@@ -161,6 +161,9 @@ Asynchronous push reply

 Deprecated features

 -------------------

+For an up-to-date list of all deprecated options, see this wiki page:

+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

+

 - ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate

   away from ``--key-method 1`` as soon as possible.  The recommended approach

   is to remove the ``--key-method`` option from the configuration files, OpenVPN

@@ -181,6 +184,18 @@ Deprecated features

 - ``--keysize`` is deprecated and will be removed in v2.6 together

   with the support of ciphers with cipher block size less than 128 bits.

+- ``--comp-lzo`` is deprecated in OpenVPN 2.4.  Use ``--compress`` instead.

+

+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be

+  removed in v2.5.  Use ``--topology p2p`` instead.

+

+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed

+  in v2.5.  Use ``--verify-client-cert none`` for a functional equivalent.

+

+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4.  It will be removed

+  in v2.5.  Use the far better ``--remote-cert-tls`` option which replaces this

+  feature.

+

 User-visible Changes

 --------------------

@@ -769,7 +769,8 @@ Only use

 when none of the connecting clients are Windows systems.  This mode

 is functionally equivalent to the

 .B \-\-ifconfig\-pool\-linear

-directive which is available in OpenVPN 2.0 and is now deprecated.

+directive which is available in OpenVPN 2.0, is deprecated and will be

+removed in OpenVPN 2.5

 .B subnet \-\-

 Use a subnet rather than a point-to-point topology by

@@ -2485,15 +2486,17 @@ setting to be pushed later.

 .\"*********************************************************

 .TP

 .B \-\-comp\-lzo [mode]

+.B DEPRECATED

+This option will be removed in a future OpenVPN release.  Use the

+newer

+.B \-\-compress

+instead.

+

 Use LZO compression -- may add up to 1 byte per

 packet for incompressible data.

 .B mode

 may be "yes", "no", or "adaptive" (default).

-This option is deprecated in favor of the newer

-.B --compress

-option.

-

 In a server mode setup, it is possible to selectively turn

 compression on or off for individual clients.

@@ -3106,9 +3109,13 @@ a common name and IP address.  They do not guarantee that the given common

 name will always receive the given IP address.  If you want guaranteed

 assignment, use

 .B \-\-ifconfig\-push

+

 .\"*********************************************************

 .TP

 .B \-\-ifconfig\-pool\-linear

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5

+

 Modifies the

 .B \-\-ifconfig\-pool

 directive to

@@ -3671,15 +3678,16 @@ to empty strings ("").  The authentication module/script MUST have logic

 to detect this condition and respond accordingly.

 .\"*********************************************************

 .TP

-.B \-\-client\-cert\-not\-required (DEPRECATED)

+.B \-\-client\-cert\-not\-required

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5

+

 Don't require client certificate, client will authenticate

 using username/password only.  Be aware that using this directive

 is less secure than requiring certificates from all clients.

-

 .B Please note:

-This option is now deprecated and will be removed in OpenVPN v2.5.

-It is replaced by

+This is replaced by

 .B \-\-verify\-client\-cert

 which allows for more flexibility. The option

 .B \-\-verify\-client\-cert none

@@ -3744,7 +3752,10 @@ the authenticated username as the common name,

 rather than the common name from the client cert.

 .\"*********************************************************

 .TP

-.B \-\-compat\-names [no\-remapping] (DEPRECATED)

+.B \-\-compat\-names [no\-remapping]

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5

+

 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted

 like this:

 .IP

@@ -3792,7 +3803,10 @@ to make the transition to the new formatting less intrusive.  It will be

 removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.

 .\"*********************************************************

 .TP

-.B \-\-no\-name\-remapping (DEPRECATED)

+.B \-\-no\-name\-remapping

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5

+

 The

 .B \-\-no\-name\-remapping

 option is an alias for

@@ -4150,13 +4164,29 @@ For more information on HMAC see

 .B \-\-cipher alg

 Encrypt data channel packets with cipher algorithm

 .B alg.

+

 The default is

 .B BF-CBC,

-an abbreviation for Blowfish in Cipher Block Chaining mode.

+an abbreviation for Blowfish in Cipher Block Chaining mode.  When cipher

+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server

+side will automatically upgrade to

+.B AES-256-GCM.

+See

+.B \-\-ncp\-ciphers

+and

+.B \-\-ncp\-disable

+for more details on NCP.

-Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This

+Using

+.B BF-CBC

+is no longer recommended, because of its 64-bit block size.  This

 small block size allows attacks based on collisions, as demonstrated by SWEET32.

-See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.

+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to

+this, support for

+.B BF-CBC, DES, CAST5, IDEA

+and

+.B RC2

+ciphers will be removed in OpenVPN 2.6.

