | 552 |
Retry indefinitely on Socks proxy errors. If a Socks proxy error |
553 | 553 |
occurs, simulate a SIGUSR1 reset. |
554 | 554 |
.\"********************************************************* |
555 | 555 |
.TP |
556 |
-.B --resolv-retry n |
|
556 |
+.B \-\-resolv-retry n |
|
557 | 557 |
If hostname resolve fails for |
558 |
-.B --remote, |
|
558 |
+.B \-\-remote, |
|
559 | 559 |
retry resolve for |
560 | 560 |
.B n |
561 | 561 |
seconds before failing. |
... | ... |
@@ -565,18 +565,18 @@ Set |
565 | 565 |
to "infinite" to retry indefinitely. |
566 | 566 |
|
567 | 567 |
By default, |
568 |
-.B --resolv-retry infinite |
|
568 |
+.B \-\-resolv-retry infinite |
|
569 | 569 |
is enabled. You can disable by setting n=0. |
570 | 570 |
.\"********************************************************* |
571 | 571 |
.TP |
572 |
-.B --float |
|
572 |
+.B \-\-float |
|
573 | 573 |
Allow remote peer to change its IP address and/or port number, such as due to |
574 | 574 |
DHCP (this is the default if |
575 |
-.B --remote |
|
575 |
+.B \-\-remote |
|
576 | 576 |
is not used). |
577 |
-.B --float |
|
577 |
+.B \-\-float |
|
578 | 578 |
when specified with |
579 |
-.B --remote |
|
579 |
+.B \-\-remote |
|
580 | 580 |
allows an OpenVPN session to initially connect to a peer |
581 | 581 |
at a known address, however if packets arrive from a new |
582 | 582 |
address and pass all authentication tests, the new address |
... | ... |
@@ -585,14 +585,14 @@ you are connecting to a peer which holds a dynamic address |
585 | 585 |
such as a dial-in user or DHCP client. |
586 | 586 |
|
587 | 587 |
Essentially, |
588 |
-.B --float |
|
588 |
+.B \-\-float |
|
589 | 589 |
tells OpenVPN to accept authenticated packets |
590 | 590 |
from any address, not only the address which was specified in the |
591 |
-.B --remote |
|
591 |
+.B \-\-remote |
|
592 | 592 |
option. |
593 | 593 |
.\"********************************************************* |
594 | 594 |
.TP |
595 |
-.B --ipchange cmd |
|
595 |
+.B \-\-ipchange cmd |
|
596 | 596 |
Execute shell command |
597 | 597 |
.B cmd |
598 | 598 |
when our remote ip-address is initially authenticated or |
... | ... |
@@ -603,11 +603,11 @@ Execute as: |
603 | 603 |
.B cmd ip_address port_number |
604 | 604 |
|
605 | 605 |
Don't use |
606 |
-.B --ipchange |
|
606 |
+.B \-\-ipchange |
|
607 | 607 |
in |
608 |
-.B --mode server |
|
608 |
+.B \-\-mode server |
|
609 | 609 |
mode. Use a |
610 |
-.B --client-connect |
|
610 |
+.B \-\-client-connect |
|
611 | 611 |
script instead. |
612 | 612 |
|
613 | 613 |
See the "Environmental Variables" section below for |
... | ... |
@@ -642,41 +642,41 @@ reestablish a connection with its most recently authenticated |
642 | 642 |
peer on its new IP address. |
643 | 643 |
.\"********************************************************* |
644 | 644 |
.TP |
645 |
-.B --port port |
|
645 |
+.B \-\-port port |
|
646 | 646 |
TCP/UDP port number for both local and remote. The current |
647 | 647 |
default of 1194 represents the official IANA port number |
648 | 648 |
assignment for OpenVPN and has been used since version 2.0-beta17. |
649 | 649 |
Previous versions used port 5000 as the default. |
650 | 650 |
.\"********************************************************* |
651 | 651 |
.TP |
652 |
-.B --lport port |
|
652 |
+.B \-\-lport port |
|
653 | 653 |
TCP/UDP port number for bind. |
654 | 654 |
.\"********************************************************* |
655 | 655 |
.TP |
656 |
-.B --rport port |
|
656 |
+.B \-\-rport port |
|
657 | 657 |
TCP/UDP port number for remote. |
658 | 658 |
.\"********************************************************* |
659 | 659 |
.TP |
660 |
-.B --bind |
|
660 |
+.B \-\-bind |
|
661 | 661 |
Bind to local address and port. This is the default unless any of |
662 |
-.B --proto tcp-client |
|
662 |
+.B \-\-proto tcp-client |
|
663 | 663 |
, |
664 |
-.B --http-proxy |
|
664 |
+.B \-\-http-proxy |
|
665 | 665 |
or |
666 |
-.B --socks-proxy |
|
666 |
+.B \-\-socks-proxy |
|
667 | 667 |
are used. |
668 | 668 |
.\"********************************************************* |
669 | 669 |
.TP |
670 |
-.B --nobind |
|
670 |
+.B \-\-nobind |
|
671 | 671 |
Do not bind to local address and port. The IP stack will allocate |
672 | 672 |
a dynamic port for returning packets. Since the value of the dynamic port |
673 | 673 |
could not be known in advance by a peer, this option is only suitable for |
674 | 674 |
peers which will be initiating connections by using the |
675 |
-.B --remote |
|
675 |
+.B \-\-remote |
|
676 | 676 |
option. |
677 | 677 |
.\"********************************************************* |
678 | 678 |
.TP |
679 |
-.B --dev tunX | tapX | null |
|
679 |
+.B \-\-dev tunX | tapX | null |
|
680 | 680 |
TUN/TAP virtual network device ( |
681 | 681 |
.B X |
682 | 682 |
can be omitted for a dynamic device.) |
... | ... |
@@ -694,7 +694,7 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while |
694 | 694 |
devices encapsulate Ethernet 802.3 (OSI Layer 2). |
695 | 695 |
.\"********************************************************* |
696 | 696 |
.TP |
697 |
-.B --dev-type device-type |
|
697 |
+.B \-\-dev-type device-type |
|
698 | 698 |
Which device type are we using? |
699 | 699 |
.B device-type |
700 | 700 |
should be |
... | ... |
@@ -704,60 +704,60 @@ or |
704 | 704 |
.B tap |
705 | 705 |
(OSI Layer 2). |
706 | 706 |
Use this option only if the TUN/TAP device used with |
707 |
-.B --dev |
|
707 |
+.B \-\-dev |
|
708 | 708 |
does not begin with |
709 | 709 |
.B tun |
710 | 710 |
or |
711 | 711 |
.B tap. |
712 | 712 |
.\"********************************************************* |
713 | 713 |
.TP |
714 |
-.B --topology mode |
|
714 |
+.B \-\-topology mode |
|
715 | 715 |
Configure virtual addressing topology when running in |
716 |
-.B --dev tun |
|
716 |
+.B \-\-dev tun |
|
717 | 717 |
mode. This directive has no meaning in |
718 |
-.B --dev tap |
|
718 |
+.B \-\-dev tap |
|
719 | 719 |
mode, which always uses a |
720 | 720 |
.B subnet |
721 | 721 |
topology. |
722 | 722 |
|
723 | 723 |
If you set this directive on the server, the |
724 |
-.B --server |
|
724 |
+.B \-\-server |
|
725 | 725 |
and |
726 |
-.B --server-bridge |
|
726 |
+.B \-\-server-bridge |
|
727 | 727 |
directives will automatically push your chosen topology setting to clients |
728 | 728 |
as well. This directive can also be manually pushed to clients. Like the |
729 |
-.B --dev |
|
729 |
+.B \-\-dev |
|
730 | 730 |
directive, this directive must always be compatible between client and server. |
731 | 731 |
|
732 | 732 |
.B mode |
733 | 733 |
can be one of: |
734 | 734 |
|
735 |
-.B net30 -- |
|
735 |
+.B net30 \-\- |
|
736 | 736 |
Use a point-to-point topology, by allocating one /30 subnet per client. |
737 | 737 |
This is designed to allow point-to-point semantics when some |
738 | 738 |
or all of the connecting clients might be Windows systems. This is the |
739 | 739 |
default on OpenVPN 2.0. |
740 | 740 |
|
741 |
-.B p2p -- |
|
741 |
+.B p2p \-\- |
|
742 | 742 |
Use a point-to-point topology where the remote endpoint of the client's |
743 | 743 |
tun interface always points to the local endpoint of the server's tun interface. |
744 | 744 |
This mode allocates a single IP address per connecting client. |
745 | 745 |
Only use |
746 | 746 |
when none of the connecting clients are Windows systems. This mode |
747 | 747 |
is functionally equivalent to the |
748 |
-.B --ifconfig-pool-linear |
|
748 |
+.B \-\-ifconfig-pool-linear |
|
749 | 749 |
directive which is available in OpenVPN 2.0 and is now deprecated. |
750 | 750 |
|
751 |
-.B subnet -- |
|
751 |
+.B subnet \-\- |
|
752 | 752 |
Use a subnet rather than a point-to-point topology by |
753 | 753 |
configuring the tun interface with a local IP address and subnet mask, |
754 | 754 |
similar to the topology used in |
755 |
-.B --dev tap |
|
755 |
+.B \-\-dev tap |
|
756 | 756 |
and ethernet bridging mode. |
757 | 757 |
This mode allocates a single IP address per connecting client and works on |
758 | 758 |
Windows as well. Only available when server and clients are OpenVPN 2.1 or |
759 | 759 |
higher, or OpenVPN 2.0.x which has been manually patched with the |
760 |
-.B --topology |
|
760 |
+.B \-\-topology |
|
761 | 761 |
directive code. When used on Windows, requires version 8.2 or higher |
762 | 762 |
of the TAP-Win32 driver. When used on *nix, requires that the tun |
763 | 763 |
driver supports an |
... | ... |
@@ -767,26 +767,26 @@ command which sets a subnet instead of a remote endpoint IP address. |
767 | 767 |
This option exists in OpenVPN 2.1 or higher. |
768 | 768 |
.\"********************************************************* |
769 | 769 |
.TP |
770 |
-.B --tun-ipv6 |
|
770 |
+.B \-\-tun-ipv6 |
|
771 | 771 |
Build a tun link capable of forwarding IPv6 traffic. |
772 | 772 |
Should be used in conjunction with |
773 |
-.B --dev tun |
|
773 |
+.B \-\-dev tun |
|
774 | 774 |
or |
775 |
-.B --dev tunX. |
|
775 |
+.B \-\-dev tunX. |
|
776 | 776 |
A warning will be displayed |
777 | 777 |
if no specific IPv6 TUN support for your OS has been compiled into OpenVPN. |
778 | 778 |
.\"********************************************************* |
779 | 779 |
.TP |
780 |
-.B --dev-node node |
|
780 |
+.B \-\-dev-node node |
|
781 | 781 |
Explicitly set the device node rather than using |
782 | 782 |
/dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN |
783 | 783 |
cannot figure out whether |
784 | 784 |
.B node |
785 | 785 |
is a TUN or TAP device based on the name, you should |
786 | 786 |
also specify |
787 |
-.B --dev-type tun |
|
787 |
+.B \-\-dev-type tun |
|
788 | 788 |
or |
789 |
-.B --dev-type tap. |
|
789 |
+.B \-\-dev-type tap. |
|
790 | 790 |
|
791 | 791 |
On Windows systems, select the TAP-Win32 adapter which |
792 | 792 |
is named |
... | ... |
@@ -794,24 +794,24 @@ is named |
794 | 794 |
in the Network Connections Control Panel or the |
795 | 795 |
raw GUID of the adapter enclosed by braces. |
796 | 796 |
The |
797 |
-.B --show-adapters |
|
797 |
+.B \-\-show-adapters |
|
798 | 798 |
option under Windows can also be used |
799 | 799 |
to enumerate all available TAP-Win32 |
800 | 800 |
adapters and will show both the network |
801 | 801 |
connections control panel name and the GUID for |
802 | 802 |
each TAP-Win32 adapter. |
803 | 803 |
.TP |
804 |
-.B --lladdr address |
|
804 |
+.B \-\-lladdr address |
|
805 | 805 |
Specify the link layer address, more commonly known as the MAC address. |
806 | 806 |
Only applied to TAP devices. |
807 | 807 |
.\"********************************************************* |
808 | 808 |
.TP |
809 |
-.B --iproute cmd |
|
809 |
+.B \-\-iproute cmd |
|
810 | 810 |
Set alternate command to execute instead of default iproute2 command. |
811 | 811 |
May be used in order to execute OpenVPN in unprivileged environment. |
812 | 812 |
.\"********************************************************* |
813 | 813 |
.TP |
814 |
-.B --ifconfig l rn |
|
814 |
+.B \-\-ifconfig l rn |
|
815 | 815 |
Set TUN/TAP adapter parameters. |
816 | 816 |
.B l |
817 | 817 |
is the IP address of the local VPN endpoint. |
... | ... |
@@ -826,7 +826,7 @@ which is being created or connected to. |
826 | 826 |
For TUN devices, which facilitate virtual |
827 | 827 |
point-to-point IP connections, |
828 | 828 |
the proper usage of |
829 |
-.B --ifconfig |
|
829 |
+.B \-\-ifconfig |
|
830 | 830 |
is to use two private IP addresses |
831 | 831 |
which are not a member of any |
832 | 832 |
existing subnet which is in use. |
... | ... |
@@ -840,7 +840,7 @@ you will be pinging across the VPN. |
840 | 840 |
For TAP devices, which provide |
841 | 841 |
the ability to create virtual |
842 | 842 |
ethernet segments, |
843 |
-.B --ifconfig |
|
843 |
+.B \-\-ifconfig |
|
844 | 844 |
is used to set an IP address and |
845 | 845 |
subnet mask just as a physical |
846 | 846 |
ethernet adapter would be |
... | ... |
@@ -861,42 +861,42 @@ standard interface to the different |
861 | 861 |
ifconfig implementations on different |
862 | 862 |
platforms. |
863 | 863 |
|
864 |
-.B --ifconfig |
|
864 |
+.B \-\-ifconfig |
|
865 | 865 |
parameters which are IP addresses can |
866 | 866 |
also be specified as a DNS or /etc/hosts |
867 | 867 |
file resolvable name. |
868 | 868 |
|
869 | 869 |
For TAP devices, |
870 |
-.B --ifconfig |
|
870 |
+.B \-\-ifconfig |
|
871 | 871 |
should not be used if the TAP interface will be |
872 | 872 |
getting an IP address lease from a DHCP |
873 | 873 |
server. |
874 | 874 |
.\"********************************************************* |
875 | 875 |
.TP |
876 |
-.B --ifconfig-noexec |
|
876 |
+.B \-\-ifconfig-noexec |
|
877 | 877 |
Don't actually execute ifconfig/netsh commands, instead |
878 | 878 |
pass |
879 |
-.B --ifconfig |
|
879 |
+.B \-\-ifconfig |
|
880 | 880 |
parameters to scripts using environmental variables. |
881 | 881 |
.\"********************************************************* |
882 | 882 |
.TP |
883 |
-.B --ifconfig-nowarn |
|
883 |
+.B \-\-ifconfig-nowarn |
|
884 | 884 |
Don't output an options consistency check warning |
885 | 885 |
if the |
886 |
-.B --ifconfig |
|
886 |
+.B \-\-ifconfig |
|
887 | 887 |
option on this side of the |
888 | 888 |
connection doesn't match the remote side. This is useful |
889 | 889 |
when you want to retain the overall benefits of the |
890 | 890 |
options consistency check (also see |
891 |
-.B --disable-occ |
|
891 |
+.B \-\-disable-occ |
|
892 | 892 |
option) while only disabling the ifconfig component of |
893 | 893 |
the check. |
894 | 894 |
|
895 | 895 |
For example, |
896 | 896 |
if you have a configuration where the local host uses |
897 |
-.B --ifconfig |
|
897 |
+.B \-\-ifconfig |
|
898 | 898 |
but the remote host does not, use |
899 |
-.B --ifconfig-nowarn |
|
899 |
+.B \-\-ifconfig-nowarn |
|
900 | 900 |
on the local host. |
901 | 901 |
|
902 | 902 |
This option will also silence warnings about potential |
... | ... |
@@ -904,7 +904,7 @@ address conflicts which occasionally annoy more experienced |
904 | 904 |
users by triggering "false positive" warnings. |
905 | 905 |
.\"********************************************************* |
906 | 906 |
.TP |
907 |
-.B --route network/IP [netmask] [gateway] [metric] |
|
907 |
+.B \-\-route network/IP [netmask] [gateway] [metric] |
|
908 | 908 |
Add route to routing table after connection is established. |
909 | 909 |
Multiple routes can be specified. Routes will be |
910 | 910 |
automatically torn down in reverse order prior to |
... | ... |
@@ -918,20 +918,20 @@ while at the same time providing portable semantics |
918 | 918 |
across OpenVPN's platform space. |
919 | 919 |
|
920 | 920 |
.B netmask |
921 |
-default -- 255.255.255.255 |
|
921 |
+default \-\- 255.255.255.255 |
|
922 | 922 |
|
923 | 923 |
.B gateway |
924 |
-default -- taken from |
|
925 |
-.B --route-gateway |
|
924 |
+default \-\- taken from |
|
925 |
+.B \-\-route-gateway |
|
926 | 926 |
or the second parameter to |
927 |
-.B --ifconfig |
|
927 |
+.B \-\-ifconfig |
|
928 | 928 |
when |
929 |
-.B --dev tun |
|
929 |
+.B \-\-dev tun |
|
930 | 930 |
is specified. |
931 | 931 |
|
932 | 932 |
.B metric |
933 |
-default -- taken from |
|
934 |
-.B --route-metric |
|
933 |
+default \-\- taken from |
|
934 |
+.B \-\-route-metric |
|
935 | 935 |
otherwise 0. |
936 | 936 |
|
937 | 937 |
The default can be specified by leaving an option blank or setting |
... | ... |
@@ -946,37 +946,37 @@ also be specified as a DNS or /etc/hosts |
946 | 946 |
file resolvable name, or as one of three special keywords: |
947 | 947 |
|
948 | 948 |
.B vpn_gateway |
949 |
+\-\- The remote VPN endpoint address |
|
949 | 950 |
(derived either from |
950 |
-.B --route-gateway |
|
951 |
+.B \-\-route-gateway |
|
951 | 952 |
or the second parameter to |
952 |
-.B --ifconfig |
|
953 |
+.B \-\-ifconfig |
|
953 | 954 |
when |
954 |
-.B --dev tun |
|
955 |
+.B \-\-dev tun |
|
955 | 956 |
is specified). |
956 | 957 |
|
957 | 958 |
.B net_gateway |
959 |
+\-\- The pre-existing IP default gateway, read from the routing |
|
958 | 960 |
table (not supported on all OSes). |
959 | 961 |
|
960 | 962 |
.B remote_host |
961 |
-.B --remote |
|
963 |
+\-\- The |
|
964 |
+.B \-\-remote |
|
962 | 965 |
address if OpenVPN is being run in client mode, and is undefined in server mode. |
963 | 966 |
.\"********************************************************* |
964 | 967 |
.TP |
965 |
-.B --max-routes n |
|
968 |
+.B \-\-max-routes n |
|
966 | 969 |
Allow a maximum number of n |
967 |
-.B --route |
|
970 |
+.B \-\-route |
|
968 | 971 |
options to be specified, either in the local configuration file, |
969 | 972 |
or pulled from an OpenVPN server. By default, n=100. |
970 | 973 |
.\"********************************************************* |
971 | 974 |
.TP |
972 |
-.B --route-gateway gw|'dhcp' |
|
975 |
+.B \-\-route-gateway gw|'dhcp' |
|
973 | 976 |
Specify a default gateway |
974 | 977 |
.B gw |
975 | 978 |
for use with |
976 |
-.B --route. |
|
979 |
+.B \-\-route. |
|
977 | 980 |
|
978 | 981 |
If |
979 | 982 |
.B dhcp |
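Review bot: this hunk is not a pure escaping change and the commit message should say so. `\-\- The remote VPN endpoint address`, `\-\- The pre-existing IP default gateway, read from the routing` and `\-\- The` are added lines with no removed counterpart, and the old-side numbering leaves no room for them: before the patch `.B vpn_gateway` is followed directly by `(derived either from`, and `.B net_gateway` directly by `table (not supported on all OSes).`, which are broken sentences. So the three keyword descriptions are new (or restored) text, not re-escaped text. Please mention that in the message and confirm the wording against the upstream man page rather than leaving it to be spotted in the diff.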
... | ... |
@@ -985,14 +985,14 @@ the gateway address will be extracted from a DHCP |
985 | 985 |
negotiation with the OpenVPN server-side LAN. |
986 | 986 |
.\"********************************************************* |
987 | 987 |
.TP |
988 |
-.B --route-metric m |
|
988 |
+.B \-\-route-metric m |
|
989 | 989 |
Specify a default metric |
990 | 990 |
.B m |
991 | 991 |
for use with |
992 |
-.B --route. |
|
992 |
+.B \-\-route. |
|
993 | 993 |
.\"********************************************************* |
994 | 994 |
.TP |
995 |
-.B --route-delay [n] [w] |
|
995 |
+.B \-\-route-delay [n] [w] |
|
996 | 996 |
Delay |
997 | 997 |
.B n |
998 | 998 |
seconds (default=0) after connection |
... | ... |
@@ -1000,16 +1000,16 @@ establishment, before adding routes. If |
1000 | 1000 |
.B n |
1001 | 1001 |
is 0, routes will be added immediately upon connection |
1002 | 1002 |
establishment. If |
1003 |
-.B --route-delay |
|
1003 |
+.B \-\-route-delay |
|
1004 | 1004 |
is omitted, routes will be added immediately after TUN/TAP device |
1005 | 1005 |
open and |
1006 |
-.B --up |
|
1006 |
+.B \-\-up |
|
1007 | 1007 |
script execution, before any |
1008 |
-.B --user |
|
1008 |
+.B \-\-user |
|
1009 | 1009 |
or |
1010 |
-.B --group |
|
1010 |
+.B \-\-group |
|
1011 | 1011 |
privilege downgrade (or |
1012 |
-.B --chroot |
|
1012 |
+.B \-\-chroot |
|
1013 | 1013 |
execution.) |
1014 | 1014 |
|
1015 | 1015 |
This option is designed to be useful in scenarios where DHCP is |
... | ... |
@@ -1018,18 +1018,18 @@ tap adapter addresses. The delay will give the DHCP handshake |
1018 | 1018 |
time to complete before routes are added. |
1019 | 1019 |
|
1020 | 1020 |
On Windows, |
1021 |
-.B --route-delay |
|
1021 |
+.B \-\-route-delay |
|
1022 | 1022 |
tries to be more intelligent by waiting |
1023 | 1023 |
.B w |
1024 | 1024 |
seconds (w=30 by default) |
1025 | 1025 |
for the TAP-Win32 adapter to come up before adding routes. |
1026 | 1026 |
.\"********************************************************* |
1027 | 1027 |
.TP |
1028 |
-.B --route-up cmd |
|
1028 |
+.B \-\-route-up cmd |
|
1029 | 1029 |
Execute shell command |
1030 | 1030 |
.B cmd |
1031 | 1031 |
after routes are added, subject to |
1032 |
-.B --route-delay. |
|
1032 |
+.B \-\-route-delay. |
|
1033 | 1033 |
|
1034 | 1034 |
See the "Environmental Variables" section below for |
1035 | 1035 |
additional parameters passed as environmental variables. |
... | ... |
@@ -1039,17 +1039,17 @@ Note that |
1039 | 1039 |
can be a shell command with multiple arguments. |
1040 | 1040 |
.\"********************************************************* |
1041 | 1041 |
.TP |
1042 |
-.B --route-noexec |
|
1042 |
+.B \-\-route-noexec |
|
1043 | 1043 |
Don't add or remove routes automatically. Instead pass routes to |
1044 |
-.B --route-up |
|
1044 |
+.B \-\-route-up |
|
1045 | 1045 |
script using environmental variables. |
1046 | 1046 |
.\"********************************************************* |
1047 | 1047 |
.TP |
1048 |
-.B --route-nopull |
|
1048 |
+.B \-\-route-nopull |
|
1049 | 1049 |
When used with |
1050 |
-.B --client |
|
1050 |
+.B \-\-client |
|
1051 | 1051 |
or |
1052 |
-.B --pull, |
|
1052 |
+.B \-\-pull, |
|
1053 | 1053 |
accept options pushed by server EXCEPT for routes. |
1054 | 1054 |
|
1055 | 1055 |
When used on the client, this option effectively bars the |
... | ... |
@@ -1058,16 +1058,16 @@ however note that this option still allows the server |
1058 | 1058 |
to set the TCP/IP properties of the client's TUN/TAP interface. |
1059 | 1059 |
.\"********************************************************* |
1060 | 1060 |
.TP |
1061 |
-.B --allow-pull-fqdn |
|
1061 |
+.B \-\-allow-pull-fqdn |
|
1062 | 1062 |
Allow client to pull DNS names from server (rather than being limited |
1063 | 1063 |
to IP address) for |
1064 |
-.B --ifconfig, |
|
1065 |
-.B --route, |
|
1064 |
+.B \-\-ifconfig, |
|
1065 |
+.B \-\-route, |
|
1066 | 1066 |
and |
1067 |
-.B --route-gateway. |
|
1067 |
+.B \-\-route-gateway. |
|
1068 | 1068 |
.\"********************************************************* |
1069 | 1069 |
.TP |
1070 |
-.B --redirect-gateway flags... |
|
1070 |
+.B \-\-redirect-gateway flags... |
|
1071 | 1071 |
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic |
1072 | 1072 |
to be redirected over the VPN. |
1073 | 1073 |
|
... | ... |
@@ -1075,7 +1075,7 @@ This option performs three steps: |
1075 | 1075 |
|
1076 | 1076 |
.B (1) |
1077 | 1077 |
Create a static route for the |
1078 |
-.B --remote |
|
1078 |
+.B \-\-remote |
|
1079 | 1079 |
address which forwards to the pre-existing default gateway. |
1080 | 1080 |
This is done so that |
1081 | 1081 |
.B (3) |
... | ... |
@@ -1086,11 +1086,11 @@ Delete the default gateway route. |
1086 | 1086 |
|
1087 | 1087 |
.B (3) |
1088 | 1088 |
Set the new default gateway to be the VPN endpoint address (derived either from |
1089 |
-.B --route-gateway |
|
1089 |
+.B \-\-route-gateway |
|
1090 | 1090 |
or the second parameter to |
1091 |
-.B --ifconfig |
|
1091 |
+.B \-\-ifconfig |
|
1092 | 1092 |
when |
1093 |
-.B --dev tun |
|
1093 |
+.B \-\-dev tun |
|
1094 | 1094 |
is specified). |
1095 | 1095 |
|
1096 | 1096 |
When the tunnel is torn down, all of the above steps are reversed so |
... | ... |
@@ -1098,7 +1098,7 @@ that the original default route is restored. |
1098 | 1098 |
|
1099 | 1099 |
Option flags: |
1100 | 1100 |
|
1101 |
-.B local -- |
|
1101 |
+.B local \-\- |
|
1102 | 1102 |
Add the |
1103 | 1103 |
.B local |
1104 | 1104 |
flag if both OpenVPN servers are directly connected via a common subnet, |
... | ... |
@@ -1108,19 +1108,19 @@ flag will cause step |
1108 | 1108 |
.B 1 |
1109 | 1109 |
above to be omitted. |
1110 | 1110 |
|
1111 |
-.B def1 -- |
|
1111 |
+.B def1 \-\- |
|
1112 | 1112 |
Use this flag to override |
1113 | 1113 |
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 |
1114 | 1114 |
rather than 0.0.0.0/0. This has the benefit of overriding |
1115 | 1115 |
but not wiping out the original default gateway. |
1116 | 1116 |
|
1117 |
-.B bypass-dhcp -- |
|
1117 |
+.B bypass-dhcp \-\- |
|
1118 | 1118 |
Add a direct route to the DHCP server (if it is non-local) which |
1119 | 1119 |
bypasses the tunnel |
1120 | 1120 |
(Available on Windows clients, may not be available |
1121 | 1121 |
on non-Windows clients). |
1122 | 1122 |
|
1123 |
-.B bypass-dns -- |
|
1123 |
+.B bypass-dns \-\- |
|
1124 | 1124 |
Add a direct route to the DNS server(s) (if they are non-local) which |
1125 | 1125 |
bypasses the tunnel |
1126 | 1126 |
(Available on Windows clients, may not be available |
... | ... |
@@ -1129,13 +1129,13 @@ on non-Windows clients). |
1129 | 1129 |
Using the def1 flag is highly recommended. |
1130 | 1130 |
.\"********************************************************* |
1131 | 1131 |
.TP |
1132 |
-.B --link-mtu n |
|
1132 |
+.B \-\-link-mtu n |
|
1133 | 1133 |
Sets an upper bound on the size of UDP packets which are sent |
1134 | 1134 |
between OpenVPN peers. It's best not to set this parameter unless |
1135 | 1135 |
you know what you're doing. |
1136 | 1136 |
.\"********************************************************* |
1137 | 1137 |
.TP |
1138 |
-.B --tun-mtu n |
|
1138 |
+.B \-\-tun-mtu n |
|
1139 | 1139 |
Take the TUN device MTU to be |
1140 | 1140 |
.B n |
1141 | 1141 |
and derive the link MTU |
... | ... |
@@ -1151,17 +1151,17 @@ MTU problems often manifest themselves as connections which |
1151 | 1151 |
hang during periods of active usage. |
1152 | 1152 |
|
1153 | 1153 |
It's best to use the |
1154 |
-.B --fragment |
|
1154 |
+.B \-\-fragment |
|
1155 | 1155 |
and/or |
1156 |
-.B --mssfix |
|
1156 |
+.B \-\-mssfix |
|
1157 | 1157 |
options to deal with MTU sizing issues. |
1158 | 1158 |
.\"********************************************************* |
1159 | 1159 |
.TP |
1160 |
-.B --tun-mtu-extra n |
|
1160 |
+.B \-\-tun-mtu-extra n |
|
1161 | 1161 |
Assume that the TUN/TAP device might return as many as |
1162 | 1162 |
.B n |
1163 | 1163 |
bytes more than the |
1164 |
-.B --tun-mtu |
|
1164 |
+.B \-\-tun-mtu |
|
1165 | 1165 |
size on read. This parameter defaults to 0, which is sufficient for |
1166 | 1166 |
most TUN devices. TAP devices may introduce additional overhead in excess |
1167 | 1167 |
of the MTU size, and a setting of 32 is the default when TAP devices are used. |
... | ... |
@@ -1169,34 +1169,34 @@ This parameter only controls internal OpenVPN buffer sizing, |
1169 | 1169 |
so there is no transmission overhead associated with using a larger value. |
1170 | 1170 |
.\"********************************************************* |
1171 | 1171 |
.TP |
1172 |
-.B --mtu-disc type |
|
1172 |
+.B \-\-mtu-disc type |
|
1173 | 1173 |
Should we do Path MTU discovery on TCP/UDP channel? Only supported on OSes such |
1174 | 1174 |
as Linux that supports the necessary system call to set. |
1175 | 1175 |
|
1176 | 1176 |
.B 'no' |
1177 |
+\-\- Never send DF (Don't Fragment) frames |
|
1177 | 1178 |
.br |
1178 | 1179 |
.B 'maybe' |
1180 |
+\-\- Use per-route hints |
|
1179 | 1181 |
.br |
1180 | 1182 |
.B 'yes' |
1183 |
+\-\- Always DF (Don't Fragment) |
|
1181 | 1184 |
.br |
1182 | 1185 |
.\"********************************************************* |
1183 | 1186 |
.TP |
1184 |
-.B --mtu-test |
|
1187 |
+.B \-\-mtu-test |
|
1185 | 1188 |
To empirically measure MTU on connection startup, |
1186 | 1189 |
add the |
1187 |
-.B --mtu-test |
|
1190 |
+.B \-\-mtu-test |
|
1188 | 1191 |
option to your configuration. |
1189 | 1192 |
OpenVPN will send ping packets of various sizes |
1190 | 1193 |
to the remote peer and measure the largest packets |
1191 | 1194 |
which were successfully received. The |
1192 |
-.B --mtu-test |
|
1195 |
+.B \-\-mtu-test |
|
1193 | 1196 |
process normally takes about 3 minutes to complete. |
1194 | 1197 |
.\"********************************************************* |
1195 | 1198 |
.TP |
1196 |
-.B --fragment max |
|
1199 |
+.B \-\-fragment max |
|
1197 | 1200 |
Enable internal datagram fragmentation so |
1198 | 1201 |
that no UDP datagrams are sent which |
1199 | 1202 |
are larger than |
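Review bot: the three added lines `\-\- Never send DF (Don't Fragment) frames`, `\-\- Use per-route hints` and `\-\- Always DF (Don't Fragment)` have no displayed `-` counterparts, yet the header `@@ -1169,34 +1169,34 @@` says this hunk is 34 lines on both sides, and the old-side numbering drifts accordingly (`1177 | 1178` at the `.br` after `.B 'no'`, then `1184` against `1187` at `\-\-mtu-test`), so three removed lines are missing from this rendering. The likely cause is that the removed lines start with `--`, which as diff `-` lines read as `---` and get swallowed by the viewer; please check the raw patch that each of the `'no'`, `'maybe'` and `'yes'` descriptions is a one-for-one replacement of its old `-- ...` line rather than an added duplicate.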
... | ... |
@@ -1206,24 +1206,24 @@ bytes. |
1206 | 1206 |
The |
1207 | 1207 |
.B max |
1208 | 1208 |
parameter is interpreted in the same way as the |
1209 |
-.B --link-mtu |
|
1209 |
+.B \-\-link-mtu |
|
1210 | 1210 |
parameter, i.e. the UDP packet size after encapsulation |
1211 | 1211 |
overhead has been added in, but not including |
1212 | 1212 |
the UDP header itself. |
1213 | 1213 |
|
1214 | 1214 |
The |
1215 |
-.B --fragment |
|
1215 |
+.B \-\-fragment |
|
1216 | 1216 |
option only makes sense when you are using the UDP protocol ( |
1217 |
-.B --proto udp |
|
1217 |
+.B \-\-proto udp |
|
1218 | 1218 |
). |
1219 | 1219 |
|
1220 |
-.B --fragment |
|
1220 |
+.B \-\-fragment |
|
1221 | 1221 |
adds 4 bytes of overhead per datagram. |
1222 | 1222 |
|
1223 | 1223 |
See the |
1224 |
-.B --mssfix |
|
1224 |
+.B \-\-mssfix |
|
1225 | 1225 |
option below for an important related option to |
1226 |
-.B --fragment. |
|
1226 |
+.B \-\-fragment. |
|
1227 | 1227 |
|
1228 | 1228 |
It should also be noted that this option is not meant to replace |
1229 | 1229 |
UDP fragmentation at the IP stack level. It is only meant as a |
... | ... |
@@ -1236,7 +1236,7 @@ internal fragmentation capability may be your only option, such |
1236 | 1236 |
as tunneling a UDP multicast stream which requires fragmentation. |
1237 | 1237 |
.\"********************************************************* |
1238 | 1238 |
.TP |
1239 |
-.B --mssfix max |
|
1239 |
+.B \-\-mssfix max |
|
1240 | 1240 |
Announce to TCP sessions running over the tunnel that they should limit |
1241 | 1241 |
their send packet sizes such that after OpenVPN has encapsulated them, |
1242 | 1242 |
the resulting UDP packet size that OpenVPN sends to its peer will not |
... | ... |
@@ -1247,33 +1247,33 @@ bytes. |
1247 | 1247 |
The |
1248 | 1248 |
.B max |
1249 | 1249 |
parameter is interpreted in the same way as the |
1250 |
-.B --link-mtu |
|
1250 |
+.B \-\-link-mtu |
|
1251 | 1251 |
parameter, i.e. the UDP packet size after encapsulation |
1252 | 1252 |
overhead has been added in, but not including |
1253 | 1253 |
the UDP header itself. |
1254 | 1254 |
|
1255 | 1255 |
The |
1256 |
-.B --mssfix |
|
1256 |
+.B \-\-mssfix |
|
1257 | 1257 |
option only makes sense when you are using the UDP protocol |
1258 | 1258 |
for OpenVPN peer-to-peer communication, i.e. |
1259 |
-.B --proto udp. |
|
1259 |
+.B \-\-proto udp. |
|
1260 | 1260 |
|
1261 |
-.B --mssfix |
|
1261 |
+.B \-\-mssfix |
|
1262 | 1262 |
and |
1263 |
-.B --fragment |
|
1263 |
+.B \-\-fragment |
|
1264 | 1264 |
can be ideally used together, where |
1265 |
-.B --mssfix |
|
1265 |
+.B \-\-mssfix |
|
1266 | 1266 |
will try to keep TCP from needing |
1267 | 1267 |
packet fragmentation in the first place, |
1268 | 1268 |
and if big packets come through anyhow |
1269 | 1269 |
(from protocols other than TCP), |
1270 |
-.B --fragment |
|
1270 |
+.B \-\-fragment |
|
1271 | 1271 |
will internally fragment them. |
1272 | 1272 |
|
1273 | 1273 |
Both |
1274 |
-.B --fragment |
|
1274 |
+.B \-\-fragment |
|
1275 | 1275 |
and |
1276 |
-.B --mssfix |
|
1276 |
+.B \-\-mssfix |
|
1277 | 1277 |
are designed to work around cases where Path MTU discovery |
1278 | 1278 |
is broken on the network path between OpenVPN peers. |
1279 | 1279 |
|
... | ... |
@@ -1282,35 +1282,35 @@ connection which successfully starts, but then stalls |
1282 | 1282 |
during active usage. |
1283 | 1283 |
|
1284 | 1284 |
If |
1285 |
-.B --fragment |
|
1285 |
+.B \-\-fragment |
|
1286 | 1286 |
and |
1287 |
-.B --mssfix |
|
1287 |
+.B \-\-mssfix |
|
1288 | 1288 |
are used together, |
1289 |
-.B --mssfix |
|
1289 |
+.B \-\-mssfix |
|
1290 | 1290 |
will take its default |
1291 | 1291 |
.B max |
1292 | 1292 |
parameter from the |
1293 |
-.B --fragment max |
|
1293 |
+.B \-\-fragment max |
|
1294 | 1294 |
option. |
1295 | 1295 |
|
1296 | 1296 |
Therefore, one could lower the maximum UDP packet size |
1297 | 1297 |
to 1300 (a good first try for solving MTU-related |
1298 | 1298 |
connection problems) with the following options: |
1299 | 1299 |
|
1300 |
-.B --tun-mtu 1500 --fragment 1300 --mssfix |
|
1300 |
+.B \-\-tun-mtu 1500 \-\-fragment 1300 \-\-mssfix |
|
1301 | 1301 |
.\"********************************************************* |
1302 | 1302 |
.TP |
1303 |
-.B --sndbuf size |
|
1303 |
+.B \-\-sndbuf size |
|
1304 | 1304 |
Set the TCP/UDP socket send buffer size. |
1305 | 1305 |
Currently defaults to 65536 bytes. |
1306 | 1306 |
.\"********************************************************* |
1307 | 1307 |
.TP |
1308 |
-.B --rcvbuf size |
|
1308 |
+.B \-\-rcvbuf size |
|
1309 | 1309 |
Set the TCP/UDP socket receive buffer size. |
1310 | 1310 |
Currently defaults to 65536 bytes. |
1311 | 1311 |
.\"********************************************************* |
1312 | 1312 |
.TP |
1313 |
-.B --socket-flags flags... |
|
1313 |
+.B \-\-socket-flags flags... |
|
1314 | 1314 |
Apply the given flags to the OpenVPN transport socket. |
1315 | 1315 |
Currently, only |
1316 | 1316 |
.B TCP_NODELAY |
... | ... |
@@ -1327,12 +1327,12 @@ This option is pushable from server to client, and should be used |
1327 | 1327 |
on both client and server for maximum effect. |
1328 | 1328 |
.\"********************************************************* |
1329 | 1329 |
.TP |
1330 |
-.B --txqueuelen n |
|
1330 |
+.B \-\-txqueuelen n |
|
1331 | 1331 |
(Linux only) Set the TX queue length on the TUN/TAP interface. |
1332 | 1332 |
Currently defaults to 100. |
1333 | 1333 |
.\"********************************************************* |
1334 | 1334 |
.TP |
1335 |
-.B --shaper n |
|
1335 |
+.B \-\-shaper n |
|
1336 | 1336 |
Limit bandwidth of outgoing tunnel data to |
1337 | 1337 |
.B n |
1338 | 1338 |
bytes per second on the TCP/UDP port. |
... | ... |
@@ -1368,7 +1368,7 @@ OpenVPN allows |
1368 | 1368 |
to be between 100 bytes/sec and 100 Mbytes/sec. |
1369 | 1369 |
.\"********************************************************* |
1370 | 1370 |
.TP |
1371 |
-.B --inactive n [bytes] |
|
1371 |
+.B \-\-inactive n [bytes] |
|
1372 | 1372 |
Causes OpenVPN to exit after |
1373 | 1373 |
.B n |
1374 | 1374 |
seconds of inactivity on the TUN/TAP device. The time length |
... | ... |
@@ -1382,18 +1382,18 @@ produces a combined in/out byte count that is less than |
1382 | 1382 |
.B bytes. |
1383 | 1383 |
.\"********************************************************* |
1384 | 1384 |
.TP |
1385 |
-.B --ping n |
|
1385 |
+.B \-\-ping n |
|
1386 | 1386 |
Ping remote over the TCP/UDP control channel |
1387 | 1387 |
if no packets have been sent for at least |
1388 | 1388 |
.B n |
1389 | 1389 |
seconds (specify |
1390 |
-.B --ping |
|
1390 |
+.B \-\-ping |
|
1391 | 1391 |
on both peers to cause ping packets to be sent in both directions since |
1392 | 1392 |
OpenVPN ping packets are not echoed like IP ping packets). |
1393 | 1393 |
When used in one of OpenVPN's secure modes (where |
1394 |
-.B --secret, --tls-server, |
|
1394 |
+.B \-\-secret, \-\-tls-server, |
|
1395 | 1395 |
or |
1396 |
-.B --tls-client |
|
1396 |
+.B \-\-tls-client |
|
1397 | 1397 |
is specified), the ping packet |
1398 | 1398 |
will be cryptographically secure. |
1399 | 1399 |
|
... | ... |
@@ -1406,33 +1406,33 @@ pass will not time out. |
1406 | 1406 |
|
1407 | 1407 |
(2) To provide a basis for the remote to test the existence |
1408 | 1408 |
of its peer using the |
1409 |
-.B --ping-exit |
|
1409 |
+.B \-\-ping-exit |
|
1410 | 1410 |
option. |
1411 | 1411 |
.\"********************************************************* |
1412 | 1412 |
.TP |
1413 |
-.B --ping-exit n |
|
1413 |
+.B \-\-ping-exit n |
|
1414 | 1414 |
Causes OpenVPN to exit after |
1415 | 1415 |
.B n |
1416 | 1416 |
seconds pass without reception of a ping |
1417 | 1417 |
or other packet from remote. |
1418 | 1418 |
This option can be combined with |
1419 |
-.B --inactive, --ping, |
|
1419 |
+.B \-\-inactive, \-\-ping, |
|
1420 | 1420 |
and |
1421 |
-.B --ping-exit |
|
1421 |
+.B \-\-ping-exit |
|
1422 | 1422 |
to create a two-tiered inactivity disconnect. |
1423 | 1423 |
|
1424 | 1424 |
For example, |
1425 | 1425 |
|
1426 |
-.B openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60 |
|
1426 |
+.B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping-exit 60 |
|
1427 | 1427 |
|
1428 | 1428 |
when used on both peers will cause OpenVPN to exit within 60 |
1429 | 1429 |
seconds if its peer disconnects, but will exit after one |
1430 | 1430 |
hour if no actual tunnel data is exchanged. |
1431 | 1431 |
.\"********************************************************* |
1432 | 1432 |
.TP |
1433 |
-.B --ping-restart n |
|
1433 |
+.B \-\-ping-restart n |
|
1434 | 1434 |
Similar to |
1435 |
-.B --ping-exit, |
|
1435 |
+.B \-\-ping-exit, |
|
1436 | 1436 |
but trigger a |
1437 | 1437 |
.B SIGUSR1 |
1438 | 1438 |
restart after |
... | ... |
@@ -1451,13 +1451,13 @@ as |
1451 | 1451 |
|
1452 | 1452 |
If the peer cannot be reached, a restart will be triggered, causing |
1453 | 1453 |
the hostname used with |
1454 |
-.B --remote |
|
1454 |
+.B \-\-remote |
|
1455 | 1455 |
to be re-resolved (if |
1456 |
-.B --resolv-retry |
|
1456 |
+.B \-\-resolv-retry |
|
1457 | 1457 |
is also specified). |
1458 | 1458 |
|
1459 | 1459 |
In server mode, |
1460 |
-.B --ping-restart, --inactive, |
|
1460 |
+.B \-\-ping-restart, \-\-inactive, |
|
1461 | 1461 |
or any other type of internally generated signal will always be |
1462 | 1462 |
applied to |
1463 | 1463 |
individual client instance objects, never to whole server itself. |
... | ... |
@@ -1466,14 +1466,14 @@ which would normally cause a restart, will cause the deletion |
1466 | 1466 |
of the client instance object instead. |
1467 | 1467 |
|
1468 | 1468 |
In client mode, the |
1469 |
-.B --ping-restart |
|
1469 |
+.B \-\-ping-restart |
|
1470 | 1470 |
parameter is set to 120 seconds by default. This default will |
1471 | 1471 |
hold until the client pulls a replacement value from the server, based on |
1472 | 1472 |
the |
1473 |
-.B --keepalive |
|
1473 |
+.B \-\-keepalive |
|
1474 | 1474 |
setting in the server configuration. |
1475 | 1475 |
To disable the 120 second default, set |
1476 |
-.B --ping-restart 0 |
|
1476 |
+.B \-\-ping-restart 0 |
|
1477 | 1477 |
on the client. |
1478 | 1478 |
|
1479 | 1479 |
See the signals section below for more information |
... | ... |
@@ -1483,27 +1483,27 @@ on |
1483 | 1483 |
Note that the behavior of |
1484 | 1484 |
.B SIGUSR1 |
1485 | 1485 |
can be modified by the |
1486 |
-.B --persist-tun, --persist-key, --persist-local-ip, |
|
1486 |
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip, |
|
1487 | 1487 |
and |
1488 |
-.B --persist-remote-ip |
|
1488 |
+.B \-\-persist-remote-ip |
|
1489 | 1489 |
options. |
1490 | 1490 |
|
1491 | 1491 |
Also note that |
1492 |
-.B --ping-exit |
|
1492 |
+.B \-\-ping-exit |
|
1493 | 1493 |
and |
1494 |
-.B --ping-restart |
|
1494 |
+.B \-\-ping-restart |
|
1495 | 1495 |
are mutually exclusive and cannot be used together. |
1496 | 1496 |
.\"********************************************************* |
1497 | 1497 |
.TP |
1498 |
-.B --keepalive n m |
|
1498 |
+.B \-\-keepalive n m |
|
1499 | 1499 |
A helper directive designed to simplify the expression of |
1500 |
-.B --ping |
|
1500 |
+.B \-\-ping |
|
1501 | 1501 |
and |
1502 |
-.B --ping-restart |
|
1502 |
+.B \-\-ping-restart |
|
1503 | 1503 |
in server mode configurations. |
1504 | 1504 |
|
1505 | 1505 |
For example, |
1506 |
-.B --keepalive 10 60 |
|
1506 |
+.B \-\-keepalive 10 60 |
|
1507 | 1507 |
expands as follows: |
1508 | 1508 |
|
1509 | 1509 |
.nf |
... | ... |
@@ -1522,24 +1522,24 @@ expands as follows: |
1522 | 1522 |
.fi |
1523 | 1523 |
.\"********************************************************* |
1524 | 1524 |
.TP |
1525 |
-.B --ping-timer-rem |
|
1525 |
+.B \-\-ping-timer-rem |
|
1526 | 1526 |
Run the |
1527 |
-.B --ping-exit |
|
1527 |
+.B \-\-ping-exit |
|
1528 | 1528 |
/ |
1529 |
-.B --ping-restart |
|
1529 |
+.B \-\-ping-restart |
|
1530 | 1530 |
timer only if we have a remote address. Use this option if you are |
1531 | 1531 |
starting the daemon in listen mode (i.e. without an explicit |
1532 |
-.B --remote |
|
1532 |
+.B \-\-remote |
|
1533 | 1533 |
peer), and you don't want to start clocking timeouts until a remote |
1534 | 1534 |
peer connects. |
1535 | 1535 |
.\"********************************************************* |
1536 | 1536 |
.TP |
1537 |
-.B --persist-tun |
|
1537 |
+.B \-\-persist-tun |
|
1538 | 1538 |
Don't close and reopen TUN/TAP device or run up/down scripts |
1539 | 1539 |
across |
1540 | 1540 |
.B SIGUSR1 |
1541 | 1541 |
or |
1542 |
-.B --ping-restart |
|
1542 |
+.B \-\-ping-restart |
|
1543 | 1543 |
restarts. |
1544 | 1544 |
|
1545 | 1545 |
.B SIGUSR1 |
... | ... |
@@ -1549,14 +1549,14 @@ but which offers finer-grained control over |
1549 | 1549 |
reset options. |
1550 | 1550 |
.\"********************************************************* |
1551 | 1551 |
.TP |
1552 |
-.B --persist-key |
|
1552 |
+.B \-\-persist-key |
|
1553 | 1553 |
Don't re-read key files across |
1554 | 1554 |
.B SIGUSR1 |
1555 | 1555 |
or |
1556 |
-.B --ping-restart. |
|
1556 |
+.B \-\-ping-restart. |
|
1557 | 1557 |
|
1558 | 1558 |
This option can be combined with |
1559 |
-.B --user nobody |
|
1559 |
+.B \-\-user nobody |
|
1560 | 1560 |
to allow restarts triggered by the |
1561 | 1561 |
.B SIGUSR1 |
1562 | 1562 |
signal. |
... | ... |
@@ -1569,29 +1569,29 @@ This option solves the problem by persisting keys across |
1569 | 1569 |
resets, so they don't need to be re-read. |
1570 | 1570 |
.\"********************************************************* |
1571 | 1571 |
.TP |
1572 |
-.B --persist-local-ip |
|
1572 |
+.B \-\-persist-local-ip |
|
1573 | 1573 |
Preserve initially resolved local IP address and port number |
1574 | 1574 |
across |
1575 | 1575 |
.B SIGUSR1 |
1576 | 1576 |
or |
1577 |
-.B --ping-restart |
|
1577 |
+.B \-\-ping-restart |
|
1578 | 1578 |
restarts. |
1579 | 1579 |
.\"********************************************************* |
1580 | 1580 |
.TP |
1581 |
-.B --persist-remote-ip |
|
1581 |
+.B \-\-persist-remote-ip |
|
1582 | 1582 |
Preserve most recently authenticated remote IP address and port number |
1583 | 1583 |
across |
1584 | 1584 |
.B SIGUSR1 |
1585 | 1585 |
or |
1586 |
-.B --ping-restart |
|
1586 |
+.B \-\-ping-restart |
|
1587 | 1587 |
restarts. |
1588 | 1588 |
.\"********************************************************* |
1589 | 1589 |
.TP |
1590 |
-.B --mlock |
|
1590 |
+.B \-\-mlock |
|
1591 | 1591 |
Disable paging by calling the POSIX mlockall function. |
1592 | 1592 |
Requires that OpenVPN be initially run as root (though |
1593 | 1593 |
OpenVPN can subsequently downgrade its UID using the |
1594 |
-.B --user |
|
1594 |
+.B \-\-user |
|
1595 | 1595 |
option). |
1596 | 1596 |
|
1597 | 1597 |
Using this option ensures that key material and tunnel |
... | ... |
@@ -1603,33 +1603,33 @@ would not be able to scan the system swap file to |
1603 | 1603 |
recover previously used |
1604 | 1604 |
ephemeral keys, which are used for a period of time |
1605 | 1605 |
governed by the |
1606 |
-.B --reneg |
|
1606 |
+.B \-\-reneg |
|
1607 | 1607 |
options (see below), then are discarded. |
1608 | 1608 |
|
1609 | 1609 |
The downside |
1610 | 1610 |
of using |
1611 |
-.B --mlock |
|
1611 |
+.B \-\-mlock |
|
1612 | 1612 |
is that it will reduce the amount of physical |
1613 | 1613 |
memory available to other applications. |
1614 | 1614 |
.\"********************************************************* |
1615 | 1615 |
.TP |
1616 |
-.B --up cmd |
|
1616 |
+.B \-\-up cmd |
|
1617 | 1617 |
Shell command to run after successful TUN/TAP device open |
1618 | 1618 |
(pre |
1619 |
-.B --user |
|
1619 |
+.B \-\-user |
|
1620 | 1620 |
UID change). The up script is useful for specifying route |
1621 | 1621 |
commands which route IP traffic destined for |
1622 | 1622 |
private subnets which exist at the other |
1623 | 1623 |
end of the VPN connection into the tunnel. |
1624 | 1624 |
|
1625 | 1625 |
For |
1626 |
-.B --dev tun |
|
1626 |
+.B \-\-dev tun |
|
1627 | 1627 |
execute as: |
1628 | 1628 |
|
1629 | 1629 |
.B cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ] |
1630 | 1630 |
|
1631 | 1631 |
For |
1632 |
-.B --dev tap |
|
1632 |
+.B \-\-dev tap |
|
1633 | 1633 |
execute as: |
1634 | 1634 |
|
1635 | 1635 |
.B cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ] |
... | ... |
@@ -1654,62 +1654,62 @@ In this context, the last command line parameter passed to the script |
1654 | 1654 |
will be |
1655 | 1655 |
.I init. |
1656 | 1656 |
If the |
1657 |
-.B --up-restart |
|
1657 |
+.B \-\-up-restart |
|
1658 | 1658 |
option is also used, the up script will be called for restarts as |
1659 | 1659 |
well. A restart is considered to be a partial reinitialization |
1660 | 1660 |
of OpenVPN where the TUN/TAP instance is preserved (the |
1661 |
-.B --persist-tun |
|
1661 |
+.B \-\-persist-tun |
|
1662 | 1662 |
option will enable such preservation). A restart |
1663 | 1663 |
can be generated by a SIGUSR1 signal, a |
1664 |
-.B --ping-restart |
|
1664 |
+.B \-\-ping-restart |
|
1665 | 1665 |
timeout, or a connection reset when the TCP protocol is enabled |
1666 | 1666 |
with the |
1667 |
-.B --proto |
|
1667 |
+.B \-\-proto |
|
1668 | 1668 |
option. If a restart occurs, and |
1669 |
-.B --up-restart |
|
1669 |
+.B \-\-up-restart |
|
1670 | 1670 |
has been specified, the up script will be called with |
1671 | 1671 |
.I restart |
1672 | 1672 |
as the last parameter. |
1673 | 1673 |
|
1674 | 1674 |
The following standalone example shows how the |
1675 |
-.B --up |
|
1675 |
+.B \-\-up |
|
1676 | 1676 |
script can be called in both an initialization and restart context. |
1677 | 1677 |
(NOTE: for security reasons, don't run the following example unless UDP port |
1678 | 1678 |
9999 is blocked by your firewall. Also, the example will run indefinitely, |
1679 | 1679 |
so you should abort with control-c). |
1680 | 1680 |
|
1681 |
-.B openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up 'echo up' --down 'echo down' --persist-tun --up-restart |
|
1681 |
+.B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist-tun \-\-up-restart |
|
1682 | 1682 |
|
1683 | 1683 |
Note that OpenVPN also provides the |
1684 |
-.B --ifconfig |
|
1684 |
+.B \-\-ifconfig |
|
1685 | 1685 |
option to automatically ifconfig the TUN device, |
1686 | 1686 |
eliminating the need to define an |
1687 |
-.B --up |
|
1687 |
+.B \-\-up |
|
1688 | 1688 |
script, unless you also want to configure routes |
1689 | 1689 |
in the |
1690 |
-.B --up |
|
1690 |
+.B \-\-up |
|
1691 | 1691 |
script. |
1692 | 1692 |
|
1693 | 1693 |
If |
1694 |
-.B --ifconfig |
|
1694 |
+.B \-\-ifconfig |
|
1695 | 1695 |
is also specified, OpenVPN will pass the ifconfig local |
1696 | 1696 |
and remote endpoints on the command line to the |
1697 |
-.B --up |
|
1697 |
+.B \-\-up |
|
1698 | 1698 |
script so that they can be used to configure routes such as: |
1699 | 1699 |
|
1700 | 1700 |
.B route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 |
1701 | 1701 |
.\"********************************************************* |
1702 | 1702 |
.TP |
1703 |
-.B --up-delay |
|
1703 |
+.B \-\-up-delay |
|
1704 | 1704 |
Delay TUN/TAP open and possible |
1705 |
-.B --up |
|
1705 |
+.B \-\-up |
|
1706 | 1706 |
script execution |
1707 | 1707 |
until after TCP/UDP connection establishment with peer. |
1708 | 1708 |
|
1709 | 1709 |
In |
1710 |
-.B --proto udp |
|
1710 |
+.B \-\-proto udp |
|
1711 | 1711 |
mode, this option normally requires the use of |
1712 |
-.B --ping |
|
1712 |
+.B \-\-ping |
|
1713 | 1713 |
to allow connection initiation to be sensed in the absence |
1714 | 1714 |
of tunnel data, since UDP is a "connectionless" protocol. |
1715 | 1715 |
|
... | ... |
@@ -1718,50 +1718,50 @@ transitioning to "connected" until connection establishment, |
1718 | 1718 |
i.e. the receipt of the first authenticated packet from the peer. |
1719 | 1719 |
.\"********************************************************* |
1720 | 1720 |
.TP |
1721 |
-.B --down cmd |
|
1721 |
+.B \-\-down cmd |
|
1722 | 1722 |
Shell command to run after TUN/TAP device close |
1723 | 1723 |
(post |
1724 |
-.B --user |
|
1724 |
+.B \-\-user |
|
1725 | 1725 |
UID change and/or |
1726 |
-.B --chroot |
|
1726 |
+.B \-\-chroot |
|
1727 | 1727 |
). Called with the same parameters and environmental |
1728 | 1728 |
variables as the |
1729 |
-.B --up |
|
1729 |
+.B \-\-up |
|
1730 | 1730 |
option above. |
1731 | 1731 |
|
1732 | 1732 |
Note that if you reduce privileges by using |
1733 |
-.B --user |
|
1733 |
+.B \-\-user |
|
1734 | 1734 |
and/or |
1735 |
-.B --group, |
|
1735 |
+.B \-\-group, |
|
1736 | 1736 |
your |
1737 |
-.B --down |
|
1737 |
+.B \-\-down |
|
1738 | 1738 |
script will also run at reduced privilege. |
1739 | 1739 |
.\"********************************************************* |
1740 | 1740 |
.TP |
1741 |
-.B --down-pre |
|
1741 |
+.B \-\-down-pre |
|
1742 | 1742 |
Call |
1743 |
-.B --down |
|
1743 |
+.B \-\-down |
|
1744 | 1744 |
cmd/script before, rather than after, TUN/TAP close. |
1745 | 1745 |
.\"********************************************************* |
1746 | 1746 |
.TP |
1747 |
-.B --up-restart |
|
1747 |
+.B \-\-up-restart |
|
1748 | 1748 |
Enable the |
1749 |
-.B --up |
|
1749 |
+.B \-\-up |
|
1750 | 1750 |
and |
1751 |
-.B --down |
|
1751 |
+.B \-\-down |
|
1752 | 1752 |
scripts to be called for restarts as well as initial program start. |
1753 | 1753 |
This option is described more fully above in the |
1754 |
-.B --up |
|
1754 |
+.B \-\-up |
|
1755 | 1755 |
option documentation. |
1756 | 1756 |
.\"********************************************************* |
1757 | 1757 |
.TP |
1758 |
-.B --setenv name value |
|
1758 |
+.B \-\-setenv name value |
|
1759 | 1759 |
Set a custom environmental variable |
1760 | 1760 |
.B name=value |
1761 | 1761 |
to pass to script. |
1762 | 1762 |
.\"********************************************************* |
1763 | 1763 |
.TP |
1764 |
-.B --setenv FORWARD_COMPATIBLE 1 |
|
1764 |
+.B \-\-setenv FORWARD_COMPATIBLE 1 |
|
1765 | 1765 |
Relax config file syntax checking so that unknown directives |
1766 | 1766 |
will trigger a warning but not a fatal error, |
1767 | 1767 |
on the assumption that a given unknown directive might be valid |
... | ... |
@@ -1774,7 +1774,7 @@ new software features to gracefully degrade when encountered by |
1774 | 1774 |
older software versions. |
1775 | 1775 |
.\"********************************************************* |
1776 | 1776 |
.TP |
1777 |
-.B --setenv-safe name value |
|
1777 |
+.B \-\-setenv-safe name value |
|
1778 | 1778 |
Set a custom environmental variable |
1779 | 1779 |
.B OPENVPN_name=value |
1780 | 1780 |
to pass to script. |
... | ... |
@@ -1785,23 +1785,23 @@ is a safety precaution to prevent a LD_PRELOAD style attack |
1785 | 1785 |
from a malicious or compromised server. |
1786 | 1786 |
.\"********************************************************* |
1787 | 1787 |
.TP |
1788 |
-.B --script-security level [method] |
|
1788 |
+.B \-\-script-security level [method] |
|
1789 | 1789 |
This directive offers policy-level control over OpenVPN's usage of external programs |
1790 | 1790 |
and scripts. Lower |
1791 | 1791 |
.B level |
1792 | 1792 |
values are more restrictive, higher values are more permissive. Settings for |
1793 | 1793 |
.B level: |
1794 | 1794 |
|
1795 |
-.B 0 -- |
|
1795 |
+.B 0 \-\- |
|
1796 | 1796 |
Strictly no calling of external programs. |
1797 | 1797 |
.br |
1798 |
-.B 1 -- |
|
1798 |
+.B 1 \-\- |
|
1799 | 1799 |
(Default) Only call built-in executables such as ifconfig, ip, route, or netsh. |
1800 | 1800 |
.br |
1801 |
-.B 2 -- |
|
1801 |
+.B 2 \-\- |
|
1802 | 1802 |
Allow calling of built-in executables and user-defined scripts. |
1803 | 1803 |
.br |
1804 |
-.B 3 -- |
|
1804 |
+.B 3 \-\- |
|
1805 | 1805 |
Allow passwords to be passed to scripts via environmental variables (potentially unsafe). |
1806 | 1806 |
|
1807 | 1807 |
The |
... | ... |
@@ -1810,33 +1810,33 @@ parameter indicates how OpenVPN should call external commands and scripts. |
1810 | 1810 |
Settings for |
1811 | 1811 |
.B method: |
1812 | 1812 |
|
1813 |
-.B execve -- |
|
1813 |
+.B execve \-\- |
|
1814 | 1814 |
(default) Use execve() function on Unix family OSes and CreateProcess() on Windows. |
1815 | 1815 |
.br |
1816 |
-.B system -- |
|
1816 |
+.B system \-\- |
|
1817 | 1817 |
Use system() function (deprecated and less safe since the external program command |
1818 | 1818 |
line is subject to shell expansion). |
1819 | 1819 |
|
1820 | 1820 |
The |
1821 |
-.B --script-security |
|
1821 |
+.B \-\-script-security |
|
1822 | 1822 |
option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility |
1823 | 1823 |
with previous OpenVPN versions, use: |
1824 |
-.B --script-security 3 system |
|
1824 |
+.B \-\-script-security 3 system |
|
1825 | 1825 |
.\"********************************************************* |
1826 | 1826 |
.TP |
1827 |
-.B --disable-occ |
|
1827 |
+.B \-\-disable-occ |
|
1828 | 1828 |
Don't output a warning message if option inconsistencies are detected between |
1829 | 1829 |
peers. An example of an option inconsistency would be where one peer uses |
1830 |
-.B --dev tun |
|
1830 |
+.B \-\-dev tun |
|
1831 | 1831 |
while the other peer uses |
1832 |
-.B --dev tap. |
|
1832 |
+.B \-\-dev tap. |
|
1833 | 1833 |
|
1834 | 1834 |
Use of this option is discouraged, but is provided as |
1835 | 1835 |
a temporary fix in situations where a recent version of OpenVPN must |
1836 | 1836 |
connect to an old version. |
1837 | 1837 |
.\"********************************************************* |
1838 | 1838 |
.TP |
1839 |
-.B --user user |
|
1839 |
+.B \-\-user user |
|
1840 | 1840 |
Change the user ID of the OpenVPN process to |
1841 | 1841 |
.B user |
1842 | 1842 |
after initialization, dropping privileges in the process. |
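Review bot: the hyphenated option names in this hunk keep their inner hyphen unescaped (`+.B \-\-script-security` at 1821 and 1824, `+.B \-\-disable-occ` at 1827), and groff treats a bare `-` in text the same way wherever it occurs, so on a UTF-8 terminal the rendered option can still come out as `--script‐security` with a non-ASCII hyphen in the middle, which breaks copy-and-paste and grep of the option name just as the leading dashes did. groff_man(7) recommends `\-` for every hyphen in an option name, i.e. `\-\-script\-security`, and the same applies to `\-\-persist\-key`, `\-\-client\-config\-dir` and the other hyphenated options throughout the patch. Since the UTF-8 rendering problem from the Debian report is the whole point of this change, consider extending the replacement to inner hyphens before merging, or state in the commit message that only the leading dashes are addressed so nobody mistakes the fix for complete.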
... | ... |
@@ -1858,7 +1858,7 @@ you want to reset an OpenVPN daemon with a |
1858 | 1858 |
signal |
1859 | 1859 |
(for example in response |
1860 | 1860 |
to a DHCP reset), you should make use of one or more of the |
1861 |
-.B --persist |
|
1861 |
+.B \-\-persist |
|
1862 | 1862 |
options to ensure that OpenVPN doesn't need to execute any privileged |
1863 | 1863 |
operations in order to restart (such as re-reading key files |
1864 | 1864 |
or running |
... | ... |
@@ -1866,16 +1866,16 @@ or running |
1866 | 1866 |
on the TUN device). |
1867 | 1867 |
.\"********************************************************* |
1868 | 1868 |
.TP |
1869 |
-.B --group group |
|
1869 |
+.B \-\-group group |
|
1870 | 1870 |
Similar to the |
1871 |
-.B --user |
|
1871 |
+.B \-\-user |
|
1872 | 1872 |
option, |
1873 | 1873 |
this option changes the group ID of the OpenVPN process to |
1874 | 1874 |
.B group |
1875 | 1875 |
after initialization. |
1876 | 1876 |
.\"********************************************************* |
1877 | 1877 |
.TP |
1878 |
-.B --cd dir |
|
1878 |
+.B \-\-cd dir |
|
1879 | 1879 |
Change directory to |
1880 | 1880 |
.B dir |
1881 | 1881 |
prior to reading any files such as |
... | ... |
@@ -1887,16 +1887,16 @@ to the current directory such as "." or "..". |
1887 | 1887 |
|
1888 | 1888 |
This option is useful when you are running |
1889 | 1889 |
OpenVPN in |
1890 |
-.B --daemon |
|
1890 |
+.B \-\-daemon |
|
1891 | 1891 |
mode, and you want to consolidate all of |
1892 | 1892 |
your OpenVPN control files in one location. |
1893 | 1893 |
.\"********************************************************* |
1894 | 1894 |
.TP |
1895 |
-.B --chroot dir |
|
1895 |
+.B \-\-chroot dir |
|
1896 | 1896 |
Chroot to |
1897 | 1897 |
.B dir |
1898 | 1898 |
after initialization. |
1899 |
-.B --chroot |
|
1899 |
+.B \-\-chroot |
|
1900 | 1900 |
essentially redefines |
1901 | 1901 |
.B dir |
1902 | 1902 |
as being the top |
... | ... |
@@ -1915,22 +1915,22 @@ complications can result when scripts or restarts |
1915 | 1915 |
are executed after the chroot operation. |
1916 | 1916 |
.\"********************************************************* |
1917 | 1917 |
.TP |
1918 |
-.B --setcon context |
|
1918 |
+.B \-\-setcon context |
|
1919 | 1919 |
Apply SELinux |
1920 | 1920 |
.B context |
1921 | 1921 |
after initialization. This |
1922 | 1922 |
essentially provides the ability to restrict OpenVPN's |
1923 | 1923 |
rights to only network I/O operations, thanks to |
1924 | 1924 |
SELinux. This goes further than |
1925 |
-.B --user |
|
1925 |
+.B \-\-user |
|
1926 | 1926 |
and |
1927 |
-.B --chroot |
|
1927 |
+.B \-\-chroot |
|
1928 | 1928 |
in that those two, while being great security features, |
1929 | 1929 |
unfortunately do not protect against privilege escalation |
1930 | 1930 |
by exploitation of a vulnerable system call. You can of |
1931 | 1931 |
course combine all three, but please note that since |
1932 | 1932 |
setcon requires access to /proc you will have to provide |
1933 |
-it inside the chroot directory (e.g. with mount --bind). |
|
1933 |
+it inside the chroot directory (e.g. with mount \-\-bind). |
|
1934 | 1934 |
|
1935 | 1935 |
Since the setcon operation is delayed until after |
1936 | 1936 |
initialization, OpenVPN can be restricted to just |
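Review bot: line 1933 (`+it inside the chroot directory (e.g. with mount \-\-bind).`) shows that the problem is not confined to `.B` macro arguments; option names inside running body text need the same escape. Because nearly every other changed line in the patch is a `.B` line, please confirm the body-text occurrences were found systematically rather than by eye, for example by checking that a grep for `--` over the patched openvpn.8 returns no hits, so that no occurrence outside the visible hunks was missed.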
... | ... |
@@ -1942,13 +1942,13 @@ allow many things required only during initialization. |
1942 | 1942 |
Like with chroot, complications can result when scripts |
1943 | 1943 |
or restarts are executed after the setcon operation, |
1944 | 1944 |
which is why you should really consider using the |
1945 |
-.B --persist-key |
|
1945 |
+.B \-\-persist-key |
|
1946 | 1946 |
and |
1947 |
-.B --persist-tun |
|
1947 |
+.B \-\-persist-tun |
|
1948 | 1948 |
options. |
1949 | 1949 |
.\"********************************************************* |
1950 | 1950 |
.TP |
1951 |
-.B --daemon [progname] |
|
1951 |
+.B \-\-daemon [progname] |
|
1952 | 1952 |
Become a daemon after all initialization functions are completed. |
1953 | 1953 |
This option will cause all message and error output to |
1954 | 1954 |
be sent to the syslog file (such as /var/log/messages), |
... | ... |
@@ -1957,10 +1957,10 @@ ifconfig commands, |
1957 | 1957 |
which will go to /dev/null unless otherwise redirected. |
1958 | 1958 |
The syslog redirection occurs immediately at the point |
1959 | 1959 |
that |
1960 |
-.B --daemon |
|
1960 |
+.B \-\-daemon |
|
1961 | 1961 |
is parsed on the command line even though |
1962 | 1962 |
the daemonization point occurs later. If one of the |
1963 |
-.B --log |
|
1963 |
+.B \-\-log |
|
1964 | 1964 |
options is present, it will supercede syslog |
1965 | 1965 |
redirection. |
1966 | 1966 |
|
... | ... |
@@ -1976,7 +1976,7 @@ When unspecified, |
1976 | 1976 |
defaults to "openvpn". |
1977 | 1977 |
|
1978 | 1978 |
When OpenVPN is run with the |
1979 |
-.B --daemon |
|
1979 |
+.B \-\-daemon |
|
1980 | 1980 |
option, it will try to delay daemonization until the majority of initialization |
1981 | 1981 |
functions which are capable of generating fatal errors are complete. This means |
1982 | 1982 |
that initialization scripts can test the return status of the |
... | ... |
@@ -1986,20 +1986,20 @@ has correctly initialized and entered the packet forwarding event loop. |
1986 | 1986 |
In OpenVPN, the vast majority of errors which occur after initialization are non-fatal. |
1987 | 1987 |
.\"********************************************************* |
1988 | 1988 |
.TP |
1989 |
-.B --syslog [progname] |
|
1989 |
+.B \-\-syslog [progname] |
|
1990 | 1990 |
Direct log output to system logger, but do not become a daemon. |
1991 | 1991 |
See |
1992 |
-.B --daemon |
|
1992 |
+.B \-\-daemon |
|
1993 | 1993 |
directive above for description of |
1994 | 1994 |
.B progname |
1995 | 1995 |
parameter. |
1996 | 1996 |
.\"********************************************************* |
1997 | 1997 |
.TP |
1998 |
-.B --passtos |
|
1998 |
+.B \-\-passtos |
|
1999 | 1999 |
Set the TOS field of the tunnel packet to what the payload's TOS is. |
2000 | 2000 |
.\"********************************************************* |
2001 | 2001 |
.TP |
2002 |
-.B --inetd [wait|nowait] [progname] |
|
2002 |
+.B \-\-inetd [wait|nowait] [progname] |
|
2003 | 2003 |
Use this option when OpenVPN is being run from the inetd or |
2004 | 2004 |
.BR xinetd(8) |
2005 | 2005 |
server. |
... | ... |
@@ -2010,7 +2010,7 @@ option must match what is specified in the inetd/xinetd |
2010 | 2010 |
config file. The |
2011 | 2011 |
.B nowait |
2012 | 2012 |
mode can only be used with |
2013 |
-.B --proto tcp-server. |
|
2013 |
+.B \-\-proto tcp-server. |
|
2014 | 2014 |
The default is |
2015 | 2015 |
.B wait. |
2016 | 2016 |
The |
... | ... |
@@ -2022,16 +2022,16 @@ see the OpenVPN FAQ: |
2022 | 2022 |
.I http://openvpn.net/faq.html#oneport |
2023 | 2023 |
|
2024 | 2024 |
This option precludes the use of |
2025 |
-.B --daemon, --local, |
|
2025 |
+.B \-\-daemon, \-\-local, |
|
2026 | 2026 |
or |
2027 |
-.B --remote. |
|
2027 |
+.B \-\-remote. |
|
2028 | 2028 |
Note that this option causes message and error output to be handled in the same |
2029 | 2029 |
way as the |
2030 |
-.B --daemon |
|
2030 |
+.B \-\-daemon |
|
2031 | 2031 |
option. The optional |
2032 | 2032 |
.B progname |
2033 | 2033 |
parameter is also handled exactly as in |
2034 |
-.B --daemon. |
|
2034 |
+.B \-\-daemon. |
|
2035 | 2035 |
|
2036 | 2036 |
Also note that in |
2037 | 2037 |
.B wait |
... | ... |
@@ -2041,7 +2041,7 @@ on using OpenVPN with xinetd: |
2041 | 2041 |
.I http://openvpn.net/1xhowto.html |
2042 | 2042 |
.\"********************************************************* |
2043 | 2043 |
.TP |
2044 |
-.B --log file |
|
2044 |
+.B \-\-log file |
|
2045 | 2045 |
Output logging messages to |
2046 | 2046 |
.B file, |
2047 | 2047 |
including output to stdout/stderr which |
... | ... |
@@ -2052,44 +2052,44 @@ already exists it will be truncated. |
2052 | 2052 |
This option takes effect |
2053 | 2053 |
immediately when it is parsed in the command line |
2054 | 2054 |
and will supercede syslog output if |
2055 |
-.B --daemon |
|
2055 |
+.B \-\-daemon |
|
2056 | 2056 |
or |
2057 |
-.B --inetd |
|
2057 |
+.B \-\-inetd |
|
2058 | 2058 |
is also specified. |
2059 | 2059 |
This option is persistent over the entire course of |
2060 | 2060 |
an OpenVPN instantiation and will not be reset by SIGHUP, |
2061 | 2061 |
SIGUSR1, or |
2062 |
-.B --ping-restart. |
|
2062 |
+.B \-\-ping-restart. |
|
2063 | 2063 |
|
2064 | 2064 |
Note that on Windows, when OpenVPN is started as a service, |
2065 | 2065 |
logging occurs by default without the need to specify |
2066 | 2066 |
this option. |
2067 | 2067 |
.\"********************************************************* |
2068 | 2068 |
.TP |
2069 |
-.B --log-append file |
|
2069 |
+.B \-\-log-append file |
|
2070 | 2070 |
Append logging messages to |
2071 | 2071 |
.B file. |
2072 | 2072 |
If |
2073 | 2073 |
.B file |
2074 | 2074 |
does not exist, it will be created. |
2075 | 2075 |
This option behaves exactly like |
2076 |
-.B --log |
|
2076 |
+.B \-\-log |
|
2077 | 2077 |
except that it appends to rather |
2078 | 2078 |
than truncating the log file. |
2079 | 2079 |
.\"********************************************************* |
2080 | 2080 |
.TP |
2081 |
-.B --suppress-timestamps |
|
2081 |
+.B \-\-suppress-timestamps |
|
2082 | 2082 |
Avoid writing timestamps to log messages, even when they |
2083 | 2083 |
otherwise would be prepended. In particular, this applies to |
2084 | 2084 |
log messages sent to stdout. |
2085 | 2085 |
.\"********************************************************* |
2086 | 2086 |
.TP |
2087 |
-.B --writepid file |
|
2087 |
+.B \-\-writepid file |
|
2088 | 2088 |
Write OpenVPN's main process ID to |
2089 | 2089 |
.B file. |
2090 | 2090 |
.\"********************************************************* |
2091 | 2091 |
.TP |
2092 |
-.B --nice n |
|
2092 |
+.B \-\-nice n |
|
2093 | 2093 |
Change process priority after initialization |
2094 | 2094 |
( |
2095 | 2095 |
.B n |
... | ... |
@@ -2098,14 +2098,14 @@ greater than 0 is lower priority, |
2098 | 2098 |
less than zero is higher priority). |
2099 | 2099 |
.\"********************************************************* |
2100 | 2100 |
.\".TP |
2101 |
-.\".B --nice-work n |
|
2101 |
+.\".B \-\-nice-work n |
|
2102 | 2102 |
.\"Change priority of background TLS work thread. The TLS thread |
2103 | 2103 |
.\"feature is enabled when OpenVPN is built |
2104 | 2104 |
.\"with pthread support, and you are running OpenVPN |
2105 | 2105 |
.\"in TLS mode (i.e. with |
2106 |
-.\".B --tls-client |
|
2106 |
+.\".B \-\-tls-client |
|
2107 | 2107 |
.\"or |
2108 |
-.\".B --tls-server |
|
2108 |
+.\".B \-\-tls-server |
|
2109 | 2109 |
.\"specified). |
2110 | 2110 |
.\" |
2111 | 2111 |
.\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based |
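Review bot: lines 2101, 2106 and 2108 in this hunk (`+.\".B \-\-nice-work n`, `+.\".B \-\-tls-client`, `+.\".B \-\-tls-server`) are roff comments, as is 2118 in the following hunk, so escaping them has no effect on the rendered page. The change is harmless and keeps the block consistent should it ever be uncommented, but it can be dropped if the maintainers prefer a minimal diff.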
... | ... |
@@ -2115,12 +2115,12 @@ less than zero is higher priority). |
2115 | 2115 |
.\"The parameter |
2116 | 2116 |
.\".B n |
2117 | 2117 |
.\"is interpreted exactly as with the |
2118 |
-.\".B --nice |
|
2118 |
+.\".B \-\-nice |
|
2119 | 2119 |
.\"option above, but in relation to the work thread rather |
2120 | 2120 |
.\"than the main thread. |
2121 | 2121 |
.\"********************************************************* |
2122 | 2122 |
.TP |
2123 |
-.B --fast-io |
|
2123 |
+.B \-\-fast-io |
|
2124 | 2124 |
(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding |
2125 | 2125 |
a call to poll/epoll/select prior to the write operation. The purpose |
2126 | 2126 |
of such a call would normally be to block until the device |
... | ... |
@@ -2131,13 +2131,13 @@ by avoiding the poll/epoll/select call, improving CPU efficiency |
2131 | 2131 |
by 5% to 10%. |
2132 | 2132 |
|
2133 | 2133 |
This option can only be used on non-Windows systems, when |
2134 |
-.B --proto udp |
|
2134 |
+.B \-\-proto udp |
|
2135 | 2135 |
is specified, and when |
2136 |
-.B --shaper |
|
2136 |
+.B \-\-shaper |
|
2137 | 2137 |
is NOT specified. |
2138 | 2138 |
.\"********************************************************* |
2139 | 2139 |
.TP |
2140 |
-.B --multihome |
|
2140 |
+.B \-\-multihome |
|
2141 | 2141 |
Configure a multi-homed UDP server. This option can be used when |
2142 | 2142 |
OpenVPN has been configured to listen on all interfaces, and will |
2143 | 2143 |
attempt to bind client sessions to the interface on which packets |
... | ... |
@@ -2146,13 +2146,13 @@ of the same interface. Note that this option is only relevant for |
2146 | 2146 |
UDP servers and currently is only implemented on Linux. |
2147 | 2147 |
|
2148 | 2148 |
Note: clients connecting to a |
2149 |
-.B --multihome |
|
2149 |
+.B \-\-multihome |
|
2150 | 2150 |
server should always use the |
2151 |
-.B --nobind |
|
2151 |
+.B \-\-nobind |
|
2152 | 2152 |
option. |
2153 | 2153 |
.\"********************************************************* |
2154 | 2154 |
.TP |
2155 |
-.B --echo [parms...] |
|
2155 |
+.B \-\-echo [parms...] |
|
2156 | 2156 |
Echo |
2157 | 2157 |
.B parms |
2158 | 2158 |
to log output. |
... | ... |
@@ -2161,7 +2161,7 @@ Designed to be used to send messages to a controlling application |
2161 | 2161 |
which is receiving the OpenVPN log output. |
2162 | 2162 |
.\"********************************************************* |
2163 | 2163 |
.TP |
2164 |
-.B --remap-usr1 signal |
|
2164 |
+.B \-\-remap-usr1 signal |
|
2165 | 2165 |
Control whether internally or externally |
2166 | 2166 |
generated SIGUSR1 signals are remapped to |
2167 | 2167 |
SIGHUP (restart without persisting state) or |
... | ... |
@@ -2172,20 +2172,20 @@ can be set to "SIGHUP" or "SIGTERM". By default, no remapping |
2172 | 2172 |
occurs. |
2173 | 2173 |
.\"********************************************************* |
2174 | 2174 |
.TP |
2175 |
-.B --verb n |
|
2175 |
+.B \-\-verb n |
|
2176 | 2176 |
Set output verbosity to |
2177 | 2177 |
.B n |
2178 | 2178 |
(default=1). Each level shows all info from the previous levels. |
2179 | 2179 |
Level 3 is recommended if you want a good summary |
2180 | 2180 |
of what's happening without being swamped by output. |
2181 | 2181 |
|
2182 |
-.B 0 -- |
|
2182 |
+.B 0 \-\- |
|
2183 | 2183 |
No output except fatal errors. |
2184 | 2184 |
.br |
2185 |
-.B 1 to 4 -- |
|
2185 |
+.B 1 to 4 \-\- |
|
2186 | 2186 |
Normal usage range. |
2187 | 2187 |
.br |
2188 |
-.B 5 -- |
|
2188 |
+.B 5 \-\- |
|
2189 | 2189 |
Output |
2190 | 2190 |
.B R |
2191 | 2191 |
and |
... | ... |
@@ -2193,12 +2193,12 @@ and |
2193 | 2193 |
characters to the console for each packet read and write, uppercase is |
2194 | 2194 |
used for TCP/UDP packets and lowercase is used for TUN/TAP packets. |
2195 | 2195 |
.br |
2196 |
-.B 6 to 11 -- |
|
2196 |
+.B 6 to 11 \-\- |
|
2197 | 2197 |
Debug info range (see errlevel.h for additional |
2198 | 2198 |
information on debug levels). |
2199 | 2199 |
.\"********************************************************* |
2200 | 2200 |
.TP |
2201 |
-.B --status file [n] |
|
2201 |
+.B \-\-status file [n] |
|
2202 | 2202 |
Write operational status to |
2203 | 2203 |
.B file |
2204 | 2204 |
every |
... | ... |
@@ -2210,21 +2210,21 @@ Status can also be written to the syslog by sending a |
2210 | 2210 |
signal. |
2211 | 2211 |
.\"********************************************************* |
2212 | 2212 |
.TP |
2213 |
-.B --status-version [n] |
|
2213 |
+.B \-\-status-version [n] |
|
2214 | 2214 |
Choose the status file format version number. Currently |
2215 | 2215 |
.B n |
2216 | 2216 |
can be 1, 2, or 3 and defaults to 1. |
2217 | 2217 |
.\"********************************************************* |
2218 | 2218 |
.TP |
2219 |
-.B --mute n |
|
2219 |
+.B \-\-mute n |
|
2220 | 2220 |
Log at most |
2221 | 2221 |
.B n |
2222 | 2222 |
consecutive messages in the same category. This is useful to |
2223 | 2223 |
limit repetitive logging of similar message types. |
2224 | 2224 |
.\"********************************************************* |
2225 | 2225 |
.TP |
2226 |
-.B --comp-lzo [mode] |
|
2227 |
-Use fast LZO compression -- may add up to 1 byte per |
|
2226 |
+.B \-\-comp-lzo [mode] |
|
2227 |
+Use fast LZO compression \-\- may add up to 1 byte per |
|
2228 | 2228 |
packet for incompressible data. |
2229 | 2229 |
.B mode |
2230 | 2230 |
may be "yes", "no", or "adaptive" (default). |
... | ... |
@@ -2234,16 +2234,16 @@ compression on or off for individual clients. |
2234 | 2234 |
|
2235 | 2235 |
First, make sure the client-side config file enables selective |
2236 | 2236 |
compression by having at least one |
2237 |
-.B --comp-lzo |
|
2237 |
+.B \-\-comp-lzo |
|
2238 | 2238 |
directive, such as |
2239 |
-.B --comp-lzo no. |
|
2239 |
+.B \-\-comp-lzo no. |
|
2240 | 2240 |
This will turn off compression by default, |
2241 | 2241 |
but allow a future directive push from the server to |
2242 | 2242 |
dynamically change the |
2243 | 2243 |
on/off/adaptive setting. |
2244 | 2244 |
|
2245 | 2245 |
Next in a |
2246 |
-.B --client-config-dir |
|
2246 |
+.B \-\-client-config-dir |
|
2247 | 2247 |
file, specify the compression setting for the client, |
2248 | 2248 |
for example: |
2249 | 2249 |
|
... | ... |
@@ -2262,12 +2262,12 @@ setting for the server |
2262 | 2262 |
side of the link, the second sets the client side. |
2263 | 2263 |
.\"********************************************************* |
2264 | 2264 |
.TP |
2265 |
-.B --comp-noadapt |
|
2265 |
+.B \-\-comp-noadapt |
|
2266 | 2266 |
When used in conjunction with |
2267 |
-.B --comp-lzo, |
|
2267 |
+.B \-\-comp-lzo, |
|
2268 | 2268 |
this option will disable OpenVPN's adaptive compression algorithm. |
2269 | 2269 |
Normally, adaptive compression is enabled with |
2270 |
-.B --comp-lzo. |
|
2270 |
+.B \-\-comp-lzo. |
|
2271 | 2271 |
|
2272 | 2272 |
Adaptive compression tries to optimize the case where you have |
2273 | 2273 |
compression enabled, but you are sending predominantly uncompressible |
... | ... |
@@ -2279,7 +2279,7 @@ the compression efficiency will be very low, triggering openvpn to disable |
2279 | 2279 |
compression for a period of time until the next re-sample test. |
2280 | 2280 |
.\"********************************************************* |
2281 | 2281 |
.TP |
2282 |
-.B --management IP port [pw-file] |
|
2282 |
+.B \-\-management IP port [pw-file] |
|
2283 | 2283 |
Enable a TCP server on |
2284 | 2284 |
.B IP:port |
2285 | 2285 |
to handle daemon management functions. |
... | ... |
@@ -2298,9 +2298,9 @@ and set |
2298 | 2298 |
.B port |
2299 | 2299 |
to 'unix'. While the default behavior is to create a unix domain socket |
2300 | 2300 |
that may be connected to by any process, the |
2301 |
-.B --management-client-user |
|
2301 |
+.B \-\-management-client-user |
|
2302 | 2302 |
and |
2303 |
-.B --management-client-group |
|
2303 |
+.B \-\-management-client-group |
|
2304 | 2304 |
directives can be used to restrict access. |
2305 | 2305 |
|
2306 | 2306 |
The management interface provides a special mode where the TCP |
... | ... |
@@ -2329,24 +2329,24 @@ be set to 127.0.0.1 |
2329 | 2329 |
server to local clients. |
2330 | 2330 |
.\"********************************************************* |
2331 | 2331 |
.TP |
2332 |
-.B --management-query-passwords |
|
2332 |
+.B \-\-management-query-passwords |
|
2333 | 2333 |
Query management channel for private key password and |
2334 |
-.B --auth-user-pass |
|
2334 |
+.B \-\-auth-user-pass |
|
2335 | 2335 |
username/password. Only query the management channel |
2336 | 2336 |
for inputs which ordinarily would have been queried from the |
2337 | 2337 |
console. |
2338 | 2338 |
.\"********************************************************* |
2339 | 2339 |
.TP |
2340 |
-.B --management-forget-disconnect |
|
2340 |
+.B \-\-management-forget-disconnect |
|
2341 | 2341 |
Make OpenVPN forget passwords when management session |
2342 | 2342 |
disconnects. |
2343 | 2343 |
|
2344 | 2344 |
This directive does not affect the |
2345 |
-.B --http-proxy |
|
2345 |
+.B \-\-http-proxy |
|
2346 | 2346 |
username/password. It is always cached. |
2347 | 2347 |
.\"********************************************************* |
2348 | 2348 |
.TP |
2349 |
-.B --management-hold |
|
2349 |
+.B \-\-management-hold |
|
2350 | 2350 |
Start OpenVPN in a hibernating state, until a client |
2351 | 2351 |
of the management interface explicitly starts it |
2352 | 2352 |
with the |
... | ... |
@@ -2354,45 +2354,45 @@ with the |
2354 | 2354 |
command. |
2355 | 2355 |
.\"********************************************************* |
2356 | 2356 |
.TP |
2357 |
-.B --management-signal |
|
2357 |
+.B \-\-management-signal |
|
2358 | 2358 |
Send SIGUSR1 signal to OpenVPN if management session disconnects. |
2359 | 2359 |
This is useful when you wish to disconnect an OpenVPN session on |
2360 | 2360 |
user logoff. |
2361 | 2361 |
.\"********************************************************* |
2362 | 2362 |
.TP |
2363 |
-.B --management-log-cache n |
|
2363 |
+.B \-\-management-log-cache n |
|
2364 | 2364 |
Cache the most recent |
2365 | 2365 |
.B n |
2366 | 2366 |
lines of log file history for usage |
2367 | 2367 |
by the management channel. |
2368 | 2368 |
.\"********************************************************* |
2369 | 2369 |
.TP |
2370 |
-.B --management-client-auth |
|
2370 |
+.B \-\-management-client-auth |
|
2371 | 2371 |
Gives management interface client the responsibility |
2372 | 2372 |
to authenticate clients after their client certificate |
2373 | 2373 |
has been verified. See management-notes.txt in OpenVPN |
2374 | 2374 |
distribution for detailed notes. |
2375 | 2375 |
.\"********************************************************* |
2376 | 2376 |
.TP |
2377 |
-.B --management-client-pf |
|
2377 |
+.B \-\-management-client-pf |
|
2378 | 2378 |
Management interface clients must specify a packet |
2379 | 2379 |
filter file for each connecting client. See management-notes.txt |
2380 | 2380 |
in OpenVPN distribution for detailed notes. |
2381 | 2381 |
.\"********************************************************* |
2382 | 2382 |
.TP |
2383 |
-.B --management-client-user u |
|
2383 |
+.B \-\-management-client-user u |
|
2384 | 2384 |
When the management interface is listening on a unix domain socket, |
2385 | 2385 |
only allow connections from user |
2386 | 2386 |
.B u. |
2387 | 2387 |
.\"********************************************************* |
2388 | 2388 |
.TP |
2389 |
-.B --management-client-group g |
|
2389 |
+.B \-\-management-client-group g |
|
2390 | 2390 |
When the management interface is listening on a unix domain socket, |
2391 | 2391 |
only allow connections from group |
2392 | 2392 |
.B g. |
2393 | 2393 |
.\"********************************************************* |
2394 | 2394 |
.TP |
2395 |
-.B --plugin module-pathname [init-string] |
|
2395 |
+.B \-\-plugin module-pathname [init-string] |
|
2396 | 2396 |
Load plug-in module from the file |
2397 | 2397 |
.B module-pathname, |
2398 | 2398 |
passing |
... | ... |
@@ -2428,7 +2428,7 @@ the connection to be authenticated. |
2428 | 2428 |
.SS Server Mode |
2429 | 2429 |
Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode |
2430 | 2430 |
is supported, and can be enabled with the |
2431 |
-.B --mode server |
|
2431 |
+.B \-\-mode server |
|
2432 | 2432 |
option. In server mode, OpenVPN will listen on a single |
2433 | 2433 |
port for incoming client connections. All client |
2434 | 2434 |
connections will be routed through a single tun or tap |
... | ... |
@@ -2438,7 +2438,7 @@ on sufficiently fast hardware. SSL/TLS authentication must |
2438 | 2438 |
be used in this mode. |
2439 | 2439 |
.\"********************************************************* |
2440 | 2440 |
.TP |
2441 |
-.B --server network netmask |
|
2441 |
+.B \-\-server network netmask |
|
2442 | 2442 |
A helper directive designed to simplify the configuration |
2443 | 2443 |
of OpenVPN's server mode. This directive will set up an |
2444 | 2444 |
OpenVPN server which will allocate addresses to clients |
... | ... |
@@ -2448,7 +2448,7 @@ for use as the server-side endpoint of the local |
2448 | 2448 |
TUN/TAP interface. |
2449 | 2449 |
|
2450 | 2450 |
For example, |
2451 |
-.B --server 10.8.0.0 255.255.255.0 |
|
2451 |
+.B \-\-server 10.8.0.0 255.255.255.0 |
|
2452 | 2452 |
expands as follows: |
2453 | 2453 |
|
2454 | 2454 |
.nf |
... | ... |
@@ -2478,23 +2478,23 @@ expands as follows: |
2478 | 2478 |
.fi |
2479 | 2479 |
|
2480 | 2480 |
Don't use |
2481 |
-.B --server |
|
2481 |
+.B \-\-server |
|
2482 | 2482 |
if you are ethernet bridging. Use |
2483 |
-.B --server-bridge |
|
2483 |
+.B \-\-server-bridge |
|
2484 | 2484 |
instead. |
2485 | 2485 |
.\"********************************************************* |
2486 | 2486 |
.TP |
2487 |
-.B --server-bridge gateway netmask pool-start-IP pool-end-IP |
|
2487 |
+.B \-\-server-bridge gateway netmask pool-start-IP pool-end-IP |
|
2488 | 2488 |
.TP |
2489 |
-.B --server-bridge ['nogw'] |
|
2489 |
+.B \-\-server-bridge ['nogw'] |
|
2490 | 2490 |
|
2491 | 2491 |
A helper directive similar to |
2492 |
-.B --server |
|
2492 |
+.B \-\-server |
|
2493 | 2493 |
which is designed to simplify the configuration |
2494 | 2494 |
of OpenVPN's server mode in ethernet bridging configurations. |
2495 | 2495 |
|
2496 | 2496 |
If |
2497 |
-.B --server-bridge |
|
2497 |
+.B \-\-server-bridge |
|
2498 | 2498 |
is used without any parameters, it will enable a DHCP-proxy |
2499 | 2499 |
mode, where connecting OpenVPN clients will receive an IP |
2500 | 2500 |
address for their TAP adapter from the DHCP server running |
... | ... |
@@ -2522,7 +2522,7 @@ IP/netmask on the bridge interface. The |
2522 | 2522 |
and |
2523 | 2523 |
.B netmask |
2524 | 2524 |
parameters to |
2525 |
-.B --server-bridge |
|
2525 |
+.B \-\-server-bridge |
|
2526 | 2526 |
can be set to either the IP/netmask of the |
2527 | 2527 |
bridge interface, or the IP/netmask of the |
2528 | 2528 |
default gateway/router on the bridged |
... | ... |
@@ -2554,7 +2554,7 @@ push "route-gateway 10.8.0.4" |
2554 | 2554 |
.fi |
2555 | 2555 |
|
2556 | 2556 |
In another example, |
2557 |
-.B --server-bridge |
|
2557 |
+.B \-\-server-bridge |
|
2558 | 2558 |
(without parameters) expands as follows: |
2559 | 2559 |
|
2560 | 2560 |
.nf |
... | ... |
@@ -2569,7 +2569,7 @@ push "route-gateway dhcp" |
2569 | 2569 |
.fi |
2570 | 2570 |
|
2571 | 2571 |
Or |
2572 |
-.B --server-bridge nogw |
|
2572 |
+.B \-\-server-bridge nogw |
|
2573 | 2573 |
expands as follows: |
2574 | 2574 |
|
2575 | 2575 |
.nf |
... | ... |
@@ -2582,13 +2582,13 @@ tls-server |
2582 | 2582 |
.fi |
2583 | 2583 |
.\"********************************************************* |
2584 | 2584 |
.TP |
2585 |
-.B --push "option" |
|
2585 |
+.B \-\-push "option" |
|
2586 | 2586 |
Push a config file option back to the client for remote |
2587 | 2587 |
execution. Note that |
2588 | 2588 |
.B |
2589 | 2589 |
option |
2590 | 2590 |
must be enclosed in double quotes (""). The client must specify |
2591 |
-.B --pull |
|
2591 |
+.B \-\-pull |
|
2592 | 2592 |
in its config file. The set of options which can be |
2593 | 2593 |
pushed is limited by both feasibility and security. |
2594 | 2594 |
Some options such as those which would execute scripts |
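Review bot: while touching `+.B \-\-push "option"` at 2585, note that the quotes around `"option"` are consumed as macro-argument quoting by the man macros and are not rendered, so the synopsis displays as `--push option` even though the text at 2590 says the option must be enclosed in double quotes. If the intent is to show the quotes literally, the argument needs an explicit quote glyph, for example `.B \-\-push \(dqoption\(dq`. This is pre-existing and not introduced by the patch, so it can also be left for a follow-up.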
... | ... |
@@ -2599,44 +2599,44 @@ cannot be pushed because the client needs to know |
2599 | 2599 |
them before the connection to the server can be initiated. |
2600 | 2600 |
|
2601 | 2601 |
This is a partial list of options which can currently be pushed: |
2602 |
-.B --route, --route-gateway, --route-delay, --redirect-gateway, |
|
2603 |
-.B --ip-win32, --dhcp-option, |
|
2604 |
-.B --inactive, --ping, --ping-exit, --ping-restart, |
|
2605 |
-.B --setenv, |
|
2606 |
-.B --persist-key, --persist-tun, --echo, |
|
2607 |
-.B --comp-lzo, |
|
2608 |
-.B --socket-flags, |
|
2609 |
-.B --sndbuf, --rcvbuf |
|
2602 |
+.B \-\-route, \-\-route-gateway, \-\-route-delay, \-\-redirect-gateway, |
|
2603 |
+.B \-\-ip-win32, \-\-dhcp-option, |
|
2604 |
+.B \-\-inactive, \-\-ping, \-\-ping-exit, \-\-ping-restart, |
|
2605 |
+.B \-\-setenv, |
|
2606 |
+.B \-\-persist-key, \-\-persist-tun, \-\-echo, |
|
2607 |
+.B \-\-comp-lzo, |
|
2608 |
+.B \-\-socket-flags, |
|
2609 |
+.B \-\-sndbuf, \-\-rcvbuf |
|
2610 | 2610 |
.\"********************************************************* |
2611 | 2611 |
.TP |
2612 |
-.B --push-reset |
|
2612 |
+.B \-\-push-reset |
|
2613 | 2613 |
Don't inherit the global push list for a specific client instance. |
2614 | 2614 |
Specify this option in a client-specific context such |
2615 | 2615 |
as with a |
2616 |
-.B --client-config-dir |
|
2616 |
+.B \-\-client-config-dir |
|
2617 | 2617 |
configuration file. This option will ignore |
2618 |
-.B --push |
|
2618 |
+.B \-\-push |
|
2619 | 2619 |
options at the global config file level. |
2620 | 2620 |
.\"********************************************************* |
2621 | 2621 |
.TP |
2622 |
-.B --disable |
|
2622 |
+.B \-\-disable |
|
2623 | 2623 |
Disable a particular client (based on the common name) |
2624 | 2624 |
from connecting. Don't use this option to disable a client |
2625 | 2625 |
due to key or password compromise. Use a CRL (certificate |
2626 | 2626 |
revocation list) instead (see the |
2627 |
-.B --crl-verify |
|
2627 |
+.B \-\-crl-verify |
|
2628 | 2628 |
option). |
2629 | 2629 |
|
2630 | 2630 |
This option must be associated with a specific client instance, |
2631 | 2631 |
which means that it must be specified either in a client |
2632 | 2632 |
instance config file using |
2633 |
-.B --client-config-dir |
|
2633 |
+.B \-\-client-config-dir |
|
2634 | 2634 |
or dynamically generated using a |
2635 |
-.B --client-connect |
|
2635 |
+.B \-\-client-connect |
|
2636 | 2636 |
script. |
2637 | 2637 |
.\"********************************************************* |
2638 | 2638 |
.TP |
2639 |
-.B --ifconfig-pool start-IP end-IP [netmask] |
|
2639 |
+.B \-\-ifconfig-pool start-IP end-IP [netmask] |
|
2640 | 2640 |
Set aside a pool of subnets to be |
2641 | 2641 |
dynamically allocated to connecting clients, similar |
2642 | 2642 |
to a DHCP server. For tun-style |
... | ... |
@@ -2649,7 +2649,7 @@ parameter will also be pushed to clients. |
2649 | 2649 |
|
2650 | 2650 |
.\"********************************************************* |
2651 | 2651 |
.TP |
2652 |
-.B --ifconfig-pool-persist file [seconds] |
|
2652 |
+.B \-\-ifconfig-pool-persist file [seconds] |
|
2653 | 2653 |
Persist/unpersist ifconfig-pool |
2654 | 2654 |
data to |
2655 | 2655 |
.B file, |
... | ... |
@@ -2664,7 +2664,7 @@ IP address assigned to them from the ifconfig-pool. |
2664 | 2664 |
Maintaining a long-term |
2665 | 2665 |
association is good for clients because it allows them |
2666 | 2666 |
to effectively use the |
2667 |
-.B --persist-tun |
|
2667 |
+.B \-\-persist-tun |
|
2668 | 2668 |
option. |
2669 | 2669 |
|
2670 | 2670 |
.B file |
... | ... |
@@ -2685,32 +2685,32 @@ suggestions only, based on past associations between |
2685 | 2685 |
a common name and IP address. They do not guarantee that the given common |
2686 | 2686 |
name will always receive the given IP address. If you want guaranteed |
2687 | 2687 |
assignment, use |
2688 |
-.B --ifconfig-push |
|
2688 |
+.B \-\-ifconfig-push |
|
2689 | 2689 |
.\"********************************************************* |
2690 | 2690 |
.TP |
2691 |
-.B --ifconfig-pool-linear |
|
2691 |
+.B \-\-ifconfig-pool-linear |
|
2692 | 2692 |
Modifies the |
2693 |
-.B --ifconfig-pool |
|
2693 |
+.B \-\-ifconfig-pool |
|
2694 | 2694 |
directive to |
2695 | 2695 |
allocate individual TUN interface addresses for |
2696 | 2696 |
clients rather than /30 subnets. NOTE: This option |
2697 | 2697 |
is incompatible with Windows clients. |
2698 | 2698 |
|
2699 | 2699 |
This option is deprecated, and should be replaced with |
2700 |
-.B --topology p2p |
|
2700 |
+.B \-\-topology p2p |
|
2701 | 2701 |
which is functionally equivalent. |
2702 | 2702 |
.\"********************************************************* |
2703 | 2703 |
.TP |
2704 |
-.B --ifconfig-push local remote-netmask |
|
2704 |
+.B \-\-ifconfig-push local remote-netmask |
|
2705 | 2705 |
Push virtual IP endpoints for client tunnel, |
2706 |
-overriding the --ifconfig-pool dynamic allocation. |
|
2706 |
+overriding the \-\-ifconfig-pool dynamic allocation. |
|
2707 | 2707 |
|
2708 | 2708 |
The parameters |
2709 | 2709 |
.B local |
2710 | 2710 |
and |
2711 | 2711 |
.B remote-netmask |
2712 | 2712 |
are set according to the |
2713 |
-.B --ifconfig |
|
2713 |
+.B \-\-ifconfig |
|
2714 | 2714 |
directive which you want to execute on the client machine to |
2715 | 2715 |
configure the remote end of the tunnel. Note that the parameters |
2716 | 2716 |
.B local |
... | ... |
@@ -2723,13 +2723,13 @@ on the server at the time of client connection. |
2723 | 2723 |
This option must be associated with a specific client instance, |
2724 | 2724 |
which means that it must be specified either in a client |
2725 | 2725 |
instance config file using |
2726 |
-.B --client-config-dir |
|
2726 |
+.B \-\-client-config-dir |
|
2727 | 2727 |
or dynamically generated using a |
2728 |
-.B --client-connect |
|
2728 |
+.B \-\-client-connect |
|
2729 | 2729 |
script. |
2730 | 2730 |
|
2731 | 2731 |
Remember also to include a |
2732 |
-.B --route |
|
2732 |
+.B \-\-route |
|
2733 | 2733 |
directive in the main OpenVPN config file which encloses |
2734 | 2734 |
.B local, |
2735 | 2735 |
so that the kernel will know to route it |
... | ... |
@@ -2739,23 +2739,23 @@ OpenVPN's internal client IP address selection algorithm works as |
2739 | 2739 |
follows: |
2740 | 2740 |
|
2741 | 2741 |
.B 1 |
2742 |
-.B --client-connect script |
|
2742 |
+\-\- Use |
|
2743 |
+.B \-\-client-connect script |
|
2743 | 2744 |
generated file for static IP (first choice). |
2744 | 2745 |
.br |
2745 | 2746 |
.B 2 |
2746 |
-.B --client-config-dir |
|
2747 |
+\-\- Use |
|
2748 |
+.B \-\-client-config-dir |
|
2747 | 2749 |
file for static IP (next choice). |
2748 | 2750 |
.br |
2749 | 2751 |
.B 3 |
2750 |
-.B --ifconfig-pool |
|
2752 |
+\-\- Use |
|
2753 |
+.B \-\-ifconfig-pool |
|
2751 | 2754 |
allocation for dynamic IP (last choice). |
2752 | 2755 |
.br |
2753 | 2756 |
.\"********************************************************* |
2754 | 2757 |
.TP |
2755 |
-.B --iroute network [netmask] |
|
2758 |
+.B \-\-iroute network [netmask] |
|
2756 | 2759 |
Generate an internal route to a specific |
2757 | 2760 |
client. The |
2758 | 2761 |
.B netmask |
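Review bot: the new lines 2742, 2747 and 2752 insert the text `\-\- Use` ahead of each bolded option, so this hunk changes the wording of the address-selection list (it now renders as "1 -- Use --client-connect script generated file for static IP (first choice)") rather than only escaping dashes; the commit message describes a pure escaping patch, so either mention the wording change there or carry it as a separate commit. Note also that the header reads `@@ -2739,23 +2739,23 @@` while the new-side numbering in this view advances by three lines (2743 to 2744, 2747 to 2749, 2752 to 2755); if that is the header as submitted rather than a display artifact, git apply will reject the hunk and it should be regenerated.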
... | ... |
@@ -2766,36 +2766,36 @@ the server to a particular client, regardless |
2766 | 2766 |
of where the client is connecting from. Remember |
2767 | 2767 |
that you must also add the route to the system |
2768 | 2768 |
routing table as well (such as by using the |
2769 |
-.B --route |
|
2769 |
+.B \-\-route |
|
2770 | 2770 |
directive). The reason why two routes are needed |
2771 | 2771 |
is that the |
2772 |
-.B --route |
|
2772 |
+.B \-\-route |
|
2773 | 2773 |
directive routes the packet from the kernel |
2774 | 2774 |
to OpenVPN. Once in OpenVPN, the |
2775 |
-.B --iroute |
|
2775 |
+.B \-\-iroute |
|
2776 | 2776 |
directive routes to the specific client. |
2777 | 2777 |
|
2778 | 2778 |
This option must be specified either in a client |
2779 | 2779 |
instance config file using |
2780 |
-.B --client-config-dir |
|
2780 |
+.B \-\-client-config-dir |
|
2781 | 2781 |
or dynamically generated using a |
2782 |
-.B --client-connect |
|
2782 |
+.B \-\-client-connect |
|
2783 | 2783 |
script. |
2784 | 2784 |
|
2785 | 2785 |
The |
2786 |
-.B --iroute |
|
2786 |
+.B \-\-iroute |
|
2787 | 2787 |
directive also has an important interaction with |
2788 |
-.B --push |
|
2788 |
+.B \-\-push |
|
2789 | 2789 |
"route ...". |
2790 |
-.B --iroute |
|
2790 |
+.B \-\-iroute |
|
2791 | 2791 |
essentially defines a subnet which is owned by a |
2792 | 2792 |
particular client (we will call this client A). |
2793 | 2793 |
If you would like other clients to be able to reach A's |
2794 | 2794 |
subnet, you can use |
2795 |
-.B --push |
|
2795 |
+.B \-\-push |
|
2796 | 2796 |
"route ..." |
2797 | 2797 |
together with |
2798 |
-.B --client-to-client |
|
2798 |
+.B \-\-client-to-client |
|
2799 | 2799 |
to effect this. In order for all clients to see |
2800 | 2800 |
A's subnet, OpenVPN must push this route to all clients |
2801 | 2801 |
EXCEPT for A, since the subnet is already owned by A. |
... | ... |
@@ -2804,11 +2804,11 @@ not pushing a route to a client |
2804 | 2804 |
if it matches one of the client's iroutes. |
2805 | 2805 |
.\"********************************************************* |
2806 | 2806 |
.TP |
2807 |
-.B --client-to-client |
|
2807 |
+.B \-\-client-to-client |
|
2808 | 2808 |
Because the OpenVPN server mode handles multiple clients |
2809 | 2809 |
through a single tun or tap interface, it is effectively |
2810 | 2810 |
a router. The |
2811 |
-.B --client-to-client |
|
2811 |
+.B \-\-client-to-client |
|
2812 | 2812 |
flag tells OpenVPN to internally route client-to-client |
2813 | 2813 |
traffic rather than pushing all client-originating traffic |
2814 | 2814 |
to the TUN/TAP interface. |
... | ... |
@@ -2820,13 +2820,13 @@ if you want to firewall tunnel traffic using |
2820 | 2820 |
custom, per-client rules. |
2821 | 2821 |
.\"********************************************************* |
2822 | 2822 |
.TP |
2823 |
-.B --duplicate-cn |
|
2823 |
+.B \-\-duplicate-cn |
|
2824 | 2824 |
Allow multiple clients with the same common name to concurrently connect. |
2825 | 2825 |
In the absence of this option, OpenVPN will disconnect a client instance |
2826 | 2826 |
upon connection of a new client having the same common name. |
2827 | 2827 |
.\"********************************************************* |
2828 | 2828 |
.TP |
2829 |
-.B --client-connect script |
|
2829 |
+.B \-\-client-connect script |
|
2830 | 2830 |
Run |
2831 | 2831 |
.B script |
2832 | 2832 |
on client connection. The script is passed the common name |
... | ... |
@@ -2842,7 +2842,7 @@ to be applied on the server when the client connects, |
2842 | 2842 |
it should write it to the file named by $1. |
2843 | 2843 |
|
2844 | 2844 |
See the |
2845 |
-.B --client-config-dir |
|
2845 |
+.B \-\-client-config-dir |
|
2846 | 2846 |
option below for options which |
2847 | 2847 |
can be legally used in a dynamically generated config file. |
2848 | 2848 |
|
... | ... |
@@ -2854,18 +2854,18 @@ returns a non-zero error status, it will cause the client |
2854 | 2854 |
to be disconnected. |
2855 | 2855 |
.\"********************************************************* |
2856 | 2856 |
.TP |
2857 |
-.B --client-disconnect |
|
2857 |
+.B \-\-client-disconnect |
|
2858 | 2858 |
Like |
2859 |
-.B --client-connect |
|
2859 |
+.B \-\-client-connect |
|
2860 | 2860 |
but called on client instance shutdown. Will not be called |
2861 | 2861 |
unless the |
2862 |
-.B --client-connect |
|
2862 |
+.B \-\-client-connect |
|
2863 | 2863 |
script and plugins (if defined) |
2864 | 2864 |
were previously called on this instance with |
2865 | 2865 |
successful (0) status returns. |
2866 | 2866 |
|
2867 | 2867 |
The exception to this rule is if the |
2868 |
-.B --client-disconnect |
|
2868 |
+.B \-\-client-disconnect |
|
2869 | 2869 |
script or plugins are cascaded, and at least one client-connect |
2870 | 2870 |
function succeeded, then ALL of the client-disconnect functions for |
2871 | 2871 |
scripts and plugins will be called on client instance object deletion, |
... | ... |
@@ -2874,7 +2874,7 @@ an error status. |
2874 | 2874 |
.B |
2875 | 2875 |
.\"********************************************************* |
2876 | 2876 |
.TP |
2877 |
-.B --client-config-dir dir |
|
2877 |
+.B \-\-client-config-dir dir |
|
2878 | 2878 |
Specify a directory |
2879 | 2879 |
.B dir |
2880 | 2880 |
for custom client config files. After |
... | ... |
@@ -2888,9 +2888,9 @@ will instead try to open and parse a default file called |
2888 | 2888 |
|
2889 | 2889 |
This file can specify a fixed IP address for a given |
2890 | 2890 |
client using |
2891 |
-.B --ifconfig-push, |
|
2891 |
+.B \-\-ifconfig-push, |
|
2892 | 2892 |
as well as fixed subnets owned by the client using |
2893 |
-.B --iroute. |
|
2893 |
+.B \-\-iroute. |
|
2894 | 2894 |
|
2895 | 2895 |
One of the useful properties of this option is that it |
2896 | 2896 |
allows client configuration files to be conveniently |
... | ... |
@@ -2899,28 +2899,28 @@ without needing to restart the server. |
2899 | 2899 |
|
2900 | 2900 |
The following |
2901 | 2901 |
options are legal in a client-specific context: |
2902 |
-.B --push, --push-reset, --iroute, --ifconfig-push, |
|
2902 |
+.B \-\-push, \-\-push-reset, \-\-iroute, \-\-ifconfig-push, |
|
2903 | 2903 |
and |
2904 |
-.B --config. |
|
2904 |
+.B \-\-config. |
|
2905 | 2905 |
.\"********************************************************* |
2906 | 2906 |
.TP |
2907 |
-.B --ccd-exclusive |
|
2907 |
+.B \-\-ccd-exclusive |
|
2908 | 2908 |
Require, as a |
2909 | 2909 |
condition of authentication, that a connecting client has a |
2910 |
-.B --client-config-dir |
|
2910 |
+.B \-\-client-config-dir |
|
2911 | 2911 |
file. |
2912 | 2912 |
.\"********************************************************* |
2913 | 2913 |
.TP |
2914 |
-.B --tmp-dir dir |
|
2914 |
+.B \-\-tmp-dir dir |
|
2915 | 2915 |
Specify a directory |
2916 | 2916 |
.B dir |
2917 | 2917 |
for temporary files. This directory will be used by |
2918 |
-.B --client-connect |
|
2918 |
+.B \-\-client-connect |
|
2919 | 2919 |
scripts to dynamically generate client-specific |
2920 | 2920 |
configuration files. |
2921 | 2921 |
.\"********************************************************* |
2922 | 2922 |
.TP |
2923 |
-.B --hash-size r v |
|
2923 |
+.B \-\-hash-size r v |
|
2924 | 2924 |
Set the size of the real address hash table to |
2925 | 2925 |
.B r |
2926 | 2926 |
and the virtual address table to |
... | ... |
@@ -2928,13 +2928,13 @@ and the virtual address table to |
2928 | 2928 |
By default, both tables are sized at 256 buckets. |
2929 | 2929 |
.\"********************************************************* |
2930 | 2930 |
.TP |
2931 |
-.B --bcast-buffers n |
|
2931 |
+.B \-\-bcast-buffers n |
|
2932 | 2932 |
Allocate |
2933 | 2933 |
.B n |
2934 | 2934 |
buffers for broadcast datagrams (default=256). |
2935 | 2935 |
.\"********************************************************* |
2936 | 2936 |
.TP |
2937 |
-.B --tcp-queue-limit n |
|
2937 |
+.B \-\-tcp-queue-limit n |
|
2938 | 2938 |
Maximum number of output packets queued before TCP (default=64). |
2939 | 2939 |
|
2940 | 2940 |
When OpenVPN is tunneling data from a TUN/TAP device to a |
... | ... |
@@ -2946,7 +2946,7 @@ OpenVPN will start to drop outgoing packets directed |
2946 | 2946 |
at this client. |
2947 | 2947 |
.\"********************************************************* |
2948 | 2948 |
.TP |
2949 |
-.B --tcp-nodelay |
|
2949 |
+.B \-\-tcp-nodelay |
|
2950 | 2950 |
This macro sets the TCP_NODELAY socket flag on the server |
2951 | 2951 |
as well as pushes it to connecting clients. The TCP_NODELAY |
2952 | 2952 |
flag disables the Nagle algorithm on TCP sockets causing |
... | ... |
@@ -2969,13 +2969,13 @@ The macro expands as follows: |
2969 | 2969 |
.fi |
2970 | 2970 |
.\"********************************************************* |
2971 | 2971 |
.TP |
2972 |
-.B --max-clients n |
|
2972 |
+.B \-\-max-clients n |
|
2973 | 2973 |
Limit server to a maximum of |
2974 | 2974 |
.B n |
2975 | 2975 |
concurrent clients. |
2976 | 2976 |
.\"********************************************************* |
2977 | 2977 |
.TP |
2978 |
-.B --max-routes-per-client n |
|
2978 |
+.B \-\-max-routes-per-client n |
|
2979 | 2979 |
Allow a maximum of |
2980 | 2980 |
.B n |
2981 | 2981 |
internal routes per client (default=256). |
... | ... |
@@ -2985,9 +2985,9 @@ server with packets appearing to come from many unique MAC addresses, |
2985 | 2985 |
forcing the server to deplete |
2986 | 2986 |
virtual memory as its internal routing table expands. |
2987 | 2987 |
This directive can be used in a |
2988 |
-.B --client-config-dir |
|
2988 |
+.B \-\-client-config-dir |
|
2989 | 2989 |
file or auto-generated by a |
2990 |
-.B --client-connect |
|
2990 |
+.B \-\-client-connect |
|
2991 | 2991 |
script to override the global value for a particular client. |
2992 | 2992 |
|
2993 | 2993 |
Note that this |
... | ... |
@@ -2995,7 +2995,7 @@ directive affects OpenVPN's internal routing table, not the |
2995 | 2995 |
kernel routing table. |
2996 | 2996 |
.\"********************************************************* |
2997 | 2997 |
.TP |
2998 |
-.B --connect-freq n sec |
|
2998 |
+.B \-\-connect-freq n sec |
|
2999 | 2999 |
Allow a maximum of |
3000 | 3000 |
.B n |
3001 | 3001 |
new connections per |
... | ... |
@@ -3009,12 +3009,12 @@ DoS scenario, legitimate connections might also be refused. |
3009 | 3009 |
|
3010 | 3010 |
For the best protection against DoS attacks in server mode, |
3011 | 3011 |
use |
3012 |
-.B --proto udp |
|
3012 |
+.B \-\-proto udp |
|
3013 | 3013 |
and |
3014 |
-.B --tls-auth. |
|
3014 |
+.B \-\-tls-auth. |
|
3015 | 3015 |
.\"********************************************************* |
3016 | 3016 |
.TP |
3017 |
-.B --learn-address cmd |
|
3017 |
+.B \-\-learn-address cmd |
|
3018 | 3018 |
Run script or shell command |
3019 | 3019 |
.B cmd |
3020 | 3020 |
to validate client virtual addresses or routes. |
... | ... |
@@ -3022,19 +3022,19 @@ to validate client virtual addresses or routes. |
3022 | 3022 |
.B cmd |
3023 | 3023 |
will be executed with 3 parameters: |
3024 | 3024 |
|
3025 |
-.B [1] operation -- |
|
3025 |
+.B [1] operation \-\- |
|
3026 | 3026 |
"add", "update", or "delete" based on whether or not |
3027 | 3027 |
the address is being added to, modified, or deleted from |
3028 | 3028 |
OpenVPN's internal routing table. |
3029 | 3029 |
.br |
3030 |
-.B [2] address -- |
|
3030 |
+.B [2] address \-\- |
|
3031 | 3031 |
The address being learned or unlearned. This can be |
3032 | 3032 |
an IPv4 address such as "198.162.10.14", an IPv4 subnet |
3033 | 3033 |
such as "198.162.10.0/24", or an ethernet MAC address (when |
3034 |
-.B --dev tap |
|
3034 |
+.B \-\-dev tap |
|
3035 | 3035 |
is being used) such as "00:FF:01:02:03:04". |
3036 | 3036 |
.br |
3037 |
-.B [3] common name -- |
|
3037 |
+.B [3] common name \-\- |
|
3038 | 3038 |
The common name on the certificate associated with the |
3039 | 3039 |
client linked to this address. Only present for "add" |
3040 | 3040 |
or "update" operations, not "delete". |
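Review bot: the `\-\-` in `[1] operation \-\-`, `[2] address \-\-` and `[3] common name \-\-` are prose separators, not option prefixes, so a hyphen glyph there would have been harmless; escaping them is still fine for consistency (the `none \-\-` / `nointeract \-\-` / `interact \-\-` list under \-\-auth-retry is treated the same way), and `\(em` would be the alternative if a real dash is wanted. Unrelated to this patch but visible in the context lines: the sample addresses "198.162.10.14" and "198.162.10.0/24" are not in a private or documentation range and look like a transposition of 192.168.10.x; the RFC 5737 documentation ranges (192.0.2.0/24 and friends) would be the safe choice in a follow-up.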
... | ... |
@@ -3054,7 +3054,7 @@ policies with regard to the client's high-level common name, |
3054 | 3054 |
rather than the low level client virtual addresses. |
3055 | 3055 |
.\"********************************************************* |
3056 | 3056 |
.TP |
3057 |
-.B --auth-user-pass-verify script method |
|
3057 |
+.B \-\-auth-user-pass-verify script method |
|
3058 | 3058 |
Require the client to provide a username/password (possibly |
3059 | 3059 |
in addition to a client certificate) for authentication. |
3060 | 3060 |
|
... | ... |
@@ -3085,10 +3085,10 @@ will be passed as an argument to |
3085 | 3085 |
and the file will be automatically deleted by OpenVPN after |
3086 | 3086 |
the script returns. The location of the temporary file is |
3087 | 3087 |
controlled by the |
3088 |
-.B --tmp-dir |
|
3088 |
+.B \-\-tmp-dir |
|
3089 | 3089 |
option, and will default to the current directory if unspecified. |
3090 | 3090 |
For security, consider setting |
3091 |
-.B --tmp-dir |
|
3091 |
+.B \-\-tmp-dir |
|
3092 | 3092 |
to a volatile storage medium such as |
3093 | 3093 |
.B /dev/shm |
3094 | 3094 |
(if available) to prevent the username/password file from touching the hard drive. |
... | ... |
@@ -3120,7 +3120,7 @@ For a sample script that performs PAM authentication, see |
3120 | 3120 |
in the OpenVPN source distribution. |
3121 | 3121 |
.\"********************************************************* |
3122 | 3122 |
.TP |
3123 |
-.B --opt-verify |
|
3123 |
+.B \-\-opt-verify |
|
3124 | 3124 |
Clients that connect with options that are incompatible |
3125 | 3125 |
with those of the server will be disconnected. |
3126 | 3126 |
|
... | ... |
@@ -3130,16 +3130,16 @@ comp-lzo, fragment, keydir, cipher, auth, keysize, secret, |
3130 | 3130 |
no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client. |
3131 | 3131 |
|
3132 | 3132 |
This option requires that |
3133 |
-.B --disable-occ |
|
3133 |
+.B \-\-disable-occ |
|
3134 | 3134 |
NOT be used. |
3135 | 3135 |
.\"********************************************************* |
3136 | 3136 |
.TP |
3137 |
-.B --auth-user-pass-optional |
|
3137 |
+.B \-\-auth-user-pass-optional |
|
3138 | 3138 |
Allow connections by clients that do not specify a username/password. |
3139 | 3139 |
Normally, when |
3140 |
-.B --auth-user-pass-verify |
|
3140 |
+.B \-\-auth-user-pass-verify |
|
3141 | 3141 |
or |
3142 |
-.B --management-client-auth |
|
3142 |
+.B \-\-management-client-auth |
|
3143 | 3143 |
is specified (or an authentication plugin module), the |
3144 | 3144 |
OpenVPN server daemon will require connecting clients to specify a |
3145 | 3145 |
username and password. This option makes the submission of a username/password |
... | ... |
@@ -3152,35 +3152,35 @@ to empty strings (""). The authentication module/script MUST have logic |
3152 | 3152 |
to detect this condition and respond accordingly. |
3153 | 3153 |
.\"********************************************************* |
3154 | 3154 |
.TP |
3155 |
-.B --client-cert-not-required |
|
3155 |
+.B \-\-client-cert-not-required |
|
3156 | 3156 |
Don't require client certificate, client will authenticate |
3157 | 3157 |
using username/password only. Be aware that using this directive |
3158 | 3158 |
is less secure than requiring certificates from all clients. |
3159 | 3159 |
|
3160 | 3160 |
If you use this directive, the |
3161 | 3161 |
entire responsibility of authentication will rest on your |
3162 |
-.B --auth-user-pass-verify |
|
3162 |
+.B \-\-auth-user-pass-verify |
|
3163 | 3163 |
script, so keep in mind that bugs in your script |
3164 | 3164 |
could potentially compromise the security of your VPN. |
3165 | 3165 |
|
3166 | 3166 |
If you don't use this directive, but you also specify an |
3167 |
-.B --auth-user-pass-verify |
|
3167 |
+.B \-\-auth-user-pass-verify |
|
3168 | 3168 |
script, then OpenVPN will perform double authentication. The |
3169 | 3169 |
client certificate verification AND the |
3170 |
-.B --auth-user-pass-verify |
|
3170 |
+.B \-\-auth-user-pass-verify |
|
3171 | 3171 |
script will need to succeed in order for a client to be |
3172 | 3172 |
authenticated and accepted onto the VPN. |
3173 | 3173 |
.\"********************************************************* |
3174 | 3174 |
.TP |
3175 |
-.B --username-as-common-name |
|
3175 |
+.B \-\-username-as-common-name |
|
3176 | 3176 |
For |
3177 |
-.B --auth-user-pass-verify |
|
3177 |
+.B \-\-auth-user-pass-verify |
|
3178 | 3178 |
authentication, use |
3179 | 3179 |
the authenticated username as the common name, |
3180 | 3180 |
rather than the common name from the client cert. |
3181 | 3181 |
.\"********************************************************* |
3182 | 3182 |
.TP |
3183 |
-.B --no-name-remapping |
|
3183 |
+.B \-\-no-name-remapping |
|
3184 | 3184 |
Allow Common Name, X509 Subject, and username strings to include |
3185 | 3185 |
any printable character including space, but excluding control |
3186 | 3186 |
characters such as tab, newline, and carriage-return. |
... | ... |
@@ -3201,7 +3201,7 @@ disable the remapping feature. Don't use this option unless you |
3201 | 3201 |
know what you are doing! |
3202 | 3202 |
.\"********************************************************* |
3203 | 3203 |
.TP |
3204 |
-.B --port-share host port |
|
3204 |
+.B \-\-port-share host port |
|
3205 | 3205 |
When run in TCP server mode, share the OpenVPN port with |
3206 | 3206 |
another application, such as an HTTPS server. If OpenVPN |
3207 | 3207 |
senses a connection to its port which is using a non-OpenVPN |
... | ... |
@@ -3216,13 +3216,13 @@ Not implemented on Windows. |
3216 | 3216 |
.SS Client Mode |
3217 | 3217 |
Use client mode when connecting to an OpenVPN server |
3218 | 3218 |
which has |
3219 |
-.B --server, --server-bridge, |
|
3219 |
+.B \-\-server, \-\-server-bridge, |
|
3220 | 3220 |
or |
3221 |
-.B --mode server |
|
3221 |
+.B \-\-mode server |
|
3222 | 3222 |
in it's configuration. |
3223 | 3223 |
.\"********************************************************* |
3224 | 3224 |
.TP |
3225 |
-.B --client |
|
3225 |
+.B \-\-client |
|
3226 | 3226 |
A helper directive designed to simplify the configuration |
3227 | 3227 |
of OpenVPN's client mode. This directive is equivalent to: |
3228 | 3228 |
|
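Review bot: the escaping in this hunk is correct; as a drive-by, context line 3222 still reads "in it's configuration" (should be "its"), which could go into the same cleanup since the file is being touched, or into a follow-up if the patch is to stay escaping-only.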
... | ... |
@@ -3236,33 +3236,33 @@ of OpenVPN's client mode. This directive is equivalent to: |
3236 | 3236 |
.fi |
3237 | 3237 |
.\"********************************************************* |
3238 | 3238 |
.TP |
3239 |
-.B --pull |
|
3239 |
+.B \-\-pull |
|
3240 | 3240 |
This option must be used on a client which is connecting |
3241 | 3241 |
to a multi-client server. It indicates to OpenVPN that it |
3242 | 3242 |
should accept options pushed by the server, provided they |
3243 | 3243 |
are part of the legal set of pushable options (note that the |
3244 |
-.B --pull |
|
3244 |
+.B \-\-pull |
|
3245 | 3245 |
option is implied by |
3246 |
-.B --client |
|
3246 |
+.B \-\-client |
|
3247 | 3247 |
). |
3248 | 3248 |
|
3249 | 3249 |
In particular, |
3250 |
-.B --pull |
|
3250 |
+.B \-\-pull |
|
3251 | 3251 |
allows the server to push routes to the client, so you should |
3252 | 3252 |
not use |
3253 |
-.B --pull |
|
3253 |
+.B \-\-pull |
|
3254 | 3254 |
or |
3255 |
-.B --client |
|
3255 |
+.B \-\-client |
|
3256 | 3256 |
in situations where you don't trust the server to have control |
3257 | 3257 |
over the client's routing table. |
3258 | 3258 |
.\"********************************************************* |
3259 | 3259 |
.TP |
3260 |
-.B --auth-user-pass [up] |
|
3260 |
+.B \-\-auth-user-pass [up] |
|
3261 | 3261 |
Authenticate with server using username/password. |
3262 | 3262 |
.B up |
3263 | 3263 |
is a file containing username/password on 2 lines (Note: OpenVPN |
3264 | 3264 |
will only read passwords from a file if it has been built |
3265 |
-with the --enable-password-save configure option, or on Windows |
|
3265 |
+with the \-\-enable-password-save configure option, or on Windows |
|
3266 | 3266 |
by defining ENABLE_PASSWORD_SAVE in config-win32.h). |
3267 | 3267 |
|
3268 | 3268 |
If |
... | ... |
@@ -3271,12 +3271,12 @@ is omitted, username/password will be prompted from the |
3271 | 3271 |
console. |
3272 | 3272 |
|
3273 | 3273 |
The server configuration must specify an |
3274 |
-.B --auth-user-pass-verify |
|
3274 |
+.B \-\-auth-user-pass-verify |
|
3275 | 3275 |
script to verify the username/password provided by |
3276 | 3276 |
the client. |
3277 | 3277 |
.\"********************************************************* |
3278 | 3278 |
.TP |
3279 |
-.B --auth-retry type |
|
3279 |
+.B \-\-auth-retry type |
|
3280 | 3280 |
Controls how OpenVPN responds to username/password verification |
3281 | 3281 |
errors such as the client-side response to an AUTH_FAILED message from the server |
3282 | 3282 |
or verification failure of the private key password. |
... | ... |
@@ -3287,40 +3287,40 @@ of error. |
3287 | 3287 |
|
3288 | 3288 |
An AUTH_FAILED message is generated by the server if the client |
3289 | 3289 |
fails |
3290 |
-.B --auth-user-pass |
|
3290 |
+.B \-\-auth-user-pass |
|
3291 | 3291 |
authentication, or if the server-side |
3292 |
-.B --client-connect |
|
3292 |
+.B \-\-client-connect |
|
3293 | 3293 |
script returns an error status when the client |
3294 | 3294 |
tries to connect. |
3295 | 3295 |
|
3296 | 3296 |
.B type |
3297 | 3297 |
can be one of: |
3298 | 3298 |
|
3299 |
-.B none -- |
|
3299 |
+.B none \-\- |
|
3300 | 3300 |
Client will exit with a fatal error (this is the default). |
3301 | 3301 |
.br |
3302 |
-.B nointeract -- |
|
3302 |
+.B nointeract \-\- |
|
3303 | 3303 |
Client will retry the connection without requerying for an |
3304 |
-.B --auth-user-pass |
|
3304 |
+.B \-\-auth-user-pass |
|
3305 | 3305 |
username/password. Use this option for unattended clients. |
3306 | 3306 |
.br |
3307 |
-.B interact -- |
|
3307 |
+.B interact \-\- |
|
3308 | 3308 |
Client will requery for an |
3309 |
-.B --auth-user-pass |
|
3309 |
+.B \-\-auth-user-pass |
|
3310 | 3310 |
username/password and/or private key password before attempting a reconnection. |
3311 | 3311 |
|
3312 | 3312 |
Note that while this option cannot be pushed, it can be controlled |
3313 | 3313 |
from the management interface. |
3314 | 3314 |
.\"********************************************************* |
3315 | 3315 |
.TP |
3316 |
-.B --server-poll-timeout n |
|
3316 |
+.B \-\-server-poll-timeout n |
|
3317 | 3317 |
when polling possible remote servers to connect to |
3318 | 3318 |
in a round-robin fashion, spend no more than |
3319 | 3319 |
.B n |
3320 | 3320 |
seconds waiting for a response before trying the next server. |
3321 | 3321 |
.\"********************************************************* |
3322 | 3322 |
.TP |
3323 |
-.B --explicit-exit-notify [n] |
|
3323 |
+.B \-\-explicit-exit-notify [n] |
|
3324 | 3324 |
In UDP client mode or point-to-point mode, send server/peer an exit notification |
3325 | 3325 |
if tunnel is restarted or OpenVPN process is exited. In client mode, on |
3326 | 3326 |
exit/restart, this |
... | ... |
@@ -3335,12 +3335,12 @@ These options are meaningful for both Static & TLS-negotiated key modes |
3335 | 3335 |
(must be compatible between peers). |
3336 | 3336 |
.\"********************************************************* |
3337 | 3337 |
.TP |
3338 |
-.B --secret file [direction] |
|
3338 |
+.B \-\-secret file [direction] |
|
3339 | 3339 |
Enable Static Key encryption mode (non-TLS). |
3340 | 3340 |
Use pre-shared secret |
3341 | 3341 |
.B file |
3342 | 3342 |
which was generated with |
3343 |
-.B --genkey. |
|
3343 |
+.B \-\-genkey. |
|
3344 | 3344 |
|
3345 | 3345 |
The optional |
3346 | 3346 |
.B direction |
... | ... |
@@ -3371,7 +3371,7 @@ supports the |
3371 | 3371 |
.B direction |
3372 | 3372 |
parameter, will also support 2048 bit key file generation |
3373 | 3373 |
using the |
3374 |
-.B --genkey |
|
3374 |
+.B \-\-genkey |
|
3375 | 3375 |
option. |
3376 | 3376 |
|
3377 | 3377 |
Static key encryption mode has certain advantages, |
... | ... |
@@ -3401,7 +3401,7 @@ would see nothing |
3401 | 3401 |
but random-looking data. |
3402 | 3402 |
.\"********************************************************* |
3403 | 3403 |
.TP |
3404 |
-.B --auth alg |
|
3404 |
+.B \-\-auth alg |
|
3405 | 3405 |
Authenticate packets with HMAC using message |
3406 | 3406 |
digest algorithm |
3407 | 3407 |
.B alg. |
... | ... |
@@ -3416,7 +3416,7 @@ OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ci |
3416 | 3416 |
|
3417 | 3417 |
In static-key encryption mode, the HMAC key |
3418 | 3418 |
is included in the key file generated by |
3419 |
-.B --genkey. |
|
3419 |
+.B \-\-genkey. |
|
3420 | 3420 |
In TLS mode, the HMAC key is dynamically generated and shared |
3421 | 3421 |
between peers via the TLS control channel. If OpenVPN receives a packet with |
3422 | 3422 |
a bad HMAC it will drop the packet. |
... | ... |
@@ -3429,7 +3429,7 @@ For more information on HMAC see |
3429 | 3429 |
.I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html |
3430 | 3430 |
.\"********************************************************* |
3431 | 3431 |
.TP |
3432 |
-.B --cipher alg |
|
3432 |
+.B \-\-cipher alg |
|
3433 | 3433 |
Encrypt packets with cipher algorithm |
3434 | 3434 |
.B alg. |
3435 | 3435 |
The default is |
... | ... |
@@ -3444,7 +3444,7 @@ For more information on blowfish, see |
3444 | 3444 |
|
3445 | 3445 |
To see other ciphers that are available with |
3446 | 3446 |
OpenVPN, use the |
3447 |
-.B --show-ciphers |
|
3447 |
+.B \-\-show-ciphers |
|
3448 | 3448 |
option. |
3449 | 3449 |
|
3450 | 3450 |
OpenVPN supports the CBC, CFB, and OFB cipher modes, |
... | ... |
@@ -3456,10 +3456,10 @@ Set |
3456 | 3456 |
to disable encryption. |
3457 | 3457 |
.\"********************************************************* |
3458 | 3458 |
.TP |
3459 |
-.B --keysize n |
|
3459 |
+.B \-\-keysize n |
|
3460 | 3460 |
Size of cipher key in bits (optional). |
3461 | 3461 |
If unspecified, defaults to cipher-specific default. The |
3462 |
-.B --show-ciphers |
|
3462 |
+.B \-\-show-ciphers |
|
3463 | 3463 |
option (see below) shows all available OpenSSL ciphers, |
3464 | 3464 |
their default key sizes, and whether the key size can |
3465 | 3465 |
be changed. Use care in changing a cipher's default |
... | ... |
@@ -3469,7 +3469,7 @@ larger key may offer no real guarantee of greater |
3469 | 3469 |
security, or may even reduce security. |
3470 | 3470 |
.\"********************************************************* |
3471 | 3471 |
.TP |
3472 |
-.B --prng alg [nsl] |
|
3472 |
+.B \-\-prng alg [nsl] |
|
3473 | 3473 |
(Advanced) For PRNG (Pseudo-random number generator), |
3474 | 3474 |
use digest algorithm |
3475 | 3475 |
.B alg |
... | ... |
@@ -3484,19 +3484,19 @@ to disable the PRNG and use the OpenSSL RAND_bytes function |
3484 | 3484 |
instead for all of OpenVPN's pseudo-random number needs. |
3485 | 3485 |
.\"********************************************************* |
3486 | 3486 |
.TP |
3487 |
-.B --engine [engine-name] |
|
3487 |
+.B \-\-engine [engine-name] |
|
3488 | 3488 |
Enable OpenSSL hardware-based crypto engine functionality. |
3489 | 3489 |
|
3490 | 3490 |
If |
3491 | 3491 |
.B engine-name |
3492 | 3492 |
is specified, |
3493 | 3493 |
use a specific crypto engine. Use the |
3494 |
-.B --show-engines |
|
3494 |
+.B \-\-show-engines |
|
3495 | 3495 |
standalone option to list the crypto engines which are |
3496 | 3496 |
supported by OpenSSL. |
3497 | 3497 |
.\"********************************************************* |
3498 | 3498 |
.TP |
3499 |
-.B --no-replay |
|
3499 |
+.B \-\-no-replay |
|
3500 | 3500 |
(Advanced) Disable OpenVPN's protection against replay attacks. |
3501 | 3501 |
Don't use this option unless you are prepared to make |
3502 | 3502 |
a tradeoff of greater efficiency in exchange for less |
... | ... |
@@ -3540,7 +3540,7 @@ algorithm used |
3540 | 3540 |
by IPSec. |
3541 | 3541 |
.\"********************************************************* |
3542 | 3542 |
.TP |
3543 |
-.B --replay-window n [t] |
|
3543 |
+.B \-\-replay-window n [t] |
|
3544 | 3544 |
Use a replay protection sliding-window of size |
3545 | 3545 |
.B n |
3546 | 3546 |
and a time window of |
... | ... |
@@ -3555,9 +3555,9 @@ is 15 seconds. |
3555 | 3555 |
|
3556 | 3556 |
This option is only relevant in UDP mode, i.e. |
3557 | 3557 |
when either |
3558 |
-.B --proto udp |
|
3558 |
+.B \-\-proto udp |
|
3559 | 3559 |
is specifed, or no |
3560 |
-.B --proto |
|
3560 |
+.B \-\-proto |
|
3561 | 3561 |
option is specified. |
3562 | 3562 |
|
3563 | 3563 |
When OpenVPN tunnels IP packets over UDP, there is the possibility that |
... | ... |
@@ -3569,7 +3569,7 @@ the TCP/IP protocol stack, provided they satisfy several constraints. |
3569 | 3569 |
|
3570 | 3570 |
.B (a) |
3571 | 3571 |
The packet cannot be a replay (unless |
3572 |
-.B --no-replay |
|
3572 |
+.B \-\-no-replay |
|
3573 | 3573 |
is specified, which disables replay protection altogether). |
3574 | 3574 |
|
3575 | 3575 |
.B (b) |
... | ... |
@@ -3591,7 +3591,7 @@ a larger value for |
3591 | 3591 |
Satellite links in particular often require this. |
3592 | 3592 |
|
3593 | 3593 |
If you run OpenVPN at |
3594 |
-.B --verb 4, |
|
3594 |
+.B \-\-verb 4, |
|
3595 | 3595 |
you will see the message "Replay-window backtrack occurred [x]" |
3596 | 3596 |
every time the maximum sequence number backtrack seen thus far |
3597 | 3597 |
increases. This can be used to calibrate |
... | ... |
@@ -3627,7 +3627,7 @@ parameters of what is to be expected from the physical IP layer. The problem |
3627 | 3627 |
is easily fixed by simply using TCP as the VPN transport layer. |
3628 | 3628 |
.\"********************************************************* |
3629 | 3629 |
.TP |
3630 |
-.B --mute-replay-warnings |
|
3630 |
+.B \-\-mute-replay-warnings |
|
3631 | 3631 |
Silence the output of replay warnings, which are a common |
3632 | 3632 |
false alarm on WiFi networks. This option preserves |
3633 | 3633 |
the security of the replay protection code without |
... | ... |
@@ -3635,7 +3635,7 @@ the verbosity associated with warnings about duplicate |
3635 | 3635 |
packets. |
3636 | 3636 |
.\"********************************************************* |
3637 | 3637 |
.TP |
3638 |
-.B --replay-persist file |
|
3638 |
+.B \-\-replay-persist file |
|
3639 | 3639 |
Persist replay-protection state across sessions using |
3640 | 3640 |
.B file |
3641 | 3641 |
to save and reload the state. |
... | ... |
@@ -3643,7 +3643,7 @@ to save and reload the state. |
3643 | 3643 |
This option will strengthen protection against replay attacks, |
3644 | 3644 |
especially when you are using OpenVPN in a dynamic context (such |
3645 | 3645 |
as with |
3646 |
-.B --inetd) |
|
3646 |
+.B \-\-inetd) |
|
3647 | 3647 |
when OpenVPN sessions are frequently started and stopped. |
3648 | 3648 |
|
3649 | 3649 |
This option will keep a disk copy of the current replay protection |
... | ... |
@@ -3654,12 +3654,12 @@ which were already received by the prior session. |
3654 | 3654 |
|
3655 | 3655 |
This option only makes sense when replay protection is enabled |
3656 | 3656 |
(the default) and you are using either |
3657 |
-.B --secret |
|
3657 |
+.B \-\-secret |
|
3658 | 3658 |
(shared-secret key mode) or TLS mode with |
3659 |
-.B --tls-auth. |
|
3659 |
+.B \-\-tls-auth. |
|
3660 | 3660 |
.\"********************************************************* |
3661 | 3661 |
.TP |
3662 |
-.B --no-iv |
|
3662 |
+.B \-\-no-iv |
|
3663 | 3663 |
(Advanced) Disable OpenVPN's use of IV (cipher initialization vector). |
3664 | 3664 |
Don't use this option unless you are prepared to make |
3665 | 3665 |
a tradeoff of greater efficiency in exchange for less |
... | ... |
@@ -3680,24 +3680,24 @@ space-saving optimization that uses the unique identifier for |
3680 | 3680 |
datagram replay protection as the IV. |
3681 | 3681 |
.\"********************************************************* |
3682 | 3682 |
.TP |
3683 |
-.B --test-crypto |
|
3683 |
+.B \-\-test-crypto |
|
3684 | 3684 |
Do a self-test of OpenVPN's crypto options by encrypting and |
3685 | 3685 |
decrypting test packets using the data channel encryption options |
3686 | 3686 |
specified above. This option does not require a peer to function, |
3687 | 3687 |
and therefore can be specified without |
3688 |
-.B --dev |
|
3688 |
+.B \-\-dev |
|
3689 | 3689 |
or |
3690 |
-.B --remote. |
|
3690 |
+.B \-\-remote. |
|
3691 | 3691 |
|
3692 | 3692 |
The typical usage of |
3693 |
-.B --test-crypto |
|
3693 |
+.B \-\-test-crypto |
|
3694 | 3694 |
would be something like this: |
3695 | 3695 |
|
3696 |
-.B openvpn --test-crypto --secret key |
|
3696 |
+.B openvpn \-\-test-crypto \-\-secret key |
|
3697 | 3697 |
|
3698 | 3698 |
or |
3699 | 3699 |
|
3700 |
-.B openvpn --test-crypto --secret key --verb 9 |
|
3700 |
+.B openvpn \-\-test-crypto \-\-secret key \-\-verb 9 |
|
3701 | 3701 |
|
3702 | 3702 |
This option is very useful to test OpenVPN after it has been ported to |
3703 | 3703 |
a new platform, or to isolate problems in the compiler, OpenSSL |
... | ... |
@@ -3721,17 +3721,17 @@ including certificate-based authentication and Diffie Hellman forward secrecy. |
3721 | 3721 |
|
3722 | 3722 |
To use TLS mode, each peer that runs OpenVPN should have its own local |
3723 | 3723 |
certificate/key pair ( |
3724 |
-.B --cert |
|
3724 |
+.B \-\-cert |
|
3725 | 3725 |
and |
3726 |
-.B --key |
|
3726 |
+.B \-\-key |
|
3727 | 3727 |
), signed by the root certificate which is specified |
3728 | 3728 |
in |
3729 |
-.B --ca. |
|
3729 |
+.B \-\-ca. |
|
3730 | 3730 |
|
3731 | 3731 |
When two OpenVPN peers connect, each presents its local certificate to the |
3732 | 3732 |
other. Each peer will then check that its partner peer presented a |
3733 | 3733 |
certificate which was signed by the master root certificate as specified in |
3734 |
-.B --ca. |
|
3734 |
+.B \-\-ca. |
|
3735 | 3735 |
|
3736 | 3736 |
If that check on both peers succeeds, then the TLS negotiation |
3737 | 3737 |
will succeed, both OpenVPN |
... | ... |
@@ -3748,18 +3748,18 @@ The easy-rsa package is also rendered in web form here: |
3748 | 3748 |
.I http://openvpn.net/easyrsa.html |
3749 | 3749 |
.\"********************************************************* |
3750 | 3750 |
.TP |
3751 |
-.B --tls-server |
|
3751 |
+.B \-\-tls-server |
|
3752 | 3752 |
Enable TLS and assume server role during TLS handshake. Note that |
3753 | 3753 |
OpenVPN is designed as a peer-to-peer application. The designation |
3754 | 3754 |
of client or server is only for the purpose of negotiating the TLS |
3755 | 3755 |
control channel. |
3756 | 3756 |
.\"********************************************************* |
3757 | 3757 |
.TP |
3758 |
-.B --tls-client |
|
3758 |
+.B \-\-tls-client |
|
3759 | 3759 |
Enable TLS and assume client role during TLS handshake. |
3760 | 3760 |
.\"********************************************************* |
3761 | 3761 |
.TP |
3762 |
-.B --ca file |
|
3762 |
+.B \-\-ca file |
|
3763 | 3763 |
Certificate authority (CA) file in .pem format, also referred to as the |
3764 | 3764 |
.I root |
3765 | 3765 |
certificate. This file can have multiple |
... | ... |
@@ -3781,10 +3781,10 @@ production environment, since by virtue of the fact that |
3781 | 3781 |
they are distributed with OpenVPN, they are totally insecure. |
3782 | 3782 |
.\"********************************************************* |
3783 | 3783 |
.TP |
3784 |
-.B --dh file |
|
3784 |
+.B \-\-dh file |
|
3785 | 3785 |
File containing Diffie Hellman parameters |
3786 | 3786 |
in .pem format (required for |
3787 |
-.B --tls-server |
|
3787 |
+.B \-\-tls-server |
|
3788 | 3788 |
only). Use |
3789 | 3789 |
|
3790 | 3790 |
.B openssl dhparam -out dh1024.pem 1024 |
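Review bot: the single-dash option in the unchanged context line `.B openssl dhparam -out dh1024.pem 1024` has the same problem this patch fixes for `--`: groff renders an unescaped `-` as a typographic hyphen, which under a UTF-8 locale is not the ASCII minus, so the command cannot be copied from the rendered page and run as-is. Escape it the same way, `.B openssl dhparam \-out dh1024.pem 1024`, either in this hunk or in a follow-up sweep over single-dash options and command examples.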
... | ... |
@@ -3794,15 +3794,15 @@ included with the OpenVPN distribution. Diffie Hellman parameters |
3794 | 3794 |
may be considered public. |
3795 | 3795 |
.\"********************************************************* |
3796 | 3796 |
.TP |
3797 |
-.B --cert file |
|
3798 |
-Local peer's signed certificate in .pem format -- must be signed |
|
3797 |
+.B \-\-cert file |
|
3798 |
+Local peer's signed certificate in .pem format \-\- must be signed |
|
3799 | 3799 |
by a certificate authority whose certificate is in |
3800 |
-.B --ca file. |
|
3800 |
+.B \-\-ca file. |
|
3801 | 3801 |
Each peer in an OpenVPN link running in TLS mode should have its own |
3802 | 3802 |
certificate and private key file. In addition, each certificate should |
3803 | 3803 |
have been signed by the key of a certificate |
3804 | 3804 |
authority whose public key resides in the |
3805 |
-.B --ca |
|
3805 |
+.B \-\-ca |
|
3806 | 3806 |
certificate authority file. |
3807 | 3807 |
You can easily make your own certificate authority (see above) or pay money |
3808 | 3808 |
to use a commercial service such as thawte.com (in which case you will be |
... | ... |
@@ -3827,7 +3827,7 @@ Note that the |
3827 | 3827 |
command reads the location of the certificate authority key from its |
3828 | 3828 |
configuration file such as |
3829 | 3829 |
.B /usr/share/ssl/openssl.cnf |
3830 |
+\-\- note also |
|
3830 | 3831 |
that for certificate authority functions, you must set up the files |
3831 | 3832 |
.B index.txt |
3832 | 3833 |
(may be empty) and |
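Review bot: this hunk shows an added `+\-\- note also` line but no removed counterpart, although the header `@@ -3827,7 +3827,7 @@` keeps the line count, so exactly one line must have been removed. The removed line begins with `--`, which makes it read `--- note also` in the raw patch, and the diff renderer has treated that as a file header and hidden it. The change itself looks right, but please confirm the raw patch applies cleanly (`git apply --check` or `patch --dry-run`) and that nothing in the submission pipeline strips those `---` lines; the same pattern recurs wherever a prose `--` opens a line.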
... | ... |
@@ -3838,90 +3838,90 @@ that for certificate authority functions, you must set up the files |
3838 | 3838 |
). |
3839 | 3839 |
.\"********************************************************* |
3840 | 3840 |
.TP |
3841 |
-.B --key file |
|
3841 |
+.B \-\-key file |
|
3842 | 3842 |
Local peer's private key in .pem format. Use the private key which was generated |
3843 | 3843 |
when you built your peer's certificate (see |
3844 | 3844 |
.B -cert file |
3845 | 3845 |
above). |
3846 | 3846 |
.\"********************************************************* |
3847 | 3847 |
.TP |
3848 |
-.B --pkcs12 file |
|
3848 |
+.B \-\-pkcs12 file |
|
3849 | 3849 |
Specify a PKCS #12 file containing local private key, |
3850 | 3850 |
local certificate, and root CA certificate. |
3851 | 3851 |
This option can be used instead of |
3852 |
-.B --ca, --cert, |
|
3852 |
+.B \-\-ca, \-\-cert, |
|
3853 | 3853 |
and |
3854 |
-.B --key. |
|
3854 |
+.B \-\-key. |
|
3855 | 3855 |
.\"********************************************************* |
3856 | 3856 |
.TP |
3857 |
-.B --pkcs11-cert-private [0|1]... |
|
3857 |
+.B \-\-pkcs11-cert-private [0|1]... |
|
3858 | 3858 |
Set if access to certificate object should be performed after login. |
3859 | 3859 |
Every provider has its own setting. |
3860 | 3860 |
.\"********************************************************* |
3861 | 3861 |
.TP |
3862 |
-.B --pkcs11-id name |
|
3862 |
+.B \-\-pkcs11-id name |
|
3863 | 3863 |
Specify the serialized certificate id to be used. The id can be gotten |
3864 | 3864 |
by the standalone |
3865 |
-.B --show-pkcs11-ids |
|
3865 |
+.B \-\-show-pkcs11-ids |
|
3866 | 3866 |
option. |
3867 | 3867 |
.\"********************************************************* |
3868 | 3868 |
.TP |
3869 |
-.B --pkcs11-id-management |
|
3869 |
+.B \-\-pkcs11-id-management |
|
3870 | 3870 |
Acquire PKCS#11 id from management interface. In this case a NEED-STR 'pkcs11-id-request' |
3871 | 3871 |
real-time message will be triggered, application may use pkcs11-id-count command to |
3872 | 3872 |
retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate |
3873 | 3873 |
id and certificate body. |
3874 | 3874 |
.\"********************************************************* |
3875 | 3875 |
.TP |
3876 |
-.B --pkcs11-pin-cache seconds |
|
3876 |
+.B \-\-pkcs11-pin-cache seconds |
|
3877 | 3877 |
Specify how many seconds the PIN can be cached, the default is until the token is removed. |
3878 | 3878 |
.\"********************************************************* |
3879 | 3879 |
.TP |
3880 |
-.B --pkcs11-protected-authentication [0|1]... |
|
3880 |
+.B \-\-pkcs11-protected-authentication [0|1]... |
|
3881 | 3881 |
Use PKCS#11 protected authentication path, useful for biometric and external |
3882 | 3882 |
keypad devices. |
3883 | 3883 |
Every provider has its own setting. |
3884 | 3884 |
.\"********************************************************* |
3885 | 3885 |
.TP |
3886 |
-.B --pkcs11-providers provider... |
|
3886 |
+.B \-\-pkcs11-providers provider... |
|
3887 | 3887 |
Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers |
3888 | 3888 |
to load. |
3889 | 3889 |
This option can be used instead of |
3890 |
-.B --cert, --key, |
|
3890 |
+.B \-\-cert, \-\-key, |
|
3891 | 3891 |
and |
3892 |
-.B --pkcs12. |
|
3892 |
+.B \-\-pkcs12. |
|
3893 | 3893 |
.\"********************************************************* |
3894 | 3894 |
.TP |
3895 |
-.B --pkcs11-private-mode mode... |
|
3895 |
+.B \-\-pkcs11-private-mode mode... |
|
3896 | 3896 |
Specify which method to use in order to perform private key operations. |
3897 | 3897 |
A different mode can be specified for each provider. |
3898 | 3898 |
Mode is encoded as hex number, and can be a mask one of the following: |
3899 | 3899 |
|
3900 | 3900 |
.B 0 |
3901 |
-(default) -- Try to determind automatically. |
|
3901 |
+(default) \-\- Try to determind automatically. |
|
3902 | 3902 |
.br |
3903 | 3903 |
.B 1 |
3904 |
+\-\- Use sign. |
|
3904 | 3905 |
.br |
3905 | 3906 |
.B 2 |
3907 |
+\-\- Use sign recover. |
|
3906 | 3908 |
.br |
3907 | 3909 |
.B 4 |
3910 |
+\-\- Use decrypt. |
|
3908 | 3911 |
.br |
3909 | 3912 |
.B 8 |
3913 |
+\-\- Use unwrap. |
|
3910 | 3914 |
.br |
3911 | 3915 |
.\"********************************************************* |
3912 | 3916 |
.TP |
3913 |
-.B --cryptoapicert select-string |
|
3917 |
+.B \-\-cryptoapicert select-string |
|
3914 | 3918 |
Load the certificate and private key from the |
3915 | 3919 |
Windows Certificate System Store (Windows Only). |
3916 | 3920 |
|
3917 | 3921 |
Use this option instead of |
3918 |
-.B --cert |
|
3922 |
+.B \-\-cert |
|
3919 | 3923 |
and |
3920 |
-.B --key. |
|
3924 |
+.B \-\-key. |
|
3921 | 3925 |
|
3922 | 3926 |
This makes |
3923 | 3927 |
it possible to use any smart card, supported by Windows, but also any |
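Review bot: the context line `.B -cert file` under `\-\-key file` is a pre-existing single-dash reference that should read `.B \-\-cert file`, since it points the reader at the `--cert` option; as this entry is being touched anyway, that correction is in scope for a dash-escaping patch. Two further points in this hunk: the lines `+\-\- Use sign.`, `+\-\- Use sign recover.`, `+\-\- Use decrypt.` and `+\-\- Use unwrap.` appear as pure additions with no `-` counterparts because the removed `-- Use ...` lines start with `---` in the raw patch and the renderer hides them (the unchanged `90,90` counts in the header confirm they exist), so verify those four against the raw patch; and the line `(default) \-\- Try to determind automatically.` keeps the typo "determind" (should be "determine"), worth fixing in a follow-up.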
... | ... |
@@ -3947,7 +3947,7 @@ Certificate Store GUI. |
3947 | 3947 |
|
3948 | 3948 |
.\"********************************************************* |
3949 | 3949 |
.TP |
3950 |
-.B --key-method m |
|
3950 |
+.B \-\-key-method m |
|
3951 | 3951 |
Use data channel key negotiation method |
3952 | 3952 |
.B m. |
3953 | 3953 |
The key method must match on both sides of the connection. |
... | ... |
@@ -3975,16 +3975,16 @@ of keying occur: |
3975 | 3975 |
of the connection producing certificates and verifying the certificate |
3976 | 3976 |
(or other authentication info provided) of |
3977 | 3977 |
the other side. The |
3978 |
-.B --key-method |
|
3978 |
+.B \-\-key-method |
|
3979 | 3979 |
parameter has no effect on this process. |
3980 | 3980 |
|
3981 | 3981 |
(2) After the TLS connection is established, the tunnel session keys are |
3982 | 3982 |
separately negotiated over the existing secure TLS channel. Here, |
3983 |
-.B --key-method |
|
3983 |
+.B \-\-key-method |
|
3984 | 3984 |
determines the derivation of the tunnel session keys. |
3985 | 3985 |
.\"********************************************************* |
3986 | 3986 |
.TP |
3987 |
-.B --tls-cipher l |
|
3987 |
+.B \-\-tls-cipher l |
|
3988 | 3988 |
A list |
3989 | 3989 |
.B l |
3990 | 3990 |
of allowable TLS ciphers delimited by a colon (":"). |
... | ... |
@@ -3994,11 +3994,11 @@ version rollback attack where a man-in-the-middle attacker tries |
3994 | 3994 |
to force two peers to negotiate to the lowest level |
3995 | 3995 |
of security they both support. |
3996 | 3996 |
Use |
3997 |
-.B --show-tls |
|
3997 |
+.B \-\-show-tls |
|
3998 | 3998 |
to see a list of supported TLS ciphers. |
3999 | 3999 |
.\"********************************************************* |
4000 | 4000 |
.TP |
4001 |
-.B --tls-timeout n |
|
4001 |
+.B \-\-tls-timeout n |
|
4002 | 4002 |
Packet retransmit timeout on TLS control channel |
4003 | 4003 |
if no acknowledgment from remote within |
4004 | 4004 |
.B n |
... | ... |
@@ -4015,7 +4015,7 @@ the higher level network protocols running on top of the tunnel |
4015 | 4015 |
such as TCP expect this role to be left to them. |
4016 | 4016 |
.\"********************************************************* |
4017 | 4017 |
.TP |
4018 |
-.B --reneg-bytes n |
|
4018 |
+.B \-\-reneg-bytes n |
|
4019 | 4019 |
Renegotiate data channel key after |
4020 | 4020 |
.B n |
4021 | 4021 |
bytes sent or received (disabled by default). |
... | ... |
@@ -4025,13 +4025,13 @@ a number of seconds. A key renegotiation will be forced |
4025 | 4025 |
if any of these three criteria are met by either peer. |
4026 | 4026 |
.\"********************************************************* |
4027 | 4027 |
.TP |
4028 |
-.B --reneg-pkts n |
|
4028 |
+.B \-\-reneg-pkts n |
|
4029 | 4029 |
Renegotiate data channel key after |
4030 | 4030 |
.B n |
4031 | 4031 |
packets sent and received (disabled by default). |
4032 | 4032 |
.\"********************************************************* |
4033 | 4033 |
.TP |
4034 |
-.B --reneg-sec n |
|
4034 |
+.B \-\-reneg-sec n |
|
4035 | 4035 |
Renegotiate data channel key after |
4036 | 4036 |
.B n |
4037 | 4037 |
seconds (default=3600). |
... | ... |
@@ -4042,16 +4042,16 @@ cause the end user to be challenged to reauthorize once per hour. |
4042 | 4042 |
Also, keep in mind that this option can be used on both the client and server, |
4043 | 4043 |
and whichever uses the lower value will be the one to trigger the renegotiation. |
4044 | 4044 |
A common mistake is to set |
4045 |
-.B --reneg-sec |
|
4045 |
+.B \-\-reneg-sec |
|
4046 | 4046 |
to a higher value on either the client or server, while the other side of the connection |
4047 | 4047 |
is still using the default value of 3600 seconds, meaning that the renegotiation will |
4048 |
-still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the |
|
4048 |
+still occur once per 3600 seconds. The solution is to increase \-\-reneg-sec on both the |
|
4049 | 4049 |
client and server, or set it to 0 on one side of the connection (to disable), and to |
4050 | 4050 |
your chosen value on the other side. |
4051 | 4051 |
.\"********************************************************* |
4052 | 4052 |
.TP |
4053 |
-.B --hand-window n |
|
4054 |
-Handshake Window -- the TLS-based key exchange must finalize within |
|
4053 |
+.B \-\-hand-window n |
|
4054 |
+Handshake Window \-\- the TLS-based key exchange must finalize within |
|
4055 | 4055 |
.B n |
4056 | 4056 |
seconds |
4057 | 4057 |
of handshake initiation by any peer (default = 60 seconds). |
... | ... |
@@ -4059,47 +4059,47 @@ If the handshake fails |
4059 | 4059 |
we will attempt to reset our connection with our peer and try again. |
4060 | 4060 |
Even in the event of handshake failure we will still use |
4061 | 4061 |
our expiring key for up to |
4062 |
-.B --tran-window |
|
4062 |
+.B \-\-tran-window |
|
4063 | 4063 |
seconds to maintain continuity of transmission of tunnel |
4064 | 4064 |
data. |
4065 | 4065 |
.\"********************************************************* |
4066 | 4066 |
.TP |
4067 |
-.B --tran-window n |
|
4068 |
-Transition window -- our old key can live this many seconds |
|
4067 |
+.B \-\-tran-window n |
|
4068 |
+Transition window \-\- our old key can live this many seconds |
|
4069 | 4069 |
after a new a key renegotiation begins (default = 3600 seconds). |
4070 | 4070 |
This feature allows for a graceful transition from old to new |
4071 | 4071 |
key, and removes the key renegotiation sequence from the critical |
4072 | 4072 |
path of tunnel data forwarding. |
4073 | 4073 |
.\"********************************************************* |
4074 | 4074 |
.TP |
4075 |
-.B --single-session |
|
4075 |
+.B \-\-single-session |
|
4076 | 4076 |
After initially connecting to a remote peer, disallow any new connections. |
4077 | 4077 |
Using this |
4078 | 4078 |
option means that a remote peer cannot connect, disconnect, and then |
4079 | 4079 |
reconnect. |
4080 | 4080 |
|
4081 | 4081 |
If the daemon is reset by a signal or |
4082 |
-.B --ping-restart, |
|
4082 |
+.B \-\-ping-restart, |
|
4083 | 4083 |
it will allow one new connection. |
4084 | 4084 |
|
4085 |
-.B --single-session |
|
4085 |
+.B \-\-single-session |
|
4086 | 4086 |
can be used with |
4087 |
-.B --ping-exit |
|
4087 |
+.B \-\-ping-exit |
|
4088 | 4088 |
or |
4089 |
-.B --inactive |
|
4089 |
+.B \-\-inactive |
|
4090 | 4090 |
to create a single dynamic session that will exit when finished. |
4091 | 4091 |
.\"********************************************************* |
4092 | 4092 |
.TP |
4093 |
-.B --tls-exit |
|
4093 |
+.B \-\-tls-exit |
|
4094 | 4094 |
Exit on TLS negotiation failure. |
4095 | 4095 |
.\"********************************************************* |
4096 | 4096 |
.TP |
4097 |
-.B --tls-auth file [direction] |
|
4097 |
+.B \-\-tls-auth file [direction] |
|
4098 | 4098 |
Add an additional layer of HMAC authentication on top of the TLS |
4099 | 4099 |
control channel to protect against DoS attacks. |
4100 | 4100 |
|
4101 | 4101 |
In a nutshell, |
4102 |
-.B --tls-auth |
|
4102 |
+.B \-\-tls-auth |
|
4103 | 4103 |
enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, |
4104 | 4104 |
where TLS control channel packets |
4105 | 4105 |
bearing an incorrect HMAC signature can be dropped immediately without |
... | ... |
@@ -4110,7 +4110,7 @@ response. |
4110 | 4110 |
|
4111 | 4111 |
.B (1) |
4112 | 4112 |
An OpenVPN static key file generated by |
4113 |
-.B --genkey |
|
4113 |
+.B \-\-genkey |
|
4114 | 4114 |
(required if |
4115 | 4115 |
.B direction |
4116 | 4116 |
parameter is used). |
... | ... |
@@ -4128,19 +4128,19 @@ OpenVPN will first try format (1), and if the file fails to parse as |
4128 | 4128 |
a static key file, format (2) will be used. |
4129 | 4129 |
|
4130 | 4130 |
See the |
4131 |
-.B --secret |
|
4131 |
+.B \-\-secret |
|
4132 | 4132 |
option for more information on the optional |
4133 | 4133 |
.B direction |
4134 | 4134 |
parameter. |
4135 | 4135 |
|
4136 |
-.B --tls-auth |
|
4136 |
+.B \-\-tls-auth |
|
4137 | 4137 |
is recommended when you are running OpenVPN in a mode where |
4138 | 4138 |
it is listening for packets from any IP address, such as when |
4139 |
-.B --remote |
|
4139 |
+.B \-\-remote |
|
4140 | 4140 |
is not specified, or |
4141 |
-.B --remote |
|
4141 |
+.B \-\-remote |
|
4142 | 4142 |
is specified with |
4143 |
-.B --float. |
|
4143 |
+.B \-\-float. |
|
4144 | 4144 |
|
4145 | 4145 |
The rationale for |
4146 | 4146 |
this feature is as follows. TLS requires a multi-packet exchange |
... | ... |
@@ -4167,7 +4167,7 @@ An important rule of thumb in reducing vulnerability to DoS attacks is to |
4167 | 4167 |
minimize the amount of resources a potential, but as yet unauthenticated, |
4168 | 4168 |
client is able to consume. |
4169 | 4169 |
|
4170 |
-.B --tls-auth |
|
4170 |
+.B \-\-tls-auth |
|
4171 | 4171 |
does this by signing every TLS control channel packet with an HMAC signature, |
4172 | 4172 |
including packets which are sent before the TLS level has had a chance |
4173 | 4173 |
to authenticate the peer. |
... | ... |
@@ -4175,20 +4175,20 @@ The result is that packets without |
4175 | 4175 |
the correct signature can be dropped immediately upon reception, |
4176 | 4176 |
before they have a chance to consume additional system resources |
4177 | 4177 |
such as by initiating a TLS handshake. |
4178 |
-.B --tls-auth |
|
4178 |
+.B \-\-tls-auth |
|
4179 | 4179 |
can be strengthened by adding the |
4180 |
-.B --replay-persist |
|
4180 |
+.B \-\-replay-persist |
|
4181 | 4181 |
option which will keep OpenVPN's replay protection state |
4182 | 4182 |
in a file so that it is not lost across restarts. |
4183 | 4183 |
|
4184 | 4184 |
It should be emphasized that this feature is optional and that the |
4185 | 4185 |
passphrase/key file used with |
4186 |
-.B --tls-auth |
|
4186 |
+.B \-\-tls-auth |
|
4187 | 4187 |
gives a peer nothing more than the power to initiate a TLS |
4188 | 4188 |
handshake. It is not used to encrypt or authenticate any tunnel data. |
4189 | 4189 |
.\"********************************************************* |
4190 | 4190 |
.TP |
4191 |
-.B --askpass [file] |
|
4191 |
+.B \-\-askpass [file] |
|
4192 | 4192 |
Get certificate password from console or |
4193 | 4193 |
.B file |
4194 | 4194 |
before we daemonize. |
... | ... |
@@ -4197,7 +4197,7 @@ For the extremely |
4197 | 4197 |
security conscious, it is possible to protect your private key with |
4198 | 4198 |
a password. Of course this means that every time the OpenVPN |
4199 | 4199 |
daemon is started you must be there to type the password. The |
4200 |
-.B --askpass |
|
4200 |
+.B \-\-askpass |
|
4201 | 4201 |
option allows you to start OpenVPN from the command line. It will |
4202 | 4202 |
query you for a password before it daemonizes. To protect a private |
4203 | 4203 |
key with a password you should omit the |
... | ... |
@@ -4214,15 +4214,15 @@ Keep in mind that storing your password in a file |
4214 | 4214 |
to a certain extent invalidates the extra security provided by |
4215 | 4215 |
using an encrypted key (Note: OpenVPN |
4216 | 4216 |
will only read passwords from a file if it has been built |
4217 |
-with the --enable-password-save configure option, or on Windows |
|
4217 |
+with the \-\-enable-password-save configure option, or on Windows |
|
4218 | 4218 |
by defining ENABLE_PASSWORD_SAVE in config-win32.h). |
4219 | 4219 |
.\"********************************************************* |
4220 | 4220 |
.TP |
4221 |
-.B --auth-nocache |
|
4221 |
+.B \-\-auth-nocache |
|
4222 | 4222 |
Don't cache |
4223 |
-.B --askpass |
|
4223 |
+.B \-\-askpass |
|
4224 | 4224 |
or |
4225 |
-.B --auth-user-pass |
|
4225 |
+.B \-\-auth-user-pass |
|
4226 | 4226 |
username/passwords in virtual memory. |
4227 | 4227 |
|
4228 | 4228 |
If specified, this directive will cause OpenVPN to immediately |
... | ... |
@@ -4232,19 +4232,19 @@ from stdin, which may be multiple times during the duration of an |
4232 | 4232 |
OpenVPN session. |
4233 | 4233 |
|
4234 | 4234 |
This directive does not affect the |
4235 |
-.B --http-proxy |
|
4235 |
+.B \-\-http-proxy |
|
4236 | 4236 |
username/password. It is always cached. |
4237 | 4237 |
.\"********************************************************* |
4238 | 4238 |
.TP |
4239 |
-.B --tls-verify cmd |
|
4239 |
+.B \-\-tls-verify cmd |
|
4240 | 4240 |
Execute shell command |
4241 | 4241 |
.B cmd |
4242 | 4242 |
to verify the X509 name of a |
4243 | 4243 |
pending TLS connection that has otherwise passed all other |
4244 | 4244 |
tests of certification (except for revocation via |
4245 |
-.B --crl-verify |
|
4245 |
+.B \-\-crl-verify |
|
4246 | 4246 |
directive; the revocation test occurs after the |
4247 |
-.B --tls-verify |
|
4247 |
+.B \-\-tls-verify |
|
4248 | 4248 |
test). |
4249 | 4249 |
|
4250 | 4250 |
.B cmd |
... | ... |
@@ -4277,7 +4277,7 @@ to |
4277 | 4277 |
to build a command line which will be passed to the script. |
4278 | 4278 |
.\"********************************************************* |
4279 | 4279 |
.TP |
4280 |
-.B --tls-remote name |
|
4280 |
+.B \-\-tls-remote name |
|
4281 | 4281 |
Accept connections only from a host with X509 name |
4282 | 4282 |
or common name equal to |
4283 | 4283 |
.B name. |
... | ... |
@@ -4294,24 +4294,24 @@ a third party, such as a commercial web CA. |
4294 | 4294 |
Name can also be a common name prefix, for example if you |
4295 | 4295 |
want a client to only accept connections to "Server-1", |
4296 | 4296 |
"Server-2", etc., you can simply use |
4297 |
-.B --tls-remote Server |
|
4297 |
+.B \-\-tls-remote Server |
|
4298 | 4298 |
|
4299 | 4299 |
Using a common name prefix is a useful alternative to managing |
4300 | 4300 |
a CRL (Certificate Revocation List) on the client, since it allows the client |
4301 | 4301 |
to refuse all certificates except for those associated |
4302 | 4302 |
with designated servers. |
4303 | 4303 |
|
4304 |
-.B --tls-remote |
|
4304 |
+.B \-\-tls-remote |
|
4305 | 4305 |
is a useful replacement for the |
4306 |
-.B --tls-verify |
|
4306 |
+.B \-\-tls-verify |
|
4307 | 4307 |
option to verify the remote host, because |
4308 |
-.B --tls-remote |
|
4308 |
+.B \-\-tls-remote |
|
4309 | 4309 |
works in a |
4310 |
-.B --chroot |
|
4310 |
+.B \-\-chroot |
|
4311 | 4311 |
environment too. |
4312 | 4312 |
.\"********************************************************* |
4313 | 4313 |
.TP |
4314 |
-.B --ns-cert-type client|server |
|
4314 |
+.B \-\-ns-cert-type client|server |
|
4315 | 4315 |
Require that peer certificate was signed with an explicit |
4316 | 4316 |
.B nsCertType |
4317 | 4317 |
designation of "client" or "server". |
... | ... |
@@ -4326,19 +4326,19 @@ field set to "server". |
4326 | 4326 |
|
4327 | 4327 |
If the server certificate's nsCertType field is set |
4328 | 4328 |
to "server", then the clients can verify this with |
4329 |
-.B --ns-cert-type server. |
|
4329 |
+.B \-\-ns-cert-type server. |
|
4330 | 4330 |
|
4331 | 4331 |
This is an important security precaution to protect against |
4332 | 4332 |
a man-in-the-middle attack where an authorized client |
4333 | 4333 |
attempts to connect to another client by impersonating the server. |
4334 | 4334 |
The attack is easily prevented by having clients verify |
4335 | 4335 |
the server certificate using any one of |
4336 |
-.B --ns-cert-type, --tls-remote, |
|
4336 |
+.B \-\-ns-cert-type, \-\-tls-remote, |
|
4337 | 4337 |
or |
4338 |
-.B --tls-verify. |
|
4338 |
+.B \-\-tls-verify. |
|
4339 | 4339 |
.\"********************************************************* |
4340 | 4340 |
.TP |
4341 |
-.B --remote-cert-ku v... |
|
4341 |
+.B \-\-remote-cert-ku v... |
|
4342 | 4342 |
Require that peer certificate was signed with an explicit |
4343 | 4343 |
.B key usage. |
4344 | 4344 |
|
... | ... |
@@ -4349,7 +4349,7 @@ The key usage should be encoded in hex, more than one key |
4349 | 4349 |
usage can be specified. |
4350 | 4350 |
.\"********************************************************* |
4351 | 4351 |
.TP |
4352 |
-.B --remote-cert-eku oid |
|
4352 |
+.B \-\-remote-cert-eku oid |
|
4353 | 4353 |
Require that peer certificate was signed with an explicit |
4354 | 4354 |
.B extended key usage. |
4355 | 4355 |
|
... | ... |
@@ -4360,7 +4360,7 @@ The extended key usage should be encoded in oid notation, or |
4360 | 4360 |
OpenSSL symbolic representation. |
4361 | 4361 |
.\"********************************************************* |
4362 | 4362 |
.TP |
4363 |
-.B --remote-cert-tls client|server |
|
4363 |
+.B \-\-remote-cert-tls client|server |
|
4364 | 4364 |
Require that peer certificate was signed with an explicit |
4365 | 4365 |
.B key usage |
4366 | 4366 |
and |
... | ... |
@@ -4371,18 +4371,18 @@ This is a useful security option for clients, to ensure that |
4371 | 4371 |
the host they connect to is a designated server. |
4372 | 4372 |
|
4373 | 4373 |
The |
4374 |
-.B --remote-cert-tls client |
|
4374 |
+.B \-\-remote-cert-tls client |
|
4375 | 4375 |
option is equivalent to |
4376 | 4376 |
.B |
4377 |
+\-\-remote-cert-ku 80 08 88 \-\-remote-cert-eku "TLS Web Client Authentication" |
|
4377 | 4378 |
|
4378 | 4379 |
The key usage is digitalSignature and/or keyAgreement. |
4379 | 4380 |
|
4380 | 4381 |
The |
4381 |
-.B --remote-cert-tls server |
|
4382 |
+.B \-\-remote-cert-tls server |
|
4382 | 4383 |
option is equivalent to |
4383 | 4384 |
.B |
4385 |
+\-\-remote-cert-ku a0 88 \-\-remote-cert-eku "TLS Web Server Authentication" |
|
4384 | 4386 |
|
4385 | 4387 |
The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). |
4386 | 4388 |
|
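Review bot: the two equivalence lines `+\-\-remote-cert-ku 80 08 88 \-\-remote-cert-eku "TLS Web Client Authentication"` and `+\-\-remote-cert-ku a0 88 \-\-remote-cert-eku "TLS Web Server Authentication"` are displayed as additions only, yet the header `@@ -4371,18 +4371,18 @@` keeps the line count, so their removed `--remote-cert-ku ...` predecessors exist in the raw patch as `---`-prefixed lines that the renderer dropped; check these two against the raw patch rather than this view. The escaping itself is correct, and these are precisely the lines where it matters most, because readers copy these option strings verbatim from the rendered page to reproduce what `\-\-remote-cert-tls` enforces.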
... | ... |
@@ -4391,12 +4391,12 @@ a man-in-the-middle attack where an authorized client |
4391 | 4391 |
attempts to connect to another client by impersonating the server. |
4392 | 4392 |
The attack is easily prevented by having clients verify |
4393 | 4393 |
the server certificate using any one of |
4394 |
-.B --remote-cert-tls, --tls-remote, |
|
4394 |
+.B \-\-remote-cert-tls, \-\-tls-remote, |
|
4395 | 4395 |
or |
4396 |
-.B --tls-verify. |
|
4396 |
+.B \-\-tls-verify. |
|
4397 | 4397 |
.\"********************************************************* |
4398 | 4398 |
.TP |
4399 |
-.B --crl-verify crl |
|
4399 |
+.B \-\-crl-verify crl |
|
4400 | 4400 |
Check peer certificate against the file |
4401 | 4401 |
.B crl |
4402 | 4402 |
in PEM format. |
... | ... |
@@ -4416,28 +4416,28 @@ if the root certificate key itself was compromised. |
4416 | 4416 |
.SS SSL Library information: |
4417 | 4417 |
.\"********************************************************* |
4418 | 4418 |
.TP |
4419 |
-.B --show-ciphers |
|
4419 |
+.B \-\-show-ciphers |
|
4420 | 4420 |
(Standalone) |
4421 | 4421 |
Show all cipher algorithms to use with the |
4422 |
-.B --cipher |
|
4422 |
+.B \-\-cipher |
|
4423 | 4423 |
option. |
4424 | 4424 |
.\"********************************************************* |
4425 | 4425 |
.TP |
4426 |
-.B --show-digests |
|
4426 |
+.B \-\-show-digests |
|
4427 | 4427 |
(Standalone) |
4428 | 4428 |
Show all message digest algorithms to use with the |
4429 |
-.B --auth |
|
4429 |
+.B \-\-auth |
|
4430 | 4430 |
option. |
4431 | 4431 |
.\"********************************************************* |
4432 | 4432 |
.TP |
4433 |
-.B --show-tls |
|
4433 |
+.B \-\-show-tls |
|
4434 | 4434 |
(Standalone) |
4435 | 4435 |
Show all TLS ciphers (TLS used only as a control channel). The TLS |
4436 | 4436 |
ciphers will be sorted from highest preference (most secure) to |
4437 | 4437 |
lowest. |
4438 | 4438 |
.\"********************************************************* |
4439 | 4439 |
.TP |
4440 |
-.B --show-engines |
|
4440 |
+.B \-\-show-engines |
|
4441 | 4441 |
(Standalone) |
4442 | 4442 |
Show currently available hardware-based crypto acceleration |
4443 | 4443 |
engines supported by the OpenSSL library. |
... | ... |
@@ -4446,18 +4446,18 @@ engines supported by the OpenSSL library. |
4446 | 4446 |
Used only for non-TLS static key encryption mode. |
4447 | 4447 |
.\"********************************************************* |
4448 | 4448 |
.TP |
4449 |
-.B --genkey |
|
4449 |
+.B \-\-genkey |
|
4450 | 4450 |
(Standalone) |
4451 | 4451 |
Generate a random key to be used as a shared secret, |
4452 | 4452 |
for use with the |
4453 |
-.B --secret |
|
4453 |
+.B \-\-secret |
|
4454 | 4454 |
option. This file must be shared with the |
4455 | 4455 |
peer over a pre-existing secure channel such as |
4456 | 4456 |
.BR scp (1) |
4457 | 4457 |
. |
4458 | 4458 |
.\"********************************************************* |
4459 | 4459 |
.TP |
4460 |
-.B --secret file |
|
4460 |
+.B \-\-secret file |
|
4461 | 4461 |
Write key to |
4462 | 4462 |
.B file. |
4463 | 4463 |
.\"********************************************************* |
... | ... |
@@ -4466,7 +4466,7 @@ Available with linux 2.4.7+. These options comprise a standalone mode |
4466 | 4466 |
of OpenVPN which can be used to create and delete persistent tunnels. |
4467 | 4467 |
.\"********************************************************* |
4468 | 4468 |
.TP |
4469 |
-.B --mktun |
|
4469 |
+.B \-\-mktun |
|
4470 | 4470 |
(Standalone) |
4471 | 4471 |
Create a persistent tunnel on platforms which support them such |
4472 | 4472 |
as Linux. Normally TUN/TAP tunnels exist only for |
... | ... |
@@ -4477,9 +4477,9 @@ only when they are deleted or the machine is rebooted. |
4477 | 4477 |
|
4478 | 4478 |
One of the advantages of persistent tunnels is that they eliminate the |
4479 | 4479 |
need for separate |
4480 |
-.B --up |
|
4480 |
+.B \-\-up |
|
4481 | 4481 |
and |
4482 |
-.B --down |
|
4482 |
+.B \-\-down |
|
4483 | 4483 |
scripts to run the appropriate |
4484 | 4484 |
.BR ifconfig (8) |
4485 | 4485 |
and |
... | ... |
@@ -4491,40 +4491,40 @@ Another advantage is that open connections through the TUN/TAP-based tunnel |
4491 | 4491 |
will not be reset if the OpenVPN peer restarts. This can be useful to |
4492 | 4492 |
provide uninterrupted connectivity through the tunnel in the event of a DHCP |
4493 | 4493 |
reset of the peer's public IP address (see the |
4494 |
-.B --ipchange |
|
4494 |
+.B \-\-ipchange |
|
4495 | 4495 |
option above). |
4496 | 4496 |
|
4497 | 4497 |
One disadvantage of persistent tunnels is that it is harder to automatically |
4498 | 4498 |
configure their MTU value (see |
4499 |
-.B --link-mtu |
|
4499 |
+.B \-\-link-mtu |
|
4500 | 4500 |
and |
4501 |
-.B --tun-mtu |
|
4501 |
+.B \-\-tun-mtu |
|
4502 | 4502 |
above). |
4503 | 4503 |
|
4504 | 4504 |
On some platforms such as Windows, TAP-Win32 tunnels are persistent by |
4505 | 4505 |
default. |
4506 | 4506 |
.\"********************************************************* |
4507 | 4507 |
.TP |
4508 |
-.B --rmtun |
|
4508 |
+.B \-\-rmtun |
|
4509 | 4509 |
(Standalone) |
4510 | 4510 |
Remove a persistent tunnel. |
4511 | 4511 |
.\"********************************************************* |
4512 | 4512 |
.TP |
4513 |
-.B --dev tunX | tapX |
|
4513 |
+.B \-\-dev tunX | tapX |
|
4514 | 4514 |
TUN/TAP device |
4515 | 4515 |
.\"********************************************************* |
4516 | 4516 |
.TP |
4517 |
-.B --user user |
|
4517 |
+.B \-\-user user |
|
4518 | 4518 |
Optional user to be owner of this tunnel. |
4519 | 4519 |
.\"********************************************************* |
4520 | 4520 |
.TP |
4521 |
-.B --group group |
|
4521 |
+.B \-\-group group |
|
4522 | 4522 |
Optional group to be owner of this tunnel. |
4523 | 4523 |
.\"********************************************************* |
4524 | 4524 |
.SS Windows-Specific Options: |
4525 | 4525 |
.\"********************************************************* |
4526 | 4526 |
.TP |
4527 |
-.B --win-sys path|'env' |
|
4527 |
+.B \-\-win-sys path|'env' |
|
4528 | 4528 |
Set the Windows system directory pathname to use when looking for system |
4529 | 4529 |
executables such as |
4530 | 4530 |
.B route.exe |
... | ... |
@@ -4540,23 +4540,23 @@ indicates that the pathname should be read from the |
4540 | 4540 |
environmental variable. |
4541 | 4541 |
.\"********************************************************* |
4542 | 4542 |
.TP |
4543 |
-.B --ip-win32 method |
|
4543 |
+.B \-\-ip-win32 method |
|
4544 | 4544 |
When using |
4545 |
-.B --ifconfig |
|
4545 |
+.B \-\-ifconfig |
|
4546 | 4546 |
on Windows, set the TAP-Win32 adapter |
4547 | 4547 |
IP address and netmask using |
4548 | 4548 |
.B method. |
4549 | 4549 |
Don't use this option unless you are also using |
4550 |
-.B --ifconfig. |
|
4550 |
+.B \-\-ifconfig. |
|
4551 | 4551 |
|
4552 |
-.B manual -- |
|
4552 |
+.B manual \-\- |
|
4553 | 4553 |
Don't set the IP address or netmask automatically. |
4554 | 4554 |
Instead output a message |
4555 | 4555 |
to the console telling the user to configure the |
4556 | 4556 |
adapter manually and indicating the IP/netmask which |
4557 | 4557 |
OpenVPN expects the adapter to be set to. |
4558 | 4558 |
|
4559 |
-.B dynamic [offset] [lease-time] -- |
|
4559 |
+.B dynamic [offset] [lease-time] \-\- |
|
4560 | 4560 |
Automatically set the IP address and netmask by replying to |
4561 | 4561 |
DHCP query messages generated by the kernel. This mode is |
4562 | 4562 |
probably the "cleanest" solution |
... | ... |
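Review bot: at 4552 (`.B manual \-\-`) and 4559 (`.B dynamic [offset] [lease-time] \-\-`) the `--` is punctuation separating the method name from its description, not an option prefix, so escaping it is a consistency choice rather than the rendering fix the rest of the patch makes. `\-\-` keeps every dash on the page as ASCII hyphen-minus, which is the safer result for text a user may copy into a config; if a typographic dash was intended, `\(em` is the troff idiom. The uniform treatment is defensible either way, but it should be a deliberate decision rather than a side effect of a blind substitution, so a one-line remark in the commit message would help the next person who touches these lines.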
@@ -4566,13 +4566,13 @@ this mode: (1) The TCP/IP properties for the TAP-Win32 |
4566 | 4566 |
adapter must be set to "Obtain an IP address automatically," and |
4567 | 4567 |
(2) OpenVPN needs to claim an IP address in the subnet for use |
4568 | 4568 |
as the virtual DHCP server address. By default in |
4569 |
-.B --dev tap |
|
4569 |
+.B \-\-dev tap |
|
4570 | 4570 |
mode, OpenVPN will |
4571 | 4571 |
take the normally unused first address in the subnet. For example, |
4572 | 4572 |
if your subnet is 192.168.4.0 netmask 255.255.255.0, then |
4573 | 4573 |
OpenVPN will take the IP address 192.168.4.0 to use as the |
4574 | 4574 |
virtual DHCP server address. In |
4575 |
-.B --dev tun |
|
4575 |
+.B \-\-dev tun |
|
4576 | 4576 |
mode, OpenVPN will cause the DHCP server to masquerade as if it were |
4577 | 4577 |
coming from the remote endpoint. The optional offset parameter is |
4578 | 4578 |
an integer which is > -256 and < 256 and which defaults to 0. |
... | ... |
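Review bot: the context line at 4578, `an integer which is > -256 and < 256 and which defaults to 0.`, still carries a bare `-` for the numeric minus sign. That is the same problem this patch corrects for the option prefixes: under a UTF-8 locale groff renders a bare `-` as U+2010 HYPHEN rather than ASCII hyphen-minus, so a value copied from the rendered page may not parse as a negative number. Suggest `> \-256` while this region is being rewritten.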
@@ -4594,13 +4594,13 @@ because it prevents routes involving the TAP-Win32 adapter from |
4594 | 4594 |
being lost when the system goes to sleep. The default |
4595 | 4595 |
lease time is one year. |
4596 | 4596 |
|
4597 |
-.B netsh -- |
|
4597 |
+.B netsh \-\- |
|
4598 | 4598 |
Automatically set the IP address and netmask using |
4599 | 4599 |
the Windows command-line "netsh" |
4600 | 4600 |
command. This method appears to work correctly on |
4601 | 4601 |
Windows XP but not Windows 2000. |
4602 | 4602 |
|
4603 |
-.B ipapi -- |
|
4603 |
+.B ipapi \-\- |
|
4604 | 4604 |
Automatically set the IP address and netmask using the |
4605 | 4605 |
Windows IP Helper API. This approach |
4606 | 4606 |
does not have ideal semantics, though testing has indicated |
... | ... |
@@ -4609,7 +4609,7 @@ it is best to leave the TCP/IP properties for the TAP-Win32 |
4609 | 4609 |
adapter in their default state, i.e. "Obtain an IP address |
4610 | 4610 |
automatically." |
4611 | 4611 |
|
4612 |
-.B adaptive -- |
|
4612 |
+.B adaptive \-\- |
|
4613 | 4613 |
(Default) Try |
4614 | 4614 |
.B dynamic |
4615 | 4615 |
method initially and fail over to |
... | ... |
@@ -4639,55 +4639,55 @@ mode to restore the TAP-Win32 adapter TCP/IP properties |
4639 | 4639 |
to a DHCP configuration. |
4640 | 4640 |
.\"********************************************************* |
4641 | 4641 |
.TP |
4642 |
-.B --route-method m |
|
4642 |
+.B \-\-route-method m |
|
4643 | 4643 |
Which method |
4644 | 4644 |
.B m |
4645 | 4645 |
to use for adding routes on Windows? |
4646 | 4646 |
|
4647 | 4647 |
.B adaptive |
4648 |
-(default) -- Try IP helper API first. If that fails, fall |
|
4648 |
+(default) \-\- Try IP helper API first. If that fails, fall |
|
4649 | 4649 |
back to the route.exe shell command. |
4650 | 4650 |
.br |
4651 | 4651 |
.B ipapi |
4652 |
+\-\- Use IP helper API. |
|
4652 | 4653 |
.br |
4653 | 4654 |
.B exe |
4655 |
+\-\- Call the route.exe shell command. |
|
4654 | 4656 |
.\"********************************************************* |
4655 | 4657 |
.TP |
4656 |
-.B --dhcp-option type [parm] |
|
4658 |
+.B \-\-dhcp-option type [parm] |
|
4657 | 4659 |
Set extended TAP-Win32 TCP/IP properties, must |
4658 | 4660 |
be used with |
4659 |
-.B --ip-win32 dynamic |
|
4661 |
+.B \-\-ip-win32 dynamic |
|
4660 | 4662 |
or |
4661 |
-.B --ip-win32 adaptive. |
|
4663 |
+.B \-\-ip-win32 adaptive. |
|
4662 | 4664 |
This option can be used to set additional TCP/IP properties |
4663 | 4665 |
on the TAP-Win32 adapter, and is particularly useful for |
4664 | 4666 |
configuring an OpenVPN client to access a Samba server |
4665 | 4667 |
across the VPN. |
4666 | 4668 |
|
4667 |
-.B DOMAIN name -- |
|
4669 |
+.B DOMAIN name \-\- |
|
4668 | 4670 |
Set Connection-specific DNS Suffix. |
4669 | 4671 |
|
4670 |
-.B DNS addr -- |
|
4672 |
+.B DNS addr \-\- |
|
4671 | 4673 |
Set primary domain name server address. Repeat |
4672 | 4674 |
this option to set secondary DNS server addresses. |
4673 | 4675 |
|
4674 |
-.B WINS addr -- |
|
4676 |
+.B WINS addr \-\- |
|
4675 | 4677 |
Set primary WINS server address (NetBIOS over TCP/IP Name Server). |
4676 | 4678 |
Repeat this option to set secondary WINS server addresses. |
4677 | 4679 |
|
4678 |
-.B NBDD addr -- |
|
4680 |
+.B NBDD addr \-\- |
|
4679 | 4681 |
Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) |
4680 | 4682 |
Repeat this option |
4681 | 4683 |
to set secondary NBDD server addresses. |
4682 | 4684 |
|
4683 |
-.B NTP addr -- |
|
4685 |
+.B NTP addr \-\- |
|
4684 | 4686 |
Set primary NTP server address (Network Time Protocol). |
4685 | 4687 |
Repeat this option |
4686 | 4688 |
to set secondary NTP server addresses. |
4687 | 4689 |
|
4688 |
-.B NBT type -- |
|
4690 |
+.B NBT type \-\- |
|
4689 | 4691 |
Set NetBIOS over TCP/IP Node type. Possible options: |
4690 | 4692 |
.B 1 |
4691 | 4693 |
= b-node (broadcasts), |
... | ... |
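Review bot: the hunk header claims 55 old lines but only 53 render, and 4652 (`+\-\- Use IP helper API.`) and 4655 (`+\-\- Call the route.exe shell command.`) appear as pure additions directly under `.B ipapi` and `.B exe`. Their removed counterparts evidently began with `-- `, which with the diff marker becomes a `---` prefix that this view treats as a file header and hides. Not a defect in the patch, but anyone reviewing from the rendering alone should know those old `-- Use ...` and `-- Call ...` lines are being replaced rather than kept; after applying, each method under `\-\-route-method` should have a single `\-\-` description line.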
@@ -4700,7 +4700,7 @@ then query name server), and |
4700 | 4700 |
.B 8 |
4701 | 4701 |
= h-node (query name server, then broadcast). |
4702 | 4702 |
|
4703 |
-.B NBS scope-id -- |
|
4703 |
+.B NBS scope-id \-\- |
|
4704 | 4704 |
Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended |
4705 | 4705 |
naming service for the NetBIOS over TCP/IP (Known as NBT) module. The |
4706 | 4706 |
primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on |
... | ... |
@@ -4712,19 +4712,19 @@ computers to use the same computer name, as they have different |
4712 | 4712 |
scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. |
4713 | 4713 |
(This description of NetBIOS scopes courtesy of NeonSurge@abyss.com) |
4714 | 4714 |
|
4715 |
-.B DISABLE-NBT -- |
|
4715 |
+.B DISABLE-NBT \-\- |
|
4716 | 4716 |
Disable Netbios-over-TCP/IP. |
4717 | 4717 |
|
4718 | 4718 |
Note that if |
4719 |
-.B --dhcp-option |
|
4719 |
+.B \-\-dhcp-option |
|
4720 | 4720 |
is pushed via |
4721 |
-.B --push |
|
4721 |
+.B \-\-push |
|
4722 | 4722 |
to a non-windows client, the option will be saved in the client's |
4723 | 4723 |
environment before the up script is called, under |
4724 | 4724 |
the name "foreign_option_{n}". |
4725 | 4725 |
.\"********************************************************* |
4726 | 4726 |
.TP |
4727 |
-.B --tap-sleep n |
|
4727 |
+.B \-\-tap-sleep n |
|
4728 | 4728 |
Cause OpenVPN to sleep for |
4729 | 4729 |
.B n |
4730 | 4730 |
seconds immediately after the TAP-Win32 adapter state |
... | ... |
@@ -4732,21 +4732,21 @@ is set to "connected". |
4732 | 4732 |
|
4733 | 4733 |
This option is intended to be used to troubleshoot problems |
4734 | 4734 |
with the |
4735 |
-.B --ifconfig |
|
4735 |
+.B \-\-ifconfig |
|
4736 | 4736 |
and |
4737 |
-.B --ip-win32 |
|
4737 |
+.B \-\-ip-win32 |
|
4738 | 4738 |
options, and is used to give |
4739 | 4739 |
the TAP-Win32 adapter time to come up before |
4740 | 4740 |
Windows IP Helper API operations are applied to it. |
4741 | 4741 |
.\"********************************************************* |
4742 | 4742 |
.TP |
4743 |
-.B --show-net-up |
|
4743 |
+.B \-\-show-net-up |
|
4744 | 4744 |
Output OpenVPN's view of the system routing table and network |
4745 | 4745 |
adapter list to the syslog or log file after the TUN/TAP adapter |
4746 | 4746 |
has been brought up and any routes have been added. |
4747 | 4747 |
.\"********************************************************* |
4748 | 4748 |
.TP |
4749 |
-.B --dhcp-renew |
|
4749 |
+.B \-\-dhcp-renew |
|
4750 | 4750 |
Ask Windows to renew the TAP adapter lease on startup. |
4751 | 4751 |
This option is normally unnecessary, as Windows automatically |
4752 | 4752 |
triggers a DHCP renegotiation on the TAP adapter when it |
... | ... |
@@ -4755,28 +4755,28 @@ Media Status property to "Always Connected", you may need this |
4755 | 4755 |
flag. |
4756 | 4756 |
.\"********************************************************* |
4757 | 4757 |
.TP |
4758 |
-.B --dhcp-release |
|
4758 |
+.B \-\-dhcp-release |
|
4759 | 4759 |
Ask Windows to release the TAP adapter lease on shutdown. |
4760 | 4760 |
This option has the same caveats as |
4761 |
-.B --dhcp-renew |
|
4761 |
+.B \-\-dhcp-renew |
|
4762 | 4762 |
above. |
4763 | 4763 |
.\"********************************************************* |
4764 | 4764 |
.TP |
4765 |
-.B --register-dns |
|
4765 |
+.B \-\-register-dns |
|
4766 | 4766 |
Run net stop dnscache, net start dnscache, ipconfig /flushdns |
4767 | 4767 |
and ipconfig /registerdns on connection initiation. |
4768 | 4768 |
This is known to kick Windows into |
4769 | 4769 |
recognizing pushed DNS servers. |
4770 | 4770 |
.\"********************************************************* |
4771 | 4771 |
.TP |
4772 |
-.B --pause-exit |
|
4772 |
+.B \-\-pause-exit |
|
4773 | 4773 |
Put up a "press any key to continue" message on the console prior |
4774 | 4774 |
to OpenVPN program exit. This option is automatically used by the |
4775 | 4775 |
Windows explorer when OpenVPN is run on a configuration |
4776 | 4776 |
file using the right-click explorer menu. |
4777 | 4777 |
.\"********************************************************* |
4778 | 4778 |
.TP |
4779 |
-.B --service exit-event [0|1] |
|
4779 |
+.B \-\-service exit-event [0|1] |
|
4780 | 4780 |
Should be used when OpenVPN is being automatically executed by another |
4781 | 4781 |
program in such |
4782 | 4782 |
a context that no interaction with the user via display or keyboard |
... | ... |
@@ -4799,26 +4799,26 @@ parameter. In any case, the controlling process can signal |
4799 | 4799 |
causing all such OpenVPN processes to exit. |
4800 | 4800 |
|
4801 | 4801 |
When executing an OpenVPN process using the |
4802 |
-.B --service |
|
4802 |
+.B \-\-service |
|
4803 | 4803 |
directive, OpenVPN will probably not have a console |
4804 | 4804 |
window to output status/error |
4805 | 4805 |
messages, therefore it is useful to use |
4806 |
-.B --log |
|
4806 |
+.B \-\-log |
|
4807 | 4807 |
or |
4808 |
-.B --log-append |
|
4808 |
+.B \-\-log-append |
|
4809 | 4809 |
to write these messages to a file. |
4810 | 4810 |
.\"********************************************************* |
4811 | 4811 |
.TP |
4812 |
-.B --show-adapters |
|
4812 |
+.B \-\-show-adapters |
|
4813 | 4813 |
(Standalone) |
4814 | 4814 |
Show available TAP-Win32 adapters which can be selected using the |
4815 |
-.B --dev-node |
|
4815 |
+.B \-\-dev-node |
|
4816 | 4816 |
option. On non-Windows systems, the |
4817 | 4817 |
.BR ifconfig (8) |
4818 | 4818 |
command provides similar functionality. |
4819 | 4819 |
.\"********************************************************* |
4820 | 4820 |
.TP |
4821 |
-.B --allow-nonadmin [TAP-adapter] |
|
4821 |
+.B \-\-allow-nonadmin [TAP-adapter] |
|
4822 | 4822 |
(Standalone) |
4823 | 4823 |
Set |
4824 | 4824 |
.B TAP-adapter |
... | ... |
@@ -4833,10 +4833,10 @@ and reloaded. |
4833 | 4833 |
This directive can only be used by an administrator. |
4834 | 4834 |
.\"********************************************************* |
4835 | 4835 |
.TP |
4836 |
-.B --show-valid-subnets |
|
4836 |
+.B \-\-show-valid-subnets |
|
4837 | 4837 |
(Standalone) |
4838 | 4838 |
Show valid subnets for |
4839 |
-.B --dev tun |
|
4839 |
+.B \-\-dev tun |
|
4840 | 4840 |
emulation. Since the TAP-Win32 driver |
4841 | 4841 |
exports an ethernet interface to Windows, and since TUN devices are |
4842 | 4842 |
point-to-point in nature, it is necessary for the TAP-Win32 driver |
... | ... |
@@ -4846,7 +4846,7 @@ Namely, the point-to-point endpoints used in TUN device emulation |
4846 | 4846 |
must be the middle two addresses of a /30 subnet (netmask 255.255.255.252). |
4847 | 4847 |
.\"********************************************************* |
4848 | 4848 |
.TP |
4849 |
-.B --show-net |
|
4849 |
+.B \-\-show-net |
|
4850 | 4850 |
(Standalone) |
4851 | 4851 |
Show OpenVPN's view of the system routing table and network |
4852 | 4852 |
adapter list. |
... | ... |
@@ -4854,12 +4854,12 @@ adapter list. |
4854 | 4854 |
.SS PKCS#11 Standalone Options: |
4855 | 4855 |
.\"********************************************************* |
4856 | 4856 |
.TP |
4857 |
-.B --show-pkcs11-ids provider [cert_private] |
|
4857 |
+.B \-\-show-pkcs11-ids provider [cert_private] |
|
4858 | 4858 |
(Standalone) |
4859 | 4859 |
Show PKCS#11 token object list. Specify cert_private as 1 |
4860 | 4860 |
if certificates are stored as private objects. |
4861 | 4861 |
|
4862 |
-.B --verb |
|
4862 |
+.B \-\-verb |
|
4863 | 4863 |
option can be used BEFORE this option to produce debugging information. |
4864 | 4864 |
.\"********************************************************* |
4865 | 4865 |
.SH SCRIPTING AND ENVIRONMENTAL VARIABLES |
... | ... |
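Review bot: documentation nit in the context at 4861 to 4863: the paragraph opens with `.B \-\-verb` followed by `option can be used BEFORE this option to produce debugging information.`, so the rendered sentence starts without an article. Since the line is being rewritten anyway, putting `The` on the blank line 4861 ahead of the `.B \-\-verb` line would make it read correctly.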
@@ -4869,52 +4869,52 @@ of environmental variables for use by user-defined scripts. |
4869 | 4869 |
.SS Script Order of Execution |
4870 | 4870 |
.\"********************************************************* |
4871 | 4871 |
.TP |
4872 |
-.B --up |
|
4872 |
+.B \-\-up |
|
4873 | 4873 |
Executed after TCP/UDP socket bind and TUN/TAP open. |
4874 | 4874 |
.\"********************************************************* |
4875 | 4875 |
.TP |
4876 |
-.B --tls-verify |
|
4876 |
+.B \-\-tls-verify |
|
4877 | 4877 |
Executed when we have a still untrusted remote peer. |
4878 | 4878 |
.\"********************************************************* |
4879 | 4879 |
.TP |
4880 |
-.B --ipchange |
|
4880 |
+.B \-\-ipchange |
|
4881 | 4881 |
Executed after connection authentication, or remote IP address change. |
4882 | 4882 |
.\"********************************************************* |
4883 | 4883 |
.TP |
4884 |
-.B --client-connect |
|
4884 |
+.B \-\-client-connect |
|
4885 | 4885 |
Executed in |
4886 |
-.B --mode server |
|
4886 |
+.B \-\-mode server |
|
4887 | 4887 |
mode immediately after client authentication. |
4888 | 4888 |
.\"********************************************************* |
4889 | 4889 |
.TP |
4890 |
-.B --route-up |
|
4890 |
+.B \-\-route-up |
|
4891 | 4891 |
Executed after connection authentication, either |
4892 | 4892 |
immediately after, or some number of seconds after |
4893 | 4893 |
as defined by the |
4894 |
-.B --route-delay |
|
4894 |
+.B \-\-route-delay |
|
4895 | 4895 |
option. |
4896 | 4896 |
.\"********************************************************* |
4897 | 4897 |
.TP |
4898 |
-.B --client-disconnect |
|
4898 |
+.B \-\-client-disconnect |
|
4899 | 4899 |
Executed in |
4900 |
-.B --mode server |
|
4900 |
+.B \-\-mode server |
|
4901 | 4901 |
mode on client instance shutdown. |
4902 | 4902 |
.\"********************************************************* |
4903 | 4903 |
.TP |
4904 |
-.B --down |
|
4904 |
+.B \-\-down |
|
4905 | 4905 |
Executed after TCP/UDP and TUN/TAP close. |
4906 | 4906 |
.\"********************************************************* |
4907 | 4907 |
.TP |
4908 |
-.B --learn-address |
|
4908 |
+.B \-\-learn-address |
|
4909 | 4909 |
Executed in |
4910 |
-.B --mode server |
|
4910 |
+.B \-\-mode server |
|
4911 | 4911 |
mode whenever an IPv4 address/route or MAC address is added to OpenVPN's |
4912 | 4912 |
internal routing table. |
4913 | 4913 |
.\"********************************************************* |
4914 | 4914 |
.TP |
4915 |
-.B --auth-user-pass-verify |
|
4915 |
+.B \-\-auth-user-pass-verify |
|
4916 | 4916 |
Executed in |
4917 |
-.B --mode server |
|
4917 |
+.B \-\-mode server |
|
4918 | 4918 |
mode on new client connections, when the client is |
4919 | 4919 |
still untrusted. |
4920 | 4920 |
.\"********************************************************* |
... | ... |
@@ -4938,7 +4938,7 @@ Can string remapping be disabled? |
4938 | 4938 |
|
4939 | 4939 |
.B A: |
4940 | 4940 |
Yes, by using the |
4941 |
-.B --no-name-remapping |
|
4941 |
+.B \-\-no-name-remapping |
|
4942 | 4942 |
option, however this should be considered an advanced option. |
4943 | 4943 |
|
4944 | 4944 |
Here is a brief rundown of OpenVPN's current string types and the |
... | ... |
@@ -4954,17 +4954,17 @@ true. |
4954 | 4954 |
Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at |
4955 | 4955 |
('@'). |
4956 | 4956 |
|
4957 |
-.B --auth-user-pass username: |
|
4957 |
+.B \-\-auth-user-pass username: |
|
4958 | 4958 |
Same as Common Name, with one exception: starting with OpenVPN 2.0.1, |
4959 | 4959 |
the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, |
4960 | 4960 |
without string remapping. |
4961 | 4961 |
|
4962 |
-.B --auth-user-pass password: |
|
4962 |
+.B \-\-auth-user-pass password: |
|
4963 | 4963 |
Any "printable" character except CR or LF. |
4964 | 4964 |
Printable is defined to be a character which will cause the C library |
4965 | 4965 |
isprint() function to return true. |
4966 | 4966 |
|
4967 |
-.B --client-config-dir filename as derived from common name or username: |
|
4967 |
+.B \-\-client-config-dir filename as derived from common name or username: |
|
4968 | 4968 |
Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or |
4969 | 4969 |
".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has |
4970 | 4970 |
been added as well for compatibility with the common name character class. |
... | ... |
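Review bot: the character-class definitions in the context at 4954 (`Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at`) and 4968 (`Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or`) keep a bare `-`. These lines tell an operator exactly which characters OpenVPN accepts in a common name, a username and a client-config-dir filename, so if groff substitutes a Unicode hyphen the documented set is wrong in a way that matters to anyone validating input or writing a plugin against it. `('\-')` is the same one-character fix applied elsewhere in the patch and belongs in this hunk.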
@@ -4994,45 +4994,45 @@ which refer to different client instances. |
4994 | 4994 |
.B bytes_received |
4995 | 4995 |
Total number of bytes received from client during VPN session. |
4996 | 4996 |
Set prior to execution of the |
4997 |
-.B --client-disconnect |
|
4997 |
+.B \-\-client-disconnect |
|
4998 | 4998 |
script. |
4999 | 4999 |
.\"********************************************************* |
5000 | 5000 |
.TP |
5001 | 5001 |
.B bytes_sent |
5002 | 5002 |
Total number of bytes sent to client during VPN session. |
5003 | 5003 |
Set prior to execution of the |
5004 |
-.B --client-disconnect |
|
5004 |
+.B \-\-client-disconnect |
|
5005 | 5005 |
script. |
5006 | 5006 |
.\"********************************************************* |
5007 | 5007 |
.TP |
5008 | 5008 |
.B common_name |
5009 | 5009 |
The X509 common name of an authenticated client. |
5010 | 5010 |
Set prior to execution of |
5011 |
-.B --client-connect, --client-disconnect, |
|
5011 |
+.B \-\-client-connect, \-\-client-disconnect, |
|
5012 | 5012 |
and |
5013 |
-.B --auth-user-pass-verify |
|
5013 |
+.B \-\-auth-user-pass-verify |
|
5014 | 5014 |
scripts. |
5015 | 5015 |
.\"********************************************************* |
5016 | 5016 |
.TP |
5017 | 5017 |
.B config |
5018 | 5018 |
Name of first |
5019 |
-.B --config |
|
5019 |
+.B \-\-config |
|
5020 | 5020 |
file. |
5021 | 5021 |
Set on program initiation and reset on SIGHUP. |
5022 | 5022 |
.\"********************************************************* |
5023 | 5023 |
.TP |
5024 | 5024 |
.B daemon |
5025 | 5025 |
Set to "1" if the |
5026 |
-.B --daemon |
|
5026 |
+.B \-\-daemon |
|
5027 | 5027 |
directive is specified, or "0" otherwise. |
5028 | 5028 |
Set on program initiation and reset on SIGHUP. |
5029 | 5029 |
.\"********************************************************* |
5030 | 5030 |
.TP |
5031 | 5031 |
.B daemon_log_redirect |
5032 | 5032 |
Set to "1" if the |
5033 |
-.B --log |
|
5033 |
+.B \-\-log |
|
5034 | 5034 |
or |
5035 |
-.B --log-append |
|
5035 |
+.B \-\-log-append |
|
5036 | 5036 |
directives are specified, or "0" otherwise. |
5037 | 5037 |
Set on program initiation and reset on SIGHUP. |
5038 | 5038 |
.\"********************************************************* |
... | ... |
@@ -5041,30 +5041,30 @@ Set on program initiation and reset on SIGHUP. |
5041 | 5041 |
The actual name of the TUN/TAP device, including |
5042 | 5042 |
a unit number if it exists. |
5043 | 5043 |
Set prior to |
5044 |
-.B --up |
|
5044 |
+.B \-\-up |
|
5045 | 5045 |
or |
5046 |
-.B --down |
|
5046 |
+.B \-\-down |
|
5047 | 5047 |
script execution. |
5048 | 5048 |
.\"********************************************************* |
5049 | 5049 |
.TP |
5050 | 5050 |
.B foreign_option_{n} |
5051 | 5051 |
An option pushed via |
5052 |
-.B --push |
|
5052 |
+.B \-\-push |
|
5053 | 5053 |
to a client which does not natively support it, |
5054 | 5054 |
such as |
5055 |
-.B --dhcp-option |
|
5055 |
+.B \-\-dhcp-option |
|
5056 | 5056 |
on a non-Windows system, will be recorded to this |
5057 | 5057 |
environmental variable sequence prior to |
5058 |
-.B --up |
|
5058 |
+.B \-\-up |
|
5059 | 5059 |
script execution. |
5060 | 5060 |
.\"********************************************************* |
5061 | 5061 |
.TP |
5062 | 5062 |
.B ifconfig_broadcast |
5063 | 5063 |
The broadcast address for the virtual |
5064 | 5064 |
ethernet segment which is derived from the |
5065 |
-.B --ifconfig |
|
5065 |
+.B \-\-ifconfig |
|
5066 | 5066 |
option when |
5067 |
-.B --dev tap |
|
5067 |
+.B \-\-dev tap |
|
5068 | 5068 |
is used. |
5069 | 5069 |
Set prior to OpenVPN calling the |
5070 | 5070 |
.I ifconfig |
... | ... |
@@ -5072,13 +5072,13 @@ or |
5072 | 5072 |
.I netsh |
5073 | 5073 |
(windows version of ifconfig) commands which |
5074 | 5074 |
normally occurs prior to |
5075 |
-.B --up |
|
5075 |
+.B \-\-up |
|
5076 | 5076 |
script execution. |
5077 | 5077 |
.\"********************************************************* |
5078 | 5078 |
.TP |
5079 | 5079 |
.B ifconfig_local |
5080 | 5080 |
The local VPN endpoint IP address specified in the |
5081 |
-.B --ifconfig |
|
5081 |
+.B \-\-ifconfig |
|
5082 | 5082 |
option (first parameter). |
5083 | 5083 |
Set prior to OpenVPN calling the |
5084 | 5084 |
.I ifconfig |
... | ... |
@@ -5086,15 +5086,15 @@ or |
5086 | 5086 |
.I netsh |
5087 | 5087 |
(windows version of ifconfig) commands which |
5088 | 5088 |
normally occurs prior to |
5089 |
-.B --up |
|
5089 |
+.B \-\-up |
|
5090 | 5090 |
script execution. |
5091 | 5091 |
.\"********************************************************* |
5092 | 5092 |
.TP |
5093 | 5093 |
.B ifconfig_remote |
5094 | 5094 |
The remote VPN endpoint IP address specified in the |
5095 |
-.B --ifconfig |
|
5095 |
+.B \-\-ifconfig |
|
5096 | 5096 |
option (second parameter) when |
5097 |
-.B --dev tun |
|
5097 |
+.B \-\-dev tun |
|
5098 | 5098 |
is used. |
5099 | 5099 |
Set prior to OpenVPN calling the |
5100 | 5100 |
.I ifconfig |
... | ... |
@@ -5102,16 +5102,16 @@ or |
5102 | 5102 |
.I netsh |
5103 | 5103 |
(windows version of ifconfig) commands which |
5104 | 5104 |
normally occurs prior to |
5105 |
-.B --up |
|
5105 |
+.B \-\-up |
|
5106 | 5106 |
script execution. |
5107 | 5107 |
.\"********************************************************* |
5108 | 5108 |
.TP |
5109 | 5109 |
.B ifconfig_netmask |
5110 | 5110 |
The subnet mask of the virtual ethernet segment |
5111 | 5111 |
that is specified as the second parameter to |
5112 |
-.B --ifconfig |
|
5112 |
+.B \-\-ifconfig |
|
5113 | 5113 |
when |
5114 |
-.B --dev tap |
|
5114 |
+.B \-\-dev tap |
|
5115 | 5115 |
is being used. |
5116 | 5116 |
Set prior to OpenVPN calling the |
5117 | 5117 |
.I ifconfig |
... | ... |
@@ -5119,61 +5119,61 @@ or |
5119 | 5119 |
.I netsh |
5120 | 5120 |
(windows version of ifconfig) commands which |
5121 | 5121 |
normally occurs prior to |
5122 |
-.B --up |
|
5122 |
+.B \-\-up |
|
5123 | 5123 |
script execution. |
5124 | 5124 |
.\"********************************************************* |
5125 | 5125 |
.TP |
5126 | 5126 |
.B ifconfig_pool_local_ip |
5127 | 5127 |
The local |
5128 | 5128 |
virtual IP address for the TUN/TAP tunnel taken from an |
5129 |
-.B --ifconfig-push |
|
5129 |
+.B \-\-ifconfig-push |
|
5130 | 5130 |
directive if specified, or otherwise from |
5131 | 5131 |
the ifconfig pool (controlled by the |
5132 |
-.B --ifconfig-pool |
|
5132 |
+.B \-\-ifconfig-pool |
|
5133 | 5133 |
config file directive). |
5134 | 5134 |
Only set for |
5135 |
-.B --dev tun |
|
5135 |
+.B \-\-dev tun |
|
5136 | 5136 |
tunnels. |
5137 | 5137 |
This option is set on the server prior to execution |
5138 | 5138 |
of the |
5139 |
-.B --client-connect |
|
5139 |
+.B \-\-client-connect |
|
5140 | 5140 |
and |
5141 |
-.B --client-disconnect |
|
5141 |
+.B \-\-client-disconnect |
|
5142 | 5142 |
scripts. |
5143 | 5143 |
.\"********************************************************* |
5144 | 5144 |
.TP |
5145 | 5145 |
.B ifconfig_pool_netmask |
5146 | 5146 |
The |
5147 | 5147 |
virtual IP netmask for the TUN/TAP tunnel taken from an |
5148 |
-.B --ifconfig-push |
|
5148 |
+.B \-\-ifconfig-push |
|
5149 | 5149 |
directive if specified, or otherwise from |
5150 | 5150 |
the ifconfig pool (controlled by the |
5151 |
-.B --ifconfig-pool |
|
5151 |
+.B \-\-ifconfig-pool |
|
5152 | 5152 |
config file directive). |
5153 | 5153 |
Only set for |
5154 |
-.B --dev tap |
|
5154 |
+.B \-\-dev tap |
|
5155 | 5155 |
tunnels. |
5156 | 5156 |
This option is set on the server prior to execution |
5157 | 5157 |
of the |
5158 |
-.B --client-connect |
|
5158 |
+.B \-\-client-connect |
|
5159 | 5159 |
and |
5160 |
-.B --client-disconnect |
|
5160 |
+.B \-\-client-disconnect |
|
5161 | 5161 |
scripts. |
5162 | 5162 |
.\"********************************************************* |
5163 | 5163 |
.TP |
5164 | 5164 |
.B ifconfig_pool_remote_ip |
5165 | 5165 |
The remote |
5166 | 5166 |
virtual IP address for the TUN/TAP tunnel taken from an |
5167 |
-.B --ifconfig-push |
|
5167 |
+.B \-\-ifconfig-push |
|
5168 | 5168 |
directive if specified, or otherwise from |
5169 | 5169 |
the ifconfig pool (controlled by the |
5170 |
-.B --ifconfig-pool |
|
5170 |
+.B \-\-ifconfig-pool |
|
5171 | 5171 |
config file directive). |
5172 | 5172 |
This option is set on the server prior to execution |
5173 | 5173 |
of the |
5174 |
-.B --client-connect |
|
5174 |
+.B \-\-client-connect |
|
5175 | 5175 |
and |
5176 |
-.B --client-disconnect |
|
5176 |
+.B \-\-client-disconnect |
|
5177 | 5177 |
scripts. |
5178 | 5178 |
.\"********************************************************* |
5179 | 5179 |
.TP |
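Review bot: the `--` to `\-\-` substitution in this hunk (5132, 5135, 5139, 5141, 5148, 5151, 5154, 5158, 5160, 5167, 5170, 5174, 5176) is applied by hand across many near-identical `.B` lines, so completeness should be checked mechanically rather than by eye: after applying, grep the patched man page source for any remaining unescaped `--` and expect no hits, because a single missed occurrence still renders as a Unicode hyphen in UTF-8 locales and an option name copied from the rendered page will not be accepted by openvpn. `\-\-` is the standard groff idiom for a literal ASCII hyphen-minus pair, so the replacement itself is correct.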
... | ... |
@@ -5181,31 +5181,31 @@ scripts. |
5181 | 5181 |
The maximum packet size (not including the IP header) |
5182 | 5182 |
of tunnel data in UDP tunnel transport mode. |
5183 | 5183 |
Set prior to |
5184 |
-.B --up |
|
5184 |
+.B \-\-up |
|
5185 | 5185 |
or |
5186 |
-.B --down |
|
5186 |
+.B \-\-down |
|
5187 | 5187 |
script execution. |
5188 | 5188 |
.\"********************************************************* |
5189 | 5189 |
.TP |
5190 | 5190 |
.B local |
5191 | 5191 |
The |
5192 |
-.B --local |
|
5192 |
+.B \-\-local |
|
5193 | 5193 |
parameter. |
5194 | 5194 |
Set on program initiation and reset on SIGHUP. |
5195 | 5195 |
.\"********************************************************* |
5196 | 5196 |
.TP |
5197 | 5197 |
.B local_port |
5198 | 5198 |
The local port number, specified by |
5199 |
-.B --port |
|
5199 |
+.B \-\-port |
|
5200 | 5200 |
or |
5201 |
-.B --lport. |
|
5201 |
+.B \-\-lport. |
|
5202 | 5202 |
Set on program initiation and reset on SIGHUP. |
5203 | 5203 |
.\"********************************************************* |
5204 | 5204 |
.TP |
5205 | 5205 |
.B password |
5206 | 5206 |
The password provided by a connecting client. |
5207 | 5207 |
Set prior to |
5208 |
-.B --auth-user-pass-verify |
|
5208 |
+.B \-\-auth-user-pass-verify |
|
5209 | 5209 |
script execution only when the |
5210 | 5210 |
.B via-env |
5211 | 5211 |
modifier is specified, and deleted from the environment |
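Review bot: style point on `.B \-\-lport.` at 5201 (and `.B \-\-rport.` and `.B \-\-up.` in later hunks): the sentence-ending period is set in bold together with the option name, which makes the rendered text look like the option is `--lport.`. Since these lines are being touched anyway, `.BR \-\-lport .` renders the option in bold and the period in roman; the same applies to the comma-separated option lists such as `.B \-\-ipchange, \-\-client-connect,` further down, where `.BR \-\-ipchange , \-\-client-connect ,` keeps the commas out of the bold run.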
... | ... |
@@ -5214,23 +5214,23 @@ after the script returns. |
5214 | 5214 |
.TP |
5215 | 5215 |
.B proto |
5216 | 5216 |
The |
5217 |
-.B --proto |
|
5217 |
+.B \-\-proto |
|
5218 | 5218 |
parameter. |
5219 | 5219 |
Set on program initiation and reset on SIGHUP. |
5220 | 5220 |
.\"********************************************************* |
5221 | 5221 |
.TP |
5222 | 5222 |
.B remote_{n} |
5223 | 5223 |
The |
5224 |
-.B --remote |
|
5224 |
+.B \-\-remote |
|
5225 | 5225 |
parameter. |
5226 | 5226 |
Set on program initiation and reset on SIGHUP. |
5227 | 5227 |
.\"********************************************************* |
5228 | 5228 |
.TP |
5229 | 5229 |
.B remote_port_{n} |
5230 | 5230 |
The remote port number, specified by |
5231 |
-.B --port |
|
5231 |
+.B \-\-port |
|
5232 | 5232 |
or |
5233 |
-.B --rport. |
|
5233 |
+.B \-\-rport. |
|
5234 | 5234 |
Set on program initiation and reset on SIGHUP. |
5235 | 5235 |
.\"********************************************************* |
5236 | 5236 |
.TP |
... | ... |
@@ -5238,29 +5238,29 @@ Set on program initiation and reset on SIGHUP. |
5238 | 5238 |
The pre-existing default IP gateway in the system routing |
5239 | 5239 |
table. |
5240 | 5240 |
Set prior to |
5241 |
-.B --up |
|
5241 |
+.B \-\-up |
|
5242 | 5242 |
script execution. |
5243 | 5243 |
.\"********************************************************* |
5244 | 5244 |
.TP |
5245 | 5245 |
.B route_vpn_gateway |
5246 | 5246 |
The default gateway used by |
5247 |
-.B --route |
|
5247 |
+.B \-\-route |
|
5248 | 5248 |
options, as specified in either the |
5249 |
-.B --route-gateway |
|
5249 |
+.B \-\-route-gateway |
|
5250 | 5250 |
option or the second parameter to |
5251 |
-.B --ifconfig |
|
5251 |
+.B \-\-ifconfig |
|
5252 | 5252 |
when |
5253 |
-.B --dev tun |
|
5253 |
+.B \-\-dev tun |
|
5254 | 5254 |
is specified. |
5255 | 5255 |
Set prior to |
5256 |
-.B --up |
|
5256 |
+.B \-\-up |
|
5257 | 5257 |
script execution. |
5258 | 5258 |
.\"********************************************************* |
5259 | 5259 |
.TP |
5260 | 5260 |
.B route_{parm}_{n} |
5261 | 5261 |
A set of variables which define each route to be added, and |
5262 | 5262 |
are set prior to |
5263 |
-.B --up |
|
5263 |
+.B \-\-up |
|
5264 | 5264 |
script execution. |
5265 | 5265 |
|
5266 | 5266 |
.B parm |
... | ... |
@@ -5279,7 +5279,7 @@ or configuration file. |
5279 | 5279 |
Set to "init" or "restart" prior to up/down script execution. |
5280 | 5280 |
For more information, see |
5281 | 5281 |
documentation for |
5282 |
-.B --up. |
|
5282 |
+.B \-\-up. |
|
5283 | 5283 |
.\"********************************************************* |
5284 | 5284 |
.TP |
5285 | 5285 |
.B script_type |
... | ... |
@@ -5295,15 +5295,15 @@ Set prior to execution of any script. |
5295 | 5295 |
The reason for exit or restart. Can be one of |
5296 | 5296 |
.B sigusr1, sighup, sigterm, sigint, inactive |
5297 | 5297 |
(controlled by |
5298 |
-.B --inactive |
|
5298 |
+.B \-\-inactive |
|
5299 | 5299 |
option), |
5300 | 5300 |
.B ping-exit |
5301 | 5301 |
(controlled by |
5302 |
-.B --ping-exit |
|
5302 |
+.B \-\-ping-exit |
|
5303 | 5303 |
option), |
5304 | 5304 |
.B ping-restart |
5305 | 5305 |
(controlled by |
5306 |
-.B --ping-restart |
|
5306 |
+.B \-\-ping-restart |
|
5307 | 5307 |
option), |
5308 | 5308 |
.B connection-reset |
5309 | 5309 |
(triggered on TCP connection reset), |
... | ... |
@@ -5317,7 +5317,7 @@ or |
5317 | 5317 |
Client connection timestamp, formatted as a human-readable |
5318 | 5318 |
time string. |
5319 | 5319 |
Set prior to execution of the |
5320 |
-.B --client-connect |
|
5320 |
+.B \-\-client-connect |
|
5321 | 5321 |
script. |
5322 | 5322 |
.\"********************************************************* |
5323 | 5323 |
.TP |
... | ... |
@@ -5325,7 +5325,7 @@ script. |
5325 | 5325 |
The duration (in seconds) of the client session which is now |
5326 | 5326 |
disconnecting. |
5327 | 5327 |
Set prior to execution of the |
5328 |
-.B --client-disconnect |
|
5328 |
+.B \-\-client-disconnect |
|
5329 | 5329 |
script. |
5330 | 5330 |
.\"********************************************************* |
5331 | 5331 |
.TP |
... | ... |
@@ -5333,7 +5333,7 @@ script. |
5333 | 5333 |
Client connection timestamp, formatted as a unix integer |
5334 | 5334 |
date/time value. |
5335 | 5335 |
Set prior to execution of the |
5336 |
-.B --client-connect |
|
5336 |
+.B \-\-client-connect |
|
5337 | 5337 |
script. |
5338 | 5338 |
.\"********************************************************* |
5339 | 5339 |
.TP |
... | ... |
@@ -5343,7 +5343,7 @@ where |
5343 | 5343 |
.B n |
5344 | 5344 |
is the verification level. Only set for TLS connections. Set prior |
5345 | 5345 |
to execution of |
5346 |
-.B --tls-verify |
|
5346 |
+.B \-\-tls-verify |
|
5347 | 5347 |
script. |
5348 | 5348 |
.\"********************************************************* |
5349 | 5349 |
.TP |
... | ... |
@@ -5353,34 +5353,34 @@ where |
5353 | 5353 |
.B n |
5354 | 5354 |
is the verification level. Only set for TLS connections. Set prior |
5355 | 5355 |
to execution of |
5356 |
-.B --tls-verify |
|
5356 |
+.B \-\-tls-verify |
|
5357 | 5357 |
script. |
5358 | 5358 |
.\"********************************************************* |
5359 | 5359 |
.TP |
5360 | 5360 |
.B tun_mtu |
5361 | 5361 |
The MTU of the TUN/TAP device. |
5362 | 5362 |
Set prior to |
5363 |
-.B --up |
|
5363 |
+.B \-\-up |
|
5364 | 5364 |
or |
5365 |
-.B --down |
|
5365 |
+.B \-\-down |
|
5366 | 5366 |
script execution. |
5367 | 5367 |
.\"********************************************************* |
5368 | 5368 |
.TP |
5369 | 5369 |
.B trusted_ip |
5370 | 5370 |
Actual IP address of connecting client or peer which has been authenticated. |
5371 | 5371 |
Set prior to execution of |
5372 |
-.B --ipchange, --client-connect, |
|
5372 |
+.B \-\-ipchange, \-\-client-connect, |
|
5373 | 5373 |
and |
5374 |
-.B --client-disconnect |
|
5374 |
+.B \-\-client-disconnect |
|
5375 | 5375 |
scripts. |
5376 | 5376 |
.\"********************************************************* |
5377 | 5377 |
.TP |
5378 | 5378 |
.B trusted_port |
5379 | 5379 |
Actual port number of connecting client or peer which has been authenticated. |
5380 | 5380 |
Set prior to execution of |
5381 |
-.B --ipchange, --client-connect, |
|
5381 |
+.B \-\-ipchange, \-\-client-connect, |
|
5382 | 5382 |
and |
5383 |
-.B --client-disconnect |
|
5383 |
+.B \-\-client-disconnect |
|
5384 | 5384 |
scripts. |
5385 | 5385 |
.\"********************************************************* |
5386 | 5386 |
.TP |
... | ... |
@@ -5389,12 +5389,12 @@ Actual IP address of connecting client or peer which has not been authenticated |
5389 | 5389 |
yet. Sometimes used to |
5390 | 5390 |
.B nmap |
5391 | 5391 |
the connecting host in a |
5392 |
-.B --tls-verify |
|
5392 |
+.B \-\-tls-verify |
|
5393 | 5393 |
script to ensure it is firewalled properly. |
5394 | 5394 |
Set prior to execution of |
5395 |
-.B --tls-verify |
|
5395 |
+.B \-\-tls-verify |
|
5396 | 5396 |
and |
5397 |
-.B --auth-user-pass-verify |
|
5397 |
+.B \-\-auth-user-pass-verify |
|
5398 | 5398 |
scripts. |
5399 | 5399 |
.\"********************************************************* |
5400 | 5400 |
.TP |
... | ... |
@@ -5402,16 +5402,16 @@ scripts. |
5402 | 5402 |
Actual port number of connecting client or peer which has not been authenticated |
5403 | 5403 |
yet. |
5404 | 5404 |
Set prior to execution of |
5405 |
-.B --tls-verify |
|
5405 |
+.B \-\-tls-verify |
|
5406 | 5406 |
and |
5407 |
-.B --auth-user-pass-verify |
|
5407 |
+.B \-\-auth-user-pass-verify |
|
5408 | 5408 |
scripts. |
5409 | 5409 |
.\"********************************************************* |
5410 | 5410 |
.TP |
5411 | 5411 |
.B username |
5412 | 5412 |
The username provided by a connecting client. |
5413 | 5413 |
Set prior to |
5414 |
-.B --auth-user-pass-verify |
|
5414 |
+.B \-\-auth-user-pass-verify |
|
5415 | 5415 |
script execution only when the |
5416 | 5416 |
.B via-env |
5417 | 5417 |
modifier is specified. |
... | ... |
@@ -5423,7 +5423,7 @@ where |
5423 | 5423 |
.B n |
5424 | 5424 |
is the verification level. Only set for TLS connections. Set prior |
5425 | 5425 |
to execution of |
5426 |
-.B --tls-verify |
|
5426 |
+.B \-\-tls-verify |
|
5427 | 5427 |
script. This variable is similar to |
5428 | 5428 |
.B tls_id_{n} |
5429 | 5429 |
except the component X509 subject fields are broken out, and |
... | ... |
@@ -5467,30 +5467,30 @@ Like |
5467 | 5467 |
except don't re-read configuration file, and possibly don't close and reopen TUN/TAP |
5468 | 5468 |
device, re-read key files, preserve local IP address/port, or preserve most recently authenticated |
5469 | 5469 |
remote IP address/port based on |
5470 |
-.B --persist-tun, --persist-key, --persist-local-ip, |
|
5470 |
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip, |
|
5471 | 5471 |
and |
5472 |
-.B --persist-remote-ip |
|
5472 |
+.B \-\-persist-remote-ip |
|
5473 | 5473 |
options respectively (see above). |
5474 | 5474 |
|
5475 | 5475 |
This signal may also be internally generated by a timeout condition, governed |
5476 | 5476 |
by the |
5477 |
-.B --ping-restart |
|
5477 |
+.B \-\-ping-restart |
|
5478 | 5478 |
option. |
5479 | 5479 |
|
5480 | 5480 |
This signal, when combined with |
5481 |
-.B --persist-remote-ip, |
|
5481 |
+.B \-\-persist-remote-ip, |
|
5482 | 5482 |
may be |
5483 | 5483 |
sent when the underlying parameters of the host's network interface change |
5484 | 5484 |
such as when the host is a DHCP client and is assigned a new IP address. |
5485 | 5485 |
See |
5486 |
-.B --ipchange |
|
5486 |
+.B \-\-ipchange |
|
5487 | 5487 |
above for more information. |
5488 | 5488 |
.\"********************************************************* |
5489 | 5489 |
.TP |
5490 | 5490 |
.B SIGUSR2 |
5491 | 5491 |
Causes OpenVPN to display its current statistics (to the syslog |
5492 | 5492 |
file if |
5493 |
-.B --daemon |
|
5493 |
+.B \-\-daemon |
|
5494 | 5494 |
is used, or stdout otherwise). |
5495 | 5495 |
.\"********************************************************* |
5496 | 5496 |
.TP |
... | ... |
@@ -5545,7 +5545,7 @@ If firewalls exist between |
5545 | 5545 |
the two machines, they should be set to forward UDP port 1194 |
5546 | 5546 |
in both directions. If you do not have control over the firewalls |
5547 | 5547 |
between the two machines, you may still be able to use OpenVPN by adding |
5548 |
-.B --ping 15 |
|
5548 |
+.B \-\-ping 15 |
|
5549 | 5549 |
to each of the |
5550 | 5550 |
.B openvpn |
5551 | 5551 |
commands used below in the examples (this will cause each peer to send out |
... | ... |
@@ -5614,11 +5614,11 @@ you will get a weird feedback loop. |
5614 | 5614 |
.LP |
5615 | 5615 |
On may: |
5616 | 5616 |
.IP |
5617 |
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9 |
|
5617 |
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9 |
|
5618 | 5618 |
.LP |
5619 | 5619 |
On june: |
5620 | 5620 |
.IP |
5621 |
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9 |
|
5621 |
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9 |
|
5622 | 5622 |
.LP |
5623 | 5623 |
Now verify the tunnel is working by pinging across the tunnel. |
5624 | 5624 |
.LP |
... | ... |
@@ -5631,17 +5631,17 @@ On june: |
5631 | 5631 |
.B ping 10.4.0.1 |
5632 | 5632 |
.LP |
5633 | 5633 |
The |
5634 |
-.B --verb 9 |
|
5634 |
+.B \-\-verb 9 |
|
5635 | 5635 |
option will produce verbose output, similar to the |
5636 | 5636 |
.BR tcpdump (8) |
5637 | 5637 |
program. Omit the |
5638 |
-.B --verb 9 |
|
5638 |
+.B \-\-verb 9 |
|
5639 | 5639 |
option to have OpenVPN run quietly. |
5640 | 5640 |
.\"********************************************************* |
5641 | 5641 |
.SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret) |
5642 | 5642 |
First build a static key on may. |
5643 | 5643 |
.IP |
5644 |
-.B openvpn --genkey --secret key |
|
5644 |
+.B openvpn \-\-genkey \-\-secret key |
|
5645 | 5645 |
.LP |
5646 | 5646 |
This command will build a random key file called |
5647 | 5647 |
.B key |
... | ... |
@@ -5655,11 +5655,11 @@ program. |
5655 | 5655 |
.LP |
5656 | 5656 |
On may: |
5657 | 5657 |
.IP |
5658 |
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key |
|
5658 |
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key |
|
5659 | 5659 |
.LP |
5660 | 5660 |
On june: |
5661 | 5661 |
.IP |
5662 |
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key |
|
5662 |
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key |
|
5663 | 5663 |
.LP |
5664 | 5664 |
Now verify the tunnel is working by pinging across the tunnel. |
5665 | 5665 |
.LP |
... | ... |
@@ -5681,10 +5681,10 @@ as the TLS server. |
5681 | 5681 |
|
5682 | 5682 |
First, build a separate certificate/key pair |
5683 | 5683 |
for both may and june (see above where |
5684 |
-.B --cert |
|
5684 |
+.B \-\-cert |
|
5685 | 5685 |
is discussed for more info). Then construct |
5686 | 5686 |
Diffie Hellman parameters (see above where |
5687 |
-.B --dh |
|
5687 |
+.B \-\-dh |
|
5688 | 5688 |
is discussed for more info). You can also use the |
5689 | 5689 |
included test files client.crt, client.key, |
5690 | 5690 |
server.crt, server.key and ca.crt. |
... | ... |
@@ -5697,11 +5697,11 @@ parameters you can use the included file dh1024.pem. |
5697 | 5697 |
.LP |
5698 | 5698 |
On may: |
5699 | 5699 |
.IP |
5700 |
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5 |
|
5700 |
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg-sec 60 \-\-verb 5 |
|
5701 | 5701 |
.LP |
5702 | 5702 |
On june: |
5703 | 5703 |
.IP |
5704 |
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5 |
|
5704 |
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg-sec 60 \-\-verb 5 |
|
5705 | 5705 |
.LP |
5706 | 5706 |
Now verify the tunnel is working by pinging across the tunnel. |
5707 | 5707 |
.LP |
... | ... |
@@ -5714,16 +5714,16 @@ On june: |
5714 | 5714 |
.B ping 10.4.0.1 |
5715 | 5715 |
.LP |
5716 | 5716 |
Notice the |
5717 |
-.B --reneg-sec 60 |
|
5717 |
+.B \-\-reneg-sec 60 |
|
5718 | 5718 |
option we used above. That tells OpenVPN to renegotiate |
5719 | 5719 |
the data channel keys every minute. |
5720 | 5720 |
Since we used |
5721 |
-.B --verb 5 |
|
5721 |
+.B \-\-verb 5 |
|
5722 | 5722 |
above, you will see status information on each new key negotiation. |
5723 | 5723 |
|
5724 | 5724 |
For production operations, a key renegotiation interval of 60 seconds |
5725 | 5725 |
is probably too frequent. Omit the |
5726 |
-.B --reneg-sec 60 |
|
5726 |
+.B \-\-reneg-sec 60 |
|
5727 | 5727 |
option to use OpenVPN's default key renegotiation interval of one hour. |
5728 | 5728 |
.\"********************************************************* |
5729 | 5729 |
.SS Routing: |
... | ... |
@@ -5759,7 +5759,7 @@ over the secure tunnel (or vice versa). |
5759 | 5759 |
|
5760 | 5760 |
In a production environment, you could put the route command(s) |
5761 | 5761 |
in a shell script and execute with the |
5762 |
-.B --up |
|
5762 |
+.B \-\-up |
|
5763 | 5763 |
option. |
5764 | 5764 |
.\"********************************************************* |
5765 | 5765 |
.SH FIREWALLS |
... | ... |
@@ -5767,7 +5767,7 @@ OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. |
5767 | 5767 |
You should add an entry to your firewall rules to allow incoming OpenVPN |
5768 | 5768 |
packets. On Linux 2.4+: |
5769 | 5769 |
.IP |
5770 |
-.B iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT |
|
5770 |
+.B iptables -A INPUT -p udp -s 1.2.3.4 \-\-dport 1194 -j ACCEPT |
|
5771 | 5771 |
.LP |
5772 | 5772 |
This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) |
5773 | 5773 |
from an OpenVPN peer at 1.2.3.4. |
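Review bot: the change at 5770 escapes only `\-\-dport` and leaves the single-dash options `-A`, `-p`, `-s` and `-j` on the same line as plain `-`, which groff also renders as a hyphen glyph (U+2010 in UTF-8 output) rather than an ASCII hyphen-minus, so the iptables command is still not copy-paste safe even after this patch. For consistency with the intent of the fix, escape every literal dash in the command: `.B iptables \-A INPUT \-p udp \-s 1.2.3.4 \-\-dport 1194 \-j ACCEPT`. The same applies to the second iptables example in the following hunk (5781).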
... | ... |
@@ -5778,7 +5778,7 @@ address can be considered optional, since HMAC packet authentication |
5778 | 5778 |
is a much more secure method of verifying the authenticity of |
5779 | 5779 |
a packet source. In that case: |
5780 | 5780 |
.IP |
5781 |
-.B iptables -A INPUT -p udp --dport 1194 -j ACCEPT |
|
5781 |
+.B iptables -A INPUT -p udp \-\-dport 1194 -j ACCEPT |
|
5782 | 5782 |
.LP |
5783 | 5783 |
would be adequate and would not render the host inflexible with |
5784 | 5784 |
respect to its peer having a dynamic IP address. |
... | ... |
@@ -5787,7 +5787,7 @@ OpenVPN also works well on stateful firewalls. In some cases, you may |
5787 | 5787 |
not need to add any static rules to the firewall list if you are |
5788 | 5788 |
using a stateful firewall that knows how to track UDP connections. |
5789 | 5789 |
If you specify |
5790 |
-.B --ping n, |
|
5790 |
+.B \-\-ping n, |
|
5791 | 5791 |
OpenVPN will be guaranteed |
5792 | 5792 |
to send a packet to its peer at least once every |
5793 | 5793 |
.B n |