Correct usage example: --verify-x509-name name-stub- name-prefix
This was to correct "--verfiy-x509-name Server -name-prexif"
to "--verify-x509-name Server- name-prefix"
Escape all dashes (with some exceptions)
[DS: On-the-fly change - Updated copyright year from 2010 to 2017]
Signed-off-by: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170819203735.8681-1-fragmentux@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15297.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -77,14 +77,14 @@ of its crypto capabilities from it. |
77 | 77 |
|
78 | 78 |
OpenVPN supports |
79 | 79 |
conventional encryption |
80 |
-using a pre-shared secret key |
|
80 |
+using a pre\-shared secret key |
|
81 | 81 |
.B (Static Key mode) |
82 | 82 |
or |
83 | 83 |
public key security |
84 | 84 |
.B (SSL/TLS mode) |
85 | 85 |
using client & server certificates. |
86 | 86 |
OpenVPN also |
87 |
-supports non-encrypted TCP/UDP tunnels. |
|
87 |
+supports non\-encrypted TCP/UDP tunnels. |
|
88 | 88 |
|
89 | 89 |
OpenVPN is designed to work with the |
90 | 90 |
.B TUN/TAP |
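Review bot: the escaping in this hunk (and in most of the patch) is applied to ordinary hyphenated words such as `pre\-shared` and `non\-encrypted`, where groff's `\-` denotes the minus-sign glyph rather than a hyphen; the visible effect is that these words render with an ASCII `-` instead of a typographic hyphen. That is a defensible choice if the goal is that every dash on the page survives copy-and-paste and grep, but the commit message only says "Escape all dashes (with some exceptions)"; state explicitly that ordinary hyphens are escaped on purpose, so a later cleanup does not revert them as "hyphen-used-as-minus" noise.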
... | ... |
@@ -96,7 +96,7 @@ with a relatively lightweight footprint. |
96 | 96 |
.SH OPTIONS |
97 | 97 |
OpenVPN allows any option to be placed either on the command line |
98 | 98 |
or in a configuration file. Though all command line options are preceded |
99 |
-by a double-leading-dash ("\-\-"), this prefix can be removed when |
|
99 |
+by a double\-leading\-dash ("\-\-"), this prefix can be removed when |
|
100 | 100 |
an option is placed in a configuration file. |
101 | 101 |
.\"********************************************************* |
102 | 102 |
.TP |
... | ... |
@@ -126,7 +126,7 @@ can be used to enclose single parameters containing whitespace, |
126 | 126 |
and "#" or ";" characters in the first column |
127 | 127 |
can be used to denote comments. |
128 | 128 |
|
129 |
-Note that OpenVPN 2.0 and higher performs backslash-based shell |
|
129 |
+Note that OpenVPN 2.0 and higher performs backslash\-based shell |
|
130 | 130 |
escaping for characters not in single quotations, |
131 | 131 |
so the following mappings should be observed: |
132 | 132 |
|
... | ... |
@@ -164,7 +164,7 @@ Here is an example configuration file: |
164 | 164 |
.in +4 |
165 | 165 |
# |
166 | 166 |
# Sample OpenVPN configuration file for |
167 |
-# using a pre-shared static key. |
|
167 |
+# using a pre\-shared static key. |
|
168 | 168 |
# |
169 | 169 |
# '#' or ';' may be used to delimit comments. |
170 | 170 |
|
... | ... |
@@ -178,7 +178,7 @@ remote mypeer.mydomain |
178 | 178 |
# 10.1.0.2 is our remote VPN endpoint |
179 | 179 |
ifconfig 10.1.0.1 10.1.0.2 |
180 | 180 |
|
181 |
-# Our pre-shared static key |
|
181 |
+# Our pre\-shared static key |
|
182 | 182 |
secret static.key |
183 | 183 |
.in -4 |
184 | 184 |
.ft |
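Review bot: the `.in -4` request argument at line 183 is correctly left unescaped in this hunk, since roff request arguments are not rendered text and do not need the `\-` treatment. This looks like one of the "some exceptions" the commit message refers to without naming them; listing the exceptions (request arguments such as `.in -4` and `.in +4`) in the message would make the rule reproducible for future edits to this file.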
... | ... |
@@ -188,8 +188,8 @@ secret static.key |
188 | 188 |
.TP |
189 | 189 |
.B \-\-mode m |
190 | 190 |
Set OpenVPN major mode. By default, OpenVPN runs in |
191 |
-point-to-point mode ("p2p"). OpenVPN 2.0 introduces |
|
192 |
-a new mode ("server") which implements a multi-client |
|
191 |
+point\-to\-point mode ("p2p"). OpenVPN 2.0 introduces |
|
192 |
+a new mode ("server") which implements a multi\-client |
|
193 | 193 |
server capability. |
194 | 194 |
.\"********************************************************* |
195 | 195 |
.TP |
... | ... |
@@ -206,7 +206,7 @@ options may be specified for redundancy, each referring |
206 | 206 |
to a different OpenVPN server. Specifying multiple |
207 | 207 |
.B \-\-remote |
208 | 208 |
options for this purpose is a special case of the more |
209 |
-general connection-profile feature. See the |
|
209 |
+general connection\-profile feature. See the |
|
210 | 210 |
.B <connection> |
211 | 211 |
documentation below. |
212 | 212 |
|
... | ... |
@@ -243,7 +243,7 @@ the client with |
243 | 243 |
.B \-\-user |
244 | 244 |
and/or |
245 | 245 |
.B \-\-group, |
246 |
-AND the client is running a non-Windows OS, if the client needs |
|
246 |
+AND the client is running a non\-Windows OS, if the client needs |
|
247 | 247 |
to switch to a different server, and that server pushes |
248 | 248 |
back different TUN/TAP or route settings, the client may lack |
249 | 249 |
the necessary privileges to close and reopen the TUN/TAP interface. |
... | ... |
@@ -277,7 +277,7 @@ and IPv6 addresses, in the order getaddrinfo() returns them. |
277 | 277 |
.B \-\-remote\-random\-hostname |
278 | 278 |
Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent |
279 | 279 |
DNS caching. For example, "foo.bar.gov" would be modified to |
280 |
-"<random-chars>.foo.bar.gov". |
|
280 |
+"<random\-chars>.foo.bar.gov". |
|
281 | 281 |
.\"********************************************************* |
282 | 282 |
.TP |
283 | 283 |
.B <connection> |
... | ... |
@@ -404,7 +404,7 @@ When multiple |
404 | 404 |
.B \-\-remote |
405 | 405 |
address/ports are specified, or if connection profiles are being |
406 | 406 |
used, initially randomize the order of the list |
407 |
-as a kind of basic load-balancing measure. |
|
407 |
+as a kind of basic load\-balancing measure. |
|
408 | 408 |
.\"********************************************************* |
409 | 409 |
.TP |
410 | 410 |
.B \-\-proto p |
... | ... |
@@ -453,12 +453,12 @@ networks. |
453 | 453 |
|
454 | 454 |
This article outlines some of problems with tunneling IP over TCP: |
455 | 455 |
|
456 |
-.I http://sites.inka.de/sites/bigred/devel/tcp-tcp.html |
|
456 |
+.I http://sites.inka.de/sites/bigred/devel/tcp\-tcp.html |
|
457 | 457 |
|
458 | 458 |
There are certain cases, however, where using TCP may be advantageous from |
459 |
-a security and robustness perspective, such as tunneling non-IP or |
|
460 |
-application-level UDP protocols, or tunneling protocols which don't |
|
461 |
-possess a built-in reliability layer. |
|
459 |
+a security and robustness perspective, such as tunneling non\-IP or |
|
460 |
+application\-level UDP protocols, or tunneling protocols which don't |
|
461 |
+possess a built\-in reliability layer. |
|
462 | 462 |
.\"********************************************************* |
463 | 463 |
.TP |
464 | 464 |
.B \-\-connect\-retry n [max] |
... | ... |
@@ -489,12 +489,12 @@ Show sensed HTTP or SOCKS proxy settings. Currently, only Windows clients |
489 | 489 |
support this option. |
490 | 490 |
.\"********************************************************* |
491 | 491 |
.TP |
492 |
-.B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth-method] |
|
492 |
+.B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth\-method] |
|
493 | 493 |
Connect to remote host through an HTTP proxy at address |
494 | 494 |
.B server |
495 | 495 |
and port |
496 | 496 |
.B port. |
497 |
-If HTTP Proxy-Authenticate is required, |
|
497 |
+If HTTP Proxy\-Authenticate is required, |
|
498 | 498 |
.B authfile |
499 | 499 |
is a file containing a username and password on 2 lines, or |
500 | 500 |
"stdin" to prompt from console. Its content can also be specified |
... | ... |
@@ -522,7 +522,7 @@ exists on OpenVPN 2.1 or higher. |
522 | 522 |
|
523 | 523 |
The |
524 | 524 |
.B auto\-nct |
525 |
-flag (no clear-text auth) instructs OpenVPN to automatically |
|
525 |
+flag (no clear\-text auth) instructs OpenVPN to automatically |
|
526 | 526 |
determine the authentication method, but to reject weak |
527 | 527 |
authentication protocols such as HTTP Basic Authentication. |
528 | 528 |
.\"********************************************************* |
... | ... |
@@ -531,16 +531,16 @@ authentication protocols such as HTTP Basic Authentication. |
531 | 531 |
Set extended HTTP proxy options. |
532 | 532 |
Repeat to set multiple options. |
533 | 533 |
|
534 |
-.B VERSION version -- |
|
534 |
+.B VERSION version \-\- |
|
535 | 535 |
Set HTTP version number to |
536 | 536 |
.B version |
537 | 537 |
(default=1.0). |
538 | 538 |
|
539 |
-.B AGENT user-agent -- |
|
540 |
-Set HTTP "User-Agent" string to |
|
541 |
-.B user-agent. |
|
539 |
+.B AGENT user\-agent \-\- |
|
540 |
+Set HTTP "User\-Agent" string to |
|
541 |
+.B user\-agent. |
|
542 | 542 |
|
543 |
-.B CUSTOM\-HEADER name content -- |
|
543 |
+.B CUSTOM\-HEADER name content \-\- |
|
544 | 544 |
Adds the custom Header with |
545 | 545 |
.B name |
546 | 546 |
as name and |
... | ... |
@@ -588,7 +588,7 @@ at a known address, however if packets arrive from a new |
588 | 588 |
address and pass all authentication tests, the new address |
589 | 589 |
will take control of the session. This is useful when |
590 | 590 |
you are connecting to a peer which holds a dynamic address |
591 |
-such as a dial-in user or DHCP client. |
|
591 |
+such as a dial\-in user or DHCP client. |
|
592 | 592 |
|
593 | 593 |
Essentially, |
594 | 594 |
.B \-\-float |
... | ... |
@@ -601,12 +601,12 @@ option. |
601 | 601 |
.B \-\-ipchange cmd |
602 | 602 |
Run command |
603 | 603 |
.B cmd |
604 |
-when our remote ip-address is initially authenticated or |
|
604 |
+when our remote ip\-address is initially authenticated or |
|
605 | 605 |
changes. |
606 | 606 |
|
607 | 607 |
.B cmd |
608 | 608 |
consists of a path to script (or executable program), optionally |
609 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
609 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
610 | 610 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
611 | 611 |
|
612 | 612 |
When |
... | ... |
@@ -656,7 +656,7 @@ and |
656 | 656 |
.B \-\-rport |
657 | 657 |
options to given port). The current |
658 | 658 |
default of 1194 represents the official IANA port number |
659 |
-assignment for OpenVPN and has been used since version 2.0-beta17. |
|
659 |
+assignment for OpenVPN and has been used since version 2.0\-beta17. |
|
660 | 660 |
Previous versions used port 5000 as the default. |
661 | 661 |
.\"********************************************************* |
662 | 662 |
.TP |
... | ... |
@@ -717,9 +717,9 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while |
717 | 717 |
devices encapsulate Ethernet 802.3 (OSI Layer 2). |
718 | 718 |
.\"********************************************************* |
719 | 719 |
.TP |
720 |
-.B \-\-dev\-type device-type |
|
720 |
+.B \-\-dev\-type device\-type |
|
721 | 721 |
Which device type are we using? |
722 |
-.B device-type |
|
722 |
+.B device\-type |
|
723 | 723 |
should be |
724 | 724 |
.B tun |
725 | 725 |
(OSI Layer 3) |
... | ... |
@@ -756,13 +756,13 @@ directive, this directive must always be compatible between client and server. |
756 | 756 |
can be one of: |
757 | 757 |
|
758 | 758 |
.B net30 \-\- |
759 |
-Use a point-to-point topology, by allocating one /30 subnet per client. |
|
760 |
-This is designed to allow point-to-point semantics when some |
|
759 |
+Use a point\-to\-point topology, by allocating one /30 subnet per client. |
|
760 |
+This is designed to allow point\-to\-point semantics when some |
|
761 | 761 |
or all of the connecting clients might be Windows systems. This is the |
762 | 762 |
default on OpenVPN 2.0. |
763 | 763 |
|
764 | 764 |
.B p2p \-\- |
765 |
-Use a point-to-point topology where the remote endpoint of the client's |
|
765 |
+Use a point\-to\-point topology where the remote endpoint of the client's |
|
766 | 766 |
tun interface always points to the local endpoint of the server's tun interface. |
767 | 767 |
This mode allocates a single IP address per connecting client. |
768 | 768 |
Only use |
... | ... |
@@ -773,7 +773,7 @@ directive which is available in OpenVPN 2.0, is deprecated and will be |
773 | 773 |
removed in OpenVPN 2.5 |
774 | 774 |
|
775 | 775 |
.B subnet \-\- |
776 |
-Use a subnet rather than a point-to-point topology by |
|
776 |
+Use a subnet rather than a point\-to\-point topology by |
|
777 | 777 |
configuring the tun interface with a local IP address and subnet mask, |
778 | 778 |
similar to the topology used in |
779 | 779 |
.B \-\-dev tap |
... | ... |
@@ -783,7 +783,7 @@ Windows as well. Only available when server and clients are OpenVPN 2.1 or |
783 | 783 |
higher, or OpenVPN 2.0.x which has been manually patched with the |
784 | 784 |
.B \-\-topology |
785 | 785 |
directive code. When used on Windows, requires version 8.2 or higher |
786 |
-of the TAP-Win32 driver. When used on *nix, requires that the tun |
|
786 |
+of the TAP\-Win32 driver. When used on *nix, requires that the tun |
|
787 | 787 |
driver supports an |
788 | 788 |
.BR ifconfig (8) |
789 | 789 |
command which sets a subnet instead of a remote endpoint IP address. |
... | ... |
@@ -819,7 +819,7 @@ When not specifying a |
819 | 819 |
.B \-\-dev\-node |
820 | 820 |
option openvpn will first try to open utun, and fall back to tun.kext. |
821 | 821 |
|
822 |
-On Windows systems, select the TAP-Win32 adapter which |
|
822 |
+On Windows systems, select the TAP\-Win32 adapter which |
|
823 | 823 |
is named |
824 | 824 |
.B node |
825 | 825 |
in the Network Connections Control Panel or the |
... | ... |
@@ -827,10 +827,10 @@ raw GUID of the adapter enclosed by braces. |
827 | 827 |
The |
828 | 828 |
.B \-\-show\-adapters |
829 | 829 |
option under Windows can also be used |
830 |
-to enumerate all available TAP-Win32 |
|
830 |
+to enumerate all available TAP\-Win32 |
|
831 | 831 |
adapters and will show both the network |
832 | 832 |
connections control panel name and the GUID for |
833 |
-each TAP-Win32 adapter. |
|
833 |
+each TAP\-Win32 adapter. |
|
834 | 834 |
.TP |
835 | 835 |
.B \-\-lladdr address |
836 | 836 |
Specify the link layer address, more commonly known as the MAC address. |
... | ... |
@@ -846,7 +846,7 @@ May be used in order to execute OpenVPN in unprivileged environment. |
846 | 846 |
Set TUN/TAP adapter parameters. |
847 | 847 |
.B l |
848 | 848 |
is the IP address of the local VPN endpoint. |
849 |
-For TUN devices in point-to-point mode, |
|
849 |
+For TUN devices in point\-to\-point mode, |
|
850 | 850 |
.B rn |
851 | 851 |
is the IP address of the remote VPN endpoint. |
852 | 852 |
For TAP devices, or TUN devices used with |
... | ... |
@@ -856,7 +856,7 @@ is the subnet mask of the virtual network segment |
856 | 856 |
which is being created or connected to. |
857 | 857 |
|
858 | 858 |
For TUN devices, which facilitate virtual |
859 |
-point-to-point IP connections (when used in |
|
859 |
+point\-to\-point IP connections (when used in |
|
860 | 860 |
.B \-\-topology net30 |
861 | 861 |
or |
862 | 862 |
.B p2p |
... | ... |
@@ -876,7 +876,7 @@ you will be pinging across the VPN. |
876 | 876 |
For TAP devices, which provide |
877 | 877 |
the ability to create virtual |
878 | 878 |
ethernet segments, or TUN devices in |
879 |
-.B --topology subnet |
|
879 |
+.B \-\-topology subnet |
|
880 | 880 |
mode (which create virtual "multipoint networks"), |
881 | 881 |
.B \-\-ifconfig |
882 | 882 |
is used to set an IP address and |
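Review bot: the `.B --topology subnet` to `.B \-\-topology subnet` change at line 879 is the one hunk here that fixes a real inconsistency rather than applying the blanket rule: every other bold option reference in the file already uses the escaped form (compare `.B \-\-ifconfig` two lines below), and on UTF-8 output devices groff renders a plain `-` as a typographic hyphen, so the old text would not copy-paste as an ASCII option name. Worth calling out separately in the commit message, since it is a user-visible fix and not just cosmetics.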
... | ... |
@@ -956,10 +956,10 @@ while at the same time providing portable semantics |
956 | 956 |
across OpenVPN's platform space. |
957 | 957 |
|
958 | 958 |
.B netmask |
959 |
-default -- 255.255.255.255 |
|
959 |
+default \-\- 255.255.255.255 |
|
960 | 960 |
|
961 | 961 |
.B gateway |
962 |
-default -- taken from |
|
962 |
+default \-\- taken from |
|
963 | 963 |
.B \-\-route\-gateway |
964 | 964 |
or the second parameter to |
965 | 965 |
.B \-\-ifconfig |
... | ... |
@@ -968,7 +968,7 @@ when |
968 | 968 |
is specified. |
969 | 969 |
|
970 | 970 |
.B metric |
971 |
-default -- taken from |
|
971 |
+default \-\- taken from |
|
972 | 972 |
.B \-\-route\-metric |
973 | 973 |
otherwise 0. |
974 | 974 |
|
... | ... |
@@ -984,7 +984,7 @@ also be specified as a DNS or /etc/hosts |
984 | 984 |
file resolvable name, or as one of three special keywords: |
985 | 985 |
|
986 | 986 |
.B vpn_gateway |
987 |
+\-\- The remote VPN endpoint address |
|
987 | 988 |
(derived either from |
988 | 989 |
.B \-\-route\-gateway |
989 | 990 |
or the second parameter to |
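Review bot: the hunk header says `-984,7 +984,7`, i.e. one line removed for one added, yet only the `+\-\- The remote VPN endpoint address` line is displayed, with no matching `-` line. The removed line almost certainly began with `-- The remote ...`, which in unified-diff form becomes `--- The remote ...` and is easily mistaken for a file header by diff renderers, so the gap is in this view rather than in the patch. Check the raw patch from the mail archive to confirm the `-` line is present and that the hunk applies cleanly; the same gap appears in the hunks at `@@ -994` and `@@ -1271`.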
... | ... |
@@ -994,11 +994,11 @@ when |
994 | 994 |
is specified). |
995 | 995 |
|
996 | 996 |
.B net_gateway |
997 |
+\-\- The pre\-existing IP default gateway, read from the routing |
|
997 | 998 |
table (not supported on all OSes). |
998 | 999 |
|
999 | 1000 |
.B remote_host |
1001 |
+\-\- The |
|
1000 | 1002 |
.B \-\-remote |
1001 | 1003 |
address if OpenVPN is being run in client mode, and is undefined in server mode. |
1002 | 1004 |
.\"********************************************************* |
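Review bot: same rendering gap as in the `@@ -984` hunk: the header `-994,11 +994,11` balances removals against the two `+\-\-` lines at new 997 and 1001, but only nine old-side lines are shown and no `-` lines at all. The old lines (starting `-- The ...`) were most likely swallowed as `---` file headers by the renderer; verify against the raw patch rather than this view.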
... | ... |
@@ -1013,7 +1013,7 @@ If |
1013 | 1013 |
.B dhcp |
1014 | 1014 |
is specified as the parameter, |
1015 | 1015 |
the gateway address will be extracted from a DHCP |
1016 |
-negotiation with the OpenVPN server-side LAN. |
|
1016 |
+negotiation with the OpenVPN server\-side LAN. |
|
1017 | 1017 |
.\"********************************************************* |
1018 | 1018 |
.TP |
1019 | 1019 |
.B \-\-route\-metric m |
... | ... |
@@ -1053,7 +1053,7 @@ On Windows, |
1053 | 1053 |
tries to be more intelligent by waiting |
1054 | 1054 |
.B w |
1055 | 1055 |
seconds (w=30 by default) |
1056 |
-for the TAP-Win32 adapter to come up before adding routes. |
|
1056 |
+for the TAP\-Win32 adapter to come up before adding routes. |
|
1057 | 1057 |
.\"********************************************************* |
1058 | 1058 |
.TP |
1059 | 1059 |
.B \-\-route\-up cmd |
... | ... |
@@ -1064,7 +1064,7 @@ after routes are added, subject to |
1064 | 1064 |
|
1065 | 1065 |
.B cmd |
1066 | 1066 |
consists of a path to script (or executable program), optionally |
1067 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
1067 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
1068 | 1068 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
1069 | 1069 |
|
1070 | 1070 |
See the "Environmental Variables" section below for |
... | ... |
@@ -1078,7 +1078,7 @@ before routes are removed upon disconnection. |
1078 | 1078 |
|
1079 | 1079 |
.B cmd |
1080 | 1080 |
consists of a path to script (or executable program), optionally |
1081 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
1081 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
1082 | 1082 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
1083 | 1083 |
|
1084 | 1084 |
See the "Environmental Variables" section below for |
... | ... |
@@ -1096,7 +1096,7 @@ When used with |
1096 | 1096 |
.B \-\-client |
1097 | 1097 |
or |
1098 | 1098 |
.B \-\-pull, |
1099 |
-accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp |
|
1099 |
+accept options pushed by server EXCEPT for routes, block\-outside\-dns and dhcp |
|
1100 | 1100 |
options like DNS servers. |
1101 | 1101 |
|
1102 | 1102 |
When used on the client, this option effectively bars the |
... | ... |
@@ -1115,7 +1115,7 @@ and |
1115 | 1115 |
.\"********************************************************* |
1116 | 1116 |
.TP |
1117 | 1117 |
.B \-\-client\-nat snat|dnat network netmask alias |
1118 |
-This pushable client option sets up a stateless one-to-one NAT |
|
1118 |
+This pushable client option sets up a stateless one\-to\-one NAT |
|
1119 | 1119 |
rule on packet addresses (not ports), and is useful in cases |
1120 | 1120 |
where routes or ifconfig settings pushed to the client would |
1121 | 1121 |
create an IP numbering conflict. |
... | ... |
@@ -1141,14 +1141,14 @@ addresses in packets. |
1141 | 1141 |
.TP |
1142 | 1142 |
.B \-\-redirect\-gateway flags... |
1143 | 1143 |
Automatically execute routing commands to cause all outgoing IP traffic |
1144 |
-to be redirected over the VPN. This is a client-side option. |
|
1144 |
+to be redirected over the VPN. This is a client\-side option. |
|
1145 | 1145 |
|
1146 | 1146 |
This option performs three steps: |
1147 | 1147 |
|
1148 | 1148 |
.B (1) |
1149 | 1149 |
Create a static route for the |
1150 | 1150 |
.B \-\-remote |
1151 |
-address which forwards to the pre-existing default gateway. |
|
1151 |
+address which forwards to the pre\-existing default gateway. |
|
1152 | 1152 |
This is done so that |
1153 | 1153 |
.B (3) |
1154 | 1154 |
will not create a routing loop. |
... | ... |
@@ -1185,39 +1185,39 @@ Try to automatically determine whether to enable |
1185 | 1185 |
.B local |
1186 | 1186 |
flag above. |
1187 | 1187 |
|
1188 |
-.B def1 -- |
|
1188 |
+.B def1 \-\- |
|
1189 | 1189 |
Use this flag to override |
1190 | 1190 |
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 |
1191 | 1191 |
rather than 0.0.0.0/0. This has the benefit of overriding |
1192 | 1192 |
but not wiping out the original default gateway. |
1193 | 1193 |
|
1194 |
-.B bypass-dhcp -- |
|
1195 |
-Add a direct route to the DHCP server (if it is non-local) which |
|
1194 |
+.B bypass\-dhcp \-\- |
|
1195 |
+Add a direct route to the DHCP server (if it is non\-local) which |
|
1196 | 1196 |
bypasses the tunnel |
1197 | 1197 |
(Available on Windows clients, may not be available |
1198 |
-on non-Windows clients). |
|
1198 |
+on non\-Windows clients). |
|
1199 | 1199 |
|
1200 |
-.B bypass-dns -- |
|
1201 |
-Add a direct route to the DNS server(s) (if they are non-local) which |
|
1200 |
+.B bypass\-dns \-\- |
|
1201 |
+Add a direct route to the DNS server(s) (if they are non\-local) which |
|
1202 | 1202 |
bypasses the tunnel |
1203 | 1203 |
(Available on Windows clients, may not be available |
1204 |
-on non-Windows clients). |
|
1204 |
+on non\-Windows clients). |
|
1205 | 1205 |
|
1206 |
-.B block-local -- |
|
1206 |
+.B block\-local \-\- |
|
1207 | 1207 |
Block access to local LAN when the tunnel is active, except for |
1208 | 1208 |
the LAN gateway itself. This is accomplished by routing the local |
1209 | 1209 |
LAN (except for the LAN gateway address) into the tunnel. |
1210 | 1210 |
|
1211 |
-.B ipv6 -- |
|
1211 |
+.B ipv6 \-\- |
|
1212 | 1212 |
Redirect IPv6 routing into the tunnel. This works similar to the |
1213 | 1213 |
.B def1 |
1214 | 1214 |
flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), |
1215 | 1215 |
covering the whole IPv6 unicast space. |
1216 | 1216 |
|
1217 |
-.B !ipv4 -- |
|
1218 |
-Do not redirect IPv4 traffic - typically used in the flag pair |
|
1217 |
+.B !ipv4 \-\- |
|
1218 |
+Do not redirect IPv4 traffic \- typically used in the flag pair |
|
1219 | 1219 |
.B "ipv6 !ipv4" |
1220 |
-to redirect IPv6-only. |
|
1220 |
+to redirect IPv6\-only. |
|
1221 | 1221 |
.\"********************************************************* |
1222 | 1222 |
.TP |
1223 | 1223 |
.B \-\-link\-mtu n |
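Review bot: at line 1218, `IPv4 traffic \- typically used`, the dash is punctuation, not part of an option name or a hyphenated word; `\-` is groff's minus sign, so the semantically right escape for a dash in running text is `\(en` (en dash), or the sentence could simply be rephrased with a comma. The same applies to `anyway \- all` at line 1815 in the `@@ -1812` hunk. The rest of this hunk (`bypass\-dhcp`, `block\-local`, `IPv6\-only`) is consistent with the stated rule.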
... | ... |
@@ -1271,13 +1271,13 @@ Should we do Path MTU discovery on TCP/UDP channel? Only supported on OSes such |
1271 | 1271 |
as Linux that supports the necessary system call to set. |
1272 | 1272 |
|
1273 | 1273 |
.B 'no' |
1274 |
+\-\- Never send DF (Don't Fragment) frames |
|
1274 | 1275 |
.br |
1275 | 1276 |
.B 'maybe' |
1277 |
+\-\- Use per\-route hints |
|
1276 | 1278 |
.br |
1277 | 1279 |
.B 'yes' |
1280 |
+\-\- Always DF (Don't Fragment) |
|
1278 | 1281 |
.br |
1279 | 1282 |
.\"********************************************************* |
1280 | 1283 |
.TP |
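Review bot: the header `-1271,13 +1271,13` implies three removed lines, but the old side shows only ten lines (1271 to 1280) and the three `+\-\-` lines at new 1274, 1277 and 1280 have no `-` counterparts. As with `@@ -984`, the removed lines (`-- Never send DF ...` and so on) become `---` in unified-diff form and were dropped by the renderer; confirm from the raw patch that the `-` lines are there so the hunk is not misread as a pure insertion of duplicate text.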
... | ... |
@@ -1357,7 +1357,7 @@ without IP level fragmentation. |
1357 | 1357 |
The |
1358 | 1358 |
.B \-\-mssfix |
1359 | 1359 |
option only makes sense when you are using the UDP protocol |
1360 |
-for OpenVPN peer-to-peer communication, i.e. |
|
1360 |
+for OpenVPN peer\-to\-peer communication, i.e. |
|
1361 | 1361 |
.B \-\-proto udp. |
1362 | 1362 |
|
1363 | 1363 |
.B \-\-mssfix |
... | ... |
@@ -1396,7 +1396,7 @@ parameter from the |
1396 | 1396 |
option. |
1397 | 1397 |
|
1398 | 1398 |
Therefore, one could lower the maximum UDP packet size |
1399 |
-to 1300 (a good first try for solving MTU-related |
|
1399 |
+to 1300 (a good first try for solving MTU\-related |
|
1400 | 1400 |
connection problems) with the following options: |
1401 | 1401 |
|
1402 | 1402 |
.B \-\-tun\-mtu 1500 \-\-fragment 1300 \-\-mssfix |
... | ... |
@@ -1459,11 +1459,11 @@ seconds before queuing the next write. |
1459 | 1459 |
|
1460 | 1460 |
It should be noted that OpenVPN supports multiple |
1461 | 1461 |
tunnels between the same two peers, allowing you |
1462 |
-to construct full-speed and reduced bandwidth tunnels |
|
1462 |
+to construct full\-speed and reduced bandwidth tunnels |
|
1463 | 1463 |
at the same time, |
1464 |
-routing low-priority data such as off-site backups |
|
1464 |
+routing low\-priority data such as off\-site backups |
|
1465 | 1465 |
over the reduced bandwidth tunnel, and other data |
1466 |
-over the full-speed tunnel. |
|
1466 |
+over the full\-speed tunnel. |
|
1467 | 1467 |
|
1468 | 1468 |
Also note that for low bandwidth tunnels |
1469 | 1469 |
(under 1000 bytes per second), you should probably |
... | ... |
@@ -1538,7 +1538,7 @@ This option can be combined with |
1538 | 1538 |
.B \-\-inactive, \-\-ping, |
1539 | 1539 |
and |
1540 | 1540 |
.B \-\-ping\-exit |
1541 |
-to create a two-tiered inactivity disconnect. |
|
1541 |
+to create a two\-tiered inactivity disconnect. |
|
1542 | 1542 |
|
1543 | 1543 |
For example, |
1544 | 1544 |
|
... | ... |
@@ -1561,7 +1561,7 @@ or other packet from remote. |
1561 | 1561 |
|
1562 | 1562 |
This option is useful in cases |
1563 | 1563 |
where the remote peer has a dynamic IP address and |
1564 |
-a low-TTL DNS name is used to track the IP address using |
|
1564 |
+a low\-TTL DNS name is used to track the IP address using |
|
1565 | 1565 |
a service such as |
1566 | 1566 |
.I http://dyndns.org/ |
1567 | 1567 |
+ a dynamic DNS client such |
... | ... |
@@ -1571,7 +1571,7 @@ as |
1571 | 1571 |
If the peer cannot be reached, a restart will be triggered, causing |
1572 | 1572 |
the hostname used with |
1573 | 1573 |
.B \-\-remote |
1574 |
-to be re-resolved (if |
|
1574 |
+to be re\-resolved (if |
|
1575 | 1575 |
.B \-\-resolv\-retry |
1576 | 1576 |
is also specified). |
1577 | 1577 |
|
... | ... |
@@ -1677,12 +1677,12 @@ restarts. |
1677 | 1677 |
.B SIGUSR1 |
1678 | 1678 |
is a restart signal similar to |
1679 | 1679 |
.B SIGHUP, |
1680 |
-but which offers finer-grained control over |
|
1680 |
+but which offers finer\-grained control over |
|
1681 | 1681 |
reset options. |
1682 | 1682 |
.\"********************************************************* |
1683 | 1683 |
.TP |
1684 | 1684 |
.B \-\-persist\-key |
1685 |
-Don't re-read key files across |
|
1685 |
+Don't re\-read key files across |
|
1686 | 1686 |
.B SIGUSR1 |
1687 | 1687 |
or |
1688 | 1688 |
.B \-\-ping\-restart. |
... | ... |
@@ -1693,12 +1693,12 @@ to allow restarts triggered by the |
1693 | 1693 |
.B SIGUSR1 |
1694 | 1694 |
signal. |
1695 | 1695 |
Normally if you drop root privileges in OpenVPN, |
1696 |
-the daemon cannot be restarted since it will now be unable to re-read protected |
|
1696 |
+the daemon cannot be restarted since it will now be unable to re\-read protected |
|
1697 | 1697 |
key files. |
1698 | 1698 |
|
1699 | 1699 |
This option solves the problem by persisting keys across |
1700 | 1700 |
.B SIGUSR1 |
1701 |
-resets, so they don't need to be re-read. |
|
1701 |
+resets, so they don't need to be re\-read. |
|
1702 | 1702 |
.\"********************************************************* |
1703 | 1703 |
.TP |
1704 | 1704 |
.B \-\-persist\-local\-ip |
... | ... |
@@ -1755,7 +1755,7 @@ UID change). |
1755 | 1755 |
|
1756 | 1756 |
.B cmd |
1757 | 1757 |
consists of a path to script (or executable program), optionally |
1758 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
1758 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
1759 | 1759 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
1760 | 1760 |
|
1761 | 1761 |
The up command is useful for specifying route |
... | ... |
@@ -1780,7 +1780,7 @@ additional parameters passed as environmental variables. |
1780 | 1780 |
|
1781 | 1781 |
Note that if |
1782 | 1782 |
.B cmd |
1783 |
-includes arguments, all OpenVPN-generated arguments will be appended |
|
1783 |
+includes arguments, all OpenVPN\-generated arguments will be appended |
|
1784 | 1784 |
to them to build an argument list with which the executable will be |
1785 | 1785 |
called. |
1786 | 1786 |
|
... | ... |
@@ -1812,7 +1812,7 @@ as the last parameter. |
1812 | 1812 |
|
1813 | 1813 |
NOTE: on restart, OpenVPN will not pass the full set of environment |
1814 | 1814 |
variables to the script. Namely, everything related to routing and |
1815 |
-gateways will not be passed, as nothing needs to be done anyway - all |
|
1815 |
+gateways will not be passed, as nothing needs to be done anyway \- all |
|
1816 | 1816 |
the routing setup is already in place. Additionally, the up\-restart |
1817 | 1817 |
script will run with the downgraded UID/GID settings (if configured). |
1818 | 1818 |
|
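Review bot: `anyway \- all` at line 1815 is a punctuation dash, the same point as at line 1218 in the `@@ -1185` hunk: `\-` is the minus glyph, so use `\(en` here or rephrase the sentence; the change is otherwise consistent with the rule.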
... | ... |
@@ -1821,7 +1821,7 @@ The following standalone example shows how the |
1821 | 1821 |
script can be called in both an initialization and restart context. |
1822 | 1822 |
(NOTE: for security reasons, don't run the following example unless UDP port |
1823 | 1823 |
9999 is blocked by your firewall. Also, the example will run indefinitely, |
1824 |
-so you should abort with control-c). |
|
1824 |
+so you should abort with control\-c). |
|
1825 | 1825 |
|
1826 | 1826 |
.B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping\-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist\-tun \-\-up\-restart |
1827 | 1827 |
|
... | ... |
@@ -1858,7 +1858,7 @@ mode, this option normally requires the use of |
1858 | 1858 |
to allow connection initiation to be sensed in the absence |
1859 | 1859 |
of tunnel data, since UDP is a "connectionless" protocol. |
1860 | 1860 |
|
1861 |
-On Windows, this option will delay the TAP-Win32 media state |
|
1861 |
+On Windows, this option will delay the TAP\-Win32 media state |
|
1862 | 1862 |
transitioning to "connected" until connection establishment, |
1863 | 1863 |
i.e. the receipt of the first authenticated packet from the peer. |
1864 | 1864 |
.\"********************************************************* |
... | ... |
@@ -1874,7 +1874,7 @@ UID change and/or |
1874 | 1874 |
). |
1875 | 1875 |
.B cmd |
1876 | 1876 |
consists of a path to script (or executable program), optionally |
1877 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
1877 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
1878 | 1878 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
1879 | 1879 |
|
1880 | 1880 |
Called with the same parameters and environmental |
... | ... |
@@ -1970,7 +1970,7 @@ is available since OpenVPN 2.3.3. |
1970 | 1970 |
.\"********************************************************* |
1971 | 1971 |
.TP |
1972 | 1972 |
.B \-\-script\-security level |
1973 |
-This directive offers policy-level control over OpenVPN's usage of external programs |
|
1973 |
+This directive offers policy\-level control over OpenVPN's usage of external programs |
|
1974 | 1974 |
and scripts. Lower |
1975 | 1975 |
.B level |
1976 | 1976 |
values are more restrictive, higher values are more permissive. Settings for |
... | ... |
@@ -1980,10 +1980,10 @@ values are more restrictive, higher values are more permissive. Settings for |
1980 | 1980 |
Strictly no calling of external programs. |
1981 | 1981 |
.br |
1982 | 1982 |
.B 1 \-\- |
1983 |
-(Default) Only call built-in executables such as ifconfig, ip, route, or netsh. |
|
1983 |
+(Default) Only call built\-in executables such as ifconfig, ip, route, or netsh. |
|
1984 | 1984 |
.br |
1985 | 1985 |
.B 2 \-\- |
1986 |
-Allow calling of built-in executables and user-defined scripts. |
|
1986 |
+Allow calling of built\-in executables and user\-defined scripts. |
|
1987 | 1987 |
.br |
1988 | 1988 |
.B 3 \-\- |
1989 | 1989 |
Allow passwords to be passed to scripts via environmental variables (potentially unsafe). |
... | ... |
@@ -2008,14 +2008,14 @@ versions you needed to either add a full path to the script interpreter which ca |
2008 | 2008 |
script or use the |
2009 | 2009 |
.B system |
2010 | 2010 |
flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have |
2011 |
-full path to the script interpreter when running non-executables files. |
|
2011 |
+full path to the script interpreter when running non\-executables files. |
|
2012 | 2012 |
This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For |
2013 | 2013 |
example, if you have a Visual Basic script, you must use this syntax now: |
2014 | 2014 |
|
2015 | 2015 |
.nf |
2016 | 2016 |
.ft 3 |
2017 | 2017 |
.in +4 |
2018 |
-\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my-up-script.vbs' |
|
2018 |
+\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my\-up\-script.vbs' |
|
2019 | 2019 |
.in -4 |
2020 | 2020 |
.ft |
2021 | 2021 |
.fi |
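Review bot: the rewritten line at 2011 keeps the pre-existing grammar error "non\-executables files"; since the line is already being touched for the dash escaping, change it to "non\-executable files" in the same commit rather than carrying the error forward.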
... | ... |
@@ -2065,7 +2065,7 @@ signal |
2065 | 2065 |
to a DHCP reset), you should make use of one or more of the |
2066 | 2066 |
.B \-\-persist |
2067 | 2067 |
options to ensure that OpenVPN doesn't need to execute any privileged |
2068 |
-operations in order to restart (such as re-reading key files |
|
2068 |
+operations in order to restart (such as re\-reading key files |
|
2069 | 2069 |
or running |
2070 | 2070 |
.BR ifconfig |
2071 | 2071 |
on the TUN device). |
... | ... |
@@ -2111,7 +2111,7 @@ This can be desirable from a security standpoint. |
2111 | 2111 |
|
2112 | 2112 |
Since the chroot operation is delayed until after |
2113 | 2113 |
initialization, most OpenVPN options that reference |
2114 |
-files will operate in a pre-chroot context. |
|
2114 |
+files will operate in a pre\-chroot context. |
|
2115 | 2115 |
|
2116 | 2116 |
In many cases, the |
2117 | 2117 |
.B dir |
... | ... |
@@ -2146,7 +2146,7 @@ it inside the chroot directory (e.g. with mount \-\-bind). |
2146 | 2146 |
|
2147 | 2147 |
Since the setcon operation is delayed until after |
2148 | 2148 |
initialization, OpenVPN can be restricted to just |
2149 |
-network-related system calls, whereas by applying the |
|
2149 |
+network\-related system calls, whereas by applying the |
|
2150 | 2150 |
context before startup (such as the OpenVPN one provided |
2151 | 2151 |
in the SELinux Reference Policies) you will have to |
2152 | 2152 |
allow many things required only during initialization. |
... | ... |
@@ -2195,11 +2195,11 @@ that initialization scripts can test the return status of the |
2195 | 2195 |
openvpn command for a fairly reliable indication of whether the command |
2196 | 2196 |
has correctly initialized and entered the packet forwarding event loop. |
2197 | 2197 |
|
2198 |
-In OpenVPN, the vast majority of errors which occur after initialization are non-fatal. |
|
2198 |
+In OpenVPN, the vast majority of errors which occur after initialization are non\-fatal. |
|
2199 | 2199 |
|
2200 | 2200 |
Note: as soon as OpenVPN has daemonized, it can not ask for usernames, |
2201 | 2201 |
passwords, or key pass phrases anymore. This has certain consequences, |
2202 |
-namely that using a password-protected private key will fail unless the |
|
2202 |
+namely that using a password\-protected private key will fail unless the |
|
2203 | 2203 |
.B \-\-askpass |
2204 | 2204 |
option is used to tell OpenVPN to ask for the pass phrase (this |
2205 | 2205 |
requirement is new in v2.3.7, and is a consequence of calling daemon() |
... | ... |
@@ -2208,9 +2208,9 @@ before initializing the crypto layer). |
2208 | 2208 |
Further, using |
2209 | 2209 |
.B \-\-daemon |
2210 | 2210 |
together with |
2211 |
-.B \-\-auth-user-pass |
|
2211 |
+.B \-\-auth\-user\-pass |
|
2212 | 2212 |
(entered on console) and |
2213 |
-.B \-\-auth-nocache |
|
2213 |
+.B \-\-auth\-nocache |
|
2214 | 2214 |
will fail as soon as key renegotiation (and reauthentication) occurs. |
2215 | 2215 |
.\"********************************************************* |
2216 | 2216 |
.TP |
... | ... |
@@ -2347,7 +2347,7 @@ less than zero is higher priority). |
2347 | 2347 |
.\".B \-\-tls\-server |
2348 | 2348 |
.\"specified). |
2349 | 2349 |
.\" |
2350 |
-.\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based |
|
2350 |
+.\"Using a TLS thread offloads the CPU\-intensive process of SSL/TLS\-based |
|
2351 | 2351 |
.\"key exchange to a background thread so that it does not become |
2352 | 2352 |
.\"a latency bottleneck in the tunnel packet forwarding process. |
2353 | 2353 |
.\" |
... | ... |
@@ -2369,7 +2369,7 @@ or TUN/TAP devices. In such cases, one can optimize the event loop |
2369 | 2369 |
by avoiding the poll/epoll/select call, improving CPU efficiency |
2370 | 2370 |
by 5% to 10%. |
2371 | 2371 |
|
2372 |
-This option can only be used on non-Windows systems, when |
|
2372 |
+This option can only be used on non\-Windows systems, when |
|
2373 | 2373 |
.B \-\-proto udp |
2374 | 2374 |
is specified, and when |
2375 | 2375 |
.B \-\-shaper |
... | ... |
@@ -2377,7 +2377,7 @@ is NOT specified. |
2377 | 2377 |
.\"********************************************************* |
2378 | 2378 |
.TP |
2379 | 2379 |
.B \-\-multihome |
2380 |
-Configure a multi-homed UDP server. This option needs to be used when |
|
2380 |
+Configure a multi\-homed UDP server. This option needs to be used when |
|
2381 | 2381 |
a server has more than one IP address (e.g. multiple interfaces, or |
2382 | 2382 |
secondary IP addresses), and is not using |
2383 | 2383 |
.B \-\-local |
... | ... |
@@ -2389,10 +2389,10 @@ processing, so it's not enabled by default. |
2389 | 2389 |
|
2390 | 2390 |
Note: this option is only relevant for UDP servers. |
2391 | 2391 |
|
2392 |
-Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with |
|
2392 |
+Note 2: if you do an IPv6+IPv4 dual\-stack bind on a Linux machine with |
|
2393 | 2393 |
multiple IPv4 address, connections to IPv4 addresses will not work |
2394 | 2394 |
right on kernels before 3.15, due to missing kernel support for the |
2395 |
-IPv4-mapped case (some distributions have ported this to earlier kernel |
|
2395 |
+IPv4\-mapped case (some distributions have ported this to earlier kernel |
|
2396 | 2396 |
versions, though). |
2397 | 2397 |
.\"********************************************************* |
2398 | 2398 |
.TP |
... | ... |
@@ -2492,7 +2492,7 @@ newer |
2492 | 2492 |
.B \-\-compress |
2493 | 2493 |
instead. |
2494 | 2494 |
|
2495 |
-Use LZO compression -- may add up to 1 byte per |
|
2495 |
+Use LZO compression \-\- may add up to 1 byte per |
|
2496 | 2496 |
packet for incompressible data. |
2497 | 2497 |
.B mode |
2498 | 2498 |
may be "yes", "no", or "adaptive" (default). |
... | ... |
@@ -2500,7 +2500,7 @@ may be "yes", "no", or "adaptive" (default). |
2500 | 2500 |
In a server mode setup, it is possible to selectively turn |
2501 | 2501 |
compression on or off for individual clients. |
2502 | 2502 |
|
2503 |
-First, make sure the client-side config file enables selective |
|
2503 |
+First, make sure the client\-side config file enables selective |
|
2504 | 2504 |
compression by having at least one |
2505 | 2505 |
.B \-\-comp\-lzo |
2506 | 2506 |
directive, such as |
... | ... |
@@ -2539,19 +2539,19 @@ Normally, adaptive compression is enabled with |
2539 | 2539 |
|
2540 | 2540 |
Adaptive compression tries to optimize the case where you have |
2541 | 2541 |
compression enabled, but you are sending predominantly incompressible |
2542 |
-(or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer |
|
2542 |
+(or pre\-compressed) packets over the tunnel, such as an FTP or rsync transfer |
|
2543 | 2543 |
of a large, compressed file. With adaptive compression, |
2544 | 2544 |
OpenVPN will periodically sample the compression process to measure its |
2545 | 2545 |
efficiency. If the data being sent over the tunnel is already compressed, |
2546 | 2546 |
the compression efficiency will be very low, triggering openvpn to disable |
2547 |
-compression for a period of time until the next re-sample test. |
|
2547 |
+compression for a period of time until the next re\-sample test. |
|
2548 | 2548 |
.\"********************************************************* |
2549 | 2549 |
.TP |
2550 |
-.B \-\-management IP port [pw-file] |
|
2550 |
+.B \-\-management IP port [pw\-file] |
|
2551 | 2551 |
Enable a TCP server on |
2552 | 2552 |
.B IP:port |
2553 | 2553 |
to handle daemon management functions. |
2554 |
-.B pw-file, |
|
2554 |
+.B pw\-file, |
|
2555 | 2555 |
if specified, |
2556 | 2556 |
is a password file (password on first line) |
2557 | 2557 |
or "stdin" to prompt from standard input. The password |
... | ... |
@@ -2618,28 +2618,28 @@ console. |
2618 | 2618 |
.B \-\-management\-query\-proxy |
2619 | 2619 |
Query management channel for proxy server information for a specific |
2620 | 2620 |
.B \-\-remote |
2621 |
-(client-only). |
|
2621 |
+(client\-only). |
|
2622 | 2622 |
.\"********************************************************* |
2623 | 2623 |
.TP |
2624 | 2624 |
.B \-\-management\-query\-remote |
2625 | 2625 |
Allow management interface to override |
2626 | 2626 |
.B \-\-remote |
2627 |
-directives (client-only). |
|
2627 |
+directives (client\-only). |
|
2628 | 2628 |
.\"********************************************************* |
2629 | 2629 |
.TP |
2630 | 2630 |
.B \-\-management\-external\-key |
2631 | 2631 |
Allows usage for external private key file instead of |
2632 | 2632 |
.B \-\-key |
2633 |
-option (client-only). |
|
2633 |
+option (client\-only). |
|
2634 | 2634 |
.\"********************************************************* |
2635 | 2635 |
.TP |
2636 |
-.B \-\-management\-external\-cert certificate-hint |
|
2636 |
+.B \-\-management\-external\-cert certificate\-hint |
|
2637 | 2637 |
Allows usage for external certificate instead of |
2638 | 2638 |
.B \-\-cert |
2639 |
-option (client-only). |
|
2640 |
-.B certificate-hint |
|
2639 |
+option (client\-only). |
|
2640 |
+.B certificate\-hint |
|
2641 | 2641 |
is an arbitrary string which is passed to a management |
2642 |
-interface client as an argument of NEED-CERTIFICATE notification. |
|
2642 |
+interface client as an argument of NEED\-CERTIFICATE notification. |
|
2643 | 2643 |
Requires \-\-management\-external\-key. |
2644 | 2644 |
.\"********************************************************* |
2645 | 2645 |
.TP |
... | ... |
@@ -2682,7 +2682,7 @@ Report tunnel up/down events to management interface. |
2682 | 2682 |
.B \-\-management\-client\-auth |
2683 | 2683 |
Gives management interface client the responsibility |
2684 | 2684 |
to authenticate clients after their client certificate |
2685 |
-has been verified. See management-notes.txt in OpenVPN |
|
2685 |
+has been verified. See management\-notes.txt in OpenVPN |
|
2686 | 2686 |
distribution for detailed notes. |
2687 | 2687 |
.\"********************************************************* |
2688 | 2688 |
.TP |
... | ... |
@@ -2704,21 +2704,21 @@ only allow connections from group |
2704 | 2704 |
.B g. |
2705 | 2705 |
.\"********************************************************* |
2706 | 2706 |
.TP |
2707 |
-.B \-\-plugin module-pathname [init-string] |
|
2708 |
-Load plug-in module from the file |
|
2709 |
-.B module-pathname, |
|
2707 |
+.B \-\-plugin module\-pathname [init\-string] |
|
2708 |
+Load plug\-in module from the file |
|
2709 |
+.B module\-pathname, |
|
2710 | 2710 |
passing |
2711 |
-.B init-string |
|
2711 |
+.B init\-string |
|
2712 | 2712 |
as an argument |
2713 | 2713 |
to the module initialization function. Multiple |
2714 | 2714 |
plugin modules may be loaded into one OpenVPN |
2715 | 2715 |
process. |
2716 | 2716 |
|
2717 | 2717 |
The |
2718 |
-.B module-pathname |
|
2718 |
+.B module\-pathname |
|
2719 | 2719 |
argument can be just a filename or a filename with a relative |
2720 | 2720 |
or absolute path. The format of the filename and path defines |
2721 |
-if the plug-in will be loaded from a default plug-in directory |
|
2721 |
+if the plug\-in will be loaded from a default plug\-in directory |
|
2722 | 2722 |
or outside this directory. |
2723 | 2723 |
|
2724 | 2724 |
.nf |
... | ... |
@@ -2733,7 +2733,7 @@ or outside this directory. |
2733 | 2733 |
.in -4 |
2734 | 2734 |
.fi |
2735 | 2735 |
|
2736 |
-DEFAULT_DIR is replaced by the default plug-in directory, |
|
2736 |
+DEFAULT_DIR is replaced by the default plug\-in directory, |
|
2737 | 2737 |
which is configured at the build time of OpenVPN. CWD is the |
2738 | 2738 |
current directory where OpenVPN was started or the directory |
2739 | 2739 |
OpenVPN have swithed into via the |
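Review bot: the unchanged context line at 2739, "OpenVPN have swithed into via the", has two pre-existing errors ("have swithed" should be "has switched"). It is outside the scope of this escaping change, so a small follow-up patch is the right place to fix it.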
... | ... |
@@ -2743,7 +2743,7 @@ option before the |
2743 | 2743 |
option. |
2744 | 2744 |
|
2745 | 2745 |
For more information and examples on how to build OpenVPN |
2746 |
-plug-in modules, see the README file in the |
|
2746 |
+plug\-in modules, see the README file in the |
|
2747 | 2747 |
.B plugin |
2748 | 2748 |
folder of the OpenVPN source distribution. |
2749 | 2749 |
|
... | ... |
@@ -2766,7 +2766,7 @@ every module and script must return success (0) in order for |
2766 | 2766 |
the connection to be authenticated. |
2767 | 2767 |
.\"********************************************************* |
2768 | 2768 |
.TP |
2769 |
-.B \-\-keying-material-exporter label len |
|
2769 |
+.B \-\-keying\-material\-exporter label len |
|
2770 | 2770 |
Save Exported Keying Material [RFC5705] of len bytes (must be |
2771 | 2771 |
between 16 and 4095 bytes) using label in environment |
2772 | 2772 |
(exported_keying_material) for use by plugins in |
... | ... |
@@ -2777,7 +2777,7 @@ labels. In order to prevent this, labels MUST begin with "EXPORTER". |
2777 | 2777 |
|
2778 | 2778 |
.\"********************************************************* |
2779 | 2779 |
.SS Server Mode |
2780 |
-Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode |
|
2780 |
+Starting with OpenVPN 2.0, a multi\-client TCP/UDP server mode |
|
2781 | 2781 |
is supported, and can be enabled with the |
2782 | 2782 |
.B \-\-mode server |
2783 | 2783 |
option. In server mode, OpenVPN will listen on a single |
... | ... |
@@ -2795,7 +2795,7 @@ of OpenVPN's server mode. This directive will set up an |
2795 | 2795 |
OpenVPN server which will allocate addresses to clients |
2796 | 2796 |
out of the given network/netmask. The server itself |
2797 | 2797 |
will take the ".1" address of the given network |
2798 |
-for use as the server-side endpoint of the local |
|
2798 |
+for use as the server\-side endpoint of the local |
|
2799 | 2799 |
TUN/TAP interface. |
2800 | 2800 |
|
2801 | 2801 |
For example, |
... | ... |
@@ -2838,7 +2838,7 @@ if you are ethernet bridging. Use |
2838 | 2838 |
instead. |
2839 | 2839 |
.\"********************************************************* |
2840 | 2840 |
.TP |
2841 |
-.B \-\-server\-bridge gateway netmask pool-start-IP pool-end-IP |
|
2841 |
+.B \-\-server\-bridge gateway netmask pool\-start\-IP pool\-end\-IP |
|
2842 | 2842 |
.TP |
2843 | 2843 |
.B \-\-server\-bridge ['nogw'] |
2844 | 2844 |
|
... | ... |
@@ -2849,10 +2849,10 @@ of OpenVPN's server mode in ethernet bridging configurations. |
2849 | 2849 |
|
2850 | 2850 |
If |
2851 | 2851 |
.B \-\-server\-bridge |
2852 |
-is used without any parameters, it will enable a DHCP-proxy |
|
2852 |
+is used without any parameters, it will enable a DHCP\-proxy |
|
2853 | 2853 |
mode, where connecting OpenVPN clients will receive an IP |
2854 | 2854 |
address for their TAP adapter from the DHCP server running |
2855 |
-on the OpenVPN server-side LAN. |
|
2855 |
+on the OpenVPN server\-side LAN. |
|
2856 | 2856 |
Note that only clients that support |
2857 | 2857 |
the binding of a DHCP client with the TAP adapter (such as |
2858 | 2858 |
Windows) can support this mode. The optional |
... | ... |
@@ -2868,7 +2868,7 @@ with the |
2868 | 2868 |
.B brctl |
2869 | 2869 |
tool, and with Windows XP it is done in the Network |
2870 | 2870 |
Connections Panel by selecting the ethernet and |
2871 |
-TAP adapters and right-clicking on "Bridge Connections". |
|
2871 |
+TAP adapters and right\-clicking on "Bridge Connections". |
|
2872 | 2872 |
|
2873 | 2873 |
Next you you must manually set the |
2874 | 2874 |
IP/netmask on the bridge interface. The |
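Review bot: context line 2873, "Next you you must manually set the", carries a doubled "you" directly after the changed line 2871; not part of this patch, but worth picking up in a follow-up since the paragraph is being edited anyway.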
... | ... |
@@ -2885,9 +2885,9 @@ subnet. |
2885 | 2885 |
Finally, set aside a IP range in the bridged |
2886 | 2886 |
subnet, |
2887 | 2887 |
denoted by |
2888 |
-.B pool-start-IP |
|
2888 |
+.B pool\-start\-IP |
|
2889 | 2889 |
and |
2890 |
-.B pool-end-IP, |
|
2890 |
+.B pool\-end\-IP, |
|
2891 | 2891 |
for OpenVPN to allocate to connecting |
2892 | 2892 |
clients. |
2893 | 2893 |
|
... | ... |
@@ -2966,7 +2966,7 @@ This is a partial list of options which can currently be pushed: |
2966 | 2966 |
.TP |
2967 | 2967 |
.B \-\-push\-reset |
2968 | 2968 |
Don't inherit the global push list for a specific client instance. |
2969 |
-Specify this option in a client-specific context such |
|
2969 |
+Specify this option in a client\-specific context such |
|
2970 | 2970 |
as with a |
2971 | 2971 |
.B \-\-client\-config\-dir |
2972 | 2972 |
configuration file. This option will ignore |
... | ... |
@@ -2978,22 +2978,22 @@ options at the global config file level. |
2978 | 2978 |
selectively remove all |
2979 | 2979 |
.B \-\-push |
2980 | 2980 |
options matching "opt" from the option list for a client. "opt" is matched |
2981 |
-as a substring against the whole option string to-be-pushed to the client, so |
|
2981 |
+as a substring against the whole option string to\-be\-pushed to the client, so |
|
2982 | 2982 |
.B \-\-push\-remove route |
2983 | 2983 |
would remove all |
2984 | 2984 |
.B \-\-push route ... |
2985 | 2985 |
and |
2986 |
-.B \-\-push route-ipv6 ... |
|
2986 |
+.B \-\-push route\-ipv6 ... |
|
2987 | 2987 |
statements, while |
2988 |
-.B \-\-push\-remove 'route-ipv6 2001:' |
|
2988 |
+.B \-\-push\-remove 'route\-ipv6 2001:' |
|
2989 | 2989 |
would only remove IPv6 routes for 2001:... networks. |
2990 | 2990 |
|
2991 | 2991 |
.B \-\-push\-remove |
2992 |
-can only be used in a client-specific context, like in a |
|
2992 |
+can only be used in a client\-specific context, like in a |
|
2993 | 2993 |
.B \-\-client\-config\-dir |
2994 | 2994 |
file, or |
2995 | 2995 |
.B \-\-client\-connect |
2996 |
-script or plugin -- similar to |
|
2996 |
+script or plugin \-\- similar to |
|
2997 | 2997 |
.B \-\-push\-reset, |
2998 | 2998 |
just more selective. |
2999 | 2999 |
|
... | ... |
@@ -3010,22 +3010,22 @@ option with the new value. |
3010 | 3010 |
Push additional information about the client to server. |
3011 | 3011 |
The following data is always pushed to the server: |
3012 | 3012 |
|
3013 |
-IV_VER=<version> -- the client OpenVPN version |
|
3013 |
+IV_VER=<version> \-\- the client OpenVPN version |
|
3014 | 3014 |
|
3015 |
-IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] -- the client OS platform |
|
3015 |
+IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] \-\- the client OS platform |
|
3016 | 3016 |
|
3017 |
-IV_LZO_STUB=1 -- if client was built with LZO stub capability |
|
3017 |
+IV_LZO_STUB=1 \-\- if client was built with LZO stub capability |
|
3018 | 3018 |
|
3019 |
-IV_LZ4=1 -- if the client supports LZ4 compressions. |
|
3019 |
+IV_LZ4=1 \-\- if the client supports LZ4 compressions. |
|
3020 | 3020 |
|
3021 |
-IV_PROTO=2 -- if the client supports peer-id floating mechansim |
|
3021 |
+IV_PROTO=2 \-\- if the client supports peer\-id floating mechansim |
|
3022 | 3022 |
|
3023 |
-IV_NCP=2 -- negotiable ciphers, client supports |
|
3023 |
+IV_NCP=2 \-\- negotiable ciphers, client supports |
|
3024 | 3024 |
.B \-\-cipher |
3025 | 3025 |
pushed by the server, a value of 2 or greater indicates client |
3026 |
-supports AES-GCM-128 and AES-GCM-256. |
|
3026 |
+supports AES\-GCM\-128 and AES\-GCM\-256. |
|
3027 | 3027 |
|
3028 |
-IV_UI_VER=<gui_id> <version> -- the UI version of a UI if one is |
|
3028 |
+IV_UI_VER=<gui_id> <version> \-\- the UI version of a UI if one is |
|
3029 | 3029 |
running, for example "de.blinkt.openvpn 0.5.47" for the |
3030 | 3030 |
Android app. |
3031 | 3031 |
|
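Review bot: the touched line at 3021 still reads "peer\-id floating mechansim"; correct "mechansim" to "mechanism" in the same change instead of rewriting the line with the typo intact. Likewise line 3019, "supports LZ4 compressions", should read "supports LZ4 compression".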
... | ... |
@@ -3033,13 +3033,13 @@ When |
3033 | 3033 |
.B \-\-push\-peer\-info |
3034 | 3034 |
is enabled the additional information consists of the following data: |
3035 | 3035 |
|
3036 |
-IV_HWADDR=<mac address> -- the MAC address of clients default gateway |
|
3036 |
+IV_HWADDR=<mac address> \-\- the MAC address of clients default gateway |
|
3037 | 3037 |
|
3038 |
-IV_SSL=<version string> -- the ssl version used by the client, e.g. "OpenSSL 1.0.2f 28 Jan 2016". |
|
3038 |
+IV_SSL=<version string> \-\- the ssl version used by the client, e.g. "OpenSSL 1.0.2f 28 Jan 2016". |
|
3039 | 3039 |
|
3040 |
-IV_PLAT_VER=x.y - the version of the operating system, e.g. 6.1 for Windows 7. |
|
3040 |
+IV_PLAT_VER=x.y \- the version of the operating system, e.g. 6.1 for Windows 7. |
|
3041 | 3041 |
|
3042 |
-UV_<name>=<value> -- client environment variables whose names start with "UV_" |
|
3042 |
+UV_<name>=<value> \-\- client environment variables whose names start with "UV_" |
|
3043 | 3043 |
.\"********************************************************* |
3044 | 3044 |
.TP |
3045 | 3045 |
.B \-\-disable |
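Review bot: the IV_PLAT_VER entry at 3040 uses a single `\-` as the separator, while every other IV_*/UV_* line in this hunk and the previous one uses `\-\-`. Since the line is being edited, normalising it to `IV_PLAT_VER=x.y \-\- the version of the operating system, ...` keeps the list consistent.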
... | ... |
@@ -3059,12 +3059,12 @@ or dynamically generated using a |
3059 | 3059 |
script. |
3060 | 3060 |
.\"********************************************************* |
3061 | 3061 |
.TP |
3062 |
-.B \-\-ifconfig\-pool start-IP end-IP [netmask] |
|
3062 |
+.B \-\-ifconfig\-pool start\-IP end\-IP [netmask] |
|
3063 | 3063 |
Set aside a pool of subnets to be |
3064 | 3064 |
dynamically allocated to connecting clients, similar |
3065 |
-to a DHCP server. For tun-style |
|
3065 |
+to a DHCP server. For tun\-style |
|
3066 | 3066 |
tunnels, each client will be given a /30 subnet (for |
3067 |
-interoperability with Windows clients). For tap-style |
|
3067 |
+interoperability with Windows clients). For tap\-style |
|
3068 | 3068 |
tunnels, individual addresses will be allocated, and the |
3069 | 3069 |
optional |
3070 | 3070 |
.B netmask |
... | ... |
@@ -3081,24 +3081,24 @@ at |
3081 | 3081 |
intervals (default=600), as well as on program startup and |
3082 | 3082 |
shutdown. |
3083 | 3083 |
|
3084 |
-The goal of this option is to provide a long-term association |
|
3084 |
+The goal of this option is to provide a long\-term association |
|
3085 | 3085 |
between clients (denoted by their common name) and the virtual |
3086 |
-IP address assigned to them from the ifconfig-pool. |
|
3087 |
-Maintaining a long-term |
|
3086 |
+IP address assigned to them from the ifconfig\-pool. |
|
3087 |
+Maintaining a long\-term |
|
3088 | 3088 |
association is good for clients because it allows them |
3089 | 3089 |
to effectively use the |
3090 | 3090 |
.B \-\-persist\-tun |
3091 | 3091 |
option. |
3092 | 3092 |
|
3093 | 3093 |
.B file |
3094 |
-is a comma-delimited ASCII file, formatted as |
|
3095 |
-<Common-Name>,<IP-address>. |
|
3094 |
+is a comma\-delimited ASCII file, formatted as |
|
3095 |
+<Common\-Name>,<IP\-address>. |
|
3096 | 3096 |
|
3097 | 3097 |
If |
3098 | 3098 |
.B seconds |
3099 | 3099 |
= 0, |
3100 | 3100 |
.B file |
3101 |
-will be treated as read-only. This is useful if |
|
3101 |
+will be treated as read\-only. This is useful if |
|
3102 | 3102 |
you would like to treat |
3103 | 3103 |
.B file |
3104 | 3104 |
as a configuration file. |
... | ... |
@@ -3175,17 +3175,17 @@ OpenVPN's internal client IP address selection algorithm works as |
3175 | 3175 |
follows: |
3176 | 3176 |
|
3177 | 3177 |
.B 1 |
3178 |
+\-\- Use |
|
3178 | 3179 |
.B \-\-client\-connect script |
3179 | 3180 |
generated file for static IP (first choice). |
3180 | 3181 |
.br |
3181 | 3182 |
.B 2 |
3183 |
+\-\- Use |
|
3182 | 3184 |
.B \-\-client\-config\-dir |
3183 | 3185 |
file for static IP (next choice). |
3184 | 3186 |
.br |
3185 | 3187 |
.B 3 |
3188 |
+\-\- Use |
|
3186 | 3189 |
.B \-\-ifconfig\-pool |
3187 | 3190 |
allocation for dynamic IP (last choice). |
3188 | 3191 |
.br |
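Review bot: the hunk header reports equal counts (-3175,17 +3175,17), yet only three added lines are shown (3178, 3183, 3188, each `\-\- Use`) with no corresponding removed lines. Either the rendered view has dropped the three `-` lines or the hunk is malformed; please confirm which lines the `\-\- Use` entries replace, so that `.B 1`, `.B 2` and `.B 3` are not left followed by a duplicated line in the formatted man page.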
... | ... |
@@ -3245,15 +3245,15 @@ Because the OpenVPN server mode handles multiple clients |
3245 | 3245 |
through a single tun or tap interface, it is effectively |
3246 | 3246 |
a router. The |
3247 | 3247 |
.B \-\-client\-to\-client |
3248 |
-flag tells OpenVPN to internally route client-to-client |
|
3249 |
-traffic rather than pushing all client-originating traffic |
|
3248 |
+flag tells OpenVPN to internally route client\-to\-client |
|
3249 |
+traffic rather than pushing all client\-originating traffic |
|
3250 | 3250 |
to the TUN/TAP interface. |
3251 | 3251 |
|
3252 | 3252 |
When this option is used, each client will "see" the other |
3253 | 3253 |
clients which are currently connected. Otherwise, each |
3254 | 3254 |
client will only see the server. Don't use this option |
3255 | 3255 |
if you want to firewall tunnel traffic using |
3256 |
-custom, per-client rules. |
|
3256 |
+custom, per\-client rules. |
|
3257 | 3257 |
.\"********************************************************* |
3258 | 3258 |
.TP |
3259 | 3259 |
.B \-\-duplicate\-cn |
... | ... |
@@ -3269,11 +3269,11 @@ on client connection. |
3269 | 3269 |
|
3270 | 3270 |
.B cmd |
3271 | 3271 |
consists of a path to script (or executable program), optionally |
3272 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
3272 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
3273 | 3273 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
3274 | 3274 |
|
3275 | 3275 |
The command is passed the common name |
3276 |
-and IP address of the just-authenticated client |
|
3276 |
+and IP address of the just\-authenticated client |
|
3277 | 3277 |
as environmental variables (see environmental variable section |
3278 | 3278 |
below). The command is also passed |
3279 | 3279 |
the pathname of a freshly created temporary file as the last argument |
... | ... |
@@ -3295,7 +3295,7 @@ Note that the return value of |
3295 | 3295 |
.B script |
3296 | 3296 |
is significant. If |
3297 | 3297 |
.B script |
3298 |
-returns a non-zero error status, it will cause the client |
|
3298 |
+returns a non\-zero error status, it will cause the client |
|
3299 | 3299 |
to be disconnected. |
3300 | 3300 |
.\"********************************************************* |
3301 | 3301 |
.TP |
... | ... |
@@ -3311,10 +3311,10 @@ successful (0) status returns. |
3311 | 3311 |
|
3312 | 3312 |
The exception to this rule is if the |
3313 | 3313 |
.B \-\-client\-disconnect |
3314 |
-command or plugins are cascaded, and at least one client-connect |
|
3315 |
-function succeeded, then ALL of the client-disconnect functions for |
|
3314 |
+command or plugins are cascaded, and at least one client\-connect |
|
3315 |
+function succeeded, then ALL of the client\-disconnect functions for |
|
3316 | 3316 |
scripts and plugins will be called on client instance object deletion, |
3317 |
-even in cases where some of the related client-connect functions returned |
|
3317 |
+even in cases where some of the related client\-connect functions returned |
|
3318 | 3318 |
an error status. |
3319 | 3319 |
|
3320 | 3320 |
The |
... | ... |
@@ -3334,7 +3334,7 @@ for custom client config files. After |
3334 | 3334 |
a connecting client has been authenticated, OpenVPN will |
3335 | 3335 |
look in this directory for a file having the same name |
3336 | 3336 |
as the client's X509 common name. If a matching file |
3337 |
-exists, it will be opened and parsed for client-specific |
|
3337 |
+exists, it will be opened and parsed for client\-specific |
|
3338 | 3338 |
configuration options. If no matching file is found, OpenVPN |
3339 | 3339 |
will instead try to open and parse a default file called |
3340 | 3340 |
"DEFAULT", which may be provided but is not required. Note that |
... | ... |
@@ -3353,7 +3353,7 @@ created, edited, or removed while the server is live, |
3353 | 3353 |
without needing to restart the server. |
3354 | 3354 |
|
3355 | 3355 |
The following |
3356 |
-options are legal in a client-specific context: |
|
3356 |
+options are legal in a client\-specific context: |
|
3357 | 3357 |
.B \-\-push, \-\-push\-reset, \-\-push\-remove, \-\-iroute, \-\-ifconfig\-push, |
3358 | 3358 |
and |
3359 | 3359 |
.B \-\-config. |
... | ... |
@@ -3379,7 +3379,7 @@ This directory will be used by in the following cases: |
3379 | 3379 |
|
3380 | 3380 |
* |
3381 | 3381 |
.B \-\-client\-connect |
3382 |
-scripts to dynamically generate client-specific |
|
3382 |
+scripts to dynamically generate client\-specific |
|
3383 | 3383 |
configuration files. |
3384 | 3384 |
|
3385 | 3385 |
* |
... | ... |
@@ -3458,7 +3458,7 @@ forcing the server to deplete |
3458 | 3458 |
virtual memory as its internal routing table expands. |
3459 | 3459 |
This directive can be used in a |
3460 | 3460 |
.B \-\-client\-config\-dir |
3461 |
-file or auto-generated by a |
|
3461 |
+file or auto\-generated by a |
|
3462 | 3462 |
.B \-\-client\-connect |
3463 | 3463 |
script to override the global value for a particular client. |
3464 | 3464 |
|
... | ... |
@@ -3514,7 +3514,7 @@ to validate client virtual addresses or routes. |
3514 | 3514 |
|
3515 | 3515 |
.B cmd |
3516 | 3516 |
consists of a path to script (or executable program), optionally |
3517 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
3517 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
3518 | 3518 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
3519 | 3519 |
|
3520 | 3520 |
Three arguments will be appended to any arguments in |
... | ... |
@@ -3539,7 +3539,7 @@ client linked to this address. Only present for "add" |
3539 | 3539 |
or "update" operations, not "delete". |
3540 | 3540 |
|
3541 | 3541 |
On "add" or "update" methods, if the script returns |
3542 |
-a failure code (non-zero), OpenVPN will reject the address |
|
3542 |
+a failure code (non\-zero), OpenVPN will reject the address |
|
3543 | 3543 |
and will not modify its internal routing table. |
3544 | 3544 |
|
3545 | 3545 |
Normally, the |
... | ... |
@@ -3548,8 +3548,8 @@ script will use the information provided above to set |
3548 | 3548 |
appropriate firewall entries on the VPN TUN/TAP interface. |
3549 | 3549 |
Since OpenVPN provides the association between virtual IP |
3550 | 3550 |
or MAC address and the client's authenticated common name, |
3551 |
-it allows a user-defined script to configure firewall access |
|
3552 |
-policies with regard to the client's high-level common name, |
|
3551 |
+it allows a user\-defined script to configure firewall access |
|
3552 |
+policies with regard to the client's high\-level common name, |
|
3553 | 3553 |
rather than the low level client virtual addresses. |
3554 | 3554 |
.\"********************************************************* |
3555 | 3555 |
.TP |
... | ... |
@@ -3564,7 +3564,7 @@ provided by the client. |
3564 | 3564 |
|
3565 | 3565 |
.B cmd |
3566 | 3566 |
consists of a path to script (or executable program), optionally |
3567 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
3567 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
3568 | 3568 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
3569 | 3569 |
|
3570 | 3570 |
If |
... | ... |
@@ -3603,18 +3603,18 @@ returning a success exit code (0) if the |
3603 | 3603 |
client's authentication request is to be accepted, or a failure |
3604 | 3604 |
code (1) to reject the client. |
3605 | 3605 |
|
3606 |
-This directive is designed to enable a plugin-style interface |
|
3606 |
+This directive is designed to enable a plugin\-style interface |
|
3607 | 3607 |
for extending OpenVPN's authentication capabilities. |
3608 | 3608 |
|
3609 | 3609 |
To protect against a client passing a maliciously formed |
3610 | 3610 |
username or password string, the username string must |
3611 | 3611 |
consist only of these characters: alphanumeric, underbar |
3612 |
-('_'), dash ('-'), dot ('.'), or at ('@'). The password |
|
3612 |
+('_'), dash ('\-'), dot ('.'), or at ('@'). The password |
|
3613 | 3613 |
string can consist of any printable characters except for |
3614 | 3614 |
CR or LF. Any illegal characters in either the username |
3615 | 3615 |
or password string will be converted to underbar ('_'). |
3616 | 3616 |
|
3617 |
-Care must be taken by any user-defined scripts to avoid |
|
3617 |
+Care must be taken by any user\-defined scripts to avoid |
|
3618 | 3618 |
creating a security vulnerability in the way that these |
3619 | 3619 |
strings are handled. Never use these strings in such a way |
3620 | 3620 |
that they might be escaped or evaluated by a shell interpreter. |
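Review bot: the escape inside the quoted character list at 3612, `dash ('\-')`, is the one in this hunk that changes meaning rather than just typography: with a bare `-`, groff's UTF-8 output device emits U+2010 (HYPHEN), so the page would document an allowed-username character that is not the ASCII 0x2D OpenVPN actually accepts. The identical list at 3766 is escaped the same way further down, so the two descriptions stay consistent.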
... | ... |
@@ -3643,7 +3643,7 @@ or it is set to 0, the token will never expire. |
3643 | 3643 |
This feature is useful for environments which is configured |
3644 | 3644 |
to use One Time Passwords (OTP) as part of the user/password |
3645 | 3645 |
authentications and that authentication mechanism does not |
3646 |
-implement any auth-token support. |
|
3646 |
+implement any auth\-token support. |
|
3647 | 3647 |
.\"********************************************************* |
3648 | 3648 |
.TP |
3649 | 3649 |
.B \-\-opt\-verify |
... | ... |
@@ -3669,10 +3669,10 @@ or |
3669 | 3669 |
is specified (or an authentication plugin module), the |
3670 | 3670 |
OpenVPN server daemon will require connecting clients to specify a |
3671 | 3671 |
username and password. This option makes the submission of a username/password |
3672 |
-by clients optional, passing the responsibility to the user-defined authentication |
|
3672 |
+by clients optional, passing the responsibility to the user\-defined authentication |
|
3673 | 3673 |
module/script to accept or deny the client based on other factors |
3674 | 3674 |
(such as the setting of X509 certificate fields). When this option is used, |
3675 |
-and a connecting client does not submit a username/password, the user-defined |
|
3675 |
+and a connecting client does not submit a username/password, the user\-defined |
|
3676 | 3676 |
authentication module/script will see the username and password as being set |
3677 | 3677 |
to empty strings (""). The authentication module/script MUST have logic |
3678 | 3678 |
to detect this condition and respond accordingly. |
... | ... |
@@ -3763,16 +3763,16 @@ like this: |
3763 | 3763 |
/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com |
3764 | 3764 |
.IP |
3765 | 3765 |
In addition the old behaviour was to remap any character other than |
3766 |
-alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to |
|
3766 |
+alphanumeric, underscore ('_'), dash ('\-'), dot ('.'), and slash ('/') to |
|
3767 | 3767 |
underscore ('_'). The X.509 Subject string as returned by the |
3768 | 3768 |
.B tls_id |
3769 | 3769 |
environmental variable, could additionally contain colon (':') or equal ('='). |
3770 | 3770 |
.IP |
3771 | 3771 |
When using the |
3772 | 3772 |
.B \-\-compat\-names |
3773 |
-option, this old formatting and remapping will be re-enabled again. This is |
|
3774 |
-purely implemented for compatibility reasons when using older plug-ins or |
|
3775 |
-scripts which does not handle the new formatting or UTF-8 characters. |
|
3773 |
+option, this old formatting and remapping will be re\-enabled again. This is |
|
3774 |
+purely implemented for compatibility reasons when using older plug\-ins or |
|
3775 |
+scripts which does not handle the new formatting or UTF\-8 characters. |
|
3776 | 3776 |
.IP |
3777 | 3777 |
In OpenVPN 2.3 the formatting of these fields changed into a more |
3778 | 3778 |
standardised format. It now looks like: |
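Review bot: line 3775 is rewritten anyway, so fix its grammar in the same change: `scripts which does not handle` should read `scripts which do not handle`, and `re\-enabled again` at 3773 can drop the redundant `again`. Escaping is this patch's job, but touching the same line twice for two one-word fixes is worse than folding them in.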
... | ... |
@@ -3795,12 +3795,12 @@ option to be compatible with the now deprecated \-\-no\-name\-remapping option. |
3795 | 3795 |
It is only available at the server. When this mode flag is used, the Common Name, |
3796 | 3796 |
Subject, and username strings are allowed to include any printable character |
3797 | 3797 |
including space, but excluding control characters such as tab, newline, and |
3798 |
-carriage-return. no-remapping is only available on the server side. |
|
3798 |
+carriage\-return. no\-remapping is only available on the server side. |
|
3799 | 3799 |
|
3800 | 3800 |
.B Please note: |
3801 | 3801 |
This option is immediately deprecated. It is only implemented |
3802 | 3802 |
to make the transition to the new formatting less intrusive. It will be |
3803 |
-removed in OpenVPN 2.5. So please update your scripts/plug-ins where necessary. |
|
3803 |
+removed in OpenVPN 2.5. So please update your scripts/plug\-ins where necessary. |
|
3804 | 3804 |
.\"********************************************************* |
3805 | 3805 |
.TP |
3806 | 3806 |
.B \-\-no\-name\-remapping |
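Review bot: with 3798 rewritten, the sentence `no\-remapping is only available on the server side.` duplicates `It is only available at the server.` three lines earlier at 3795; consider dropping one of them in the same change so the paragraph does not say it twice.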
... | ... |
@@ -3826,7 +3826,7 @@ option as soon as possible. |
3826 | 3826 |
.B \-\-port\-share host port [dir] |
3827 | 3827 |
When run in TCP server mode, share the OpenVPN port with |
3828 | 3828 |
another application, such as an HTTPS server. If OpenVPN |
3829 |
-senses a connection to its port which is using a non-OpenVPN |
|
3829 |
+senses a connection to its port which is using a non\-OpenVPN |
|
3830 | 3830 |
protocol, it will proxy the connection to the server at |
3831 | 3831 |
.B host:port. |
3832 | 3832 |
Currently only designed to work with HTTP/HTTPS, |
... | ... |
@@ -3870,7 +3870,7 @@ of OpenVPN's client mode. This directive is equivalent to: |
3870 | 3870 |
.TP |
3871 | 3871 |
.B \-\-pull |
3872 | 3872 |
This option must be used on a client which is connecting |
3873 |
-to a multi-client server. It indicates to OpenVPN that it |
|
3873 |
+to a multi\-client server. It indicates to OpenVPN that it |
|
3874 | 3874 |
should accept options pushed by the server, provided they |
3875 | 3875 |
are part of the legal set of pushable options (note that the |
3876 | 3876 |
.B \-\-pull |
... | ... |
@@ -3959,7 +3959,7 @@ the client. |
3959 | 3959 |
.TP |
3960 | 3960 |
.B \-\-auth\-retry type |
3961 | 3961 |
Controls how OpenVPN responds to username/password verification |
3962 |
-errors such as the client-side response to an AUTH_FAILED message from the server |
|
3962 |
+errors such as the client\-side response to an AUTH_FAILED message from the server |
|
3963 | 3963 |
or verification failure of the private key password. |
3964 | 3964 |
|
3965 | 3965 |
Normally used to prevent auth errors from being fatal |
... | ... |
@@ -3969,7 +3969,7 @@ of error. |
3969 | 3969 |
An AUTH_FAILED message is generated by the server if the client |
3970 | 3970 |
fails |
3971 | 3971 |
.B \-\-auth\-user\-pass |
3972 |
-authentication, or if the server-side |
|
3972 |
+authentication, or if the server\-side |
|
3973 | 3973 |
.B \-\-client\-connect |
3974 | 3974 |
script returns an error status when the client |
3975 | 3975 |
tries to connect. |
... | ... |
@@ -4018,7 +4018,7 @@ connect timeouts. |
4018 | 4018 |
.\"********************************************************* |
4019 | 4019 |
.TP |
4020 | 4020 |
.B \-\-explicit\-exit\-notify [n] |
4021 |
-In UDP client mode or point-to-point mode, send server/peer an exit notification |
|
4021 |
+In UDP client mode or point\-to\-point mode, send server/peer an exit notification |
|
4022 | 4022 |
if tunnel is restarted or OpenVPN process is exited. In client mode, on |
4023 | 4023 |
exit/restart, this |
4024 | 4024 |
option will tell the server to immediately close its client instance object |
... | ... |
@@ -4044,13 +4044,13 @@ When this option is set, OpenVPN will not drop incoming tun packets |
4044 | 4044 |
with same destination as host. |
4045 | 4045 |
.\"********************************************************* |
4046 | 4046 |
.SS Data Channel Encryption Options: |
4047 |
-These options are meaningful for both Static & TLS-negotiated key modes |
|
4047 |
+These options are meaningful for both Static & TLS\-negotiated key modes |
|
4048 | 4048 |
(must be compatible between peers). |
4049 | 4049 |
.\"********************************************************* |
4050 | 4050 |
.TP |
4051 | 4051 |
.B \-\-secret file [direction] |
4052 |
-Enable Static Key encryption mode (non-TLS). |
|
4053 |
-Use pre-shared secret |
|
4052 |
+Enable Static Key encryption mode (non\-TLS). |
|
4053 |
+Use pre\-shared secret |
|
4054 | 4054 |
.B file |
4055 | 4055 |
which was generated with |
4056 | 4056 |
.B \-\-genkey. |
... | ... |
@@ -4058,7 +4058,7 @@ which was generated with |
4058 | 4058 |
The optional |
4059 | 4059 |
.B direction |
4060 | 4060 |
parameter enables the use of 4 distinct keys |
4061 |
-(HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that |
|
4061 |
+(HMAC\-send, cipher\-encrypt, HMAC\-receive, cipher\-decrypt), so that |
|
4062 | 4062 |
each data flow direction has a different set of HMAC and cipher keys. |
4063 | 4063 |
This has a number of desirable security properties including |
4064 | 4064 |
eliminating certain kinds of DoS and message replay attacks. |
... | ... |
@@ -4078,7 +4078,7 @@ The |
4078 | 4078 |
.B direction |
4079 | 4079 |
parameter requires that |
4080 | 4080 |
.B file |
4081 |
-contains a 2048 bit key. While pre-1.5 versions of OpenVPN |
|
4081 |
+contains a 2048 bit key. While pre\-1.5 versions of OpenVPN |
|
4082 | 4082 |
generate 1024 bit key files, any version of OpenVPN which |
4083 | 4083 |
supports the |
4084 | 4084 |
.B direction |
... | ... |
@@ -4092,7 +4092,7 @@ the primary being ease of configuration. |
4092 | 4092 |
|
4093 | 4093 |
There are no certificates |
4094 | 4094 |
or certificate authorities or complicated negotiation handshakes and protocols. |
4095 |
-The only requirement is that you have a pre-existing secure channel with |
|
4095 |
+The only requirement is that you have a pre\-existing secure channel with |
|
4096 | 4096 |
your peer (such as |
4097 | 4097 |
.B ssh |
4098 | 4098 |
) to initially copy the key. This requirement, along with the |
... | ... |
@@ -4105,13 +4105,13 @@ was able to steal your private key, he would gain no information to help |
4105 | 4105 |
him decrypt past sessions. |
4106 | 4106 |
|
4107 | 4107 |
Another advantageous aspect of Static Key encryption mode is that |
4108 |
-it is a handshake-free protocol |
|
4108 |
+it is a handshake\-free protocol |
|
4109 | 4109 |
without any distinguishing signature or feature |
4110 | 4110 |
(such as a header or protocol handshake sequence) |
4111 | 4111 |
that would mark the ciphertext packets as being |
4112 | 4112 |
generated by OpenVPN. Anyone eavesdropping on the wire |
4113 | 4113 |
would see nothing |
4114 |
-but random-looking data. |
|
4114 |
+but random\-looking data. |
|
4115 | 4115 |
.\"********************************************************* |
4116 | 4116 |
.TP |
4117 | 4117 |
.B \-\-key\-direction |
... | ... |
@@ -4124,7 +4124,7 @@ options. Useful when using inline files (See section on inline files). |
4124 | 4124 |
.TP |
4125 | 4125 |
.B \-\-auth alg |
4126 | 4126 |
Authenticate data channel packets and (if enabled) |
4127 |
-.B tls-auth |
|
4127 |
+.B tls\-auth |
|
4128 | 4128 |
control channel packets with HMAC using message digest algorithm |
4129 | 4129 |
.B alg. |
4130 | 4130 |
(The default is |
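Review bot: `.B tls\-auth` at 4127 (and again at 4147 in the following hunk) names the option without the `\-\-` prefix that the rest of the page uses, e.g. `.B \-\-tls\-auth.` at 4447. Since the line is being edited, `.B \-\-tls\-auth` would make the cross-reference render the same way everywhere.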
... | ... |
@@ -4134,7 +4134,7 @@ HMAC is a commonly used message authentication algorithm (MAC) that uses |
4134 | 4134 |
a data string, a secure hash algorithm, and a key, to produce |
4135 | 4135 |
a digital signature. |
4136 | 4136 |
|
4137 |
-The OpenVPN data channel protocol uses encrypt-then-mac (i.e. first encrypt a |
|
4137 |
+The OpenVPN data channel protocol uses encrypt\-then\-mac (i.e. first encrypt a |
|
4138 | 4138 |
packet, then HMAC the resulting ciphertext), which prevents padding oracle |
4139 | 4139 |
attacks. |
4140 | 4140 |
|
... | ... |
@@ -4144,9 +4144,9 @@ algorithm is ignored for the data channel, and the authentication method of the |
4144 | 4144 |
AEAD cipher is used instead. Note that |
4145 | 4145 |
.B alg |
4146 | 4146 |
still specifies the digest used for |
4147 |
-.B tls-auth\fR. |
|
4147 |
+.B tls\-auth\fR. |
|
4148 | 4148 |
|
4149 |
-In static-key encryption mode, the HMAC key |
|
4149 |
+In static\-key encryption mode, the HMAC key |
|
4150 | 4150 |
is included in the key file generated by |
4151 | 4151 |
.B \-\-genkey. |
4152 | 4152 |
In TLS mode, the HMAC key is dynamically generated and shared |
... | ... |
@@ -4166,11 +4166,11 @@ Encrypt data channel packets with cipher algorithm |
4166 | 4166 |
.B alg. |
4167 | 4167 |
|
4168 | 4168 |
The default is |
4169 |
-.B BF-CBC, |
|
4169 |
+.B BF\-CBC, |
|
4170 | 4170 |
an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher |
4171 | 4171 |
negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server |
4172 | 4172 |
side will automatically upgrade to |
4173 |
-.B AES-256-GCM. |
|
4173 |
+.B AES\-256\-GCM. |
|
4174 | 4174 |
See |
4175 | 4175 |
.B \-\-ncp\-ciphers |
4176 | 4176 |
and |
... | ... |
@@ -4178,12 +4178,12 @@ and |
4178 | 4178 |
for more details on NCP. |
4179 | 4179 |
|
4180 | 4180 |
Using |
4181 |
-.B BF-CBC |
|
4182 |
-is no longer recommended, because of its 64-bit block size. This |
|
4181 |
+.B BF\-CBC |
|
4182 |
+is no longer recommended, because of its 64\-bit block size. This |
|
4183 | 4183 |
small block size allows attacks based on collisions, as demonstrated by SWEET32. |
4184 | 4184 |
See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Due to |
4185 | 4185 |
this, support for |
4186 |
-.B BF-CBC, DES, CAST5, IDEA |
|
4186 |
+.B BF\-CBC, DES, CAST5, IDEA |
|
4187 | 4187 |
and |
4188 | 4188 |
.B RC2 |
4189 | 4189 |
ciphers will be removed in OpenVPN 2.6. |
... | ... |
@@ -4202,20 +4202,20 @@ to disable encryption. |
4202 | 4202 |
Restrict the allowed ciphers to be negotiated to the ciphers in |
4203 | 4203 |
.B cipher_list\fR. |
4204 | 4204 |
.B cipher_list |
4205 |
-is a colon-separated list of ciphers, and defaults to |
|
4206 |
-"AES-256-GCM:AES-128-GCM". |
|
4205 |
+is a colon\-separated list of ciphers, and defaults to |
|
4206 |
+"AES\-256\-GCM:AES\-128\-GCM". |
|
4207 | 4207 |
|
4208 | 4208 |
For servers, the first cipher from |
4209 | 4209 |
.B cipher_list |
4210 | 4210 |
will be pushed to clients that support cipher negotiation. |
4211 | 4211 |
|
4212 |
-Cipher negotiation is enabled in client-server mode only. I.e. if |
|
4212 |
+Cipher negotiation is enabled in client\-server mode only. I.e. if |
|
4213 | 4213 |
.B \-\-mode |
4214 |
-is set to 'server' (server-side, implied by setting |
|
4214 |
+is set to 'server' (server\-side, implied by setting |
|
4215 | 4215 |
.B \-\-server |
4216 | 4216 |
), or if |
4217 | 4217 |
.B \-\-pull |
4218 |
-is specified (client-side, implied by setting \-\-client). |
|
4218 |
+is specified (client\-side, implied by setting \-\-client). |
|
4219 | 4219 |
|
4220 | 4220 |
If both peers support and do not disable NCP, the negotiated cipher will |
4221 | 4221 |
override the cipher specified by |
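Review bot: escaping inside the quoted default `"AES\-256\-GCM:AES\-128\-GCM"` at 4206 is the right call: this string is what an administrator copies into `\-\-ncp\-ciphers`, and a U+2010 hyphen from unescaped groff output would not match any cipher name when OpenVPN looks it up. The same reasoning applies to the cipher names in the `\-\-cipher` hunks above.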
... | ... |
@@ -4226,10 +4226,10 @@ will inherit the cipher of the peer if that cipher is different from the local |
4226 | 4226 |
.B \-\-cipher |
4227 | 4227 |
setting, but the peer cipher is one of the ciphers specified in |
4228 | 4228 |
.B \-\-ncp\-ciphers\fR. |
4229 |
-E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a |
|
4230 |
-NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers |
|
4231 |
-AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or |
|
4232 |
-"\-\-cipher AES-256-CBC" and both will work. |
|
4229 |
+E.g. a non\-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a |
|
4230 |
+NCP server (v2.4+) with "\-\-cipher BF\-CBC" and "\-\-ncp\-ciphers |
|
4231 |
+AES\-256\-GCM:AES\-256\-CBC" set can either specify "\-\-cipher BF\-CBC" or |
|
4232 |
+"\-\-cipher AES\-256\-CBC" and both will work. |
|
4233 | 4233 |
|
4234 | 4234 |
.\"********************************************************* |
4235 | 4235 |
.TP |
... | ... |
@@ -4243,19 +4243,19 @@ negotiation. |
4243 | 4243 |
This option will be removed in OpenVPN 2.6. |
4244 | 4244 |
|
4245 | 4245 |
Size of cipher key in bits (optional). |
4246 |
-If unspecified, defaults to cipher-specific default. The |
|
4246 |
+If unspecified, defaults to cipher\-specific default. The |
|
4247 | 4247 |
.B \-\-show\-ciphers |
4248 | 4248 |
option (see below) shows all available OpenSSL ciphers, |
4249 | 4249 |
their default key sizes, and whether the key size can |
4250 | 4250 |
be changed. Use care in changing a cipher's default |
4251 | 4251 |
key size. Many ciphers have not been extensively |
4252 |
-cryptanalyzed with non-standard key lengths, and a |
|
4252 |
+cryptanalyzed with non\-standard key lengths, and a |
|
4253 | 4253 |
larger key may offer no real guarantee of greater |
4254 | 4254 |
security, or may even reduce security. |
4255 | 4255 |
.\"********************************************************* |
4256 | 4256 |
.TP |
4257 | 4257 |
.B \-\-prng alg [nsl] |
4258 |
-(Advanced) For PRNG (Pseudo-random number generator), |
|
4258 |
+(Advanced) For PRNG (Pseudo\-random number generator), |
|
4259 | 4259 |
use digest algorithm |
4260 | 4260 |
.B alg |
4261 | 4261 |
(default=sha1), and set |
... | ... |
@@ -4266,14 +4266,14 @@ to the size in bytes of the nonce secret length (between 16 and 64). |
4266 | 4266 |
Set |
4267 | 4267 |
.B alg=none |
4268 | 4268 |
to disable the PRNG and use the OpenSSL RAND_bytes function |
4269 |
-instead for all of OpenVPN's pseudo-random number needs. |
|
4269 |
+instead for all of OpenVPN's pseudo\-random number needs. |
|
4270 | 4270 |
.\"********************************************************* |
4271 | 4271 |
.TP |
4272 |
-.B \-\-engine [engine-name] |
|
4273 |
-Enable OpenSSL hardware-based crypto engine functionality. |
|
4272 |
+.B \-\-engine [engine\-name] |
|
4273 |
+Enable OpenSSL hardware\-based crypto engine functionality. |
|
4274 | 4274 |
|
4275 | 4275 |
If |
4276 |
-.B engine-name |
|
4276 |
+.B engine\-name |
|
4277 | 4277 |
is specified, |
4278 | 4278 |
use a specific crypto engine. Use the |
4279 | 4279 |
.B \-\-show\-engines |
... | ... |
@@ -4329,7 +4329,7 @@ by IPSec. |
4329 | 4329 |
.\"********************************************************* |
4330 | 4330 |
.TP |
4331 | 4331 |
.B \-\-replay\-window n [t] |
4332 |
-Use a replay protection sliding-window of size |
|
4332 |
+Use a replay protection sliding\-window of size |
|
4333 | 4333 |
.B n |
4334 | 4334 |
and a time window of |
4335 | 4335 |
.B t |
... | ... |
@@ -4351,7 +4351,7 @@ option is specified. |
4351 | 4351 |
When OpenVPN tunnels IP packets over UDP, there is the possibility that |
4352 | 4352 |
packets might be dropped or delivered out of order. Because OpenVPN, like IPSec, |
4353 | 4353 |
is emulating the physical network layer, |
4354 |
-it will accept an out-of-order packet sequence, and |
|
4354 |
+it will accept an out\-of\-order packet sequence, and |
|
4355 | 4355 |
will deliver such packets in the same order they were received to |
4356 | 4356 |
the TCP/IP protocol stack, provided they satisfy several constraints. |
4357 | 4357 |
|
... | ... |
@@ -4380,7 +4380,7 @@ Satellite links in particular often require this. |
4380 | 4380 |
|
4381 | 4381 |
If you run OpenVPN at |
4382 | 4382 |
.B \-\-verb 4, |
4383 |
-you will see the message "Replay-window backtrack occurred [x]" |
|
4383 |
+you will see the message "Replay\-window backtrack occurred [x]" |
|
4384 | 4384 |
every time the maximum sequence number backtrack seen thus far |
4385 | 4385 |
increases. This can be used to calibrate |
4386 | 4386 |
.B n. |
... | ... |
@@ -4404,11 +4404,11 @@ reordering: Don't allow it. Since TCP guarantees reliability, any packet |
4404 | 4404 |
loss or reordering event can be assumed to be an attack. |
4405 | 4405 |
|
4406 | 4406 |
In this sense, it could be argued that TCP tunnel transport is preferred when |
4407 |
-tunneling non-IP or UDP application protocols which might be vulnerable to a |
|
4407 |
+tunneling non\-IP or UDP application protocols which might be vulnerable to a |
|
4408 | 4408 |
message deletion or reordering attack which falls within the normal |
4409 | 4409 |
operational parameters of IP networks. |
4410 | 4410 |
|
4411 |
-So I would make the statement that one should never tunnel a non-IP protocol |
|
4411 |
+So I would make the statement that one should never tunnel a non\-IP protocol |
|
4412 | 4412 |
or UDP application protocol over UDP, if the protocol might be vulnerable to a |
4413 | 4413 |
message deletion or reordering attack that falls within the normal operating |
4414 | 4414 |
parameters of what is to be expected from the physical IP layer. The problem |
... | ... |
@@ -4424,7 +4424,7 @@ packets. |
4424 | 4424 |
.\"********************************************************* |
4425 | 4425 |
.TP |
4426 | 4426 |
.B \-\-replay\-persist file |
4427 |
-Persist replay-protection state across sessions using |
|
4427 |
+Persist replay\-protection state across sessions using |
|
4428 | 4428 |
.B file |
4429 | 4429 |
to save and reload the state. |
4430 | 4430 |
|
... | ... |
@@ -4443,7 +4443,7 @@ which were already received by the prior session. |
4443 | 4443 |
This option only makes sense when replay protection is enabled |
4444 | 4444 |
(the default) and you are using either |
4445 | 4445 |
.B \-\-secret |
4446 |
-(shared-secret key mode) or TLS mode with |
|
4446 |
+(shared\-secret key mode) or TLS mode with |
|
4447 | 4447 |
.B \-\-tls\-auth. |
4448 | 4448 |
.\"********************************************************* |
4449 | 4449 |
.TP |
... | ... |
@@ -4463,11 +4463,11 @@ messages are being encrypted/decrypted with the same key. |
4463 | 4463 |
|
4464 | 4464 |
IV is implemented differently depending on the cipher mode used. |
4465 | 4465 |
|
4466 |
-In CBC mode, OpenVPN uses a pseudo-random IV for each packet. |
|
4466 |
+In CBC mode, OpenVPN uses a pseudo\-random IV for each packet. |
|
4467 | 4467 |
|
4468 | 4468 |
In CFB/OFB mode, OpenVPN uses a unique sequence number and time stamp |
4469 | 4469 |
as the IV. In fact, in CFB/OFB mode, OpenVPN uses a datagram |
4470 |
-space-saving optimization that uses the unique identifier for |
|
4470 |
+space\-saving optimization that uses the unique identifier for |
|
4471 | 4471 |
datagram replay protection as the IV. |
4472 | 4472 |
.\"********************************************************* |
4473 | 4473 |
.TP |
... | ... |
@@ -4486,7 +4486,7 @@ than 1.1. |
4486 | 4486 |
.\"********************************************************* |
4487 | 4487 |
.TP |
4488 | 4488 |
.B \-\-test\-crypto |
4489 |
-Do a self-test of OpenVPN's crypto options by encrypting and |
|
4489 |
+Do a self\-test of OpenVPN's crypto options by encrypting and |
|
4490 | 4490 |
decrypting test packets using the data channel encryption options |
4491 | 4491 |
specified above. This option does not require a peer to function, |
4492 | 4492 |
and therefore can be specified without |
... | ... |
@@ -4506,7 +4506,7 @@ or |
4506 | 4506 |
|
4507 | 4507 |
This option is very useful to test OpenVPN after it has been ported to |
4508 | 4508 |
a new platform, or to isolate problems in the compiler, OpenSSL |
4509 |
-crypto library, or OpenVPN's crypto code. Since it is a self-test mode, |
|
4509 |
+crypto library, or OpenVPN's crypto code. Since it is a self\-test mode, |
|
4510 | 4510 |
problems with encryption and authentication can be debugged independently |
4511 | 4511 |
of network and tunnel issues. |
4512 | 4512 |
.\"********************************************************* |
... | ... |
@@ -4522,7 +4522,7 @@ any mediation. The result is the best of both worlds: a fast data channel |
4522 | 4522 |
that forwards over UDP with only the overhead of encrypt, |
4523 | 4523 |
decrypt, and HMAC functions, |
4524 | 4524 |
and a control channel that provides all of the security features of TLS, |
4525 |
-including certificate-based authentication and Diffie Hellman forward secrecy. |
|
4525 |
+including certificate\-based authentication and Diffie Hellman forward secrecy. |
|
4526 | 4526 |
|
4527 | 4527 |
To use TLS mode, each peer that runs OpenVPN should have its own local |
4528 | 4528 |
certificate/key pair ( |
... | ... |
@@ -4545,12 +4545,12 @@ passing data. |
4545 | 4545 |
|
4546 | 4546 |
The OpenVPN project provides a set of scripts for |
4547 | 4547 |
managing RSA certificates & keys: |
4548 |
-.I https://github.com/OpenVPN/easy-rsa |
|
4548 |
+.I https://github.com/OpenVPN/easy\-rsa |
|
4549 | 4549 |
.\"********************************************************* |
4550 | 4550 |
.TP |
4551 | 4551 |
.B \-\-tls\-server |
4552 | 4552 |
Enable TLS and assume server role during TLS handshake. Note that |
4553 |
-OpenVPN is designed as a peer-to-peer application. The designation |
|
4553 |
+OpenVPN is designed as a peer\-to\-peer application. The designation |
|
4554 | 4554 |
of client or server is only for the purpose of negotiating the TLS |
4555 | 4555 |
control channel. |
4556 | 4556 |
.\"********************************************************* |
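Review bot: the URL at 4548, `https://github.com/OpenVPN/easy\-rsa`, is a case where the escape is needed rather than cosmetic: groff's UTF-8 device renders an unescaped `-` as U+2010, and a URL copied from the terminal with that code point does not resolve. Keep it. The SWEET32 wiki URL at 4184 contains no dash, which is why that hunk leaves it alone.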
... | ... |
@@ -4590,11 +4590,11 @@ When using the |
4590 | 4590 |
option, you are required to supply valid CRLs for the CAs too. CAs in the |
4591 | 4591 |
capath directory are expected to be named <hash>.<n>. CRLs are expected to |
4592 | 4592 |
be named <hash>.r<n>. See the |
4593 |
-.B -CApath |
|
4593 |
+.B \-CApath |
|
4594 | 4594 |
option of |
4595 | 4595 |
.B openssl verify |
4596 | 4596 |
, and the |
4597 |
-.B -hash |
|
4597 |
+.B \-hash |
|
4598 | 4598 |
option of |
4599 | 4599 |
.B openssl x509 |
4600 | 4600 |
and |
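Review bot: `\-CApath` and `\-hash` at 4593 and 4597 are single-dash openssl(1) options rather than OpenVPN `\-\-` options, and the escape is still correct: a bare leading `-` in a `.B` line would render as U+2010 and not paste back into an `openssl verify` command. Leaving `.B openssl dhparam \-out dh2048.pem 2048` in the next hunk untouched is also right, since it was already escaped.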
... | ... |
@@ -4616,7 +4616,7 @@ requires peers to be using an SSL library that supports ECDH TLS cipher suites |
4616 | 4616 |
|
4617 | 4617 |
Use |
4618 | 4618 |
.B openssl dhparam \-out dh2048.pem 2048 |
4619 |
-to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered |
|
4619 |
+to generate 2048\-bit DH parameters. Diffie Hellman parameters may be considered |
|
4620 | 4620 |
public. |
4621 | 4621 |
.\"********************************************************* |
4622 | 4622 |
.TP |
... | ... |
@@ -4624,13 +4624,13 @@ public. |
4624 | 4624 |
Specify the curve to use for elliptic curve Diffie Hellman. Available |
4625 | 4625 |
curves can be listed with |
4626 | 4626 |
.BR \-\-show\-curves . |
4627 |
-The specified curve will only be used for ECDH TLS-ciphers. |
|
4627 |
+The specified curve will only be used for ECDH TLS\-ciphers. |
|
4628 | 4628 |
|
4629 | 4629 |
This option is not supported in mbed TLS builds of OpenVPN. |
4630 | 4630 |
.\"********************************************************* |
4631 | 4631 |
.TP |
4632 | 4632 |
.B \-\-cert file |
4633 |
-Local peer's signed certificate in .pem format -- must be signed |
|
4633 |
+Local peer's signed certificate in .pem format \-\- must be signed |
|
4634 | 4634 |
by a certificate authority whose certificate is in |
4635 | 4635 |
.B \-\-ca file. |
4636 | 4636 |
Each peer in an OpenVPN link running in TLS mode should have its own |
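Review bot: `\-\-` at 4633 (`.pem format \-\- must be signed`) is prose punctuation, not an option prefix; groff has `\(em` for that, which renders as a dash on typesetting devices instead of two minus signs. The page already uses `\-\-` this way at 4665 and 4800, so either keep it for consistency or convert all three together, not just this one.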
... | ... |
@@ -4662,7 +4662,7 @@ Note that the |
4662 | 4662 |
command reads the location of the certificate authority key from its |
4663 | 4663 |
configuration file such as |
4664 | 4664 |
.B /usr/share/ssl/openssl.cnf |
4665 |
+\-\- note also |
|
4665 | 4666 |
that for certificate authority functions, you must set up the files |
4666 | 4667 |
.B index.txt |
4667 | 4668 |
(may be empty) and |
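Review bot: the removed line of this hunk is not visible in this rendering. The header `-4662,7 +4662,7` says seven old lines, but only six old lines are shown (4662-4667), so a `-` line is missing; most likely the old text began with `--`, giving a diff line starting `---` that the renderer treated as a file header. Check the raw patch to confirm the old line was `-- note also` before merging.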
... | ... |
@@ -4683,7 +4683,7 @@ local certificate chain. |
4683 | 4683 |
This option is useful for "split" CAs, where the CA for server |
4684 | 4684 |
certs is different than the CA for client certs. Putting certs |
4685 | 4685 |
in this file allows them to be used to complete the local |
4686 |
-certificate chain without trusting them to verify the peer-submitted |
|
4686 |
+certificate chain without trusting them to verify the peer\-submitted |
|
4687 | 4687 |
certificate, as would be the case if the certs were placed in the |
4688 | 4688 |
.B ca |
4689 | 4689 |
file. |
... | ... |
@@ -4700,7 +4700,7 @@ above). |
4700 | 4700 |
Sets the minimum |
4701 | 4701 |
TLS version we will accept from the peer (default is "1.0"). |
4702 | 4702 |
Examples for version |
4703 |
-include "1.0", "1.1", or "1.2". If 'or-highest' is specified |
|
4703 |
+include "1.0", "1.1", or "1.2". If 'or\-highest' is specified |
|
4704 | 4704 |
and version is not recognized, we will only accept the highest TLS |
4705 | 4705 |
version supported by the local SSL implementation. |
4706 | 4706 |
.\"********************************************************* |
... | ... |
@@ -4721,10 +4721,10 @@ Not available with PolarSSL. |
4721 | 4721 |
.\"********************************************************* |
4722 | 4722 |
.TP |
4723 | 4723 |
.B \-\-verify\-hash hash [algo] |
4724 |
-Specify SHA1 or SHA256 fingerprint for level-1 cert. The level-1 cert is the |
|
4724 |
+Specify SHA1 or SHA256 fingerprint for level\-1 cert. The level\-1 cert is the |
|
4725 | 4725 |
CA (or intermediate cert) that signs the leaf certificate, and is |
4726 | 4726 |
one removed from the leaf certificate in the direction of the root. |
4727 |
-When accepting a connection from a peer, the level-1 cert |
|
4727 |
+When accepting a connection from a peer, the level\-1 cert |
|
4728 | 4728 |
fingerprint must match |
4729 | 4729 |
.B hash |
4730 | 4730 |
or certificate verification will fail. Hash is specified |
... | ... |
@@ -4756,9 +4756,9 @@ option. |
4756 | 4756 |
.\"********************************************************* |
4757 | 4757 |
.TP |
4758 | 4758 |
.B \-\-pkcs11\-id\-management |
4759 |
-Acquire PKCS#11 id from management interface. In this case a NEED-STR 'pkcs11-id-request' |
|
4760 |
-real-time message will be triggered, application may use pkcs11-id-count command to |
|
4761 |
-retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate |
|
4759 |
+Acquire PKCS#11 id from management interface. In this case a NEED\-STR 'pkcs11\-id\-request' |
|
4760 |
+real\-time message will be triggered, application may use pkcs11\-id\-count command to |
|
4761 |
+retrieve available number of certificates, and pkcs11\-id\-get command to retrieve certificate |
|
4762 | 4762 |
id and certificate body. |
4763 | 4763 |
.\"********************************************************* |
4764 | 4764 |
.TP |
... | ... |
@@ -4780,7 +4780,7 @@ This option can be used instead of |
4780 | 4780 |
and |
4781 | 4781 |
.B \-\-pkcs12. |
4782 | 4782 |
|
4783 |
-If p11-kit is present on the system, its |
|
4783 |
+If p11\-kit is present on the system, its |
|
4784 | 4784 |
.B p11\-kit\-proxy.so |
4785 | 4785 |
module will be loaded by default if either the |
4786 | 4786 |
.B \-\-pkcs11\-id |
... | ... |
@@ -4797,23 +4797,23 @@ A different mode can be specified for each provider. |
4797 | 4797 |
Mode is encoded as hex number, and can be a mask one of the following: |
4798 | 4798 |
|
4799 | 4799 |
.B 0 |
4800 |
-(default) -- Try to determine automatically. |
|
4800 |
+(default) \-\- Try to determine automatically. |
|
4801 | 4801 |
.br |
4802 | 4802 |
.B 1 |
4803 |
+\-\- Use sign. |
|
4803 | 4804 |
.br |
4804 | 4805 |
.B 2 |
4806 |
+\-\- Use sign recover. |
|
4805 | 4807 |
.br |
4806 | 4808 |
.B 4 |
4809 |
+\-\- Use decrypt. |
|
4807 | 4810 |
.br |
4808 | 4811 |
.B 8 |
4812 |
+\-\- Use unwrap. |
|
4809 | 4813 |
.br |
4810 | 4814 |
.\"********************************************************* |
4811 | 4815 |
.TP |
4812 |
-.B \-\-cryptoapicert select-string |
|
4816 |
+.B \-\-cryptoapicert select\-string |
|
4813 | 4817 |
Load the certificate and private key from the |
4814 | 4818 |
Windows Certificate System Store (Windows/OpenSSL Only). |
4815 | 4819 |
|
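Review bot: The rendered view of this hunk is misleading, not the patch itself: the four removed lines (`-- Use sign.`, `-- Use sign recover.`, `-- Use decrypt.`, `-- Use unwrap.`) start with `---` once the diff marker is prepended, so the web renderer has swallowed them as if they were a file header and the old-side line numbers drift by four (old `4815` against new `4819` at the end of the hunk). The hunk header `@@ -4797,23 +4797,23 @@` confirms the raw patch replaces lines one for one. The same artifact appears in the `--route-method` hunk at `@@ -5782,29 +5782,29 @@`, where `-- Use IP helper API.` and `-- Call the route.exe shell command.` are shown as pure additions. Anyone reviewing from the web view should apply the raw mbox to see the real change.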
... | ... |
@@ -4841,7 +4841,7 @@ To select a certificate, based on certificate's thumbprint: |
4841 | 4841 |
.B cryptoapicert |
4842 | 4842 |
"THUMB:f6 49 24 41 01 b4 ..." |
4843 | 4843 |
|
4844 |
-The thumbprint hex string can easily be copy-and-pasted from the Windows |
|
4844 |
+The thumbprint hex string can easily be copy\-and\-pasted from the Windows |
|
4845 | 4845 |
Certificate Store GUI. |
4846 | 4846 |
|
4847 | 4847 |
.\"********************************************************* |
... | ... |
@@ -4859,7 +4859,7 @@ for protecting the tunnel data channel is generated and |
4859 | 4859 |
exchanged over the TLS session. |
4860 | 4860 |
|
4861 | 4861 |
In method 1 (the default for OpenVPN 1.x), both sides generate |
4862 |
-random encrypt and HMAC-send keys which are forwarded to |
|
4862 |
+random encrypt and HMAC\-send keys which are forwarded to |
|
4863 | 4863 |
the other host over the TLS channel. Method 1 is |
4864 | 4864 |
.B deprecated in OpenVPN 2.4 |
4865 | 4865 |
, and |
... | ... |
@@ -4909,7 +4909,7 @@ to see a list of TLS ciphers supported by your crypto library. |
4909 | 4909 |
|
4910 | 4910 |
Warning! |
4911 | 4911 |
.B \-\-tls\-cipher |
4912 |
-is an expert feature, which - if used correcly - can improve the security of |
|
4912 |
+is an expert feature, which \- if used correcly \- can improve the security of |
|
4913 | 4913 |
your VPN connection. But it is also easy to unwittingly use it to carefully |
4914 | 4914 |
align a gun with your foot, or just break your connection. Use with care! |
4915 | 4915 |
|
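Review bot: The changed line still carries the pre-existing typo "correcly"; since the line is being rewritten anyway, it should read `is an expert feature, which \- if used correctly \- can improve the security of`. Escaping the parenthetical dashes is fine, but an unescaped single hyphen used as a dash is rendered as a hyphen glyph in UTF-8 output, so `\-` here is the right choice and matches the commit message's "escape all dashes" rule.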
... | ... |
@@ -4928,7 +4928,7 @@ packet to its peer, it will expect to receive an |
4928 | 4928 |
acknowledgement within |
4929 | 4929 |
.B n |
4930 | 4930 |
seconds or it will retransmit the packet, subject |
4931 |
-to a TCP-like exponential backoff algorithm. This parameter |
|
4931 |
+to a TCP\-like exponential backoff algorithm. This parameter |
|
4932 | 4932 |
only applies to control channel packets. Data channel |
4933 | 4933 |
packets (which carry encrypted tunnel data) are never |
4934 | 4934 |
acknowledged, sequenced, or retransmitted by OpenVPN because |
... | ... |
@@ -4945,7 +4945,7 @@ to be expressed as a number of bytes encrypted/decrypted, a number of packets, |
4945 | 4945 |
or a number of seconds. A key renegotiation will be forced |
4946 | 4946 |
if any of these three criteria are met by either peer. |
4947 | 4947 |
|
4948 |
-If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is |
|
4948 |
+If using ciphers with cipher block sizes less than 128\-bits, \-\-reneg\-bytes is |
|
4949 | 4949 |
set to 64MB by default, unless it is explicitly disabled by setting the value to |
4950 | 4950 |
0, but this is |
4951 | 4951 |
.B HIGHLY DISCOURAGED |
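Review bot: `128\-bits` escapes a hyphen that should not be there at all: the phrase is "block sizes less than 128 bits" (no hyphen, plural noun), so the better fix for this line is `cipher block sizes less than 128 bits, \-\-reneg\-bytes is`. The `\-\-reneg\-bytes` escaping is correct and consistent with the `.B \-\-reneg\-bytes` form used elsewhere in the page.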
... | ... |
@@ -4964,7 +4964,7 @@ Renegotiate data channel key after |
4964 | 4964 |
.B n |
4965 | 4965 |
seconds (default=3600). |
4966 | 4966 |
|
4967 |
-When using dual-factor authentication, note that this default value may |
|
4967 |
+When using dual\-factor authentication, note that this default value may |
|
4968 | 4968 |
cause the end user to be challenged to reauthorize once per hour. |
4969 | 4969 |
|
4970 | 4970 |
Also, keep in mind that this option can be used on both the client and server, |
... | ... |
@@ -4979,7 +4979,7 @@ your chosen value on the other side. |
4979 | 4979 |
.\"********************************************************* |
4980 | 4980 |
.TP |
4981 | 4981 |
.B \-\-hand\-window n |
4982 |
-Handshake Window -- the TLS-based key exchange must finalize within |
|
4982 |
+Handshake Window \-\- the TLS\-based key exchange must finalize within |
|
4983 | 4983 |
.B n |
4984 | 4984 |
seconds |
4985 | 4985 |
of handshake initiation by any peer (default = 60 seconds). |
... | ... |
@@ -4993,7 +4993,7 @@ data. |
4993 | 4993 |
.\"********************************************************* |
4994 | 4994 |
.TP |
4995 | 4995 |
.B \-\-tran\-window n |
4996 |
-Transition window -- our old key can live this many seconds |
|
4996 |
+Transition window \-\- our old key can live this many seconds |
|
4997 | 4997 |
after a new a key renegotiation begins (default = 3600 seconds). |
4998 | 4998 |
This feature allows for a graceful transition from old to new |
4999 | 4999 |
key, and removes the key renegotiation sequence from the critical |
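Review bot: The unchanged context line immediately below the touched one, `after a new a key renegotiation begins (default = 3600 seconds).`, has a doubled article ("a new a key"); since this hunk already rewrites the `--tran-window` paragraph, dropping the stray "a" here would avoid a second trivial patch. The `Transition window \-\-` change itself is correct.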
... | ... |
@@ -5056,7 +5056,7 @@ is specified with |
5056 | 5056 |
.B \-\-float. |
5057 | 5057 |
|
5058 | 5058 |
The rationale for |
5059 |
-this feature is as follows. TLS requires a multi-packet exchange |
|
5059 |
+this feature is as follows. TLS requires a multi\-packet exchange |
|
5060 | 5060 |
before it is able to authenticate a peer. During this time |
5061 | 5061 |
before authentication, OpenVPN is allocating resources (memory |
5062 | 5062 |
and CPU) to this potential peer. The potential peer is also |
... | ... |
@@ -5065,7 +5065,7 @@ it is sending. Most successful network attacks today seek |
5065 | 5065 |
to either exploit bugs in programs (such as buffer overflow attacks) or |
5066 | 5066 |
force a program to consume so many resources that it becomes unusable. |
5067 | 5067 |
Of course the first line of defense is always to produce clean, |
5068 |
-well-audited code. OpenVPN has been written with buffer overflow |
|
5068 |
+well\-audited code. OpenVPN has been written with buffer overflow |
|
5069 | 5069 |
attack prevention as a top priority. |
5070 | 5070 |
But as history has shown, many of the most widely used |
5071 | 5071 |
network applications have, from time to time, |
... | ... |
@@ -5121,8 +5121,8 @@ provides more privacy by hiding the certificate used for the TLS connection, |
5121 | 5121 |
.IP \[bu] |
5122 | 5122 |
makes it harder to identify OpenVPN traffic as such, |
5123 | 5123 |
.IP \[bu] |
5124 |
-provides "poor-man's" post-quantum security, against attackers who will never |
|
5125 |
-know the pre-shared key (i.e. no forward secrecy). |
|
5124 |
+provides "poor\-man's" post\-quantum security, against attackers who will never |
|
5125 |
+know the pre\-shared key (i.e. no forward secrecy). |
|
5126 | 5126 |
.RE |
5127 | 5127 |
|
5128 | 5128 |
.IP |
... | ... |
@@ -5135,10 +5135,10 @@ does *not* require the user to set |
5135 | 5135 |
.B Security Considerations |
5136 | 5136 |
|
5137 | 5137 |
All peers use the same |
5138 |
-.B \-\-tls-crypt |
|
5139 |
-pre-shared group key to authenticate and encrypt control channel messages. To |
|
5138 |
+.B \-\-tls\-crypt |
|
5139 |
+pre\-shared group key to authenticate and encrypt control channel messages. To |
|
5140 | 5140 |
ensure that IV collisions remain unlikely, this key should not be used to |
5141 |
-encrypt more than 2^48 client-to-server or 2^48 server-to-client control |
|
5141 |
+encrypt more than 2^48 client\-to\-server or 2^48 server\-to\-client control |
|
5142 | 5142 |
channel messages. A typical initial negotiation is about 10 packets in each |
5143 | 5143 |
direction. Assuming both initial negotiation and renegotiations are at most |
5144 | 5144 |
2^16 (65536) packets (to be conservative), and (re)negotiations happen each |
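Review bot: The `.B \-\-tls-crypt` to `.B \-\-tls\-crypt` fix is the one place in this section where an option name inside a `.B` macro was only half-escaped, and it matters because bold option names are what readers copy into configs. It would be worth a quick pass over the whole file for the same pattern (a `\-\-` prefix followed by an unescaped `-` inside the name) so the remaining mixed cases are caught in one go rather than one at a time.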
... | ... |
@@ -5152,8 +5152,8 @@ If IV collisions were to occur, this could result in the security of |
5152 | 5152 |
degrading to the same security as using |
5153 | 5153 |
.B \-\-tls\-auth\fR. |
5154 | 5154 |
That is, the control channel still benefits from the extra protection against |
5155 |
-active man-in-the-middle-attacks and DoS attacks, but may no longer offer |
|
5156 |
-extra privacy and post-quantum security on top of what TLS itself offers. |
|
5155 |
+active man\-in\-the\-middle\-attacks and DoS attacks, but may no longer offer |
|
5156 |
+extra privacy and post\-quantum security on top of what TLS itself offers. |
|
5157 | 5157 |
.\"********************************************************* |
5158 | 5158 |
.TP |
5159 | 5159 |
.B \-\-askpass [file] |
... | ... |
@@ -5271,7 +5271,7 @@ should return 0 to allow the TLS handshake to proceed, or 1 to fail. |
5271 | 5271 |
|
5272 | 5272 |
.B cmd |
5273 | 5273 |
consists of a path to script (or executable program), optionally |
5274 |
-followed by arguments. The path and arguments may be single- or double-quoted |
|
5274 |
+followed by arguments. The path and arguments may be single\- or double\-quoted |
|
5275 | 5275 |
and/or escaped using a backslash, and should be separated by one or more spaces. |
5276 | 5276 |
|
5277 | 5277 |
When |
... | ... |
@@ -5340,13 +5340,13 @@ instead of the Common Name. |
5340 | 5340 |
Only the subjectAltName and issuerAltName X.509 extensions are supported. |
5341 | 5341 |
|
5342 | 5342 |
.B Please note: |
5343 |
-This option has a feature which will convert an all-lowercase |
|
5343 |
+This option has a feature which will convert an all\-lowercase |
|
5344 | 5344 |
.B fieldname |
5345 |
-to uppercase characters, e.g., ou -> OU. A mixed-case |
|
5345 |
+to uppercase characters, e.g., ou \-> OU. A mixed\-case |
|
5346 | 5346 |
.B fieldname |
5347 | 5347 |
or one having the |
5348 | 5348 |
.B ext: |
5349 |
-prefix will be left as-is. This automatic upcasing feature |
|
5349 |
+prefix will be left as\-is. This automatic upcasing feature |
|
5350 | 5350 |
is deprecated and will be removed in a future release. |
5351 | 5351 |
.\"********************************************************* |
5352 | 5352 |
.TP |
... | ... |
@@ -5360,18 +5360,18 @@ Which X.509 name is compared to |
5360 | 5360 |
depends on the setting of type. |
5361 | 5361 |
.B type |
5362 | 5362 |
can be "subject" to match the complete subject DN (default), |
5363 |
-"name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. |
|
5363 |
+"name" to match a subject RDN or "name\-prefix" to match a subject RDN prefix. |
|
5364 | 5364 |
Which RDN is verified as name depends on the |
5365 | 5365 |
.B \-\-x509\-username\-field |
5366 | 5366 |
option. But it defaults to the common name (CN), e.g. a certificate with a |
5367 |
-subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by: |
|
5367 |
+subject DN "C=KG, ST=NA, L=Bishkek, CN=Server\-1" would be matched by: |
|
5368 | 5368 |
|
5369 | 5369 |
.B \-\-verify\-x509\-name 'C=KG, ST=NA, L=Bishkek, CN=Server\-1' |
5370 | 5370 |
and |
5371 | 5371 |
.B \-\-verify\-x509\-name Server\-1 name |
5372 | 5372 |
or you could use |
5373 |
-.B \-\-verify\-x509\-name Server -name-prefix |
|
5374 |
-if you want a client to only accept connections to "Server-1", "Server-2", etc. |
|
5373 |
+.B \-\-verify\-x509\-name Server\- name\-prefix |
|
5374 |
+if you want a client to only accept connections to "Server\-1", "Server\-2", etc. |
|
5375 | 5375 |
|
5376 | 5376 |
.B \-\-verify\-x509\-name |
5377 | 5377 |
is a useful replacement for the |
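Review bot: This is the substantive correction of the patch and should be read as such: the old example `Server -name-prefix` put the space in the wrong place, so OpenVPN would have taken `-name-prefix` as the type argument and the example could never have worked as written. The corrected `\-\-verify\-x509\-name Server\- name\-prefix` matches any CN that begins with `Server-`, which is precisely why the NOTE further down restricts the `name-prefix` type to a CA under your own control; a third-party CA could issue `Server-anything` to someone else. Consider a cross-reference from this example to that NOTE so the two are not read in isolation.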
... | ... |
@@ -5390,7 +5390,7 @@ with designated servers. |
5390 | 5390 |
.B NOTE: |
5391 | 5391 |
Test against a name prefix only when you are using OpenVPN with |
5392 | 5392 |
a custom CA certificate that is under your control. |
5393 |
-Never use this option with type "name-prefix" when your client certificates |
|
5393 |
+Never use this option with type "name\-prefix" when your client certificates |
|
5394 | 5394 |
are signed by a third party, such as a commercial web CA. |
5395 | 5395 |
.\"********************************************************* |
5396 | 5396 |
.TP |
... | ... |
@@ -5429,7 +5429,7 @@ to "server", then the clients can verify this with |
5429 | 5429 |
.B \-\-ns\-cert\-type server. |
5430 | 5430 |
|
5431 | 5431 |
This is an important security precaution to protect against |
5432 |
-a man-in-the-middle attack where an authorized client |
|
5432 |
+a man\-in\-the\-middle attack where an authorized client |
|
5433 | 5433 |
attempts to connect to another client by impersonating the server. |
5434 | 5434 |
The attack is easily prevented by having clients verify |
5435 | 5435 |
the server certificate using any one of |
... | ... |
@@ -5494,7 +5494,7 @@ option is equivalent to |
5494 | 5494 |
\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication" |
5495 | 5495 |
|
5496 | 5496 |
This is an important security precaution to protect against |
5497 |
-a man-in-the-middle attack where an authorized client |
|
5497 |
+a man\-in\-the\-middle attack where an authorized client |
|
5498 | 5498 |
attempts to connect to another client by impersonating the server. |
5499 | 5499 |
The attack is easily prevented by having clients verify |
5500 | 5500 |
the server certificate using any one of |
... | ... |
@@ -5566,7 +5566,7 @@ an ECDSA cipher suite will not work if you are using an RSA certificate, etc.). |
5566 | 5566 |
.TP |
5567 | 5567 |
.B \-\-show\-engines |
5568 | 5568 |
(Standalone) |
5569 |
-Show currently available hardware-based crypto acceleration |
|
5569 |
+Show currently available hardware\-based crypto acceleration |
|
5570 | 5570 |
engines supported by the OpenSSL library. |
5571 | 5571 |
.\"********************************************************* |
5572 | 5572 |
.TP |
... | ... |
@@ -5577,7 +5577,7 @@ Show all available elliptic curves to use with the |
5577 | 5577 |
option. |
5578 | 5578 |
.\"********************************************************* |
5579 | 5579 |
.SS Generate a random key: |
5580 |
-Used only for non-TLS static key encryption mode. |
|
5580 |
+Used only for non\-TLS static key encryption mode. |
|
5581 | 5581 |
.\"********************************************************* |
5582 | 5582 |
.TP |
5583 | 5583 |
.B \-\-genkey |
... | ... |
@@ -5586,7 +5586,7 @@ Generate a random key to be used as a shared secret, |
5586 | 5586 |
for use with the |
5587 | 5587 |
.B \-\-secret |
5588 | 5588 |
option. This file must be shared with the |
5589 |
-peer over a pre-existing secure channel such as |
|
5589 |
+peer over a pre\-existing secure channel such as |
|
5590 | 5590 |
.BR scp (1) |
5591 | 5591 |
. |
5592 | 5592 |
.\"********************************************************* |
... | ... |
@@ -5621,7 +5621,7 @@ and |
5621 | 5621 |
commands. These commands can be placed in the the same shell script |
5622 | 5622 |
which starts or terminates an OpenVPN session. |
5623 | 5623 |
|
5624 |
-Another advantage is that open connections through the TUN/TAP-based tunnel |
|
5624 |
+Another advantage is that open connections through the TUN/TAP\-based tunnel |
|
5625 | 5625 |
will not be reset if the OpenVPN peer restarts. This can be useful to |
5626 | 5626 |
provide uninterrupted connectivity through the tunnel in the event of a DHCP |
5627 | 5627 |
reset of the peer's public IP address (see the |
... | ... |
@@ -5635,7 +5635,7 @@ and |
5635 | 5635 |
.B \-\-tun\-mtu |
5636 | 5636 |
above). |
5637 | 5637 |
|
5638 |
-On some platforms such as Windows, TAP-Win32 tunnels are persistent by |
|
5638 |
+On some platforms such as Windows, TAP\-Win32 tunnels are persistent by |
|
5639 | 5639 |
default. |
5640 | 5640 |
.\"********************************************************* |
5641 | 5641 |
.TP |
... | ... |
@@ -5655,7 +5655,7 @@ Optional user to be owner of this tunnel. |
5655 | 5655 |
.B \-\-group group |
5656 | 5656 |
Optional group to be owner of this tunnel. |
5657 | 5657 |
.\"********************************************************* |
5658 |
-.SS Windows-Specific Options: |
|
5658 |
+.SS Windows\-Specific Options: |
|
5659 | 5659 |
.\"********************************************************* |
5660 | 5660 |
.TP |
5661 | 5661 |
.B \-\-win\-sys path |
... | ... |
@@ -5680,7 +5680,7 @@ is found in the configuration file. |
5680 | 5680 |
.B \-\-ip\-win32 method |
5681 | 5681 |
When using |
5682 | 5682 |
.B \-\-ifconfig |
5683 |
-on Windows, set the TAP-Win32 adapter |
|
5683 |
+on Windows, set the TAP\-Win32 adapter |
|
5684 | 5684 |
IP address and netmask using |
5685 | 5685 |
.B method. |
5686 | 5686 |
Don't use this option unless you are also using |
... | ... |
@@ -5693,13 +5693,13 @@ to the console telling the user to configure the |
5693 | 5693 |
adapter manually and indicating the IP/netmask which |
5694 | 5694 |
OpenVPN expects the adapter to be set to. |
5695 | 5695 |
|
5696 |
-.B dynamic [offset] [lease-time] -- |
|
5696 |
+.B dynamic [offset] [lease\-time] \-\- |
|
5697 | 5697 |
Automatically set the IP address and netmask by replying to |
5698 | 5698 |
DHCP query messages generated by the kernel. This mode is |
5699 | 5699 |
probably the "cleanest" solution |
5700 |
-for setting the TCP/IP properties since it uses the well-known |
|
5700 |
+for setting the TCP/IP properties since it uses the well\-known |
|
5701 | 5701 |
DHCP protocol. There are, however, two prerequisites for using |
5702 |
-this mode: (1) The TCP/IP properties for the TAP-Win32 |
|
5702 |
+this mode: (1) The TCP/IP properties for the TAP\-Win32 |
|
5703 | 5703 |
adapter must be set to "Obtain an IP address automatically," and |
5704 | 5704 |
(2) OpenVPN needs to claim an IP address in the subnet for use |
5705 | 5705 |
as the virtual DHCP server address. By default in |
... | ... |
@@ -5712,7 +5712,7 @@ virtual DHCP server address. In |
5712 | 5712 |
.B \-\-dev tun |
5713 | 5713 |
mode, OpenVPN will cause the DHCP server to masquerade as if it were |
5714 | 5714 |
coming from the remote endpoint. The optional offset parameter is |
5715 |
-an integer which is > \-256 and < 256 and which defaults to -1. |
|
5715 |
+an integer which is > \-256 and < 256 and which defaults to \-1. |
|
5716 | 5716 |
If offset is positive, the DHCP server will masquerade as the IP |
5717 | 5717 |
address at network address + offset. |
5718 | 5718 |
If offset is negative, the DHCP server will masquerade as the IP |
... | ... |
@@ -5723,17 +5723,17 @@ address is. OpenVPN will "claim" this address, so make sure to |
5723 | 5723 |
use a free address. Having said that, different OpenVPN instantiations, |
5724 | 5724 |
including different ends of the same connection, can share the same |
5725 | 5725 |
virtual DHCP server address. The |
5726 |
-.B lease-time |
|
5726 |
+.B lease\-time |
|
5727 | 5727 |
parameter controls the lease time of the DHCP assignment given to |
5728 |
-the TAP-Win32 adapter, and is denoted in seconds. |
|
5728 |
+the TAP\-Win32 adapter, and is denoted in seconds. |
|
5729 | 5729 |
Normally a very long lease time is preferred |
5730 |
-because it prevents routes involving the TAP-Win32 adapter from |
|
5730 |
+because it prevents routes involving the TAP\-Win32 adapter from |
|
5731 | 5731 |
being lost when the system goes to sleep. The default |
5732 | 5732 |
lease time is one year. |
5733 | 5733 |
|
5734 | 5734 |
.B netsh \-\- |
5735 | 5735 |
Automatically set the IP address and netmask using |
5736 |
-the Windows command-line "netsh" |
|
5736 |
+the Windows command\-line "netsh" |
|
5737 | 5737 |
command. This method appears to work correctly on |
5738 | 5738 |
Windows XP but not Windows 2000. |
5739 | 5739 |
|
... | ... |
@@ -5742,7 +5742,7 @@ Automatically set the IP address and netmask using the |
5742 | 5742 |
Windows IP Helper API. This approach |
5743 | 5743 |
does not have ideal semantics, though testing has indicated |
5744 | 5744 |
that it works okay in practice. If you use this option, |
5745 |
-it is best to leave the TCP/IP properties for the TAP-Win32 |
|
5745 |
+it is best to leave the TCP/IP properties for the TAP\-Win32 |
|
5746 | 5746 |
adapter in their default state, i.e. "Obtain an IP address |
5747 | 5747 |
automatically." |
5748 | 5748 |
|
... | ... |
@@ -5751,14 +5751,14 @@ automatically." |
5751 | 5751 |
.B dynamic |
5752 | 5752 |
method initially and fail over to |
5753 | 5753 |
.B netsh |
5754 |
-if the DHCP negotiation with the TAP-Win32 adapter does |
|
5754 |
+if the DHCP negotiation with the TAP\-Win32 adapter does |
|
5755 | 5755 |
not succeed in 20 seconds. Such failures have been known |
5756 |
-to occur when certain third-party firewall packages installed |
|
5756 |
+to occur when certain third\-party firewall packages installed |
|
5757 | 5757 |
on the client machine block the DHCP negotiation used by |
5758 |
-the TAP-Win32 adapter. |
|
5758 |
+the TAP\-Win32 adapter. |
|
5759 | 5759 |
Note that if the |
5760 | 5760 |
.B netsh |
5761 |
-failover occurs, the TAP-Win32 adapter |
|
5761 |
+failover occurs, the TAP\-Win32 adapter |
|
5762 | 5762 |
TCP/IP properties will be reset from DHCP to static, and this |
5763 | 5763 |
will cause future OpenVPN startups using the |
5764 | 5764 |
.B adaptive |
... | ... |
@@ -5772,7 +5772,7 @@ mode from using |
5772 | 5772 |
.B netsh, |
5773 | 5773 |
run OpenVPN at least once using the |
5774 | 5774 |
.B dynamic |
5775 |
-mode to restore the TAP-Win32 adapter TCP/IP properties |
|
5775 |
+mode to restore the TAP\-Win32 adapter TCP/IP properties |
|
5776 | 5776 |
to a DHCP configuration. |
5777 | 5777 |
.\"********************************************************* |
5778 | 5778 |
.TP |
... | ... |
@@ -5782,29 +5782,29 @@ Which method |
5782 | 5782 |
to use for adding routes on Windows? |
5783 | 5783 |
|
5784 | 5784 |
.B adaptive |
5785 |
-(default) -- Try IP helper API first. If that fails, fall |
|
5785 |
+(default) \-\- Try IP helper API first. If that fails, fall |
|
5786 | 5786 |
back to the route.exe shell command. |
5787 | 5787 |
.br |
5788 | 5788 |
.B ipapi |
5789 |
+\-\- Use IP helper API. |
|
5789 | 5790 |
.br |
5790 | 5791 |
.B exe |
5792 |
+\-\- Call the route.exe shell command. |
|
5791 | 5793 |
.\"********************************************************* |
5792 | 5794 |
.TP |
5793 | 5795 |
.B \-\-dhcp\-option type [parm] |
5794 |
-Set extended TAP-Win32 TCP/IP properties, must |
|
5796 |
+Set extended TAP\-Win32 TCP/IP properties, must |
|
5795 | 5797 |
be used with |
5796 | 5798 |
.B \-\-ip\-win32 dynamic |
5797 | 5799 |
or |
5798 | 5800 |
.B \-\-ip\-win32 adaptive. |
5799 | 5801 |
This option can be used to set additional TCP/IP properties |
5800 |
-on the TAP-Win32 adapter, and is particularly useful for |
|
5802 |
+on the TAP\-Win32 adapter, and is particularly useful for |
|
5801 | 5803 |
configuring an OpenVPN client to access a Samba server |
5802 | 5804 |
across the VPN. |
5803 | 5805 |
|
5804 | 5806 |
.B DOMAIN name \-\- |
5805 |
-Set Connection-specific DNS Suffix. |
|
5807 |
+Set Connection\-specific DNS Suffix. |
|
5806 | 5808 |
|
5807 | 5809 |
.B DNS addr \-\- |
5808 | 5810 |
Set primary domain name server IPv4 address. Repeat |
... | ... |
@@ -5838,17 +5838,17 @@ to set secondary NTP server addresses. |
5838 | 5838 |
.B NBT type \-\- |
5839 | 5839 |
Set NetBIOS over TCP/IP Node type. Possible options: |
5840 | 5840 |
.B 1 |
5841 |
-= b-node (broadcasts), |
|
5841 |
+= b\-node (broadcasts), |
|
5842 | 5842 |
.B 2 |
5843 |
-= p-node (point-to-point |
|
5843 |
+= p\-node (point\-to\-point |
|
5844 | 5844 |
name queries to a WINS server), |
5845 | 5845 |
.B 4 |
5846 |
-= m-node (broadcast |
|
5846 |
+= m\-node (broadcast |
|
5847 | 5847 |
then query name server), and |
5848 | 5848 |
.B 8 |
5849 |
-= h-node (query name server, then broadcast). |
|
5849 |
+= h\-node (query name server, then broadcast). |
|
5850 | 5850 |
|
5851 |
-.B NBS scope-id -- |
|
5851 |
+.B NBS scope\-id \-\- |
|
5852 | 5852 |
Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended |
5853 | 5853 |
naming service for the NetBIOS over TCP/IP (Known as NBT) module. The |
5854 | 5854 |
primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on |
... | ... |
@@ -5860,14 +5860,14 @@ computers to use the same computer name, as they have different |
5860 | 5860 |
scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. |
5861 | 5861 |
(This description of NetBIOS scopes courtesy of NeonSurge@abyss.com) |
5862 | 5862 |
|
5863 |
-.B DISABLE-NBT -- |
|
5864 |
-Disable Netbios-over-TCP/IP. |
|
5863 |
+.B DISABLE\-NBT \-\- |
|
5864 |
+Disable Netbios\-over\-TCP/IP. |
|
5865 | 5865 |
|
5866 | 5866 |
Note that if |
5867 | 5867 |
.B \-\-dhcp\-option |
5868 | 5868 |
is pushed via |
5869 | 5869 |
.B \-\-push |
5870 |
-to a non-windows client, the option will be saved in the client's |
|
5870 |
+to a non\-windows client, the option will be saved in the client's |
|
5871 | 5871 |
environment before the up script is called, under |
5872 | 5872 |
the name "foreign_option_{n}". |
5873 | 5873 |
.\"********************************************************* |
... | ... |
@@ -5875,7 +5875,7 @@ the name "foreign_option_{n}". |
5875 | 5875 |
.B \-\-tap\-sleep n |
5876 | 5876 |
Cause OpenVPN to sleep for |
5877 | 5877 |
.B n |
5878 |
-seconds immediately after the TAP-Win32 adapter state |
|
5878 |
+seconds immediately after the TAP\-Win32 adapter state |
|
5879 | 5879 |
is set to "connected". |
5880 | 5880 |
|
5881 | 5881 |
This option is intended to be used to troubleshoot problems |
... | ... |
@@ -5884,7 +5884,7 @@ with the |
5884 | 5884 |
and |
5885 | 5885 |
.B \-\-ip\-win32 |
5886 | 5886 |
options, and is used to give |
5887 |
-the TAP-Win32 adapter time to come up before |
|
5887 |
+the TAP\-Win32 adapter time to come up before |
|
5888 | 5888 |
Windows IP Helper API operations are applied to it. |
5889 | 5889 |
.\"********************************************************* |
5890 | 5890 |
.TP |
... | ... |
@@ -5901,7 +5901,7 @@ TCP or UDP port 53 except one inside the tunnel. It uses |
5901 | 5901 |
Windows Filtering Platform (WFP) and works on Windows Vista or |
5902 | 5902 |
later. |
5903 | 5903 |
|
5904 |
-This option is considered unknown on non-Windows platforms |
|
5904 |
+This option is considered unknown on non\-Windows platforms |
|
5905 | 5905 |
and unsupported on Windows XP, resulting in fatal error. |
5906 | 5906 |
You may want to use |
5907 | 5907 |
.B \-\-setenv opt |
... | ... |
@@ -5916,7 +5916,7 @@ fatal errors. |
5916 | 5916 |
Ask Windows to renew the TAP adapter lease on startup. |
5917 | 5917 |
This option is normally unnecessary, as Windows automatically |
5918 | 5918 |
triggers a DHCP renegotiation on the TAP adapter when it |
5919 |
-comes up, however if you set the TAP-Win32 adapter |
|
5919 |
+comes up, however if you set the TAP\-Win32 adapter |
|
5920 | 5920 |
Media Status property to "Always Connected", you may need this |
5921 | 5921 |
flag. |
5922 | 5922 |
.\"********************************************************* |
... | ... |
@@ -5936,29 +5936,29 @@ recognizing pushed DNS servers. |
5936 | 5936 |
Put up a "press any key to continue" message on the console prior |
5937 | 5937 |
to OpenVPN program exit. This option is automatically used by the |
5938 | 5938 |
Windows explorer when OpenVPN is run on a configuration |
5939 |
-file using the right-click explorer menu. |
|
5939 |
+file using the right\-click explorer menu. |
|
5940 | 5940 |
.\"********************************************************* |
5941 | 5941 |
.TP |
5942 |
-.B \-\-service exit-event [0|1] |
|
5942 |
+.B \-\-service exit\-event [0|1] |
|
5943 | 5943 |
Should be used when OpenVPN is being automatically executed by another |
5944 | 5944 |
program in such |
5945 | 5945 |
a context that no interaction with the user via display or keyboard |
5946 |
-is possible. In general, end-users should never need to explicitly |
|
5946 |
+is possible. In general, end\-users should never need to explicitly |
|
5947 | 5947 |
use this option, as it is automatically added by the OpenVPN service wrapper |
5948 | 5948 |
when a given OpenVPN configuration is being run as a service. |
5949 | 5949 |
|
5950 |
-.B exit-event |
|
5950 |
+.B exit\-event |
|
5951 | 5951 |
is the name of a Windows global event object, and OpenVPN will continuously |
5952 | 5952 |
monitor the state of this event object and exit when it becomes signaled. |
5953 | 5953 |
|
5954 | 5954 |
The second parameter indicates the initial state of |
5955 |
-.B exit-event |
|
5955 |
+.B exit\-event |
|
5956 | 5956 |
and normally defaults to 0. |
5957 | 5957 |
|
5958 | 5958 |
Multiple OpenVPN processes can be simultaneously executed with the same |
5959 |
-.B exit-event |
|
5959 |
+.B exit\-event |
|
5960 | 5960 |
parameter. In any case, the controlling process can signal |
5961 |
-.B exit-event, |
|
5961 |
+.B exit\-event, |
|
5962 | 5962 |
causing all such OpenVPN processes to exit. |
5963 | 5963 |
|
5964 | 5964 |
When executing an OpenVPN process using the |
... | ... |
@@ -5974,9 +5974,9 @@ to write these messages to a file. |
5974 | 5974 |
.TP |
5975 | 5975 |
.B \-\-show\-adapters |
5976 | 5976 |
(Standalone) |
5977 |
-Show available TAP-Win32 adapters which can be selected using the |
|
5977 |
+Show available TAP\-Win32 adapters which can be selected using the |
|
5978 | 5978 |
.B \-\-dev\-node |
5979 |
-option. On non-Windows systems, the |
|
5979 |
+option. On non\-Windows systems, the |
|
5980 | 5980 |
.BR ifconfig (8) |
5981 | 5981 |
command provides similar functionality. |
5982 | 5982 |
.\"********************************************************* |
... | ... |
@@ -5984,14 +5984,14 @@ command provides similar functionality. |
5984 | 5984 |
.B \-\-allow\-nonadmin [TAP\-adapter] |
5985 | 5985 |
(Standalone) |
5986 | 5986 |
Set |
5987 |
-.B TAP-adapter |
|
5988 |
-to allow access from non-administrative accounts. If |
|
5989 |
-.B TAP-adapter |
|
5987 |
+.B TAP\-adapter |
|
5988 |
+to allow access from non\-administrative accounts. If |
|
5989 |
+.B TAP\-adapter |
|
5990 | 5990 |
is omitted, all TAP adapters on the system will be configured to allow |
5991 |
-non-admin access. |
|
5992 |
-The non-admin access setting will only persist for the length of time that |
|
5993 |
-the TAP-Win32 device object and driver remain loaded, and will need |
|
5994 |
-to be re-enabled after a reboot, or if the driver is unloaded |
|
5991 |
+non\-admin access. |
|
5992 |
+The non\-admin access setting will only persist for the length of time that |
|
5993 |
+the TAP\-Win32 device object and driver remain loaded, and will need |
|
5994 |
+to be re\-enabled after a reboot, or if the driver is unloaded |
|
5995 | 5995 |
and reloaded. |
5996 | 5996 |
This directive can only be used by an administrator. |
5997 | 5997 |
.\"********************************************************* |
... | ... |
@@ -6000,12 +6000,12 @@ This directive can only be used by an administrator. |
6000 | 6000 |
(Standalone) |
6001 | 6001 |
Show valid subnets for |
6002 | 6002 |
.B \-\-dev tun |
6003 |
-emulation. Since the TAP-Win32 driver |
|
6003 |
+emulation. Since the TAP\-Win32 driver |
|
6004 | 6004 |
exports an ethernet interface to Windows, and since TUN devices are |
6005 |
-point-to-point in nature, it is necessary for the TAP-Win32 driver |
|
6005 |
+point\-to\-point in nature, it is necessary for the TAP\-Win32 driver |
|
6006 | 6006 |
to impose certain constraints on TUN endpoint address selection. |
6007 | 6007 |
|
6008 |
-Namely, the point-to-point endpoints used in TUN device emulation |
|
6008 |
+Namely, the point\-to\-point endpoints used in TUN device emulation |
|
6009 | 6009 |
must be the middle two addresses of a /30 subnet (netmask 255.255.255.252). |
6010 | 6010 |
.\"********************************************************* |
6011 | 6011 |
.TP |
... | ... |
@@ -6022,7 +6022,7 @@ adapter list. |
6022 | 6022 |
Show PKCS#11 token object list. Specify cert_private as 1 |
6023 | 6023 |
if certificates are stored as private objects. |
6024 | 6024 |
|
6025 |
-If p11-kit is present on the system, the |
|
6025 |
+If p11\-kit is present on the system, the |
|
6026 | 6026 |
.B provider |
6027 | 6027 |
argument is optional; if omitted the default |
6028 | 6028 |
.B p11\-kit\-proxy.so |
... | ... |
@@ -6042,8 +6042,8 @@ is passed as argument, the IPv6 route for this host is reported. |
6042 | 6042 |
.\"********************************************************* |
6043 | 6043 |
.SS IPv6 Related Options |
6044 | 6044 |
.\"********************************************************* |
6045 |
-The following options exist to support IPv6 tunneling in peer-to-peer |
|
6046 |
-and client-server mode. All options are modeled after their IPv4 |
|
6045 |
+The following options exist to support IPv6 tunneling in peer\-to\-peer |
|
6046 |
+and client\-server mode. All options are modeled after their IPv4 |
|
6047 | 6047 |
counterparts, so more detailed explanations given there apply here |
6048 | 6048 |
as well (except for |
6049 | 6049 |
.B \-\-topology |
... | ... |
@@ -6065,7 +6065,7 @@ field from |
6065 | 6065 |
is used. |
6066 | 6066 |
.TP |
6067 | 6067 |
.B \-\-server\-ipv6 ipv6addr/bits |
6068 |
-convenience-function to enable a number of IPv6 related options at |
|
6068 |
+convenience\-function to enable a number of IPv6 related options at |
|
6069 | 6069 |
once, namely |
6070 | 6070 |
.B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool |
6071 | 6071 |
and |
... | ... |
@@ -6082,14 +6082,14 @@ pool starts at |
6082 | 6082 |
and matches the offset determined from the start of the IPv4 pool. |
6083 | 6083 |
.TP |
6084 | 6084 |
.B \-\-ifconfig\-ipv6\-push ipv6addr/bits ipv6remote |
6085 |
-for ccd/ per-client static IPv6 interface configuration, see |
|
6085 |
+for ccd/ per\-client static IPv6 interface configuration, see |
|
6086 | 6086 |
.B \-\-client\-config\-dir |
6087 | 6087 |
and |
6088 | 6088 |
.B \-\-ifconfig\-push |
6089 | 6089 |
for more details. |
6090 | 6090 |
.TP |
6091 | 6091 |
.B \-\-iroute\-ipv6 ipv6addr/bits |
6092 |
-for ccd/ per-client static IPv6 route configuration, see |
|
6092 |
+for ccd/ per\-client static IPv6 route configuration, see |
|
6093 | 6093 |
.B \-\-iroute |
6094 | 6094 |
for more details how to setup and use this, and how |
6095 | 6095 |
.B \-\-iroute |
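Review bot: the phrases `for ccd/ per\-client static IPv6 interface configuration` and `for ccd/ per\-client static IPv6 route configuration` read as if `ccd/` were a stray path fragment; since both lines are being touched anyway, consider `for per\-client (ccd/) static IPv6 ...` so the directory reference is clearly parenthetical. The escaping itself is consistent with the already escaped `.B \-\-client\-config\-dir` and `.B \-\-iroute` on the following lines.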
... | ... |
@@ -6100,7 +6100,7 @@ interact. |
6100 | 6100 |
.\"********************************************************* |
6101 | 6101 |
.SH SCRIPTING AND ENVIRONMENTAL VARIABLES |
6102 | 6102 |
OpenVPN exports a series |
6103 |
-of environmental variables for use by user-defined scripts. |
|
6103 |
+of environmental variables for use by user\-defined scripts. |
|
6104 | 6104 |
.\"********************************************************* |
6105 | 6105 |
.SS Script Order of Execution |
6106 | 6106 |
.\"********************************************************* |
... | ... |
@@ -6185,13 +6185,13 @@ Here is a brief rundown of OpenVPN's current string types and the |
6185 | 6185 |
permitted character class for each string: |
6186 | 6186 |
|
6187 | 6187 |
.B X509 Names: |
6188 |
-Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at |
|
6188 |
+Alphanumeric, underbar ('_'), dash ('\-'), dot ('.'), at |
|
6189 | 6189 |
('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is defined |
6190 | 6190 |
as a character which will cause the C library isalnum() function to return |
6191 | 6191 |
true. |
6192 | 6192 |
|
6193 | 6193 |
.B Common Names: |
6194 |
-Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at |
|
6194 |
+Alphanumeric, underbar ('_'), dash ('\-'), dot ('.'), and at |
|
6195 | 6195 |
('@'). |
6196 | 6196 |
|
6197 | 6197 |
.B \-\-auth\-user\-pass username: |
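Review bot: this is the hunk where the escape changes meaning rather than appearance, and that deserves a sentence in the commit message. The two paragraphs enumerate the literal bytes OpenVPN's string sanitizer accepts in X509 names and common names; an unescaped `'-'` rendered as U+2010 documents a character the code does not accept while hiding the ASCII 0x2D it does. The other single-character literals on the same lines (`'_'`, `'.'`, `'@'`, `':'`, `'/'`, `'='`) need no escape.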
... | ... |
@@ -6205,8 +6205,8 @@ Printable is defined to be a character which will cause the C library |
6205 | 6205 |
isprint() function to return true. |
6206 | 6206 |
|
6207 | 6207 |
.B \-\-client\-config\-dir filename as derived from common name or username: |
6208 |
-Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or |
|
6209 |
-".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has |
|
6208 |
+Alphanumeric, underbar ('_'), dash ('\-'), and dot ('.') except for "." or |
|
6209 |
+".." as standalone strings. As of v2.0.1\-rc6, the at ('@') character has |
|
6210 | 6210 |
been added as well for compatibility with the common name character class. |
6211 | 6211 |
|
6212 | 6212 |
.B Environmental variable names: |
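Review bot: the same consideration as for the X509 and common-name paragraphs applies here and matters more, because the character class on these lines is the boundary that keeps a common name or username from escaping the `--client-config-dir` directory (hence the explicit exclusion of `.` and `..` as standalone strings); the rendered `'\-'` must show the ASCII hyphen-minus the code actually accepts. The `v2.0.1\-rc6` escape in the version string is consistent with the rest of the patch.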
... | ... |
@@ -6222,7 +6222,7 @@ character class for that string type will be remapped to underbar ('_'). |
6222 | 6222 |
Once set, a variable is persisted |
6223 | 6223 |
indefinitely until it is reset by a new value or a restart, |
6224 | 6224 |
|
6225 |
-As of OpenVPN 2.0-beta12, in server mode, environmental |
|
6225 |
+As of OpenVPN 2.0\-beta12, in server mode, environmental |
|
6226 | 6226 |
variables set by OpenVPN |
6227 | 6227 |
are scoped according to the client objects |
6228 | 6228 |
they are |
... | ... |
@@ -6304,7 +6304,7 @@ An option pushed via |
6304 | 6304 |
to a client which does not natively support it, |
6305 | 6305 |
such as |
6306 | 6306 |
.B \-\-dhcp\-option |
6307 |
-on a non-Windows system, will be recorded to this |
|
6307 |
+on a non\-Windows system, will be recorded to this |
|
6308 | 6308 |
environmental variable sequence prior to |
6309 | 6309 |
.B \-\-up |
6310 | 6310 |
script execution. |
... | ... |
@@ -6529,7 +6529,7 @@ Set on program initiation and reset on SIGHUP. |
6529 | 6529 |
.\"********************************************************* |
6530 | 6530 |
.TP |
6531 | 6531 |
.B route_net_gateway |
6532 |
-The pre-existing default IP gateway in the system routing |
|
6532 |
+The pre\-existing default IP gateway in the system routing |
|
6533 | 6533 |
table. |
6534 | 6534 |
Set prior to |
6535 | 6535 |
.B \-\-up |
... | ... |
@@ -6634,7 +6634,7 @@ or |
6634 | 6634 |
.\"********************************************************* |
6635 | 6635 |
.TP |
6636 | 6636 |
.B time_ascii |
6637 |
-Client connection timestamp, formatted as a human-readable |
|
6637 |
+Client connection timestamp, formatted as a human\-readable |
|
6638 | 6638 |
time string. |
6639 | 6639 |
Set prior to execution of the |
6640 | 6640 |
.B \-\-client\-connect |
... | ... |
@@ -6684,7 +6684,7 @@ is the verification level. Only set for TLS connections. Set prior |
6684 | 6684 |
to execution of |
6685 | 6685 |
.B \-\-tls\-verify |
6686 | 6686 |
script. This is in the form of a decimal string like "933971680", which is |
6687 |
-suitable for doing serial-based OCSP queries (with OpenSSL, do not |
|
6687 |
+suitable for doing serial\-based OCSP queries (with OpenSSL, do not |
|
6688 | 6688 |
prepend "0x" to the string) If something goes wrong while reading |
6689 | 6689 |
the value from the certificate it will be an empty string, so your |
6690 | 6690 |
code should check that. |
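Review bot: while this paragraph is being touched, the trailing context line `prepend "0x" to the string) If something goes wrong while reading` is missing a full stop after the closing parenthesis; fixing it in this hunk avoids a separate one-character commit. The `serial\-based` escape on the changed line is consistent with the rest of the patch.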
... | ... |
@@ -6785,12 +6785,12 @@ and 1 for the CA certificate. |
6785 | 6785 |
.ft 3 |
6786 | 6786 |
.in +4 |
6787 | 6787 |
X509_0_emailAddress=me@myhost.mydomain |
6788 |
-X509_0_CN=Test-Client |
|
6789 |
-X509_0_O=OpenVPN-TEST |
|
6788 |
+X509_0_CN=Test\-Client |
|
6789 |
+X509_0_O=OpenVPN\-TEST |
|
6790 | 6790 |
X509_0_ST=NA |
6791 | 6791 |
X509_0_C=KG |
6792 | 6792 |
X509_1_emailAddress=me@myhost.mydomain |
6793 |
-X509_1_O=OpenVPN-TEST |
|
6793 |
+X509_1_O=OpenVPN\-TEST |
|
6794 | 6794 |
X509_1_L=BISHKEK |
6795 | 6795 |
X509_1_ST=NA |
6796 | 6796 |
X509_1_C=KG |
... | ... |
@@ -6801,7 +6801,7 @@ X509_1_C=KG |
6801 | 6801 |
.SH INLINE FILE SUPPORT |
6802 | 6802 |
OpenVPN allows including files in the main configuration for the |
6803 | 6803 |
.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, |
6804 |
-.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls-auth |
|
6804 |
+.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls\-auth |
|
6805 | 6805 |
and |
6806 | 6806 |
.B \-\-tls\-crypt |
6807 | 6807 |
options. |
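Review bot: the change to `\-\-tls\-auth` on the `.B` line is a functional fix rather than a cosmetic one and the commit message should say so: the option name was only half escaped, so the rendered token mixed an ASCII hyphen-minus with a U+2010 hyphen, and a reader copying `--tls-auth` from this list would hand OpenVPN a string it rejects as an unknown option. The option list on the preceding `.B` line is already fully escaped, so this brings the whole list into one consistent form.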
... | ... |
@@ -6817,9 +6817,9 @@ Here is an example of an inline file usage |
6817 | 6817 |
.ft 3 |
6818 | 6818 |
.in +4 |
6819 | 6819 |
<cert> |
6820 |
+\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- |
|
6820 | 6821 |
[...] |
6822 |
+\-\-\-\-\-END CERTIFICATE\-\-\-\-\- |
|
6821 | 6823 |
</cert> |
6822 | 6824 |
.in -4 |
6823 | 6825 |
.ft |
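Review bot: this hunk adds the PEM armor lines `\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-` and `\-\-\-\-\-END CERTIFICATE\-\-\-\-\-` to the `<cert>` example instead of escaping existing text, and the commit message does not mention it; call it out there, since it is the one hunk that changes documented content rather than its rendering. The escaping is required in this case: a reader copying the block needs exactly five ASCII hyphen-minus characters on each armor line for the PEM parser to recognise it. The unchanged `.in -4` below is correctly left alone, because that `-` is the arithmetic operator in a numeric request argument, not rendered text, and should stay unescaped.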
... | ... |
@@ -6835,15 +6835,15 @@ the inline file has to be base64 encoded. Encoding of a .p12 file into base64 ca |
6835 | 6835 |
.B SIGHUP |
6836 | 6836 |
Cause OpenVPN to close all TUN/TAP and |
6837 | 6837 |
network connections, |
6838 |
-restart, re-read the configuration file (if any), |
|
6838 |
+restart, re\-read the configuration file (if any), |
|
6839 | 6839 |
and reopen TUN/TAP and network connections. |
6840 | 6840 |
.\"********************************************************* |
6841 | 6841 |
.TP |
6842 | 6842 |
.B SIGUSR1 |
6843 | 6843 |
Like |
6844 | 6844 |
.B SIGHUP, |
6845 |
-except don't re-read configuration file, and possibly don't close and reopen TUN/TAP |
|
6846 |
-device, re-read key files, preserve local IP address/port, or preserve most recently authenticated |
|
6845 |
+except don't re\-read configuration file, and possibly don't close and reopen TUN/TAP |
|
6846 |
+device, re\-read key files, preserve local IP address/port, or preserve most recently authenticated |
|
6847 | 6847 |
remote IP address/port based on |
6848 | 6848 |
.B \-\-persist\-tun, \-\-persist\-key, \-\-persist\-local\-ip, |
6849 | 6849 |
and |
... | ... |
@@ -6923,7 +6923,7 @@ a UDP ping to its remote peer once every 15 seconds which will cause many |
6923 | 6923 |
stateful firewalls to forward packets in both directions |
6924 | 6924 |
without an explicit firewall rule). |
6925 | 6925 |
|
6926 |
-If you are using a Linux iptables-based firewall, you may need to enter |
|
6926 |
+If you are using a Linux iptables\-based firewall, you may need to enter |
|
6927 | 6927 |
the following command to allow incoming packets on the TUN device: |
6928 | 6928 |
.IP |
6929 | 6929 |
.B iptables \-A INPUT \-i tun+ \-j ACCEPT |
... | ... |
@@ -6963,7 +6963,7 @@ via |
6963 | 6963 |
.B ssh |
6964 | 6964 |
without using the VPN (since |
6965 | 6965 |
.B ssh |
6966 |
-has its own built-in security) you would use the command |
|
6966 |
+has its own built\-in security) you would use the command |
|
6967 | 6967 |
.B ssh alice.example.com. |
6968 | 6968 |
However in the same scenario, you could also use the command |
6969 | 6969 |
.B telnet 10.4.0.2 |
... | ... |
@@ -7008,7 +7008,7 @@ program. Omit the |
7008 | 7008 |
.B \-\-verb 9 |
7009 | 7009 |
option to have OpenVPN run quietly. |
7010 | 7010 |
.\"********************************************************* |
7011 |
-.SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret) |
|
7011 |
+.SS Example 2: A tunnel with static\-key security (i.e. using a pre\-shared secret) |
|
7012 | 7012 |
First build a static key on bob. |
7013 | 7013 |
.IP |
7014 | 7014 |
.B openvpn \-\-genkey \-\-secret key |
... | ... |
@@ -7041,13 +7041,13 @@ On alice: |
7041 | 7041 |
.IP |
7042 | 7042 |
.B ping 10.4.0.1 |
7043 | 7043 |
.\"********************************************************* |
7044 |
-.SS Example 3: A tunnel with full TLS-based security |
|
7044 |
+.SS Example 3: A tunnel with full TLS\-based security |
|
7045 | 7045 |
For this test, we will designate |
7046 | 7046 |
.B bob |
7047 | 7047 |
as the TLS client and |
7048 | 7048 |
.B alice |
7049 | 7049 |
as the TLS server. |
7050 |
-.I Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model. |
|
7050 |
+.I Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer\-to\-peer, UDP\-based communication model. |
|
7051 | 7051 |
|
7052 | 7052 |
First, build a separate certificate/key pair |
7053 | 7053 |
for both bob and alice (see above where |
... | ... |
@@ -7058,7 +7058,7 @@ Diffie Hellman parameters (see above where |
7058 | 7058 |
is discussed for more info). You can also use the |
7059 | 7059 |
included test files client.crt, client.key, |
7060 | 7060 |
server.crt, server.key and ca.crt. |
7061 |
-The .crt files are certificates/public-keys, the .key |
|
7061 |
+The .crt files are certificates/public\-keys, the .key |
|
7062 | 7062 |
files are private keys, and ca.crt is a certification |
7063 | 7063 |
authority who has signed both |
7064 | 7064 |
client.crt and server.crt. For Diffie Hellman |
... | ... |
@@ -7133,7 +7133,7 @@ in a script and execute with the |
7133 | 7133 |
option. |
7134 | 7134 |
.\"********************************************************* |
7135 | 7135 |
.SH FIREWALLS |
7136 |
-OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. |
|
7136 |
+OpenVPN's usage of a single UDP port makes it fairly firewall\-friendly. |
|
7137 | 7137 |
You should add an entry to your firewall rules to allow incoming OpenVPN |
7138 | 7138 |
packets. On Linux 2.4+: |
7139 | 7139 |
.IP |
... | ... |
@@ -7142,7 +7142,7 @@ packets. On Linux 2.4+: |
7142 | 7142 |
This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) |
7143 | 7143 |
from an OpenVPN peer at 1.2.3.4. |
7144 | 7144 |
|
7145 |
-If you are using HMAC-based packet authentication (the default in any of |
|
7145 |
+If you are using HMAC\-based packet authentication (the default in any of |
|
7146 | 7146 |
OpenVPN's secure modes), having the firewall filter on source |
7147 | 7147 |
address can be considered optional, since HMAC packet authentication |
7148 | 7148 |
is a much more secure method of verifying the authenticity of |
... | ... |
@@ -7235,11 +7235,11 @@ OpenSSL Project ( |
7235 | 7235 |
For more information on the TLS protocol, see |
7236 | 7236 |
.I http://www.ietf.org/rfc/rfc2246.txt |
7237 | 7237 |
|
7238 |
-For more information on the LZO real-time compression library see |
|
7238 |
+For more information on the LZO real\-time compression library see |
|
7239 | 7239 |
.I http://www.oberhumer.com/opensource/lzo/ |
7240 | 7240 |
.\"********************************************************* |
7241 | 7241 |
.SH COPYRIGHT |
7242 |
-Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software; |
|
7242 |
+Copyright (C) 2002\-2017 OpenVPN Technologies, Inc. This program is free software; |
|
7243 | 7243 |
you can redistribute it and/or modify |
7244 | 7244 |
it under the terms of the GNU General Public License version 2 |
7245 | 7245 |
as published by the Free Software Foundation. |
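Review bot: the copyright line moving from `2002\-2010` to `2002\-2017` is an unrelated change riding along with the dash escaping; either split it into its own commit or name it in the commit message so that nobody skimming an "escape dashes" patch misses a content change. The `\-` in the year range is fine, since an ASCII hyphen-minus is what readers will grep for. Separately, the unchanged `.I http://www.ietf.org/rfc/rfc2246.txt` earlier in this hunk points at TLS 1.0; that is not for this patch, but it is worth a follow-up to reference the current TLS specification.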