 To see other ciphers that are available with OpenVPN, use the

 .B \-\-show\-ciphers

@@ -4166,14 +4196,6 @@ Set

 .B alg=none

 to disable encryption.

-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by

-.B \-\-cipher\fR.

-See

-.B \-\-ncp\-ciphers

-and

-.B \-\-ncp\-disable

-for more on NCP.

-

 .\"*********************************************************

 .TP

 .B \-\-ncp\-ciphers cipher_list

@@ -4260,6 +4282,9 @@ supported by OpenSSL.

 .\"*********************************************************

 .TP

 .B \-\-no\-replay

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5.

+

 (Advanced) Disable OpenVPN's protection against replay attacks.

 Don't use this option unless you are prepared to make

 a tradeoff of greater efficiency in exchange for less

@@ -4423,7 +4448,6 @@ This option only makes sense when replay protection is enabled

 .\"*********************************************************

 .TP

 .B \-\-no\-iv

-

 .B DEPRECATED

 This option will be removed in OpenVPN 2.5.

@@ -4823,6 +4847,9 @@ Certificate Store GUI.

 .\"*********************************************************

 .TP

 .B \-\-key\-method m

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5

+

 Use data channel key negotiation method

 .B m.

 The key method must match on both sides of the connection.

@@ -5379,8 +5406,9 @@ as X509_<depth>_<attribute>=<value>.  Multiple

 options can be defined to track multiple attributes.

 .\"*********************************************************

 .TP

-.B \-\-ns\-cert\-type client|server (DEPRECATED)

-This option is deprecated.  Use the more modern equivalent

+.B \-\-ns\-cert\-type client|server

+.B DEPRECATED

+This option will be removed in OpenVPN 2.5.  Use the more modern equivalent

 .B \-\-remote\-cert\-tls

 instead.  This option will be removed in OpenVPN 2.5.

@@ -415,8 +415,9 @@ static const char usage_message[] =

     "                  client instance.\n"

     "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"

     "                  to be dynamically allocated to connecting clients.\n"

-    "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"

-    "                  in tun mode.  Not compatible with Windows clients.\n"

+    "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"

+    "                  than /30 subnets\n in tun mode.  Not compatible with\n"

+    "                  Windows clients.\n"

     "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"

     "                  data to file, at seconds intervals (default=600).\n"

     "                  If seconds=0, file will be treated as read-only.\n"

@@ -434,7 +435,7 @@ static const char usage_message[] =

     "                  Only valid in a client-specific config file.\n"

     "--disable       : Client is disabled.\n"

     "                  Only valid in a client-specific config file.\n"

-    "--client-cert-not-required : Don't require client certificate, client\n"

+    "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"

     "                  will authenticate using username/password.\n"

     "--verify-client-cert [none|optional|require] : perform no, optional or\n"

     "                  mandatory client certificate verification.\n"

@@ -455,7 +456,7 @@ static const char usage_message[] =

     "                  with those of the server will be disconnected.\n"

     "--auth-user-pass-optional : Allow connections by clients that don't\n"

     "                  specify a username/password.\n"

-    "--no-name-remapping : Allow Common Name and X509 Subject to include\n"

+    "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"

     "                      any printable character.\n"

     "--client-to-client : Internally route client-to-client traffic.\n"

     "--duplicate-cn  : Allow multiple clients with the same common name to\n"

@@ -539,13 +540,13 @@ static const char usage_message[] =

     "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"

     "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"

 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH

-    "--keysize n     : Size of cipher key in bits (optional).\n"

+    "--keysize n     : (DEPRECATED) Size of cipher key in bits (optional).\n"

     "                  If unspecified, defaults to cipher-specific default.\n"

 #endif

 #ifndef ENABLE_CRYPTO_MBEDTLS

     "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"

 #endif

-    "--no-replay     : Disable replay protection.\n"

+    "--no-replay     : (DEPRECATED) Disable replay protection.\n"

     "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"

     "--replay-window n [t]  : Use a replay protection sliding window of size n\n"

     "                         and a time window of t seconds.\n"

@@ -563,7 +564,7 @@ static const char usage_message[] =

     "(These options are meaningful only for TLS-mode)\n"

     "--tls-server    : Enable TLS and assume server role during TLS handshake.\n"

     "--tls-client    : Enable TLS and assume client role during TLS handshake.\n"

-    "--key-method m  : Data channel key exchange method.  m should be a method\n"

+    "--key-method m  : (DEPRECATED) Data channel key exchange method.  m should be a method\n"

     "                  number, such as 1 (default), 2, etc.\n"

     "--ca file       : Certificate authority file in .pem format containing\n"

     "                  root certificate.\n"

@@ -6570,6 +6571,7 @@ add_option(struct options *options,

     {

         VERIFY_PERMISSION(OPT_P_GENERAL);

         options->topology = TOP_P2P;

+        msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead");

     }

     else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])

     {