
Merge branch 'bugfix2.1' into beta2.2

Conflicts:
openvpn.8
- New option described (--register-dns)

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

David Sommerseth authored on 2010/07/23 05:30:27
Showing 40 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1 @@
0
+James Yonan <james@openvpn.net>      james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
0 1
new file mode 100644
... ...
@@ -0,0 +1 @@
0
+james = James Yonan <james@openvpn.net>
... ...
@@ -224,8 +224,8 @@ acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -m
224 224
 # pthread: Linux, etcetera
225 225
 # --thread-safe: KAI C++
226 226
 
227
-case "$target" in
228
-        *solaris*)
227
+case "$host" in
228
+        *-*-solaris*)
229 229
 
230 230
         # On Solaris (at least, for some versions), libc contains stubbed
231 231
         # (non-functional) versions of the pthreads routines, so link-based
... ...
@@ -321,9 +321,9 @@ if test "x$acx_pthread_ok" = xyes; then
321 321
 
322 322
         AC_MSG_CHECKING([if more special flags are required for pthreads])
323 323
         flag=no
324
-        case "$target" in
325
-                *-aix* | *-freebsd*)               flag="-D_THREAD_SAFE";;
326
-                *solaris* | alpha*-osf* | *linux*) flag="-D_REENTRANT";;
324
+        case "$host" in
325
+                *-*-aix* | *-freebsd*)               flag="-D_THREAD_SAFE";;
326
+                *-*-solaris* | alpha*-osf* | *linux*) flag="-D_REENTRANT";;
327 327
         esac
328 328
         AC_MSG_RESULT(${flag})
329 329
         if test "x$flag" != xno; then
... ...
@@ -32,7 +32,6 @@ AC_CONFIG_SRCDIR(syshead.h)
32 32
 
33 33
 dnl Guess host type.
34 34
 AC_CANONICAL_HOST
35
-AC_CANONICAL_SYSTEM
36 35
 AM_INIT_AUTOMAKE(openvpn, [$PACKAGE_VERSION])
37 36
 
38 37
 AC_ARG_WITH(cygwin-native,
... ...
@@ -48,7 +47,7 @@ case "${host}" in
48 48
 		WIN32="yes"
49 49
 		cross_compiling="yes"
50 50
 	;;
51
-	*-cygwin*)
51
+	*-*-cygwin*)
52 52
 		AC_MSG_CHECKING([cygwin mode to use])
53 53
 		if test "${CYGWIN_NATIVE}" = "yes"; then
54 54
 			AC_MSG_RESULT([Using native win32])
... ...
@@ -275,38 +274,38 @@ AC_ARG_WITH(mem-check,
275 275
 dnl fix search path, to allow compilers to find syshead.h
276 276
 CPPFLAGS="$CPPFLAGS -I${srcdir}"
277 277
 
278
-dnl check target OS
279
-openvpn_target=$target
280
-if test $target_alias; then
281
-  openvpn_target=$target_alias
278
+dnl check host OS
279
+openvpn_host=$host
280
+if test $host_alias; then
281
+  openvpn_host=$host_alias
282 282
 fi
283
-AC_DEFINE_UNQUOTED(TARGET_ALIAS, "$openvpn_target", [A string representing our target])
284
-case "$target" in
285
-*linux*)
283
+AC_DEFINE_UNQUOTED(TARGET_ALIAS, "$openvpn_host", [A string representing our host])
284
+case "$host" in
285
+*-*-linux*)
286 286
 	AC_DEFINE(TARGET_LINUX, 1, [Are we running on Linux?])
287 287
 	dnl RH9 SSL headers workaround
288 288
         if test -z $CS_HDR_DIR && test "$CRYPTO" = "yes"; then
289 289
            CPPFLAGS="$CPPFLAGS $(pkg-config --cflags openssl 2>/dev/null)"
290 290
         fi
291 291
 	;;
292
-*solaris*)
292
+*-*-solaris*)
293 293
 	AC_DEFINE(TARGET_SOLARIS, 1, [Are we running on Solaris?])
294 294
 	;;
295
-*openbsd*)
295
+*-*-openbsd*)
296 296
 	AC_DEFINE(TARGET_OPENBSD, 1, [Are we running on OpenBSD?])
297 297
 	;;
298
-*freebsd*)
298
+*-*-freebsd*)
299 299
 	AC_DEFINE(TARGET_FREEBSD, 1, [Are we running on FreeBSD?])
300 300
 	;;
301
-*netbsd*)
301
+*-*-netbsd*)
302 302
 	AC_DEFINE(TARGET_NETBSD, 1, [Are we running NetBSD?])
303 303
 	;;
304
-*darwin*)
304
+*-*-darwin*)
305 305
 	dnl some Mac OS X tendering (we use vararg macros...)
306 306
 	AC_DEFINE(TARGET_DARWIN, 1, [Are we running on Mac OS X?])
307 307
 	CPPFLAGS="$CPPFLAGS -no-cpp-precomp"
308 308
 	;;
309
-*mingw*)
309
+*-mingw*)
310 310
 	AC_DEFINE(TARGET_WIN32, 1, [Are we running WIN32?])
311 311
 	OPENVPN_ADD_LIBS(-lgdi32)
312 312
 	OPENVPN_ADD_LIBS(-lws2_32)
... ...
@@ -315,7 +314,7 @@ case "$target" in
315 315
 	OPENVPN_ADD_LIBS(-liphlpapi)
316 316
 	OPENVPN_ADD_LIBS(-lwinmm)
317 317
 	;;
318
-*dragonfly*)
318
+*-*-dragonfly*)
319 319
 	AC_DEFINE(TARGET_DRAGONFLY, 1, [Are we running on DragonFlyBSD?])
320 320
 	;;
321 321
 	
... ...
@@ -574,7 +573,7 @@ if test "$PTHREAD" = "yes"; then
574 574
   AC_MSG_RESULT([********* WARNING: pthread support is experimental for OpenVPN 2.0])
575 575
   ACX_PTHREAD(
576 576
         [
577
-	    case "$target" in
577
+	    case "$host" in
578 578
 	    *openbsd*)
579 579
 		AC_MSG_RESULT([WARNING: pthread support on OpenBSD is unstable!])
580 580
 		CFLAGS="$CFLAGS -pthread"
581 581
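Review bot: The host patterns were tightened to the `*-*-<os>*` form in the earlier hunks of this file (e.g. `*-*-openbsd*)` at line 295), but the ACX_PTHREAD case at line 578 still uses `*openbsd*)`; change it to `*-*-openbsd*)` so both case statements match the same hosts. The mingw arm at line 309 keeps the single-dash form `*-mingw*)`, which is presumably deliberate for triplets such as `i586-mingw32msvc`; a one-line `dnl` comment saying so would keep a later cleanup from tightening it. `TARGET_ALIAS` at line 283 now carries `$openvpn_host` under the old name, which is fine for compatibility but worth a `dnl` note that the value is the host triplet.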
new file mode 100644
... ...
@@ -0,0 +1,111 @@
0
+#!/bin/sh
1
+
2
+# Sample script to perform OCSP queries with OpenSSL
3
+# given a certificate serial number.
4
+
5
+# If you run your own CA, you can set up a very simple
6
+# OCSP server using the -port option to "openssl ocsp".
7
+
8
+# Full documentation and examples:
9
+# http://www.openssl.org/docs/apps/ocsp.html
10
+
11
+
12
+# Edit the following values to suit your needs
13
+
14
+# OCSP responder URL (mandatory)
15
+# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
16
+#ocsp_url="http://ocsp.example.com/"
17
+#ocsp_url="https://ocsp.secure.example.com/"
18
+
19
+# Path to issuer certificate (mandatory)
20
+# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
21
+issuer="/path/to/CAcert.crt"
22
+
23
+# use a nonce in the query, set to "-no_nonce" to not use it
24
+nonce="-nonce"
25
+
26
+# Verify the response
27
+# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
28
+verify="/path/to/CAcert.crt"
29
+
30
+# Depth in the certificate chain where the cert to verify is.
31
+# Set to -1 to run the verification at every level (NOTE that
32
+# in that case you need a more complex script as the various
33
+# parameters for the query will likely be different at each level)
34
+# "0" is the usual value here, where the client certificate is
35
+check_depth=0
36
+
37
+cur_depth=$1     # this is the *CURRENT* depth
38
+common_name=$2   # CN in case you need it
39
+
40
+# minimal sanity checks
41
+
42
+err=0
43
+if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
44
+  echo "Error: issuer certificate undefined or not found!" >&2
45
+  err=1
46
+fi
47
+
48
+if [ -z "$verify" ] || [ ! -e "$verify" ]; then
49
+  echo "Error: verification certificate undefined or not found!" >&2
50
+  err=1
51
+fi
52
+
53
+if [ -z "$ocsp_url" ]; then
54
+  echo "Error: OCSP server URL not defined!" >&2
55
+  err=1
56
+fi
57
+
58
+if [ $err -eq 1 ]; then
59
+  echo "Did you forget to customize the variables in the script?" >&2
60
+  exit 1
61
+fi
62
+
63
+# begin
64
+if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
65
+
66
+  eval serial="\$tls_serial_${cur_depth}"
67
+
68
+  # To successfully complete, the following must happen:
69
+  #
70
+  # - The serial number must not be empty
71
+  # - The exit status of "openssl ocsp" must be zero
72
+  # - The output of the above command must contain the line
73
+  #   "0x${serial}: good"
74
+  #
75
+  # Everything else fails with exit status 1.
76
+
77
+  if [ -n "$serial" ]; then
78
+
79
+    # This is only an example; you are encouraged to run this command (without
80
+    # redirections) manually against your or your CA's OCSP server to see how
81
+    # it responds, and adapt accordingly.
82
+    # Sample output that is assumed here:
83
+    #
84
+    # Response verify OK
85
+    # 0x428740A5: good
86
+    #      This Update: Apr 24 19:38:49 2010 GMT
87
+    #      Next Update: May  2 14:23:42 2010 GMT
88
+    #
89
+    # NOTE: It is needed to check the exit code of OpenSSL explicitly.  OpenSSL
90
+    #       can in some circumstances give a "good" result if it could not
91
+    #       reach the the OSCP server.  In this case, the exit code will indicate
92
+    #       if OpenSSL itself failed or not.  If OpenSSL's exit code is not 0,
93
+    #       don't trust the OpenSSL status.
94
+
95
+    status=$(openssl ocsp -issuer "$issuer" \
96
+                    "$nonce" \
97
+                    -CAfile "$verify" \
98
+                    -url "$ocsp_url" \
99
+                    -serial "0x${serial}" 2>/dev/null)
100
+
101
+    if [ $? -eq 0 ]; then
102
+      # check that it's good
103
+      if echo "$status" | grep -Fq "0x${serial}: good"; then
104
+        exit 0
105
+      fi
106
+    fi
107
+  fi
108
+  # if we get here, something was wrong
109
+  exit 1
110
+fi
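Review bot: The acceptance test at line 103 only requires `0x${serial}: good` in the output and never looks at the signature-verification result (`Response verify OK` versus `Response Verify Failure`) that `openssl ocsp` prints just above the status line; some OpenSSL releases return 0 even after a verify failure, and the script's own note at lines 89-93 already shows the status text cannot be trusted on its own, so an unverified 'good' could be accepted. Require both lines: `if echo "$status" | grep -Fq "Response verify OK" && echo "$status" | grep -Fq "0x${serial}: good"; then`. Separately, `cur_depth=$1` is used unquoted in the `-eq` test at line 64, so a missing first argument makes `[` error out rather than fail the check; `[ -n "$cur_depth" ] || exit 1` before the `# begin` block covers that. The sentence at line 34 (`where the client certificate is`) is cut off.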
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
4 4
 # Licensed under the GPL version 2
... ...
@@ -14,7 +14,6 @@
14 14
 # Place this in /etc/openvpn/client.down
15 15
 # Then, add the following to your /etc/openvpn/<clientconfig>.conf:
16 16
 #   client
17
-#   pull dhcp-options
18 17
 #   up /etc/openvpn/client.up
19 18
 #   down /etc/openvpn/client.down
20 19
 # Next, "chmod a+x /etc/openvpn/client.down"
... ...
@@ -23,8 +22,8 @@
23 23
 # Note that this script is best served with the companion "client.up"
24 24
 # script.
25 25
 
26
-# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
27
-# It should work with any GNU/Linux with /etc/resolv.conf
26
+# Tested under Debian lenny with OpenVPN 2.1_rc11
27
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
28 28
 
29 29
 # This runs with the context of the OpenVPN UID/GID 
30 30
 # at the time of execution. This generally means that
... ...
@@ -36,41 +35,12 @@
36 36
 # is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
37 37
 # been WARNED.
38 38
 
39
-# init variables
40
-
41
-i=1
42
-j=1
43
-unset fopt
44
-unset dns
45
-unset opt
46
-
47
-# Convert ENVs to an array
48
-
49
-while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do
50
-{
51
-	opt[i-1]=${!fopt}
52
-	case ${opt[i-1]} in
53
-		*DOMAIN* ) domain=`echo ${opt[i-1]} | \
54
-				sed -e 's/dhcp-option DOMAIN //g'` ;;
55
-		*DNS*    ) dns[j-1]=`echo ${opt[i-1]} | \
56
-				sed -e 's/dhcp-option DNS //g'`
57
-			       let j++ ;;
58
-	esac
59
-	let i++
60
-}
61
-done
62
-
63
-# Now, do the work
64
-
65
-if [ -n "${dns[*]}" ]; then
66
-	for i in "${dns[@]}"; do
67
-		sed -i -e "/nameserver ${i}/D" /etc/resolv.conf || die
68
-	done
69
-fi
70
-
71
-if [ -n "${domain}" ]; then
72
-	sed -i -e "/search ${domain}/D" /etc/resolv.conf || die
39
+if [ -x /sbin/resolvconf ] ; then
40
+  /sbin/resolvconf -d "${1}"
41
+elif [ -e /etc/resolv.conf.ovpnsave ] ; then
42
+  # cp + rm rather than mv in case it's a symlink
43
+  cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
44
+  rm -f /etc/resolv.conf.ovpnsave
73 45
 fi
74 46
 
75
-# all done...
76 47
 exit 0
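Review bot: The restore at lines 41-44 runs only when /etc/resolv.conf.ovpnsave exists, but client.up in this commit creates that file only when /etc/resolv.conf already existed (`if [ -e /etc/resolv.conf ]`), so on a host that had no resolv.conf the autogenerated one stays behind after the tunnel goes down. An `else` branch that removes /etc/resolv.conf when its first line carries the `# resolv.conf autogenerated by` header written by client.up would close the gap without touching a foreign file.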
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
4 4
 # Licensed under the GPL version 2
... ...
@@ -14,7 +14,6 @@
14 14
 # Place this in /etc/openvpn/client.up
15 15
 # Then, add the following to your /etc/openvpn/<clientconfig>.conf:
16 16
 #   client
17
-#   pull dhcp-options
18 17
 #   up /etc/openvpn/client.up
19 18
 # Next, "chmod a+x /etc/openvpn/client.up"
20 19
 
... ...
@@ -22,8 +21,8 @@
22 22
 # Note that this script is best served with the companion "client.down"
23 23
 # script.
24 24
 
25
-# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
26
-# It should work with any GNU/Linux with /etc/resolv.conf
25
+# Tested under Debian lenny with OpenVPN 2.1_rc11
26
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
27 27
 
28 28
 # This runs with the context of the OpenVPN UID/GID 
29 29
 # at the time of execution. This generally means that
... ...
@@ -38,38 +37,64 @@
38 38
 # init variables
39 39
 
40 40
 i=1
41
-j=1
42
-unset fopt
43
-unset dns
44
-unset opt
45
-
46
-# Convert ENVs to an array
47
-
48
-while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do
49
-{
50
-	opt[i-1]=${!fopt}
51
-	case ${opt[i-1]} in
52
-		*DOMAIN* ) domain=`echo ${opt[i-1]} | \
53
-				sed -e 's/dhcp-option DOMAIN //g'` ;;
54
-		*DNS*    ) dns[j-1]=`echo ${opt[i-1]} | \
55
-				sed -e 's/dhcp-option DNS //g'`
56
-			       let j++ ;;
41
+domains=
42
+fopt=
43
+ndoms=0
44
+nns=0
45
+nl='
46
+'
47
+
48
+# $foreign_option_<n> is something like
49
+# "dhcp-option DOMAIN example.com" (multiple allowed)
50
+# or
51
+# "dhcp-option DNS 10.10.10.10" (multiple allowed)
52
+
53
+# each DNS option becomes a "nameserver" option in resolv.con
54
+# if we get one DOMAIN, that becomes "domain" in resolv.conf
55
+# if we get multiple DOMAINS, those become "search" lines in resolv.conf
56
+
57
+while true; do
58
+  eval fopt=\$foreign_option_${i}
59
+  [ -z "${fopt}" ] && break
60
+
61
+  case ${fopt} in
62
+		dhcp-option\ DOMAIN\ *)
63
+           ndoms=$((ndoms + 1))
64
+           domains="${domains} ${fopt#dhcp-option DOMAIN }"
65
+           ;;
66
+		dhcp-option\ DNS\ *)
67
+           nns=$((nns + 1))
68
+           if [ $nns -le 3 ]; then
69
+             dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
70
+           else
71
+             printf "%s\n" "Too many nameservers - ignoring after third" >&2
72
+           fi
73
+           ;;
74
+        *)
75
+           printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
76
+           ;;
57 77
 	esac
58
-	let i++
59
-}
78
+  i=$((i + 1))
60 79
 done
61 80
 
62
-# Now, do the work
63
-
64
-if [ -n "${dns[*]}" ]; then
65
-	for i in "${dns[@]}"; do
66
-		sed -i -e "1,1 i nameserver ${i}" /etc/resolv.conf || die
67
-	done
81
+ds=domain
82
+if [ $ndoms -gt 1 ]; then
83
+  ds=search
68 84
 fi
69 85
 
70
-if [ -n "${domain}" ]; then
71
-	sed -i -e "$j,1 i search ${domain}" /etc/resolv.conf || die
86
+# This is the complete file - "$domains" has a leading space already
87
+out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
88
+
89
+# use resolvconf if it's available
90
+if [ -x /sbin/resolvconf ] ; then
91
+  printf "%s\n" "${out}" | /sbin/resolvconf -a "${1}"
92
+else
93
+  # Preserve the existing resolv.conf
94
+  if [ -e /etc/resolv.conf ] ; then
95
+    cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
96
+  fi
97
+  printf "%s\n" "${out}" > /etc/resolv.conf
98
+  chmod 644 /etc/resolv.conf
72 99
 fi
73 100
 
74
-# all done...
75 101
 exit 0
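Review bot: `dns` is never reset before the loop (lines 41-44 clear `domains`, `fopt`, `ndoms` and `nns` but not `dns`), and since the script's variables are inherited from OpenVPN's environment, any pre-existing `dns` value would be emitted verbatim at the top of the generated resolv.conf via `${dns}${dns:+$nl}` at line 69; add `dns=` beside `domains=`. The nameserver and domain strings stripped from `${fopt#...}` at lines 64 and 69 go into /etc/resolv.conf unchecked, so if a pushed value contains whitespace or a newline it becomes extra resolv.conf tokens or lines; rejecting values that are not address- or hostname-shaped before appending them is a cheap hardening step. The save at line 95 overwrites an existing /etc/resolv.conf.ovpnsave, so an up/up sequence without an intervening down (a reconnect, for instance) replaces the original file with the previously generated one; guard it with `if [ -e /etc/resolv.conf ] && [ ! -e /etc/resolv.conf.ovpnsave ]; then`. The comment at line 53 has a typo, `resolv.con` for `resolv.conf`.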
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 #
4 4
 # Build a root certificate
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Build Diffie-Hellman parameters for the server side
4 4
 # of an SSL/TLS connection.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Make an intermediate CA certificate/private key pair using a locally generated
4 4
 # root certificate.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Make a certificate/private key pair using a locally generated
4 4
 # root certificate.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Similar to build-key, but protect the private key
4 4
 # with a password.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Make a certificate/private key pair using a locally generated
4 4
 # root certificate and convert it to a PKCS #12 file including the
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Make a certificate/private key pair using a locally generated
4 4
 # root certificate.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Build a certificate signing request and private key.  Use this
4 4
 # when your root certificate and key is not available locally.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Like build-req, but protect your private key
4 4
 # with a password.
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Initialize the $KEY_DIR directory.
4 4
 # Note that this script does a
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Build a new PKI which is rooted on an intermediate certificate generated
4 4
 # by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # list revoked certificates
4 4
 
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # revoke a certificate, regenerate CRL,
4 4
 # and verify revocation
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # Sign a certificate signing request (a .csr file)
4 4
 # with a local root certificate and key.
... ...
@@ -766,7 +766,7 @@ process_incoming_link (struct context *c)
766 766
 
767 767
   /* log incoming packet */
768 768
 #ifdef LOG_RW
769
-  if (c->c2.log_rw)
769
+  if (c->c2.log_rw && c->c2.buf.len > 0)
770 770
     fprintf (stderr, "R");
771 771
 #endif
772 772
   msg (D_LINK_RW, "%s READ [%d] from %s: %s",
... ...
@@ -976,7 +976,7 @@ process_incoming_tun (struct context *c)
976 976
     c->c2.tun_read_bytes += c->c2.buf.len;
977 977
 
978 978
 #ifdef LOG_RW
979
-  if (c->c2.log_rw)
979
+  if (c->c2.log_rw && c->c2.buf.len > 0)
980 980
     fprintf (stderr, "r");
981 981
 #endif
982 982
 
... ...
@@ -615,7 +615,7 @@ init_static (void)
615 615
 #ifdef STATUS_PRINTF_TEST
616 616
   {
617 617
     struct gc_arena gc = gc_new ();
618
-    const char *tmp_file = create_temp_filename ("/tmp", "foo", &gc);
618
+    const char *tmp_file = create_temp_file ("/tmp", "foo", &gc);
619 619
     struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
620 620
     status_printf (so, "%s", "foo");
621 621
     status_printf (so, "%s", "bar");
... ...
@@ -1165,25 +1165,57 @@ test_file (const char *filename)
1165 1165
 
1166 1166
 /* create a temporary filename in directory */
1167 1167
 const char *
1168
-create_temp_filename (const char *directory, const char *prefix, struct gc_arena *gc)
1168
+create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc)
1169 1169
 {
1170 1170
   static unsigned int counter;
1171 1171
   struct buffer fname = alloc_buf_gc (256, gc);
1172
+  int fd;
1173
+  const char *retfname = NULL;
1174
+  unsigned int attempts = 0;
1172 1175
 
1173
-  mutex_lock_static (L_CREATE_TEMP);
1174
-  ++counter;
1175
-  mutex_unlock_static (L_CREATE_TEMP);
1176
-
1177
-  {
1178
-    uint8_t rndbytes[16];
1179
-    const char *rndstr;
1180
-
1181
-    prng_bytes (rndbytes, sizeof (rndbytes));
1182
-    rndstr = format_hex_ex (rndbytes, sizeof (rndbytes), 40, 0, NULL, gc);
1183
-    buf_printf (&fname, PACKAGE "_%s_%s.tmp", prefix, rndstr);
1184
-  }
1176
+  do
1177
+    {
1178
+      uint8_t rndbytes[16];
1179
+      const char *rndstr;
1180
+
1181
+      ++attempts;
1182
+      mutex_lock_static (L_CREATE_TEMP);
1183
+      ++counter;
1184
+      mutex_unlock_static (L_CREATE_TEMP);
1185
+
1186
+      prng_bytes (rndbytes, sizeof rndbytes);
1187
+      rndstr = format_hex_ex (rndbytes, sizeof rndbytes, 40, 0, NULL, gc);
1188
+      buf_printf (&fname, PACKAGE "_%s_%s.tmp", prefix, rndstr);
1189
+
1190
+      retfname = gen_path (directory, BSTR (&fname), gc);
1191
+      if (!retfname)
1192
+        {
1193
+          msg (M_FATAL, "Failed to create temporary filename and path");
1194
+          return NULL;
1195
+        }
1196
+
1197
+      /* Atomically create the file.  Errors out if the file already
1198
+         exists.  */
1199
+      fd = open (retfname, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
1200
+      if (fd != -1)
1201
+        {
1202
+          close (fd);
1203
+          return retfname;
1204
+        }
1205
+      else if (fd == -1 && errno != EEXIST)
1206
+        {
1207
+          /* Something else went wrong, no need to retry.  */
1208
+          struct gc_arena gcerr = gc_new ();
1209
+          msg (M_FATAL, "Could not create temporary file '%s': %s",
1210
+               retfname, strerror_ts (errno, &gcerr));
1211
+          gc_free (&gcerr);
1212
+          return NULL;
1213
+        }
1214
+    }
1215
+  while (attempts < 6);
1185 1216
 
1186
-  return gen_path (directory, BSTR (&fname), gc);
1217
+  msg (M_FATAL, "Failed to create temporary file after %i attempts", attempts);
1218
+  return NULL;
1187 1219
 }
1188 1220
 
1189 1221
 /*
... ...
@@ -1562,14 +1594,16 @@ void
1562 1562
 purge_user_pass (struct user_pass *up, const bool force)
1563 1563
 {
1564 1564
   const bool nocache = up->nocache;
1565
+  static bool warn_shown = false;
1565 1566
   if (nocache || force)
1566 1567
     {
1567 1568
       CLEAR (*up);
1568 1569
       up->nocache = nocache;
1569 1570
     }
1570
-  else
1571
+  else if (!warn_shown)
1571 1572
     {
1572 1573
       msg (M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
1574
+      warn_shown = true;
1573 1575
     }
1574 1576
 }
1575 1577
 
... ...
@@ -218,8 +218,8 @@ long int get_random(void);
218 218
 /* return true if filename can be opened for read */
219 219
 bool test_file (const char *filename);
220 220
 
221
-/* create a temporary filename in directory */
222
-const char *create_temp_filename (const char *directory, const char *prefix, struct gc_arena *gc);
221
+/* create a temporary file in directory, returns the filename of the created file */
222
+const char *create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc);
223 223
 
224 224
 /* put a directory and filename together */
225 225
 const char *gen_path (const char *directory, const char *filename, struct gc_arena *gc);
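Review bot: The new comment at line 221 states what is returned but not the contract the callers need: the file is created empty with `O_CREAT | O_EXCL` and mode `S_IRUSR | S_IWUSR` (per the misc.c hunk), the name carries a random component rather than a counter, and the caller is responsible for removing the file. Suggest `/* create an empty temporary file (O_EXCL, mode 0600) in directory; returns its path, which the caller must delete when done, or NULL on failure */`.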
... ...
@@ -1530,9 +1530,14 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
1530 1530
       if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
1531 1531
 	{
1532 1532
 	  struct argv argv = argv_new ();
1533
-	  const char *dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1533
+	  const char *dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
1534
+
1535
+          if( !dc_file ) {
1536
+            cc_succeeded = false;
1537
+            goto script_depr_failed;
1538
+          }
1539
+
1534 1540
 	  argv_printf (&argv, "%s", dc_file);
1535
-	  delete_file (dc_file);
1536 1541
 	  if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1537 1542
 	    {
1538 1543
 	      msg (M_WARN, "WARNING: client-connect plugin call failed");
... ...
@@ -1543,6 +1548,7 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
1543 1543
 	      multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1544 1544
 	      ++cc_succeeded_count;
1545 1545
 	    }
1546
+        script_depr_failed:
1546 1547
 	  argv_reset (&argv);
1547 1548
 	}
1548 1549
 
... ...
@@ -1578,9 +1584,11 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
1578 1578
 
1579 1579
 	  setenv_str (mi->context.c2.es, "script_type", "client-connect");
1580 1580
 
1581
-	  dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1582
-
1583
-	  delete_file (dc_file);
1581
+	  dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
1582
+          if( !dc_file ) {
1583
+            cc_succeeded = false;
1584
+            goto script_failed;
1585
+          }
1584 1586
 
1585 1587
 	  argv_printf (&argv, "%sc %s",
1586 1588
 		       mi->context.options.client_connect_script,
... ...
@@ -1593,7 +1601,7 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
1593 1593
 	    }
1594 1594
 	  else
1595 1595
 	    cc_succeeded = false;
1596
-
1596
+        script_failed:
1597 1597
 	  argv_reset (&argv);
1598 1598
 	}
1599 1599
 
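Review bot: Because `create_temp_file` now creates the file before `plugin_call` runs and the old `delete_file (dc_file)` at line 1535 is gone, the failure branch at line 1543 (`client-connect plugin call failed`) leaves an empty 0600 file behind in `tmp_dir` for every failed client-connect; the script path in the hunk at line 1584 has the same shape, with `cc_succeeded = false` at line 1595 after a failed script run. Add `delete_file (dc_file);` to both failure branches (the success path hands the file to `multi_client_connect_post`, which presumably removes it). The new `if( !dc_file ) {` blocks use K&R braces and space indentation unlike the surrounding GNU-style, tab-indented code; `if (!dc_file)` with the braces on their own lines would match. Note that `create_temp_file` reports failure with `M_FATAL`, so if that aborts the process these NULL checks are only reachable should the severity be lowered later. The enclosing function starts and ends outside these hunks.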
... ...
@@ -97,25 +97,25 @@ with a relatively lightweight footprint.
97 97
 .SH OPTIONS
98 98
 OpenVPN allows any option to be placed either on the command line
99 99
 or in a configuration file.  Though all command line options are preceded
100
-by a double-leading-dash ("--"), this prefix can be removed when
100
+by a double-leading-dash ("\-\-"), this prefix can be removed when
101 101
 an option is placed in a configuration file.
102 102
 .\"*********************************************************
103 103
 .TP
104
-.B --help
104
+.B \-\-help
105 105
 Show options.
106 106
 .\"*********************************************************
107 107
 .TP
108
-.B --config file
108
+.B \-\-config file
109 109
 Load additional config options from
110 110
 .B file
111 111
 where each line corresponds to one command line option,
112
-but with the leading '--' removed.
112
+but with the leading '\-\-' removed.
113 113
 
114 114
 If
115
-.B --config file
115
+.B \-\-config file
116 116
 is the only option to the openvpn command,
117 117
 the
118
-.B --config
118
+.B \-\-config
119 119
 can be removed, and the command can be given as
120 120
 .B openvpn file
121 121
 
... ...
@@ -187,25 +187,25 @@ secret static.key
187 187
 .\"*********************************************************
188 188
 .SS Tunnel Options:
189 189
 .TP
190
-.B --mode m
190
+.B \-\-mode m
191 191
 Set OpenVPN major mode.  By default, OpenVPN runs in
192 192
 point-to-point mode ("p2p").  OpenVPN 2.0 introduces
193 193
 a new mode ("server") which implements a multi-client
194 194
 server capability.
195 195
 .\"*********************************************************
196 196
 .TP
197
-.B --local host
197
+.B \-\-local host
198 198
 Local host name or IP address for bind.
199 199
 If specified, OpenVPN will bind to this address only.
200 200
 If unspecified, OpenVPN will bind to all interfaces.
201 201
 .\"*********************************************************
202 202
 .TP
203
-.B --remote host [port] [proto]
203
+.B \-\-remote host [port] [proto]
204 204
 Remote host name or IP address.  On the client, multiple
205
-.B --remote
205
+.B \-\-remote
206 206
 options may be specified for redundancy, each referring
207 207
 to a different OpenVPN server.  Specifying multiple
208
-.B --remote
208
+.B \-\-remote
209 209
 options for this purpose is a special case of the more
210 210
 general connection-profile feature.  See the
211 211
 .B <connection>
... ...
@@ -214,7 +214,7 @@ documentation below.
214 214
 The OpenVPN client will try to connect to a server at
215 215
 .B host:port
216 216
 in the order specified by the list of
217
-.B --remote
217
+.B \-\-remote
218 218
 options.
219 219
 
220 220
 .B proto
... ...
@@ -229,18 +229,18 @@ one server.
229 229
 
230 230
 Note that since UDP is connectionless, connection failure
231 231
 is defined by the
232
-.B --ping
232
+.B \-\-ping
233 233
 and
234
-.B --ping-restart
234
+.B \-\-ping-restart
235 235
 options.
236 236
 
237 237
 Note the following corner case:  If you use multiple
238
-.B --remote
238
+.B \-\-remote
239 239
 options, AND you are dropping root privileges on
240 240
 the client with
241
-.B --user
241
+.B \-\-user
242 242
 and/or
243
-.B --group,
243
+.B \-\-group,
244 244
 AND the client is running a non-Windows OS, if the client needs
245 245
 to switch to a different server, and that server pushes
246 246
 back different TUN/TAP or route settings, the client may lack
... ...
@@ -248,7 +248,7 @@ the necessary privileges to close and reopen the TUN/TAP interface.
248 248
 This could cause the client to exit with a fatal error.
249 249
 
250 250
 If
251
-.B --remote
251
+.B \-\-remote
252 252
 is unspecified, OpenVPN will listen
253 253
 for packets from any IP address, but will not act on those packets unless
254 254
 they pass all authentication tests.  This requirement for authentication
... ...
@@ -257,7 +257,7 @@ trusted IP addresses (it is very easy to forge a source IP address on
257 257
 a UDP packet).
258 258
 
259 259
 When used in TCP mode, 
260
-.B --remote
260
+.B \-\-remote
261 261
 will act as a filter, rejecting connections from any host which does
262 262
 not match
263 263
 .B host.
... ...
@@ -283,7 +283,7 @@ and
283 283
 An OpenVPN client will try each connection profile sequentially
284 284
 until it achieves a successful connection.  
285 285
 
286
-.B --remote-random
286
+.B \-\-remote-random
287 287
 can be used to initially "scramble" the connection
288 288
 list.
289 289
 
... ...
@@ -381,15 +381,15 @@ blocks below it.
381 381
 
382 382
 .\"*********************************************************
383 383
 .TP
384
-.B --remote-random
384
+.B \-\-remote-random
385 385
 When multiple
386
-.B --remote
386
+.B \-\-remote
387 387
 address/ports are specified, or if connection profiles are being
388 388
 used, initially randomize the order of the list
389 389
 as a kind of basic load-balancing measure.
390 390
 .\"*********************************************************
391 391
 .TP
392
-.B --proto p
392
+.B \-\-proto p
393 393
 Use protocol
394 394
 .B p
395 395
 for communicating with remote host.
... ...
@@ -403,17 +403,17 @@ or
403 403
 The default protocol is
404 404
 .B udp
405 405
 when
406
-.B --proto
406
+.B \-\-proto
407 407
 is not specified.
408 408
 
409 409
 For UDP operation,
410
-.B --proto udp
410
+.B \-\-proto udp
411 411
 should be specified on both peers.
412 412
 
413 413
 For TCP operation, one peer must use
414
-.B --proto tcp-server
414
+.B \-\-proto tcp-server
415 415
 and the other must use
416
-.B --proto tcp-client.
416
+.B \-\-proto tcp-client.
417 417
 A peer started with
418 418
 .B tcp-server
419 419
 will wait indefinitely for an incoming connection.  A peer
... ...
@@ -421,9 +421,9 @@ started with
421 421
 .B tcp-client
422 422
 will attempt to connect, and if that fails, will sleep for 5
423 423
 seconds (adjustable via the
424
-.B --connect-retry
424
+.B \-\-connect-retry
425 425
 option) and try again infinite or up to N retries (adjustable via the
426
-.B --connect-retry-max
426
+.B \-\-connect-retry-max
427 427
 option).  Both TCP client and server will simulate
428 428
 a SIGUSR1 restart signal if either side resets the connection.
429 429
 
... ...
@@ -443,9 +443,9 @@ application-level UDP protocols, or tunneling protocols which don't
443 443
 possess a built-in reliability layer.
444 444
 .\"*********************************************************
445 445
 .TP
446
-.B --connect-retry n
446
+.B \-\-connect-retry n
447 447
 For
448
-.B --proto tcp-client,
448
+.B \-\-proto tcp-client,
449 449
 take
450 450
 .B n
451 451
 as the
... ...
@@ -453,16 +453,16 @@ number of seconds to wait
453 453
 between connection retries (default=5).
454 454
 .\"*********************************************************
455 455
 .TP
456
-.B --connect-retry-max n
456
+.B \-\-connect-retry-max n
457 457
 For
458
-.B --proto tcp-client,
458
+.B \-\-proto tcp-client,
459 459
 take
460 460
 .B n
461 461
 as the
462 462
 number of retries of connection attempt (default=infinite).
463 463
 .\"*********************************************************
464 464
 .TP
465
-.B --auto-proxy
465
+.B \-\-auto-proxy
466 466
 Try to sense HTTP or SOCKS proxy settings automatically.
467 467
 If no settings are present, a direct connection will be attempted.
468 468
 If both HTTP and SOCKS settings are present, HTTP will be preferred.
... ...
@@ -474,7 +474,7 @@ InternetQueryOption API.
474 474
 This option exists in OpenVPN 2.1 or higher.
475 475
 .\"*********************************************************
476 476
 .TP
477
-.B --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
477
+.B \-\-http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
478 478
 Connect to remote host through an HTTP proxy at address
479 479
 .B server
480 480
 and port
... ...
@@ -509,32 +509,32 @@ determine the authentication method, but to reject weak
509 509
 authentication protocols such as HTTP Basic Authentication.
510 510
 .\"*********************************************************
511 511
 .TP
512
-.B --http-proxy-retry
512
+.B \-\-http-proxy-retry
513 513
 Retry indefinitely on HTTP proxy errors.  If an HTTP proxy error
514 514
 occurs, simulate a SIGUSR1 reset.
515 515
 .\"*********************************************************
516 516
 .TP
517
-.B --http-proxy-timeout n
517
+.B \-\-http-proxy-timeout n
518 518
 Set proxy timeout to
519 519
 .B n
520 520
 seconds, default=5.
521 521
 .\"*********************************************************
522 522
 .TP
523
-.B --http-proxy-option type [parm]
523
+.B \-\-http-proxy-option type [parm]
524 524
 Set extended HTTP proxy options.
525 525
 Repeat to set multiple options.
526 526
 
527
-.B VERSION version --
527
+.B VERSION version \-\-
528 528
 Set HTTP version number to
529 529
 .B version
530 530
 (default=1.0).
531 531
 
532
-.B AGENT user-agent --
532
+.B AGENT user-agent \-\-
533 533
 Set HTTP "User-Agent" string to
534 534
 .B user-agent.
535 535
 .\"*********************************************************
536 536
 .TP
537
-.B --socks-proxy server [port]
537
+.B \-\-socks-proxy server [port]
538 538
 Connect to remote host through a Socks5 proxy at address
539 539
 .B server
540 540
 and port
... ...
@@ -542,14 +542,14 @@ and port
542 542
 (default=1080).
543 543
 .\"*********************************************************
544 544
 .TP
545
-.B --socks-proxy-retry
545
+.B \-\-socks-proxy-retry
546 546
 Retry indefinitely on Socks proxy errors.  If a Socks proxy error
547 547
 occurs, simulate a SIGUSR1 reset.
548 548
 .\"*********************************************************
549 549
 .TP
550
-.B --resolv-retry n
550
+.B \-\-resolv-retry n
551 551
 If hostname resolve fails for
552
-.B --remote,
552
+.B \-\-remote,
553 553
 retry resolve for
554 554
 .B n
555 555
 seconds before failing.
... ...
@@ -559,18 +559,18 @@ Set
559 559
 to "infinite" to retry indefinitely.
560 560
 
561 561
 By default,
562
-.B --resolv-retry infinite
562
+.B \-\-resolv-retry infinite
563 563
 is enabled.  You can disable by setting n=0.
564 564
 .\"*********************************************************
565 565
 .TP
566
-.B --float
566
+.B \-\-float
567 567
 Allow remote peer to change its IP address and/or port number, such as due to
568 568
 DHCP (this is the default if
569
-.B --remote
569
+.B \-\-remote
570 570
 is not used).
571
-.B --float
571
+.B \-\-float
572 572
 when specified with
573
-.B --remote
573
+.B \-\-remote
574 574
 allows an OpenVPN session to initially connect to a peer
575 575
 at a known address, however if packets arrive from a new
576 576
 address and pass all authentication tests, the new address
... ...
@@ -579,14 +579,14 @@ you are connecting to a peer which holds a dynamic address
579 579
 such as a dial-in user or DHCP client.
580 580
 
581 581
 Essentially,
582
-.B --float
582
+.B \-\-float
583 583
 tells OpenVPN to accept authenticated packets
584 584
 from any address, not only the address which was specified in the
585
-.B --remote
585
+.B \-\-remote
586 586
 option.
587 587
 .\"*********************************************************
588 588
 .TP
589
-.B --ipchange cmd
589
+.B \-\-ipchange cmd
590 590
 Execute shell command
591 591
 .B cmd
592 592
 when our remote ip-address is initially authenticated or
... ...
@@ -597,11 +597,11 @@ Execute as:
597 597
 .B cmd ip_address port_number
598 598
 
599 599
 Don't use
600
-.B --ipchange
600
+.B \-\-ipchange
601 601
 in
602
-.B --mode server
602
+.B \-\-mode server
603 603
 mode.  Use a
604
-.B --client-connect
604
+.B \-\-client-connect
605 605
 script instead.
606 606
 
607 607
 See the "Environmental Variables" section below for
... ...
@@ -636,41 +636,41 @@ reestablish a connection with its most recently authenticated
636 636
 peer on its new IP address.
637 637
 .\"*********************************************************
638 638
 .TP
639
-.B --port port
639
+.B \-\-port port
640 640
 TCP/UDP port number for both local and remote.  The current
641 641
 default of 1194 represents the official IANA port number
642 642
 assignment for OpenVPN and has been used since version 2.0-beta17.
643 643
 Previous versions used port 5000 as the default.
644 644
 .\"*********************************************************
645 645
 .TP
646
-.B --lport port
646
+.B \-\-lport port
647 647
 TCP/UDP port number for bind.
648 648
 .\"*********************************************************
649 649
 .TP
650
-.B --rport port
650
+.B \-\-rport port
651 651
 TCP/UDP port number for remote.
652 652
 .\"*********************************************************
653 653
 .TP
654
-.B --bind
654
+.B \-\-bind
655 655
 Bind to local address and port. This is the default unless any of 
656
-.B --proto tcp-client
656
+.B \-\-proto tcp-client
657 657
 ,
658
-.B --http-proxy
658
+.B \-\-http-proxy
659 659
 or
660
-.B --socks-proxy
660
+.B \-\-socks-proxy
661 661
 are used.
662 662
 .\"*********************************************************
663 663
 .TP
664
-.B --nobind
664
+.B \-\-nobind
665 665
 Do not bind to local address and port.  The IP stack will allocate
666 666
 a dynamic port for returning packets.  Since the value of the dynamic port
667 667
 could not be known in advance by a peer, this option is only suitable for
668 668
 peers which will be initiating connections by using the
669
-.B --remote
669
+.B \-\-remote
670 670
 option.
671 671
 .\"*********************************************************
672 672
 .TP
673
-.B --dev tunX | tapX | null
673
+.B \-\-dev tunX | tapX | null
674 674
 TUN/TAP virtual network device (
675 675
 .B X
676 676
 can be omitted for a dynamic device.)
... ...
@@ -688,7 +688,7 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while
688 688
 devices encapsulate Ethernet 802.3 (OSI Layer 2).
689 689
 .\"*********************************************************
690 690
 .TP
691
-.B --dev-type device-type
691
+.B \-\-dev-type device-type
692 692
 Which device type are we using?
693 693
 .B device-type
694 694
 should be
... ...
@@ -698,60 +698,60 @@ or
698 698
 .B tap
699 699
 (OSI Layer 2).
700 700
 Use this option only if the TUN/TAP device used with
701
-.B --dev
701
+.B \-\-dev
702 702
 does not begin with
703 703
 .B tun
704 704
 or
705 705
 .B tap.
706 706
 .\"*********************************************************
707 707
 .TP
708
-.B --topology mode
708
+.B \-\-topology mode
709 709
 Configure virtual addressing topology when running in
710
-.B --dev tun
710
+.B \-\-dev tun
711 711
 mode.  This directive has no meaning in
712
-.B --dev tap
712
+.B \-\-dev tap
713 713
 mode, which always uses a
714 714
 .B subnet
715 715
 topology.
716 716
 
717 717
 If you set this directive on the server, the
718
-.B --server
718
+.B \-\-server
719 719
 and
720
-.B --server-bridge
720
+.B \-\-server-bridge
721 721
 directives will automatically push your chosen topology setting to clients
722 722
 as well.  This directive can also be manually pushed to clients.  Like the
723
-.B --dev
723
+.B \-\-dev
724 724
 directive, this directive must always be compatible between client and server.
725 725
 
726 726
 .B mode
727 727
 can be one of:
728 728
 
729
-.B net30 --
729
+.B net30 \-\-
730 730
 Use a point-to-point topology, by allocating one /30 subnet per client.
731 731
 This is designed to allow point-to-point semantics when some
732 732
 or all of the connecting clients might be Windows systems.  This is the
733 733
 default on OpenVPN 2.0.
734 734
 
735
-.B p2p --
735
+.B p2p \-\-
736 736
 Use a point-to-point topology where the remote endpoint of the client's
737 737
 tun interface always points to the local endpoint of the server's tun interface.
738 738
 This mode allocates a single IP address per connecting client.
739 739
 Only use
740 740
 when none of the connecting clients are Windows systems.  This mode
741 741
 is functionally equivalent to the
742
-.B --ifconfig-pool-linear
742
+.B \-\-ifconfig-pool-linear
743 743
 directive which is available in OpenVPN 2.0 and is now deprecated.
744 744
 
745
-.B subnet --
745
+.B subnet \-\-
746 746
 Use a subnet rather than a point-to-point topology by
747 747
 configuring the tun interface with a local IP address and subnet mask,
748 748
 similar to the topology used in
749
-.B --dev tap
749
+.B \-\-dev tap
750 750
 and ethernet bridging mode.
751 751
 This mode allocates a single IP address per connecting client and works on
752 752
 Windows as well.  Only available when server and clients are OpenVPN 2.1 or
753 753
 higher, or OpenVPN 2.0.x which has been manually patched with the
754
-.B --topology
754
+.B \-\-topology
755 755
 directive code.  When used on Windows, requires version 8.2 or higher
756 756
 of the TAP-Win32 driver.  When used on *nix, requires that the tun
757 757
 driver supports an
... ...
@@ -761,26 +761,26 @@ command which sets a subnet instead of a remote endpoint IP address.
761 761
 This option exists in OpenVPN 2.1 or higher.
762 762
 .\"*********************************************************
763 763
 .TP
764
-.B --tun-ipv6
764
+.B \-\-tun-ipv6
765 765
 Build a tun link capable of forwarding IPv6 traffic.
766 766
 Should be used in conjunction with
767
-.B --dev tun
767
+.B \-\-dev tun
768 768
 or
769
-.B --dev tunX.
769
+.B \-\-dev tunX.
770 770
 A warning will be displayed
771 771
 if no specific IPv6 TUN support for your OS has been compiled into OpenVPN.
772 772
 .\"*********************************************************
773 773
 .TP
774
-.B --dev-node node
774
+.B \-\-dev-node node
775 775
 Explicitly set the device node rather than using
776 776
 /dev/net/tun, /dev/tun, /dev/tap, etc.  If OpenVPN
777 777
 cannot figure out whether
778 778
 .B node
779 779
 is a TUN or TAP device based on the name, you should
780 780
 also specify
781
-.B --dev-type tun
781
+.B \-\-dev-type tun
782 782
 or
783
-.B --dev-type tap.
783
+.B \-\-dev-type tap.
784 784
 
785 785
 On Windows systems, select the TAP-Win32 adapter which
786 786
 is named
... ...
@@ -788,24 +788,24 @@ is named
788 788
 in the Network Connections Control Panel or the
789 789
 raw GUID of the adapter enclosed by braces.
790 790
 The
791
-.B --show-adapters
791
+.B \-\-show-adapters
792 792
 option under Windows can also be used
793 793
 to enumerate all available TAP-Win32
794 794
 adapters and will show both the network
795 795
 connections control panel name and the GUID for
796 796
 each TAP-Win32 adapter.
797 797
 .TP
798
-.B --lladdr address
798
+.B \-\-lladdr address
799 799
 Specify the link layer address, more commonly known as the MAC address.
800 800
 Only applied to TAP devices.
801 801
 .\"*********************************************************
802 802
 .TP
803
-.B --iproute cmd
803
+.B \-\-iproute cmd
804 804
 Set alternate command to execute instead of default iproute2 command.
805 805
 May be used in order to execute OpenVPN in unprivileged environment.
806 806
 .\"*********************************************************
807 807
 .TP
808
-.B --ifconfig l rn
808
+.B \-\-ifconfig l rn
809 809
 Set TUN/TAP adapter parameters. 
810 810
 .B l
811 811
 is the IP address of the local VPN endpoint.
... ...
@@ -820,7 +820,7 @@ which is being created or connected to.
820 820
 For TUN devices, which facilitate virtual
821 821
 point-to-point IP connections,
822 822
 the proper usage of
823
-.B --ifconfig
823
+.B \-\-ifconfig
824 824
 is to use two private IP addresses
825 825
 which are not a member of any
826 826
 existing subnet which is in use.
... ...
@@ -834,7 +834,7 @@ you will be pinging across the VPN.
834 834
 For TAP devices, which provide
835 835
 the ability to create virtual
836 836
 ethernet segments,
837
-.B --ifconfig
837
+.B \-\-ifconfig
838 838
 is used to set an IP address and
839 839
 subnet mask just as a physical
840 840
 ethernet adapter would be
... ...
@@ -855,42 +855,42 @@ standard interface to the different
855 855
 ifconfig implementations on different
856 856
 platforms.
857 857
 
858
-.B --ifconfig
858
+.B \-\-ifconfig
859 859
 parameters which are IP addresses can
860 860
 also be specified as a DNS or /etc/hosts
861 861
 file resolvable name.
862 862
 
863 863
 For TAP devices,
864
-.B --ifconfig
864
+.B \-\-ifconfig
865 865
 should not be used if the TAP interface will be
866 866
 getting an IP address lease from a DHCP
867 867
 server.
868 868
 .\"*********************************************************
869 869
 .TP
870
-.B --ifconfig-noexec
870
+.B \-\-ifconfig-noexec
871 871
 Don't actually execute ifconfig/netsh commands, instead
872 872
 pass
873
-.B --ifconfig
873
+.B \-\-ifconfig
874 874
 parameters to scripts using environmental variables.
875 875
 .\"*********************************************************
876 876
 .TP
877
-.B --ifconfig-nowarn
877
+.B \-\-ifconfig-nowarn
878 878
 Don't output an options consistency check warning
879 879
 if the
880
-.B --ifconfig
880
+.B \-\-ifconfig
881 881
 option on this side of the
882 882
 connection doesn't match the remote side.  This is useful
883 883
 when you want to retain the overall benefits of the
884 884
 options consistency check (also see
885
-.B --disable-occ
885
+.B \-\-disable-occ
886 886
 option) while only disabling the ifconfig component of
887 887
 the check.
888 888
 
889 889
 For example,
890 890
 if you have a configuration where the local host uses
891
-.B --ifconfig
891
+.B \-\-ifconfig
892 892
 but the remote host does not, use
893
-.B --ifconfig-nowarn
893
+.B \-\-ifconfig-nowarn
894 894
 on the local host.
895 895
 
896 896
 This option will also silence warnings about potential
... ...
@@ -898,7 +898,7 @@ address conflicts which occasionally annoy more experienced
898 898
 users by triggering "false positive" warnings.
899 899
 .\"*********************************************************
900 900
 .TP
901
-.B --route network/IP [netmask] [gateway] [metric]
901
+.B \-\-route network/IP [netmask] [gateway] [metric]
902 902
 Add route to routing table after connection is established.
903 903
 Multiple routes can be specified.  Routes will be
904 904
 automatically torn down in reverse order prior to
... ...
@@ -912,20 +912,20 @@ while at the same time providing portable semantics
912 912
 across OpenVPN's platform space.
913 913
 
914 914
 .B netmask
915
-default -- 255.255.255.255
915
+default \-\- 255.255.255.255
916 916
 
917 917
 .B gateway
918
-default -- taken from
919
-.B --route-gateway
918
+default \-\- taken from
919
+.B \-\-route-gateway
920 920
 or the second parameter to
921
-.B --ifconfig
921
+.B \-\-ifconfig
922 922
 when
923
-.B --dev tun
923
+.B \-\-dev tun
924 924
 is specified.
925 925
 
926 926
 .B metric
927
-default -- taken from
928
-.B --route-metric
927
+default \-\- taken from
928
+.B \-\-route-metric
929 929
 otherwise 0.
930 930
 
931 931
 The default can be specified by leaving an option blank or setting
... ...
@@ -940,37 +940,37 @@ also be specified as a DNS or /etc/hosts
940 940
 file resolvable name, or as one of three special keywords:
941 941
 
942 942
 .B vpn_gateway
943
+\-\- The remote VPN endpoint address
943 944
 (derived either from
944
-.B --route-gateway
945
+.B \-\-route-gateway
945 946
 or the second parameter to
946
-.B --ifconfig
947
+.B \-\-ifconfig
947 948
 when
948
-.B --dev tun
949
+.B \-\-dev tun
949 950
 is specified).
950 951
 
951 952
 .B net_gateway
953
+\-\- The pre-existing IP default gateway, read from the routing
952 954
 table (not supported on all OSes).
953 955
 
954 956
 .B remote_host
955
-.B --remote
957
+\-\- The
958
+.B \-\-remote
956 959
 address if OpenVPN is being run in client mode, and is undefined in server mode.
957 960
 .\"*********************************************************
958 961
 .TP
959
-.B --max-routes n
962
+.B \-\-max-routes n
960 963
 Allow a maximum number of n
961
-.B --route
964
+.B \-\-route
962 965
 options to be specified, either in the local configuration file,
963 966
 or pulled from an OpenVPN server.  By default, n=100.
964 967
 .\"*********************************************************
965 968
 .TP
966
-.B --route-gateway gw|'dhcp'
969
+.B \-\-route-gateway gw|'dhcp'
967 970
 Specify a default gateway
968 971
 .B gw
969 972
 for use with
970
-.B --route.
973
+.B \-\-route.
971 974
 
972 975
 If
973 976
 .B dhcp
... ...
@@ -979,14 +979,14 @@ the gateway address will be extracted from a DHCP
979 979
 negotiation with the OpenVPN server-side LAN.
980 980
 .\"*********************************************************
981 981
 .TP
982
-.B --route-metric m
982
+.B \-\-route-metric m
983 983
 Specify a default metric
984 984
 .B m
985 985
 for use with
986
-.B --route.
986
+.B \-\-route.
987 987
 .\"*********************************************************
988 988
 .TP
989
-.B --route-delay [n] [w]
989
+.B \-\-route-delay [n] [w]
990 990
 Delay
991 991
 .B n
992 992
 seconds (default=0) after connection
... ...
@@ -994,16 +994,16 @@ establishment, before adding routes. If
994 994
 .B n
995 995
 is 0, routes will be added immediately upon connection
996 996
 establishment.  If
997
-.B --route-delay
997
+.B \-\-route-delay
998 998
 is omitted, routes will be added immediately after TUN/TAP device
999 999
 open and
1000
-.B --up
1000
+.B \-\-up
1001 1001
 script execution, before any
1002
-.B --user
1002
+.B \-\-user
1003 1003
 or 
1004
-.B --group
1004
+.B \-\-group
1005 1005
 privilege downgrade (or
1006
-.B --chroot
1006
+.B \-\-chroot
1007 1007
 execution.)
1008 1008
 
1009 1009
 This option is designed to be useful in scenarios where DHCP is
... ...
@@ -1012,18 +1012,18 @@ tap adapter addresses.  The delay will give the DHCP handshake
1012 1012
 time to complete before routes are added.
1013 1013
 
1014 1014
 On Windows,
1015
-.B --route-delay
1015
+.B \-\-route-delay
1016 1016
 tries to be more intelligent by waiting
1017 1017
 .B w
1018 1018
 seconds (w=30 by default)
1019 1019
 for the TAP-Win32 adapter to come up before adding routes.
1020 1020
 .\"*********************************************************
1021 1021
 .TP
1022
-.B --route-up cmd
1022
+.B \-\-route-up cmd
1023 1023
 Execute shell command
1024 1024
 .B cmd
1025 1025
 after routes are added, subject to
1026
-.B --route-delay.
1026
+.B \-\-route-delay.
1027 1027
 
1028 1028
 See the "Environmental Variables" section below for
1029 1029
 additional parameters passed as environmental variables.
... ...
@@ -1033,17 +1033,17 @@ Note that
1033 1033
 can be a shell command with multiple arguments.
1034 1034
 .\"*********************************************************
1035 1035
 .TP
1036
-.B --route-noexec
1036
+.B \-\-route-noexec
1037 1037
 Don't add or remove routes automatically.  Instead pass routes to
1038
-.B --route-up
1038
+.B \-\-route-up
1039 1039
 script using environmental variables.
1040 1040
 .\"*********************************************************
1041 1041
 .TP
1042
-.B --route-nopull
1042
+.B \-\-route-nopull
1043 1043
 When used with
1044
-.B --client
1044
+.B \-\-client
1045 1045
 or
1046
-.B --pull,
1046
+.B \-\-pull,
1047 1047
 accept options pushed by server EXCEPT for routes.
1048 1048
 
1049 1049
 When used on the client, this option effectively bars the
... ...
@@ -1052,16 +1052,16 @@ however note that this option still allows the server
1052 1052
 to set the TCP/IP properties of the client's TUN/TAP interface.
1053 1053
 .\"*********************************************************
1054 1054
 .TP
1055
-.B --allow-pull-fqdn
1055
+.B \-\-allow-pull-fqdn
1056 1056
 Allow client to pull DNS names from server (rather than being limited
1057 1057
 to IP address) for
1058
-.B --ifconfig,
1059
-.B --route,
1058
+.B \-\-ifconfig,
1059
+.B \-\-route,
1060 1060
 and
1061
-.B --route-gateway.
1061
+.B \-\-route-gateway.
1062 1062
 .\"*********************************************************
1063 1063
 .TP
1064
-.B --redirect-gateway flags...
1064
+.B \-\-redirect-gateway flags...
1065 1065
 (Experimental) Automatically execute routing commands to cause all outgoing IP traffic
1066 1066
 to be redirected over the VPN.
1067 1067
 
... ...
@@ -1069,7 +1069,7 @@ This option performs three steps:
1069 1069
 
1070 1070
 .B (1)
1071 1071
 Create a static route for the
1072
-.B --remote
1072
+.B \-\-remote
1073 1073
 address which forwards to the pre-existing default gateway.
1074 1074
 This is done so that
1075 1075
 .B (3)
... ...
@@ -1080,11 +1080,11 @@ Delete the default gateway route.
1080 1080
 
1081 1081
 .B (3)
1082 1082
 Set the new default gateway to be the VPN endpoint address (derived either from
1083
-.B --route-gateway
1083
+.B \-\-route-gateway
1084 1084
 or the second parameter to
1085
-.B --ifconfig
1085
+.B \-\-ifconfig
1086 1086
 when
1087
-.B --dev tun
1087
+.B \-\-dev tun
1088 1088
 is specified).
1089 1089
 
1090 1090
 When the tunnel is torn down, all of the above steps are reversed so
... ...
@@ -1092,7 +1092,7 @@ that the original default route is restored.
1092 1092
 
1093 1093
 Option flags:
1094 1094
 
1095
-.B local --
1095
+.B local \-\-
1096 1096
 Add the
1097 1097
 .B local
1098 1098
 flag if both OpenVPN servers are directly connected via a common subnet,
... ...
@@ -1102,19 +1102,19 @@ flag will cause step
1102 1102
 .B 1
1103 1103
 above to be omitted.
1104 1104
 
1105
-.B def1 --
1105
+.B def1 \-\-
1106 1106
 Use this flag to override
1107 1107
 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1108 1108
 rather than 0.0.0.0/0.  This has the benefit of overriding
1109 1109
 but not wiping out the original default gateway. 
1110 1110
 
1111
-.B bypass-dhcp --
1111
+.B bypass-dhcp \-\-
1112 1112
 Add a direct route to the DHCP server (if it is non-local) which
1113 1113
 bypasses the tunnel
1114 1114
 (Available on Windows clients, may not be available
1115 1115
 on non-Windows clients).
1116 1116
 
1117
-.B bypass-dns --
1117
+.B bypass-dns \-\-
1118 1118
 Add a direct route to the DNS server(s) (if they are non-local) which
1119 1119
 bypasses the tunnel
1120 1120
 (Available on Windows clients, may not be available
... ...
@@ -1123,13 +1123,13 @@ on non-Windows clients).
1123 1123
 Using the def1 flag is highly recommended.
1124 1124
 .\"*********************************************************
1125 1125
 .TP
1126
-.B --link-mtu n
1126
+.B \-\-link-mtu n
1127 1127
 Sets an upper bound on the size of UDP packets which are sent
1128 1128
 between OpenVPN peers.  It's best not to set this parameter unless
1129 1129
 you know what you're doing.
1130 1130
 .\"*********************************************************
1131 1131
 .TP
1132
-.B --tun-mtu n
1132
+.B \-\-tun-mtu n
1133 1133
 Take the TUN device MTU to be
1134 1134
 .B n
1135 1135
 and derive the link MTU
... ...
@@ -1145,17 +1145,17 @@ MTU problems often manifest themselves as connections which
1145 1145
 hang during periods of active usage.
1146 1146
 
1147 1147
 It's best to use the
1148
-.B --fragment
1148
+.B \-\-fragment
1149 1149
 and/or
1150
-.B --mssfix
1150
+.B \-\-mssfix
1151 1151
 options to deal with MTU sizing issues.
1152 1152
 .\"*********************************************************
1153 1153
 .TP
1154
-.B --tun-mtu-extra n
1154
+.B \-\-tun-mtu-extra n
1155 1155
 Assume that the TUN/TAP device might return as many as
1156 1156
 .B n
1157 1157
 bytes more than the
1158
-.B --tun-mtu
1158
+.B \-\-tun-mtu
1159 1159
 size on read.  This parameter defaults to 0, which is sufficient for
1160 1160
 most TUN devices.  TAP devices may introduce additional overhead in excess
1161 1161
 of the MTU size, and a setting of 32 is the default when TAP devices are used.
... ...
@@ -1163,34 +1163,34 @@ This parameter only controls internal OpenVPN buffer sizing,
1163 1163
 so there is no transmission overhead associated with using a larger value.
1164 1164
 .\"*********************************************************
1165 1165
 .TP
1166
-.B --mtu-disc type
1166
+.B \-\-mtu-disc type
1167 1167
 Should we do Path MTU discovery on TCP/UDP channel?  Only supported on OSes such
1168 1168
 as Linux that supports the necessary system call to set.
1169 1169
 
1170 1170
 .B 'no'
1171
+\-\- Never send DF (Don't Fragment) frames
1171 1172
 .br
1172 1173
 .B 'maybe'
1174
+\-\- Use per-route hints
1173 1175
 .br
1174 1176
 .B 'yes'
1177
+\-\- Always DF (Don't Fragment)
1175 1178
 .br
1176 1179
 .\"*********************************************************
1177 1180
 .TP
1178
-.B --mtu-test
1181
+.B \-\-mtu-test
1179 1182
 To empirically measure MTU on connection startup,
1180 1183
 add the
1181
-.B --mtu-test
1184
+.B \-\-mtu-test
1182 1185
 option to your configuration.
1183 1186
 OpenVPN will send ping packets of various sizes
1184 1187
 to the remote peer and measure the largest packets
1185 1188
 which were successfully received.  The
1186
-.B --mtu-test
1189
+.B \-\-mtu-test
1187 1190
 process normally takes about 3 minutes to complete.
1188 1191
 .\"*********************************************************
1189 1192
 .TP
1190
-.B --fragment max
1193
+.B \-\-fragment max
1191 1194
 Enable internal datagram fragmentation so
1192 1195
 that no UDP datagrams are sent which
1193 1196
 are larger than
... ...
@@ -1200,24 +1200,24 @@ bytes.
1200 1200
 The
1201 1201
 .B max
1202 1202
 parameter is interpreted in the same way as the
1203
-.B --link-mtu
1203
+.B \-\-link-mtu
1204 1204
 parameter, i.e. the UDP packet size after encapsulation
1205 1205
 overhead has been added in, but not including
1206 1206
 the UDP header itself.
1207 1207
 
1208 1208
 The
1209
-.B --fragment
1209
+.B \-\-fragment
1210 1210
 option only makes sense when you are using the UDP protocol (
1211
-.B --proto udp
1211
+.B \-\-proto udp
1212 1212
 ).
1213 1213
 
1214
-.B --fragment
1214
+.B \-\-fragment
1215 1215
 adds 4 bytes of overhead per datagram.
1216 1216
 
1217 1217
 See the
1218
-.B --mssfix
1218
+.B \-\-mssfix
1219 1219
 option below for an important related option to
1220
-.B --fragment.
1220
+.B \-\-fragment.
1221 1221
 
1222 1222
 It should also be noted that this option is not meant to replace
1223 1223
 UDP fragmentation at the IP stack level.  It is only meant as a
... ...
@@ -1230,44 +1230,45 @@ internal fragmentation capability may be your only option, such
1230 1230
 as tunneling a UDP multicast stream which requires fragmentation.
1231 1231
 .\"*********************************************************
1232 1232
 .TP
1233
-.B --mssfix max
1233
+.B \-\-mssfix max
1234 1234
 Announce to TCP sessions running over the tunnel that they should limit
1235 1235
 their send packet sizes such that after OpenVPN has encapsulated them,
1236 1236
 the resulting UDP packet size that OpenVPN sends to its peer will not
1237 1237
 exceed
1238 1238
 .B max
1239
-bytes.
1239
+bytes. The default value is
1240
+.B 1450.
1240 1241
 
1241 1242
 The
1242 1243
 .B max
1243 1244
 parameter is interpreted in the same way as the
1244
-.B --link-mtu
1245
+.B \-\-link-mtu
1245 1246
 parameter, i.e. the UDP packet size after encapsulation
1246 1247
 overhead has been added in, but not including
1247 1248
 the UDP header itself.
1248 1249
 
1249 1250
 The
1250
-.B --mssfix
1251
+.B \-\-mssfix
1251 1252
 option only makes sense when you are using the UDP protocol
1252 1253
 for OpenVPN peer-to-peer communication, i.e.
1253
-.B --proto udp.
1254
+.B \-\-proto udp.
1254 1255
 
1255
-.B --mssfix
1256
+.B \-\-mssfix
1256 1257
 and
1257
-.B --fragment
1258
+.B \-\-fragment
1258 1259
 can be ideally used together, where
1259
-.B --mssfix
1260
+.B \-\-mssfix
1260 1261
 will try to keep TCP from needing
1261 1262
 packet fragmentation in the first place,
1262 1263
 and if big packets come through anyhow
1263 1264
 (from protocols other than TCP),
1264
-.B --fragment
1265
+.B \-\-fragment
1265 1266
 will internally fragment them.
1266 1267
 
1267 1268
 Both
1268
-.B --fragment
1269
+.B \-\-fragment
1269 1270
 and
1270
-.B --mssfix
1271
+.B \-\-mssfix
1271 1272
 are designed to work around cases where Path MTU discovery
1272 1273
 is broken on the network path between OpenVPN peers.
1273 1274
 
... ...
@@ -1276,35 +1277,35 @@ connection which successfully starts, but then stalls
1276 1276
 during active usage.
1277 1277
 
1278 1278
 If
1279
-.B --fragment
1279
+.B \-\-fragment
1280 1280
 and
1281
-.B --mssfix
1281
+.B \-\-mssfix
1282 1282
 are used together,
1283
-.B --mssfix
1283
+.B \-\-mssfix
1284 1284
 will take its default
1285 1285
 .B max
1286 1286
 parameter from the
1287
-.B --fragment max
1287
+.B \-\-fragment max
1288 1288
 option.
1289 1289
 
1290 1290
 Therefore, one could lower the maximum UDP packet size
1291 1291
 to 1300 (a good first try for solving MTU-related
1292 1292
 connection problems) with the following options:
1293 1293
 
1294
-.B --tun-mtu 1500 --fragment 1300 --mssfix
1294
+.B \-\-tun-mtu 1500 \-\-fragment 1300 \-\-mssfix
1295 1295
 .\"*********************************************************
1296 1296
 .TP
1297
-.B --sndbuf size
1297
+.B \-\-sndbuf size
1298 1298
 Set the TCP/UDP socket send buffer size.
1299 1299
 Currently defaults to 65536 bytes.
1300 1300
 .\"*********************************************************
1301 1301
 .TP
1302
-.B --rcvbuf size
1302
+.B \-\-rcvbuf size
1303 1303
 Set the TCP/UDP socket receive buffer size.
1304 1304
 Currently defaults to 65536 bytes.
1305 1305
 .\"*********************************************************
1306 1306
 .TP
1307
-.B --socket-flags flags...
1307
+.B \-\-socket-flags flags...
1308 1308
 Apply the given flags to the OpenVPN transport socket.
1309 1309
 Currently, only
1310 1310
 .B TCP_NODELAY
... ...
@@ -1321,12 +1322,12 @@ This option is pushable from server to client, and should be used
1321 1321
 on both client and server for maximum effect.
1322 1322
 .\"*********************************************************
1323 1323
 .TP
1324
-.B --txqueuelen n
1324
+.B \-\-txqueuelen n
1325 1325
 (Linux only) Set the TX queue length on the TUN/TAP interface.
1326 1326
 Currently defaults to 100.
1327 1327
 .\"*********************************************************
1328 1328
 .TP
1329
-.B --shaper n
1329
+.B \-\-shaper n
1330 1330
 Limit bandwidth of outgoing tunnel data to
1331 1331
 .B n
1332 1332
 bytes per second on the TCP/UDP port.
... ...
@@ -1362,7 +1363,7 @@ OpenVPN allows
1362 1362
 to be between 100 bytes/sec and 100 Mbytes/sec.
1363 1363
 .\"*********************************************************
1364 1364
 .TP
1365
-.B --inactive n [bytes]
1365
+.B \-\-inactive n [bytes]
1366 1366
 Causes OpenVPN to exit after
1367 1367
 .B n
1368 1368
 seconds of inactivity on the TUN/TAP device.  The time length
... ...
@@ -1376,18 +1377,18 @@ produces a combined in/out byte count that is less than
1376 1376
 .B bytes.
1377 1377
 .\"*********************************************************
1378 1378
 .TP
1379
-.B --ping n
1379
+.B \-\-ping n
1380 1380
 Ping remote over the TCP/UDP control channel
1381 1381
 if no packets have been sent for at least
1382 1382
 .B n
1383 1383
 seconds (specify
1384
-.B --ping
1384
+.B \-\-ping
1385 1385
 on both peers to cause ping packets to be sent in both directions since
1386 1386
 OpenVPN ping packets are not echoed like IP ping packets).
1387 1387
 When used in one of OpenVPN's secure modes (where
1388
-.B --secret, --tls-server,
1388
+.B \-\-secret, \-\-tls-server,
1389 1389
 or
1390
-.B --tls-client
1390
+.B \-\-tls-client
1391 1391
 is specified), the ping packet
1392 1392
 will be cryptographically secure.
1393 1393
 
... ...
@@ -1400,33 +1401,33 @@ pass will not time out.
1400 1400
 
1401 1401
 (2) To provide a basis for the remote to test the existence
1402 1402
 of its peer using the
1403
-.B --ping-exit
1403
+.B \-\-ping-exit
1404 1404
 option.
1405 1405
 .\"*********************************************************
1406 1406
 .TP
1407
-.B --ping-exit n
1407
+.B \-\-ping-exit n
1408 1408
 Causes OpenVPN to exit after
1409 1409
 .B n
1410 1410
 seconds pass without reception of a ping
1411 1411
 or other packet from remote.
1412 1412
 This option can be combined with
1413
-.B --inactive, --ping,
1413
+.B \-\-inactive, \-\-ping,
1414 1414
 and
1415
-.B --ping-exit
1415
+.B \-\-ping-exit
1416 1416
 to create a two-tiered inactivity disconnect.
1417 1417
 
1418 1418
 For example,
1419 1419
 
1420
-.B openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
1420
+.B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping-exit 60
1421 1421
 
1422 1422
 when used on both peers will cause OpenVPN to exit within 60
1423 1423
 seconds if its peer disconnects, but will exit after one
1424 1424
 hour if no actual tunnel data is exchanged.
1425 1425
 .\"*********************************************************
1426 1426
 .TP
1427
-.B --ping-restart n
1427
+.B \-\-ping-restart n
1428 1428
 Similar to
1429
-.B --ping-exit,
1429
+.B \-\-ping-exit,
1430 1430
 but trigger a
1431 1431
 .B SIGUSR1
1432 1432
 restart after
... ...
@@ -1445,13 +1446,13 @@ as
1445 1445
 
1446 1446
 If the peer cannot be reached, a restart will be triggered, causing
1447 1447
 the hostname used with
1448
-.B --remote
1448
+.B \-\-remote
1449 1449
 to be re-resolved (if
1450
-.B --resolv-retry
1450
+.B \-\-resolv-retry
1451 1451
 is also specified).
1452 1452
 
1453 1453
 In server mode,
1454
-.B --ping-restart, --inactive,
1454
+.B \-\-ping-restart, \-\-inactive,
1455 1455
 or any other type of internally generated signal will always be
1456 1456
 applied to
1457 1457
 individual client instance objects, never to whole server itself.
... ...
@@ -1460,14 +1461,14 @@ which would normally cause a restart, will cause the deletion
1460 1460
 of the client instance object instead.
1461 1461
 
1462 1462
 In client mode, the
1463
-.B --ping-restart
1463
+.B \-\-ping-restart
1464 1464
 parameter is set to 120 seconds by default.  This default will
1465 1465
 hold until the client pulls a replacement value from the server, based on
1466 1466
 the
1467
-.B --keepalive
1467
+.B \-\-keepalive
1468 1468
 setting in the server configuration.
1469 1469
 To disable the 120 second default, set
1470
-.B --ping-restart 0
1470
+.B \-\-ping-restart 0
1471 1471
 on the client.
1472 1472
 
1473 1473
 See the signals section below for more information
... ...
@@ -1477,27 +1478,27 @@ on
1477 1477
 Note that the behavior of
1478 1478
 .B SIGUSR1
1479 1479
 can be modified by the
1480
-.B --persist-tun, --persist-key, --persist-local-ip,
1480
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip,
1481 1481
 and
1482
-.B --persist-remote-ip
1482
+.B \-\-persist-remote-ip
1483 1483
 options.
1484 1484
 
1485 1485
 Also note that
1486
-.B --ping-exit
1486
+.B \-\-ping-exit
1487 1487
 and
1488
-.B --ping-restart
1488
+.B \-\-ping-restart
1489 1489
 are mutually exclusive and cannot be used together.
1490 1490
 .\"*********************************************************
1491 1491
 .TP
1492
-.B --keepalive n m
1492
+.B \-\-keepalive n m
1493 1493
 A helper directive designed to simplify the expression of
1494
-.B --ping
1494
+.B \-\-ping
1495 1495
 and
1496
-.B --ping-restart
1496
+.B \-\-ping-restart
1497 1497
 in server mode configurations.
1498 1498
 
1499 1499
 For example,
1500
-.B --keepalive 10 60
1500
+.B \-\-keepalive 10 60
1501 1501
 expands as follows:
1502 1502
 
1503 1503
 .nf
... ...
@@ -1516,24 +1517,24 @@ expands as follows:
1516 1516
 .fi
1517 1517
 .\"*********************************************************
1518 1518
 .TP
1519
-.B --ping-timer-rem
1519
+.B \-\-ping-timer-rem
1520 1520
 Run the
1521
-.B --ping-exit
1521
+.B \-\-ping-exit
1522 1522
 /
1523
-.B --ping-restart
1523
+.B \-\-ping-restart
1524 1524
 timer only if we have a remote address.  Use this option if you are
1525 1525
 starting the daemon in listen mode (i.e. without an explicit
1526
-.B --remote
1526
+.B \-\-remote
1527 1527
 peer), and you don't want to start clocking timeouts until a remote
1528 1528
 peer connects.
1529 1529
 .\"*********************************************************
1530 1530
 .TP
1531
-.B --persist-tun
1531
+.B \-\-persist-tun
1532 1532
 Don't close and reopen TUN/TAP device or run up/down scripts
1533 1533
 across
1534 1534
 .B SIGUSR1
1535 1535
 or
1536
-.B --ping-restart
1536
+.B \-\-ping-restart
1537 1537
 restarts.
1538 1538
 
1539 1539
 .B SIGUSR1
... ...
@@ -1543,14 +1544,14 @@ but which offers finer-grained control over
1543 1543
 reset options.
1544 1544
 .\"*********************************************************
1545 1545
 .TP
1546
-.B --persist-key
1546
+.B \-\-persist-key
1547 1547
 Don't re-read key files across
1548 1548
 .B SIGUSR1
1549 1549
 or
1550
-.B --ping-restart.
1550
+.B \-\-ping-restart.
1551 1551
 
1552 1552
 This option can be combined with
1553
-.B --user nobody
1553
+.B \-\-user nobody
1554 1554
 to allow restarts triggered by the
1555 1555
 .B SIGUSR1
1556 1556
 signal.
... ...
@@ -1563,29 +1564,29 @@ This option solves the problem by persisting keys across
1563 1563
 resets, so they don't need to be re-read.
1564 1564
 .\"*********************************************************
1565 1565
 .TP
1566
-.B --persist-local-ip
1566
+.B \-\-persist-local-ip
1567 1567
 Preserve initially resolved local IP address and port number
1568 1568
 across
1569 1569
 .B SIGUSR1
1570 1570
 or
1571
-.B --ping-restart
1571
+.B \-\-ping-restart
1572 1572
 restarts.
1573 1573
 .\"*********************************************************
1574 1574
 .TP
1575
-.B --persist-remote-ip
1575
+.B \-\-persist-remote-ip
1576 1576
 Preserve most recently authenticated remote IP address and port number
1577 1577
 across
1578 1578
 .B SIGUSR1
1579 1579
 or
1580
-.B --ping-restart
1580
+.B \-\-ping-restart
1581 1581
 restarts.
1582 1582
 .\"*********************************************************
1583 1583
 .TP
1584
-.B --mlock
1584
+.B \-\-mlock
1585 1585
 Disable paging by calling the POSIX mlockall function.
1586 1586
 Requires that OpenVPN be initially run as root (though
1587 1587
 OpenVPN can subsequently downgrade its UID using the
1588
-.B --user
1588
+.B \-\-user
1589 1589
 option).
1590 1590
 
1591 1591
 Using this option ensures that key material and tunnel
... ...
@@ -1597,33 +1598,33 @@ would not be able to scan the system swap file to
1597 1597
 recover previously used
1598 1598
 ephemeral keys, which are used for a period of time
1599 1599
 governed by the
1600
-.B --reneg
1600
+.B \-\-reneg
1601 1601
 options (see below), then are discarded.
1602 1602
 
1603 1603
 The downside
1604 1604
 of using
1605
-.B --mlock
1605
+.B \-\-mlock
1606 1606
 is that it will reduce the amount of physical
1607 1607
 memory available to other applications.
1608 1608
 .\"*********************************************************
1609 1609
 .TP
1610
-.B --up cmd
1610
+.B \-\-up cmd
1611 1611
 Shell command to run after successful TUN/TAP device open
1612 1612
 (pre
1613
-.B --user
1613
+.B \-\-user
1614 1614
 UID change).  The up script is useful for specifying route
1615 1615
 commands which route IP traffic destined for
1616 1616
 private subnets which exist at the other
1617 1617
 end of the VPN connection into the tunnel.
1618 1618
 
1619 1619
 For
1620
-.B --dev tun
1620
+.B \-\-dev tun
1621 1621
 execute as:
1622 1622
 
1623 1623
 .B cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ]
1624 1624
 
1625 1625
 For
1626
-.B --dev tap
1626
+.B \-\-dev tap
1627 1627
 execute as:
1628 1628
 
1629 1629
 .B cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ]
... ...
@@ -1648,62 +1649,62 @@ In this context, the last command line parameter passed to the script
1648 1648
 will be
1649 1649
 .I init.
1650 1650
 If the
1651
-.B --up-restart
1651
+.B \-\-up-restart
1652 1652
 option is also used, the up script will be called for restarts as
1653 1653
 well.  A restart is considered to be a partial reinitialization
1654 1654
 of OpenVPN where the TUN/TAP instance is preserved (the
1655
-.B --persist-tun
1655
+.B \-\-persist-tun
1656 1656
 option will enable such preservation).  A restart
1657 1657
 can be generated by a SIGUSR1 signal, a
1658
-.B --ping-restart
1658
+.B \-\-ping-restart
1659 1659
 timeout, or a connection reset when the TCP protocol is enabled
1660 1660
 with the
1661
-.B --proto
1661
+.B \-\-proto
1662 1662
 option.  If a restart occurs, and
1663
-.B --up-restart
1663
+.B \-\-up-restart
1664 1664
 has been specified, the up script will be called with
1665 1665
 .I restart
1666 1666
 as the last parameter.
1667 1667
 
1668 1668
 The following standalone example shows how the
1669
-.B --up
1669
+.B \-\-up
1670 1670
 script can be called in both an initialization and restart context.
1671 1671
 (NOTE: for security reasons, don't run the following example unless UDP port
1672 1672
 9999 is blocked by your firewall.  Also, the example will run indefinitely,
1673 1673
 so you should abort with control-c).
1674 1674
 
1675
-.B openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up 'echo up' --down 'echo down' --persist-tun --up-restart
1675
+.B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist-tun \-\-up-restart
1676 1676
 
1677 1677
 Note that OpenVPN also provides the
1678
-.B --ifconfig
1678
+.B \-\-ifconfig
1679 1679
 option to automatically ifconfig the TUN device,
1680 1680
 eliminating the need to define an
1681
-.B --up
1681
+.B \-\-up
1682 1682
 script, unless you also want to configure routes
1683 1683
 in the
1684
-.B --up
1684
+.B \-\-up
1685 1685
 script.
1686 1686
 
1687 1687
 If
1688
-.B --ifconfig
1688
+.B \-\-ifconfig
1689 1689
 is also specified, OpenVPN will pass the ifconfig local
1690 1690
 and remote endpoints on the command line to the
1691
-.B --up
1691
+.B \-\-up
1692 1692
 script so that they can be used to configure routes such as:
1693 1693
 
1694 1694
 .B route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1695 1695
 .\"*********************************************************
1696 1696
 .TP
1697
-.B --up-delay
1697
+.B \-\-up-delay
1698 1698
 Delay TUN/TAP open and possible
1699
-.B --up
1699
+.B \-\-up
1700 1700
 script execution
1701 1701
 until after TCP/UDP connection establishment with peer.
1702 1702
 
1703 1703
 In
1704
-.B --proto udp
1704
+.B \-\-proto udp
1705 1705
 mode, this option normally requires the use of
1706
-.B --ping
1706
+.B \-\-ping
1707 1707
 to allow connection initiation to be sensed in the absence
1708 1708
 of tunnel data, since UDP is a "connectionless" protocol.
1709 1709
 
... ...
@@ -1712,50 +1713,50 @@ transitioning to "connected" until connection establishment,
1712 1712
 i.e. the receipt of the first authenticated packet from the peer.
1713 1713
 .\"*********************************************************
1714 1714
 .TP
1715
-.B --down cmd
1715
+.B \-\-down cmd
1716 1716
 Shell command to run after TUN/TAP device close
1717 1717
 (post
1718
-.B --user
1718
+.B \-\-user
1719 1719
 UID change and/or
1720
-.B --chroot
1720
+.B \-\-chroot
1721 1721
 ).  Called with the same parameters and environmental
1722 1722
 variables as the
1723
-.B --up
1723
+.B \-\-up
1724 1724
 option above.
1725 1725
 
1726 1726
 Note that if you reduce privileges by using
1727
-.B --user
1727
+.B \-\-user
1728 1728
 and/or
1729
-.B --group,
1729
+.B \-\-group,
1730 1730
 your
1731
-.B --down
1731
+.B \-\-down
1732 1732
 script will also run at reduced privilege.
1733 1733
 .\"*********************************************************
1734 1734
 .TP
1735
-.B --down-pre
1735
+.B \-\-down-pre
1736 1736
 Call
1737
-.B --down
1737
+.B \-\-down
1738 1738
 cmd/script before, rather than after, TUN/TAP close.
1739 1739
 .\"*********************************************************
1740 1740
 .TP
1741
-.B --up-restart
1741
+.B \-\-up-restart
1742 1742
 Enable the
1743
-.B --up
1743
+.B \-\-up
1744 1744
 and
1745
-.B --down
1745
+.B \-\-down
1746 1746
 scripts to be called for restarts as well as initial program start.
1747 1747
 This option is described more fully above in the
1748
-.B --up
1748
+.B \-\-up
1749 1749
 option documentation.
1750 1750
 .\"*********************************************************
1751 1751
 .TP
1752
-.B --setenv name value
1752
+.B \-\-setenv name value
1753 1753
 Set a custom environmental variable
1754 1754
 .B name=value
1755 1755
 to pass to script.
1756 1756
 .\"*********************************************************
1757 1757
 .TP
1758
-.B --setenv FORWARD_COMPATIBLE 1
1758
+.B \-\-setenv FORWARD_COMPATIBLE 1
1759 1759
 Relax config file syntax checking so that unknown directives
1760 1760
 will trigger a warning but not a fatal error,
1761 1761
 on the assumption that a given unknown directive might be valid
... ...
@@ -1768,7 +1769,7 @@ new software features to gracefully degrade when encountered by
1768 1768
 older software versions.
1769 1769
 .\"*********************************************************
1770 1770
 .TP
1771
-.B --setenv-safe name value
1771
+.B \-\-setenv-safe name value
1772 1772
 Set a custom environmental variable
1773 1773
 .B OPENVPN_name=value
1774 1774
 to pass to script.
... ...
@@ -1779,23 +1780,23 @@ is a safety precaution to prevent a LD_PRELOAD style attack
1779 1779
 from a malicious or compromised server.
1780 1780
 .\"*********************************************************
1781 1781
 .TP
1782
-.B --script-security level [method]
1782
+.B \-\-script-security level [method]
1783 1783
 This directive offers policy-level control over OpenVPN's usage of external programs
1784 1784
 and scripts.  Lower
1785 1785
 .B level
1786 1786
 values are more restrictive, higher values are more permissive.  Settings for
1787 1787
 .B level:
1788 1788
 
1789
-.B 0 --
1789
+.B 0 \-\-
1790 1790
 Strictly no calling of external programs.
1791 1791
 .br
1792
-.B 1 --
1792
+.B 1 \-\-
1793 1793
 (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
1794 1794
 .br
1795
-.B 2 --
1795
+.B 2 \-\-
1796 1796
 Allow calling of built-in executables and user-defined scripts.
1797 1797
 .br
1798
-.B 3 --
1798
+.B 3 \-\-
1799 1799
 Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
1800 1800
 
1801 1801
 The
... ...
@@ -1804,33 +1805,33 @@ parameter indicates how OpenVPN should call external commands and scripts.
1804 1804
 Settings for
1805 1805
 .B method:
1806 1806
 
1807
-.B execve --
1807
+.B execve \-\-
1808 1808
 (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
1809 1809
 .br
1810
-.B system --
1810
+.B system \-\-
1811 1811
 Use system() function (deprecated and less safe since the external program command
1812 1812
 line is subject to shell expansion).
1813 1813
 
1814 1814
 The
1815
-.B --script-security
1815
+.B \-\-script-security
1816 1816
 option was introduced in OpenVPN 2.1_rc9.  For configuration file compatibility
1817 1817
 with previous OpenVPN versions, use:
1818
-.B --script-security 3 system
1818
+.B \-\-script-security 3 system
1819 1819
 .\"*********************************************************
1820 1820
 .TP
1821
-.B --disable-occ
1821
+.B \-\-disable-occ
1822 1822
 Don't output a warning message if option inconsistencies are detected between
1823 1823
 peers.  An example of an option inconsistency would be where one peer uses
1824
-.B --dev tun
1824
+.B \-\-dev tun
1825 1825
 while the other peer uses
1826
-.B --dev tap.
1826
+.B \-\-dev tap.
1827 1827
 
1828 1828
 Use of this option is discouraged, but is provided as
1829 1829
 a temporary fix in situations where a recent version of OpenVPN must
1830 1830
 connect to an old version.
1831 1831
 .\"*********************************************************
1832 1832
 .TP
1833
-.B --user user
1833
+.B \-\-user user
1834 1834
 Change the user ID of the OpenVPN process to
1835 1835
 .B user
1836 1836
 after initialization, dropping privileges in the process.
... ...
@@ -1852,7 +1853,7 @@ you want to reset an OpenVPN daemon with a
1852 1852
 signal
1853 1853
 (for example in response
1854 1854
 to a DHCP reset), you should make use of one or more of the
1855
-.B --persist
1855
+.B \-\-persist
1856 1856
 options to ensure that OpenVPN doesn't need to execute any privileged
1857 1857
 operations in order to restart (such as re-reading key files
1858 1858
 or running
... ...
@@ -1860,16 +1861,16 @@ or running
1860 1860
 on the TUN device).
1861 1861
 .\"*********************************************************
1862 1862
 .TP
1863
-.B --group group
1863
+.B \-\-group group
1864 1864
 Similar to the
1865
-.B --user
1865
+.B \-\-user
1866 1866
 option,
1867 1867
 this option changes the group ID of the OpenVPN process to
1868 1868
 .B group
1869 1869
 after initialization.
1870 1870
 .\"*********************************************************
1871 1871
 .TP
1872
-.B --cd dir
1872
+.B \-\-cd dir
1873 1873
 Change directory to
1874 1874
 .B dir
1875 1875
 prior to reading any files such as
... ...
@@ -1881,16 +1882,16 @@ to the current directory such as "." or "..".
1881 1881
 
1882 1882
 This option is useful when you are running
1883 1883
 OpenVPN in 
1884
-.B --daemon
1884
+.B \-\-daemon
1885 1885
 mode, and you want to consolidate all of
1886 1886
 your OpenVPN control files in one location.
1887 1887
 .\"*********************************************************
1888 1888
 .TP
1889
-.B --chroot dir
1889
+.B \-\-chroot dir
1890 1890
 Chroot to
1891 1891
 .B dir
1892 1892
 after initialization.  
1893
-.B --chroot
1893
+.B \-\-chroot
1894 1894
 essentially redefines
1895 1895
 .B dir
1896 1896
 as being the top
... ...
@@ -1909,22 +1910,22 @@ complications can result when scripts or restarts
1909 1909
 are executed after the chroot operation.
1910 1910
 .\"*********************************************************
1911 1911
 .TP
1912
-.B --setcon context
1912
+.B \-\-setcon context
1913 1913
 Apply SELinux
1914 1914
 .B context
1915 1915
 after initialization. This
1916 1916
 essentially provides the ability to restrict OpenVPN's
1917 1917
 rights to only network I/O operations, thanks to
1918 1918
 SELinux. This goes further than
1919
-.B --user
1919
+.B \-\-user
1920 1920
 and
1921
-.B --chroot
1921
+.B \-\-chroot
1922 1922
 in that those two, while being great security features,
1923 1923
 unfortunately do not protect against privilege escalation
1924 1924
 by exploitation of a vulnerable system call. You can of
1925 1925
 course combine all three, but please note that since
1926 1926
 setcon requires access to /proc you will have to provide
1927
-it inside the chroot directory (e.g. with mount --bind).
1927
+it inside the chroot directory (e.g. with mount \-\-bind).
1928 1928
 
1929 1929
 Since the setcon operation is delayed until after
1930 1930
 initialization, OpenVPN can be restricted to just
... ...
@@ -1936,13 +1937,13 @@ allow many things required only during initialization.
1936 1936
 Like with chroot, complications can result when scripts
1937 1937
 or restarts are executed after the setcon operation,
1938 1938
 which is why you should really consider using the
1939
-.B --persist-key
1939
+.B \-\-persist-key
1940 1940
 and
1941
-.B --persist-tun
1941
+.B \-\-persist-tun
1942 1942
 options.
1943 1943
 .\"*********************************************************
1944 1944
 .TP
1945
-.B --daemon [progname]
1945
+.B \-\-daemon [progname]
1946 1946
 Become a daemon after all initialization functions are completed.
1947 1947
 This option will cause all message and error output to
1948 1948
 be sent to the syslog file (such as /var/log/messages),
... ...
@@ -1951,10 +1952,10 @@ ifconfig commands,
1951 1951
 which will go to /dev/null unless otherwise redirected.
1952 1952
 The syslog redirection occurs immediately at the point
1953 1953
 that
1954
-.B --daemon
1954
+.B \-\-daemon
1955 1955
 is parsed on the command line even though
1956 1956
 the daemonization point occurs later.  If one of the
1957
-.B --log
1957
+.B \-\-log
1958 1958
 options is present, it will supercede syslog
1959 1959
 redirection.
1960 1960
 
... ...
@@ -1970,7 +1971,7 @@ When unspecified,
1970 1970
 defaults to "openvpn".
1971 1971
 
1972 1972
 When OpenVPN is run with the
1973
-.B --daemon
1973
+.B \-\-daemon
1974 1974
 option, it will try to delay daemonization until the majority of initialization
1975 1975
 functions which are capable of generating fatal errors are complete.  This means
1976 1976
 that initialization scripts can test the return status of the
... ...
@@ -1980,20 +1981,20 @@ has correctly initialized and entered the packet forwarding event loop.
1980 1980
 In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.
1981 1981
 .\"*********************************************************
1982 1982
 .TP
1983
-.B --syslog [progname]
1983
+.B \-\-syslog [progname]
1984 1984
 Direct log output to system logger, but do not become a daemon.
1985 1985
 See
1986
-.B --daemon
1986
+.B \-\-daemon
1987 1987
 directive above for description of
1988 1988
 .B progname
1989 1989
 parameter.
1990 1990
 .\"*********************************************************
1991 1991
 .TP
1992
-.B --passtos
1992
+.B \-\-passtos
1993 1993
 Set the TOS field of the tunnel packet to what the payload's TOS is.
1994 1994
 .\"*********************************************************
1995 1995
 .TP
1996
-.B --inetd [wait|nowait] [progname]
1996
+.B \-\-inetd [wait|nowait] [progname]
1997 1997
 Use this option when OpenVPN is being run from the inetd or
1998 1998
 .BR xinetd(8)
1999 1999
 server.
... ...
@@ -2004,7 +2005,7 @@ option must match what is specified in the inetd/xinetd
2004 2004
 config file.  The
2005 2005
 .B nowait
2006 2006
 mode can only be used with
2007
-.B --proto tcp-server.
2007
+.B \-\-proto tcp-server.
2008 2008
 The default is
2009 2009
 .B wait.
2010 2010
 The
... ...
@@ -2016,16 +2017,16 @@ see the OpenVPN FAQ:
2016 2016
 .I http://openvpn.net/faq.html#oneport
2017 2017
 
2018 2018
 This option precludes the use of
2019
-.B --daemon, --local,
2019
+.B \-\-daemon, \-\-local,
2020 2020
 or
2021
-.B --remote.
2021
+.B \-\-remote.
2022 2022
 Note that this option causes message and error output to be handled in the same
2023 2023
 way as the
2024
-.B --daemon
2024
+.B \-\-daemon
2025 2025
 option.  The optional
2026 2026
 .B progname
2027 2027
 parameter is also handled exactly as in
2028
-.B --daemon.
2028
+.B \-\-daemon.
2029 2029
 
2030 2030
 Also note that in
2031 2031
 .B wait
... ...
@@ -2035,7 +2036,7 @@ on using OpenVPN with xinetd:
2035 2035
 .I http://openvpn.net/1xhowto.html
2036 2036
 .\"*********************************************************
2037 2037
 .TP
2038
-.B --log file
2038
+.B \-\-log file
2039 2039
 Output logging messages to
2040 2040
 .B file,
2041 2041
 including output to stdout/stderr which
... ...
@@ -2046,44 +2047,44 @@ already exists it will be truncated.
2046 2046
 This option takes effect
2047 2047
 immediately when it is parsed in the command line
2048 2048
 and will supercede syslog output if
2049
-.B --daemon
2049
+.B \-\-daemon
2050 2050
 or
2051
-.B --inetd
2051
+.B \-\-inetd
2052 2052
 is also specified.
2053 2053
 This option is persistent over the entire course of
2054 2054
 an OpenVPN instantiation and will not be reset by SIGHUP,
2055 2055
 SIGUSR1, or
2056
-.B --ping-restart.
2056
+.B \-\-ping-restart.
2057 2057
 
2058 2058
 Note that on Windows, when OpenVPN is started as a service,
2059 2059
 logging occurs by default without the need to specify
2060 2060
 this option.
2061 2061
 .\"*********************************************************
2062 2062
 .TP
2063
-.B --log-append file
2063
+.B \-\-log-append file
2064 2064
 Append logging messages to
2065 2065
 .B file.
2066 2066
 If
2067 2067
 .B file
2068 2068
 does not exist, it will be created.
2069 2069
 This option behaves exactly like
2070
-.B --log
2070
+.B \-\-log
2071 2071
 except that it appends to rather
2072 2072
 than truncating the log file.
2073 2073
 .\"*********************************************************
2074 2074
 .TP
2075
-.B --suppress-timestamps
2075
+.B \-\-suppress-timestamps
2076 2076
 Avoid writing timestamps to log messages, even when they
2077 2077
 otherwise would be prepended. In particular, this applies to
2078 2078
 log messages sent to stdout.
2079 2079
 .\"*********************************************************
2080 2080
 .TP
2081
-.B --writepid file
2081
+.B \-\-writepid file
2082 2082
 Write OpenVPN's main process ID to
2083 2083
 .B file.
2084 2084
 .\"*********************************************************
2085 2085
 .TP
2086
-.B --nice n
2086
+.B \-\-nice n
2087 2087
 Change process priority after initialization
2088 2088
 (
2089 2089
 .B n
... ...
@@ -2092,14 +2093,14 @@ greater than 0 is lower priority,
2092 2092
 less than zero is higher priority).
2093 2093
 .\"*********************************************************
2094 2094
 .\".TP
2095
-.\".B --nice-work n
2095
+.\".B \-\-nice-work n
2096 2096
 .\"Change priority of background TLS work thread.  The TLS thread
2097 2097
 .\"feature is enabled when OpenVPN is built
2098 2098
 .\"with pthread support, and you are running OpenVPN
2099 2099
 .\"in TLS mode (i.e. with
2100
-.\".B --tls-client
2100
+.\".B \-\-tls-client
2101 2101
 .\"or
2102
-.\".B --tls-server
2102
+.\".B \-\-tls-server
2103 2103
 .\"specified).
2104 2104
 .\"
2105 2105
 .\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based
... ...
@@ -2109,12 +2110,12 @@ less than zero is higher priority).
2109 2109
 .\"The parameter
2110 2110
 .\".B n
2111 2111
 .\"is interpreted exactly as with the
2112
-.\".B --nice
2112
+.\".B \-\-nice
2113 2113
 .\"option above, but in relation to the work thread rather
2114 2114
 .\"than the main thread.
2115 2115
 .\"*********************************************************
2116 2116
 .TP
2117
-.B --fast-io
2117
+.B \-\-fast-io
2118 2118
 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding
2119 2119
 a call to poll/epoll/select prior to the write operation.  The purpose
2120 2120
 of such a call would normally be to block until the device
... ...
@@ -2125,13 +2126,13 @@ by avoiding the poll/epoll/select call, improving CPU efficiency
2125 2125
 by 5% to 10%.
2126 2126
 
2127 2127
 This option can only be used on non-Windows systems, when
2128
-.B --proto udp
2128
+.B \-\-proto udp
2129 2129
 is specified, and when
2130
-.B --shaper
2130
+.B \-\-shaper
2131 2131
 is NOT specified.
2132 2132
 .\"*********************************************************
2133 2133
 .TP
2134
-.B --multihome
2134
+.B \-\-multihome
2135 2135
 Configure a multi-homed UDP server.  This option can be used when
2136 2136
 OpenVPN has been configured to listen on all interfaces, and will
2137 2137
 attempt to bind client sessions to the interface on which packets
... ...
@@ -2140,13 +2141,13 @@ of the same interface.  Note that this option is only relevant for
2140 2140
 UDP servers and currently is only implemented on Linux.
2141 2141
 
2142 2142
 Note: clients connecting to a
2143
-.B --multihome
2143
+.B \-\-multihome
2144 2144
 server should always use the
2145
-.B --nobind
2145
+.B \-\-nobind
2146 2146
 option.
2147 2147
 .\"*********************************************************
2148 2148
 .TP
2149
-.B --echo [parms...]
2149
+.B \-\-echo [parms...]
2150 2150
 Echo
2151 2151
 .B parms
2152 2152
 to log output.
... ...
@@ -2155,7 +2156,7 @@ Designed to be used to send messages to a controlling application
2155 2155
 which is receiving the OpenVPN log output.
2156 2156
 .\"*********************************************************
2157 2157
 .TP
2158
-.B --remap-usr1 signal
2158
+.B \-\-remap-usr1 signal
2159 2159
 Control whether internally or externally
2160 2160
 generated SIGUSR1 signals are remapped to
2161 2161
 SIGHUP (restart without persisting state) or
... ...
@@ -2166,20 +2167,20 @@ can be set to "SIGHUP" or "SIGTERM".  By default, no remapping
2166 2166
 occurs.
2167 2167
 .\"*********************************************************
2168 2168
 .TP
2169
-.B --verb n
2169
+.B \-\-verb n
2170 2170
 Set output verbosity to
2171 2171
 .B n
2172 2172
 (default=1).  Each level shows all info from the previous levels.
2173 2173
 Level 3 is recommended if you want a good summary
2174 2174
 of what's happening without being swamped by output.
2175 2175
 
2176
-.B 0 --
2176
+.B 0 \-\-
2177 2177
 No output except fatal errors.
2178 2178
 .br
2179
-.B 1 to 4 --
2179
+.B 1 to 4 \-\-
2180 2180
 Normal usage range.
2181 2181
 .br
2182
-.B 5 --
2182
+.B 5 \-\-
2183 2183
 Output
2184 2184
 .B R
2185 2185
 and
... ...
@@ -2187,12 +2188,12 @@ and
2187 2187
 characters to the console for each packet read and write, uppercase is
2188 2188
 used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
2189 2189
 .br
2190
-.B 6 to 11 --
2190
+.B 6 to 11 \-\-
2191 2191
 Debug info range (see errlevel.h for additional
2192 2192
 information on debug levels).
2193 2193
 .\"*********************************************************
2194 2194
 .TP
2195
-.B --status file [n]
2195
+.B \-\-status file [n]
2196 2196
 Write operational status to
2197 2197
 .B file
2198 2198
 every
... ...
@@ -2204,21 +2205,21 @@ Status can also be written to the syslog by sending a
2204 2204
 signal.
2205 2205
 .\"*********************************************************
2206 2206
 .TP
2207
-.B --status-version [n]
2207
+.B \-\-status-version [n]
2208 2208
 Choose the status file format version number.  Currently
2209 2209
 .B n
2210 2210
 can be 1, 2, or 3 and defaults to 1.
2211 2211
 .\"*********************************************************
2212 2212
 .TP
2213
-.B --mute n
2213
+.B \-\-mute n
2214 2214
 Log at most
2215 2215
 .B n
2216 2216
 consecutive messages in the same category.  This is useful to
2217 2217
 limit repetitive logging of similar message types.
2218 2218
 .\"*********************************************************
2219 2219
 .TP
2220
-.B --comp-lzo [mode]
2221
-Use fast LZO compression -- may add up to 1 byte per
2220
+.B \-\-comp-lzo [mode]
2221
+Use fast LZO compression \-\- may add up to 1 byte per
2222 2222
 packet for incompressible data.
2223 2223
 .B mode
2224 2224
 may be "yes", "no", or "adaptive" (default).
... ...
@@ -2228,16 +2229,16 @@ compression on or off for individual clients.
2228 2228
 
2229 2229
 First, make sure the client-side config file enables selective
2230 2230
 compression by having at least one
2231
-.B --comp-lzo
2231
+.B \-\-comp-lzo
2232 2232
 directive, such as
2233
-.B --comp-lzo no.
2233
+.B \-\-comp-lzo no.
2234 2234
 This will turn off compression by default,
2235 2235
 but allow a future directive push from the server to
2236 2236
 dynamically change the
2237 2237
 on/off/adaptive setting.
2238 2238
 
2239 2239
 Next in a
2240
-.B --client-config-dir
2240
+.B \-\-client-config-dir
2241 2241
 file, specify the compression setting for the client,
2242 2242
 for example:
2243 2243
 
... ...
@@ -2256,12 +2257,12 @@ setting for the server
2256 2256
 side of the link, the second sets the client side.
2257 2257
 .\"*********************************************************
2258 2258
 .TP
2259
-.B --comp-noadapt
2259
+.B \-\-comp-noadapt
2260 2260
 When used in conjunction with
2261
-.B --comp-lzo,
2261
+.B \-\-comp-lzo,
2262 2262
 this option will disable OpenVPN's adaptive compression algorithm.
2263 2263
 Normally, adaptive compression is enabled with
2264
-.B --comp-lzo.
2264
+.B \-\-comp-lzo.
2265 2265
 
2266 2266
 Adaptive compression tries to optimize the case where you have
2267 2267
 compression enabled, but you are sending predominantly uncompressible
... ...
@@ -2273,7 +2274,7 @@ the compression efficiency will be very low, triggering openvpn to disable
2273 2273
 compression for a period of time until the next re-sample test.
2274 2274
 .\"*********************************************************
2275 2275
 .TP
2276
-.B --management IP port [pw-file]
2276
+.B \-\-management IP port [pw-file]
2277 2277
 Enable a TCP server on
2278 2278
 .B IP:port
2279 2279
 to handle daemon management functions.
... ...
@@ -2292,9 +2293,9 @@ and set
2292 2292
 .B port
2293 2293
 to 'unix'.  While the default behavior is to create a unix domain socket
2294 2294
 that may be connected to by any process, the
2295
-.B --management-client-user
2295
+.B \-\-management-client-user
2296 2296
 and
2297
-.B --management-client-group
2297
+.B \-\-management-client-group
2298 2298
 directives can be used to restrict access.
2299 2299
 
2300 2300
 The management interface provides a special mode where the TCP
... ...
@@ -2323,24 +2324,24 @@ be set to 127.0.0.1
2323 2323
 server to local clients. 
2324 2324
 .\"*********************************************************
2325 2325
 .TP
2326
-.B --management-query-passwords
2326
+.B \-\-management-query-passwords
2327 2327
 Query management channel for private key password and
2328
-.B --auth-user-pass
2328
+.B \-\-auth-user-pass
2329 2329
 username/password.  Only query the management channel
2330 2330
 for inputs which ordinarily would have been queried from the
2331 2331
 console.
2332 2332
 .\"*********************************************************
2333 2333
 .TP
2334
-.B --management-forget-disconnect
2334
+.B \-\-management-forget-disconnect
2335 2335
 Make OpenVPN forget passwords when management session
2336 2336
 disconnects.
2337 2337
 
2338 2338
 This directive does not affect the
2339
-.B --http-proxy
2339
+.B \-\-http-proxy
2340 2340
 username/password.  It is always cached.
2341 2341
 .\"*********************************************************
2342 2342
 .TP
2343
-.B --management-hold
2343
+.B \-\-management-hold
2344 2344
 Start OpenVPN in a hibernating state, until a client
2345 2345
 of the management interface explicitly starts it
2346 2346
 with the
... ...
@@ -2348,45 +2349,45 @@ with the
2348 2348
 command.
2349 2349
 .\"*********************************************************
2350 2350
 .TP
2351
-.B --management-signal
2351
+.B \-\-management-signal
2352 2352
 Send SIGUSR1 signal to OpenVPN if management session disconnects.
2353 2353
 This is useful when you wish to disconnect an OpenVPN session on
2354 2354
 user logoff.
2355 2355
 .\"*********************************************************
2356 2356
 .TP
2357
-.B --management-log-cache n
2357
+.B \-\-management-log-cache n
2358 2358
 Cache the most recent
2359 2359
 .B n
2360 2360
 lines of log file history for usage
2361 2361
 by the management channel.
2362 2362
 .\"*********************************************************
2363 2363
 .TP
2364
-.B --management-client-auth
2364
+.B \-\-management-client-auth
2365 2365
 Gives management interface client the responsibility
2366 2366
 to authenticate clients after their client certificate
2367 2367
 has been verified.  See management-notes.txt in OpenVPN
2368 2368
 distribution for detailed notes.
2369 2369
 .\"*********************************************************
2370 2370
 .TP
2371
-.B --management-client-pf
2371
+.B \-\-management-client-pf
2372 2372
 Management interface clients must specify a packet
2373 2373
 filter file for each connecting client.  See management-notes.txt
2374 2374
 in OpenVPN distribution for detailed notes.
2375 2375
 .\"*********************************************************
2376 2376
 .TP
2377
-.B --management-client-user u
2377
+.B \-\-management-client-user u
2378 2378
 When the management interface is listening on a unix domain socket,
2379 2379
 only allow connections from user
2380 2380
 .B u.
2381 2381
 .\"*********************************************************
2382 2382
 .TP
2383
-.B --management-client-group g
2383
+.B \-\-management-client-group g
2384 2384
 When the management interface is listening on a unix domain socket,
2385 2385
 only allow connections from group
2386 2386
 .B g.
2387 2387
 .\"*********************************************************
2388 2388
 .TP
2389
-.B --plugin module-pathname [init-string]
2389
+.B \-\-plugin module-pathname [init-string]
2390 2390
 Load plug-in module from the file
2391 2391
 .B module-pathname,
2392 2392
 passing
... ...
@@ -2422,7 +2423,7 @@ the connection to be authenticated.
2422 2422
 .SS Server Mode
2423 2423
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
2424 2424
 is supported, and can be enabled with the
2425
-.B --mode server
2425
+.B \-\-mode server
2426 2426
 option.  In server mode, OpenVPN will listen on a single
2427 2427
 port for incoming client connections.  All client
2428 2428
 connections will be routed through a single tun or tap
... ...
@@ -2432,7 +2433,7 @@ on sufficiently fast hardware.  SSL/TLS authentication must
2432 2432
 be used in this mode.
2433 2433
 .\"*********************************************************
2434 2434
 .TP
2435
-.B --server network netmask
2435
+.B \-\-server network netmask
2436 2436
 A helper directive designed to simplify the configuration
2437 2437
 of OpenVPN's server mode.  This directive will set up an
2438 2438
 OpenVPN server which will allocate addresses to clients
... ...
@@ -2442,7 +2443,7 @@ for use as the server-side endpoint of the local
2442 2442
 TUN/TAP interface.
2443 2443
 
2444 2444
 For example,
2445
-.B --server 10.8.0.0 255.255.255.0
2445
+.B \-\-server 10.8.0.0 255.255.255.0
2446 2446
 expands as follows:
2447 2447
 
2448 2448
 .nf
... ...
@@ -2472,23 +2473,23 @@ expands as follows:
2472 2472
 .fi
2473 2473
 
2474 2474
 Don't use
2475
-.B --server
2475
+.B \-\-server
2476 2476
 if you are ethernet bridging.  Use
2477
-.B --server-bridge
2477
+.B \-\-server-bridge
2478 2478
 instead.
2479 2479
 .\"*********************************************************
2480 2480
 .TP
2481
-.B --server-bridge gateway netmask pool-start-IP pool-end-IP
2481
+.B \-\-server-bridge gateway netmask pool-start-IP pool-end-IP
2482 2482
 .TP
2483
-.B --server-bridge ['nogw']
2483
+.B \-\-server-bridge ['nogw']
2484 2484
 
2485 2485
 A helper directive similar to
2486
-.B --server
2486
+.B \-\-server
2487 2487
 which is designed to simplify the configuration
2488 2488
 of OpenVPN's server mode in ethernet bridging configurations.
2489 2489
 
2490 2490
 If
2491
-.B --server-bridge
2491
+.B \-\-server-bridge
2492 2492
 is used without any parameters, it will enable a DHCP-proxy
2493 2493
 mode, where connecting OpenVPN clients will receive an IP
2494 2494
 address for their TAP adapter from the DHCP server running
... ...
@@ -2516,7 +2517,7 @@ IP/netmask on the bridge interface.  The
2516 2516
 and
2517 2517
 .B netmask
2518 2518
 parameters to
2519
-.B --server-bridge
2519
+.B \-\-server-bridge
2520 2520
 can be set to either the IP/netmask of the
2521 2521
 bridge interface, or the IP/netmask of the
2522 2522
 default gateway/router on the bridged
... ...
@@ -2548,7 +2549,7 @@ push "route-gateway 10.8.0.4"
2548 2548
 .fi
2549 2549
 
2550 2550
 In another example,
2551
-.B --server-bridge
2551
+.B \-\-server-bridge
2552 2552
 (without parameters) expands as follows:
2553 2553
 
2554 2554
 .nf
... ...
@@ -2563,7 +2564,7 @@ push "route-gateway dhcp"
2563 2563
 .fi
2564 2564
 
2565 2565
 Or
2566
-.B --server-bridge nogw
2566
+.B \-\-server-bridge nogw
2567 2567
 expands as follows:
2568 2568
 
2569 2569
 .nf
... ...
@@ -2576,13 +2577,13 @@ tls-server
2576 2576
 .fi
2577 2577
 .\"*********************************************************
2578 2578
 .TP
2579
-.B --push "option"
2579
+.B \-\-push "option"
2580 2580
 Push a config file option back to the client for remote
2581 2581
 execution.  Note that
2582 2582
 .B
2583 2583
 option
2584 2584
 must be enclosed in double quotes ("").  The client must specify
2585
-.B --pull
2585
+.B \-\-pull
2586 2586
 in its config file.  The set of options which can be
2587 2587
 pushed is limited by both feasibility and security.
2588 2588
 Some options such as those which would execute scripts
... ...
@@ -2593,44 +2594,44 @@ cannot be pushed because the client needs to know
2593 2593
 them before the connection to the server can be initiated.
2594 2594
 
2595 2595
 This is a partial list of options which can currently be pushed:
2596
-.B --route, --route-gateway, --route-delay, --redirect-gateway,
2597
-.B --ip-win32, --dhcp-option,
2598
-.B --inactive, --ping, --ping-exit, --ping-restart,
2599
-.B --setenv,
2600
-.B --persist-key, --persist-tun, --echo,
2601
-.B --comp-lzo,
2602
-.B --socket-flags,
2603
-.B --sndbuf, --rcvbuf
2596
+.B \-\-route, \-\-route-gateway, \-\-route-delay, \-\-redirect-gateway,
2597
+.B \-\-ip-win32, \-\-dhcp-option,
2598
+.B \-\-inactive, \-\-ping, \-\-ping-exit, \-\-ping-restart,
2599
+.B \-\-setenv,
2600
+.B \-\-persist-key, \-\-persist-tun, \-\-echo,
2601
+.B \-\-comp-lzo,
2602
+.B \-\-socket-flags,
2603
+.B \-\-sndbuf, \-\-rcvbuf
2604 2604
 .\"*********************************************************
2605 2605
 .TP
2606
-.B --push-reset
2606
+.B \-\-push-reset
2607 2607
 Don't inherit the global push list for a specific client instance.
2608 2608
 Specify this option in a client-specific context such
2609 2609
 as with a
2610
-.B --client-config-dir
2610
+.B \-\-client-config-dir
2611 2611
 configuration file.  This option will ignore
2612
-.B --push
2612
+.B \-\-push
2613 2613
 options at the global config file level.
2614 2614
 .\"*********************************************************
2615 2615
 .TP
2616
-.B --disable
2616
+.B \-\-disable
2617 2617
 Disable a particular client (based on the common name)
2618 2618
 from connecting.  Don't use this option to disable a client
2619 2619
 due to key or password compromise.  Use a CRL (certificate
2620 2620
 revocation list) instead (see the
2621
-.B --crl-verify
2621
+.B \-\-crl-verify
2622 2622
 option).
2623 2623
 
2624 2624
 This option must be associated with a specific client instance,
2625 2625
 which means that it must be specified either in a client
2626 2626
 instance config file using
2627
-.B --client-config-dir
2627
+.B \-\-client-config-dir
2628 2628
 or dynamically generated using a
2629
-.B --client-connect
2629
+.B \-\-client-connect
2630 2630
 script.
2631 2631
 .\"*********************************************************
2632 2632
 .TP
2633
-.B --ifconfig-pool start-IP end-IP [netmask]
2633
+.B \-\-ifconfig-pool start-IP end-IP [netmask]
2634 2634
 Set aside a pool of subnets to be
2635 2635
 dynamically allocated to connecting clients, similar
2636 2636
 to a DHCP server.  For tun-style
... ...
@@ -2643,7 +2644,7 @@ parameter will also be pushed to clients.
2643 2643
 
2644 2644
 .\"*********************************************************
2645 2645
 .TP
2646
-.B --ifconfig-pool-persist file [seconds]
2646
+.B \-\-ifconfig-pool-persist file [seconds]
2647 2647
 Persist/unpersist ifconfig-pool
2648 2648
 data to
2649 2649
 .B file,
... ...
@@ -2658,7 +2659,7 @@ IP address assigned to them from the ifconfig-pool.
2658 2658
 Maintaining a long-term
2659 2659
 association is good for clients because it allows them
2660 2660
 to effectively use the
2661
-.B --persist-tun
2661
+.B \-\-persist-tun
2662 2662
 option.
2663 2663
 
2664 2664
 .B file
... ...
@@ -2679,32 +2680,32 @@ suggestions only, based on past associations between
2679 2679
 a common name and IP address.  They do not guarantee that the given common
2680 2680
 name will always receive the given IP address.  If you want guaranteed
2681 2681
 assignment, use
2682
-.B --ifconfig-push
2682
+.B \-\-ifconfig-push
2683 2683
 .\"*********************************************************
2684 2684
 .TP
2685
-.B --ifconfig-pool-linear
2685
+.B \-\-ifconfig-pool-linear
2686 2686
 Modifies the
2687
-.B --ifconfig-pool
2687
+.B \-\-ifconfig-pool
2688 2688
 directive to
2689 2689
 allocate individual TUN interface addresses for
2690 2690
 clients rather than /30 subnets.  NOTE:  This option
2691 2691
 is incompatible with Windows clients.
2692 2692
 
2693 2693
 This option is deprecated, and should be replaced with
2694
-.B --topology p2p
2694
+.B \-\-topology p2p
2695 2695
 which is functionally equivalent.
2696 2696
 .\"*********************************************************
2697 2697
 .TP
2698
-.B --ifconfig-push local remote-netmask
2698
+.B \-\-ifconfig-push local remote-netmask
2699 2699
 Push virtual IP endpoints for client tunnel,
2700
-overriding the --ifconfig-pool dynamic allocation.
2700
+overriding the \-\-ifconfig-pool dynamic allocation.
2701 2701
 
2702 2702
 The parameters
2703 2703
 .B local
2704 2704
 and
2705 2705
 .B remote-netmask
2706 2706
 are set according to the
2707
-.B --ifconfig
2707
+.B \-\-ifconfig
2708 2708
 directive which you want to execute on the client machine to
2709 2709
 configure the remote end of the tunnel.  Note that the parameters
2710 2710
 .B local
... ...
@@ -2717,13 +2718,13 @@ on the server at the time of client connection.
2717 2717
 This option must be associated with a specific client instance,
2718 2718
 which means that it must be specified either in a client
2719 2719
 instance config file using
2720
-.B --client-config-dir
2720
+.B \-\-client-config-dir
2721 2721
 or dynamically generated using a
2722
-.B --client-connect
2722
+.B \-\-client-connect
2723 2723
 script.
2724 2724
 
2725 2725
 Remember also to include a
2726
-.B --route
2726
+.B \-\-route
2727 2727
 directive in the main OpenVPN config file which encloses
2728 2728
 .B local,
2729 2729
 so that the kernel will know to route it
... ...
@@ -2733,23 +2734,23 @@ OpenVPN's internal client IP address selection algorithm works as
2733 2733
 follows:
2734 2734
 
2735 2735
 .B 1
2736
-.B --client-connect script
2736
+\-\- Use
2737
+.B \-\-client-connect script
2737 2738
 generated file for static IP (first choice).
2738 2739
 .br
2739 2740
 .B 2
2740
-.B --client-config-dir
2741
+\-\- Use
2742
+.B \-\-client-config-dir
2741 2743
 file for static IP (next choice).
2742 2744
 .br
2743 2745
 .B 3
2744
-.B --ifconfig-pool
2746
+\-\- Use
2747
+.B \-\-ifconfig-pool
2745 2748
 allocation for dynamic IP (last choice).
2746 2749
 .br
2747 2750
 .\"*********************************************************
2748 2751
 .TP
2749
-.B --iroute network [netmask]
2752
+.B \-\-iroute network [netmask]
2750 2753
 Generate an internal route to a specific
2751 2754
 client. The
2752 2755
 .B netmask
... ...
@@ -2760,36 +2761,36 @@ the server to a particular client, regardless
2760 2760
 of where the client is connecting from.  Remember
2761 2761
 that you must also add the route to the system
2762 2762
 routing table as well (such as by using the
2763
-.B --route
2763
+.B \-\-route
2764 2764
 directive).  The reason why two routes are needed
2765 2765
 is that the
2766
-.B --route
2766
+.B \-\-route
2767 2767
 directive routes the packet from the kernel
2768 2768
 to OpenVPN.  Once in OpenVPN, the
2769
-.B --iroute
2769
+.B \-\-iroute
2770 2770
 directive routes to the specific client.
2771 2771
 
2772 2772
 This option must be specified either in a client
2773 2773
 instance config file using
2774
-.B --client-config-dir
2774
+.B \-\-client-config-dir
2775 2775
 or dynamically generated using a
2776
-.B --client-connect
2776
+.B \-\-client-connect
2777 2777
 script.
2778 2778
 
2779 2779
 The
2780
-.B --iroute
2780
+.B \-\-iroute
2781 2781
 directive also has an important interaction with
2782
-.B --push
2782
+.B \-\-push
2783 2783
 "route ...".
2784
-.B --iroute
2784
+.B \-\-iroute
2785 2785
 essentially defines a subnet which is owned by a
2786 2786
 particular client (we will call this client A).
2787 2787
 If you would like other clients to be able to reach A's
2788 2788
 subnet, you can use
2789
-.B --push
2789
+.B \-\-push
2790 2790
 "route ..."
2791 2791
 together with
2792
-.B --client-to-client
2792
+.B \-\-client-to-client
2793 2793
 to effect this.  In order for all clients to see
2794 2794
 A's subnet, OpenVPN must push this route to all clients
2795 2795
 EXCEPT for A, since the subnet is already owned by A.
... ...
@@ -2798,11 +2799,11 @@ not pushing a route to a client
2798 2798
 if it matches one of the client's iroutes.
2799 2799
 .\"*********************************************************
2800 2800
 .TP
2801
-.B --client-to-client
2801
+.B \-\-client-to-client
2802 2802
 Because the OpenVPN server mode handles multiple clients
2803 2803
 through a single tun or tap interface, it is effectively
2804 2804
 a router.  The
2805
-.B --client-to-client
2805
+.B \-\-client-to-client
2806 2806
 flag tells OpenVPN to internally route client-to-client
2807 2807
 traffic rather than pushing all client-originating traffic
2808 2808
 to the TUN/TAP interface.
... ...
@@ -2814,20 +2815,20 @@ if you want to firewall tunnel traffic using
2814 2814
 custom, per-client rules.
2815 2815
 .\"*********************************************************
2816 2816
 .TP
2817
-.B --duplicate-cn
2817
+.B \-\-duplicate-cn
2818 2818
 Allow multiple clients with the same common name to concurrently connect.
2819 2819
 In the absence of this option, OpenVPN will disconnect a client instance
2820 2820
 upon connection of a new client having the same common name.
2821 2821
 .\"*********************************************************
2822 2822
 .TP
2823
-.B --client-connect script
2823
+.B \-\-client-connect script
2824 2824
 Run
2825 2825
 .B script
2826 2826
 on client connection.  The script is passed the common name
2827 2827
 and IP address of the just-authenticated client
2828 2828
 as environmental variables (see environmental variable section
2829 2829
 below).  The script is also passed
2830
-the pathname of a not-yet-created temporary file as $1
2830
+the pathname of a freshly created temporary file as $1
2831 2831
 (i.e. the first command line argument), to be used by the script
2832 2832
 to pass dynamically generated config file directives back to OpenVPN.
2833 2833
 
... ...
@@ -2836,7 +2837,7 @@ to be applied on the server when the client connects,
2836 2836
 it should write it to the file named by $1.
2837 2837
 
2838 2838
 See the
2839
-.B --client-config-dir
2839
+.B \-\-client-config-dir
2840 2840
 option below for options which
2841 2841
 can be legally used in a dynamically generated config file.
2842 2842
 
... ...
@@ -2848,18 +2849,18 @@ returns a non-zero error status, it will cause the client
2848 2848
 to be disconnected.
2849 2849
 .\"*********************************************************
2850 2850
 .TP
2851
-.B --client-disconnect
2851
+.B \-\-client-disconnect
2852 2852
 Like
2853
-.B --client-connect
2853
+.B \-\-client-connect
2854 2854
 but called on client instance shutdown.  Will not be called
2855 2855
 unless the
2856
-.B --client-connect
2856
+.B \-\-client-connect
2857 2857
 script and plugins (if defined)
2858 2858
 were previously called on this instance with
2859 2859
 successful (0) status returns.
2860 2860
 
2861 2861
 The exception to this rule is if the
2862
-.B --client-disconnect
2862
+.B \-\-client-disconnect
2863 2863
 script or plugins are cascaded, and at least one client-connect
2864 2864
 function succeeded, then ALL of the client-disconnect functions for
2865 2865
 scripts and plugins will be called on client instance object deletion,
... ...
@@ -2868,7 +2869,7 @@ an error status.
2868 2868
 .B 
2869 2869
 .\"*********************************************************
2870 2870
 .TP
2871
-.B --client-config-dir dir
2871
+.B \-\-client-config-dir dir
2872 2872
 Specify a directory
2873 2873
 .B dir
2874 2874
 for custom client config files.  After
... ...
@@ -2882,9 +2883,9 @@ will instead try to open and parse a default file called
2882 2882
 
2883 2883
 This file can specify a fixed IP address for a given
2884 2884
 client using
2885
-.B --ifconfig-push,
2885
+.B \-\-ifconfig-push,
2886 2886
 as well as fixed subnets owned by the client using
2887
-.B --iroute.
2887
+.B \-\-iroute.
2888 2888
 
2889 2889
 One of the useful properties of this option is that it
2890 2890
 allows client configuration files to be conveniently
... ...
@@ -2893,28 +2894,28 @@ without needing to restart the server.
2893 2893
 
2894 2894
 The following
2895 2895
 options are legal in a client-specific context:
2896
-.B --push, --push-reset, --iroute, --ifconfig-push,
2896
+.B \-\-push, \-\-push-reset, \-\-iroute, \-\-ifconfig-push,
2897 2897
 and
2898
-.B --config.
2898
+.B \-\-config.
2899 2899
 .\"*********************************************************
2900 2900
 .TP
2901
-.B --ccd-exclusive
2901
+.B \-\-ccd-exclusive
2902 2902
 Require, as a
2903 2903
 condition of authentication, that a connecting client has a
2904
-.B --client-config-dir
2904
+.B \-\-client-config-dir
2905 2905
 file.
2906 2906
 .\"*********************************************************
2907 2907
 .TP
2908
-.B --tmp-dir dir
2908
+.B \-\-tmp-dir dir
2909 2909
 Specify a directory
2910 2910
 .B dir
2911 2911
 for temporary files.  This directory will be used by
2912
-.B --client-connect
2912
+.B \-\-client-connect
2913 2913
 scripts to dynamically generate client-specific
2914 2914
 configuration files.
2915 2915
 .\"*********************************************************
2916 2916
 .TP
2917
-.B --hash-size r v
2917
+.B \-\-hash-size r v
2918 2918
 Set the size of the real address hash table to
2919 2919
 .B r
2920 2920
 and the virtual address table to
... ...
@@ -2922,13 +2923,13 @@ and the virtual address table to
2922 2922
 By default, both tables are sized at 256 buckets.
2923 2923
 .\"*********************************************************
2924 2924
 .TP
2925
-.B --bcast-buffers n
2925
+.B \-\-bcast-buffers n
2926 2926
 Allocate
2927 2927
 .B n
2928 2928
 buffers for broadcast datagrams (default=256).
2929 2929
 .\"*********************************************************
2930 2930
 .TP
2931
-.B --tcp-queue-limit n
2931
+.B \-\-tcp-queue-limit n
2932 2932
 Maximum number of output packets queued before TCP (default=64).
2933 2933
 
2934 2934
 When OpenVPN is tunneling data from a TUN/TAP device to a
... ...
@@ -2940,7 +2941,7 @@ OpenVPN will start to drop outgoing packets directed
2940 2940
 at this client.
2941 2941
 .\"*********************************************************
2942 2942
 .TP
2943
-.B --tcp-nodelay
2943
+.B \-\-tcp-nodelay
2944 2944
 This macro sets the TCP_NODELAY socket flag on the server
2945 2945
 as well as pushes it to connecting clients.  The TCP_NODELAY
2946 2946
 flag disables the Nagle algorithm on TCP sockets causing
... ...
@@ -2963,13 +2964,13 @@ The macro expands as follows:
2963 2963
 .fi
2964 2964
 .\"*********************************************************
2965 2965
 .TP
2966
-.B --max-clients n
2966
+.B \-\-max-clients n
2967 2967
 Limit server to a maximum of
2968 2968
 .B n
2969 2969
 concurrent clients.
2970 2970
 .\"*********************************************************
2971 2971
 .TP
2972
-.B --max-routes-per-client n
2972
+.B \-\-max-routes-per-client n
2973 2973
 Allow a maximum of
2974 2974
 .B n
2975 2975
 internal routes per client (default=256).
... ...
@@ -2979,9 +2980,9 @@ server with packets appearing to come from many unique MAC addresses,
2979 2979
 forcing the server to deplete
2980 2980
 virtual memory as its internal routing table expands.
2981 2981
 This directive can be used in a
2982
-.B --client-config-dir
2982
+.B \-\-client-config-dir
2983 2983
 file or auto-generated by a
2984
-.B --client-connect
2984
+.B \-\-client-connect
2985 2985
 script to override the global value for a particular client.
2986 2986
 
2987 2987
 Note that this
... ...
@@ -2989,7 +2990,7 @@ directive affects OpenVPN's internal routing table, not the
2989 2989
 kernel routing table.
2990 2990
 .\"*********************************************************
2991 2991
 .TP
2992
-.B --connect-freq n sec
2992
+.B \-\-connect-freq n sec
2993 2993
 Allow a maximum of
2994 2994
 .B n
2995 2995
 new connections per
... ...
@@ -3003,12 +3004,12 @@ DoS scenario, legitimate connections might also be refused.
3003 3003
 
3004 3004
 For the best protection against DoS attacks in server mode,
3005 3005
 use
3006
-.B --proto udp
3006
+.B \-\-proto udp
3007 3007
 and
3008
-.B --tls-auth.
3008
+.B \-\-tls-auth.
3009 3009
 .\"*********************************************************
3010 3010
 .TP
3011
-.B --learn-address cmd
3011
+.B \-\-learn-address cmd
3012 3012
 Run script or shell command
3013 3013
 .B cmd
3014 3014
 to validate client virtual addresses or routes.
... ...
@@ -3016,19 +3017,19 @@ to validate client virtual addresses or routes.
3016 3016
 .B cmd
3017 3017
 will be executed with 3 parameters:
3018 3018
 
3019
-.B [1] operation --
3019
+.B [1] operation \-\-
3020 3020
 "add", "update", or "delete" based on whether or not
3021 3021
 the address is being added to, modified, or deleted from
3022 3022
 OpenVPN's internal routing table.
3023 3023
 .br
3024
-.B [2] address --
3024
+.B [2] address \-\-
3025 3025
 The address being learned or unlearned.  This can be
3026 3026
 an IPv4 address such as "198.162.10.14", an IPv4 subnet
3027 3027
 such as "198.162.10.0/24", or an ethernet MAC address (when
3028
-.B --dev tap
3028
+.B \-\-dev tap
3029 3029
 is being used) such as "00:FF:01:02:03:04".
3030 3030
 .br
3031
-.B [3] common name --
3031
+.B [3] common name \-\-
3032 3032
 The common name on the certificate associated with the
3033 3033
 client linked to this address.  Only present for "add"
3034 3034
 or "update" operations, not "delete".
... ...
@@ -3048,7 +3049,7 @@ policies with regard to the client's high-level common name,
3048 3048
 rather than the low level client virtual addresses.
3049 3049
 .\"*********************************************************
3050 3050
 .TP
3051
-.B --auth-user-pass-verify script method
3051
+.B \-\-auth-user-pass-verify script method
3052 3052
 Require the client to provide a username/password (possibly
3053 3053
 in addition to a client certificate) for authentication.
3054 3054
 
... ...
@@ -3079,10 +3080,10 @@ will be passed as an argument to
3079 3079
 and the file will be automatically deleted by OpenVPN after
3080 3080
 the script returns.  The location of the temporary file is
3081 3081
 controlled by the
3082
-.B --tmp-dir
3082
+.B \-\-tmp-dir
3083 3083
 option, and will default to the current directory if unspecified.
3084 3084
 For security, consider setting 
3085
-.B --tmp-dir
3085
+.B \-\-tmp-dir
3086 3086
 to a volatile storage medium such as
3087 3087
 .B /dev/shm
3088 3088
 (if available) to prevent the username/password file from touching the hard drive.
... ...
@@ -3114,7 +3115,7 @@ For a sample script that performs PAM authentication, see
3114 3114
 in the OpenVPN source distribution.
3115 3115
 .\"*********************************************************
3116 3116
 .TP
3117
-.B --opt-verify
3117
+.B \-\-opt-verify
3118 3118
 Clients that connect with options that are incompatible
3119 3119
 with those of the server will be disconnected.
3120 3120
 
... ...
@@ -3124,16 +3125,16 @@ comp-lzo, fragment, keydir, cipher, auth, keysize, secret,
3124 3124
 no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client.
3125 3125
 
3126 3126
 This option requires that
3127
-.B --disable-occ
3127
+.B \-\-disable-occ
3128 3128
 NOT be used.
3129 3129
 .\"*********************************************************
3130 3130
 .TP
3131
-.B --auth-user-pass-optional
3131
+.B \-\-auth-user-pass-optional
3132 3132
 Allow connections by clients that do not specify a username/password.
3133 3133
 Normally, when
3134
-.B --auth-user-pass-verify
3134
+.B \-\-auth-user-pass-verify
3135 3135
 or
3136
-.B --management-client-auth
3136
+.B \-\-management-client-auth
3137 3137
 is specified (or an authentication plugin module), the
3138 3138
 OpenVPN server daemon will require connecting clients to specify a
3139 3139
 username and password.  This option makes the submission of a username/password
... ...
@@ -3146,35 +3147,35 @@ to empty strings ("").  The authentication module/script MUST have logic
3146 3146
 to detect this condition and respond accordingly.
3147 3147
 .\"*********************************************************
3148 3148
 .TP
3149
-.B --client-cert-not-required
3149
+.B \-\-client-cert-not-required
3150 3150
 Don't require client certificate, client will authenticate
3151 3151
 using username/password only.  Be aware that using this directive
3152 3152
 is less secure than requiring certificates from all clients.
3153 3153
 
3154 3154
 If you use this directive, the
3155 3155
 entire responsibility of authentication will rest on your
3156
-.B --auth-user-pass-verify
3156
+.B \-\-auth-user-pass-verify
3157 3157
 script, so keep in mind that bugs in your script
3158 3158
 could potentially compromise the security of your VPN.
3159 3159
 
3160 3160
 If you don't use this directive, but you also specify an
3161
-.B --auth-user-pass-verify
3161
+.B \-\-auth-user-pass-verify
3162 3162
 script, then OpenVPN will perform double authentication.  The
3163 3163
 client certificate verification AND the
3164
-.B --auth-user-pass-verify
3164
+.B \-\-auth-user-pass-verify
3165 3165
 script will need to succeed in order for a client to be
3166 3166
 authenticated and accepted onto the VPN.
3167 3167
 .\"*********************************************************
3168 3168
 .TP
3169
-.B --username-as-common-name
3169
+.B \-\-username-as-common-name
3170 3170
 For
3171
-.B --auth-user-pass-verify
3171
+.B \-\-auth-user-pass-verify
3172 3172
 authentication, use
3173 3173
 the authenticated username as the common name,
3174 3174
 rather than the common name from the client cert.
3175 3175
 .\"*********************************************************
3176 3176
 .TP
3177
-.B --no-name-remapping
3177
+.B \-\-no-name-remapping
3178 3178
 Allow Common Name, X509 Subject, and username strings to include
3179 3179
 any printable character including space, but excluding control
3180 3180
 characters such as tab, newline, and carriage-return.
... ...
@@ -3195,7 +3196,7 @@ disable the remapping feature.  Don't use this option unless you
3195 3195
 know what you are doing!
3196 3196
 .\"*********************************************************
3197 3197
 .TP
3198
-.B --port-share host port
3198
+.B \-\-port-share host port
3199 3199
 When run in TCP server mode, share the OpenVPN port with
3200 3200
 another application, such as an HTTPS server.  If OpenVPN
3201 3201
 senses a connection to its port which is using a non-OpenVPN
... ...
@@ -3210,13 +3211,13 @@ Not implemented on Windows.
3210 3210
 .SS Client Mode
3211 3211
 Use client mode when connecting to an OpenVPN server
3212 3212
 which has
3213
-.B --server, --server-bridge,
3213
+.B \-\-server, \-\-server-bridge,
3214 3214
 or
3215
-.B --mode server
3215
+.B \-\-mode server
3216 3216
 in it's configuration.
3217 3217
 .\"*********************************************************
3218 3218
 .TP
3219
-.B --client
3219
+.B \-\-client
3220 3220
 A helper directive designed to simplify the configuration
3221 3221
 of OpenVPN's client mode.  This directive is equivalent to:
3222 3222
 
... ...
@@ -3230,33 +3231,33 @@ of OpenVPN's client mode.  This directive is equivalent to:
3230 3230
 .fi
3231 3231
 .\"*********************************************************
3232 3232
 .TP
3233
-.B --pull
3233
+.B \-\-pull
3234 3234
 This option must be used on a client which is connecting
3235 3235
 to a multi-client server.  It indicates to OpenVPN that it
3236 3236
 should accept options pushed by the server, provided they
3237 3237
 are part of the legal set of pushable options (note that the
3238
-.B --pull
3238
+.B \-\-pull
3239 3239
 option is implied by
3240
-.B --client
3240
+.B \-\-client
3241 3241
 ).
3242 3242
 
3243 3243
 In particular,
3244
-.B --pull
3244
+.B \-\-pull
3245 3245
 allows the server to push routes to the client, so you should
3246 3246
 not use
3247
-.B --pull
3247
+.B \-\-pull
3248 3248
 or
3249
-.B --client
3249
+.B \-\-client
3250 3250
 in situations where you don't trust the server to have control
3251 3251
 over the client's routing table.
3252 3252
 .\"*********************************************************
3253 3253
 .TP
3254
-.B --auth-user-pass [up]
3254
+.B \-\-auth-user-pass [up]
3255 3255
 Authenticate with server using username/password.
3256 3256
 .B up
3257 3257
 is a file containing username/password on 2 lines (Note: OpenVPN
3258 3258
 will only read passwords from a file if it has been built
3259
-with the --enable-password-save configure option, or on Windows
3259
+with the \-\-enable-password-save configure option, or on Windows
3260 3260
 by defining ENABLE_PASSWORD_SAVE in config-win32.h).
3261 3261
 
3262 3262
 If
... ...
@@ -3265,12 +3266,12 @@ is omitted, username/password will be prompted from the
3265 3265
 console.
3266 3266
 
3267 3267
 The server configuration must specify an
3268
-.B --auth-user-pass-verify
3268
+.B \-\-auth-user-pass-verify
3269 3269
 script to verify the username/password provided by
3270 3270
 the client.
3271 3271
 .\"*********************************************************
3272 3272
 .TP
3273
-.B --auth-retry type
3273
+.B \-\-auth-retry type
3274 3274
 Controls how OpenVPN responds to username/password verification
3275 3275
 errors such as the client-side response to an AUTH_FAILED message from the server
3276 3276
 or verification failure of the private key password.
... ...
@@ -3281,40 +3282,40 @@ of error.
3281 3281
 
3282 3282
 An AUTH_FAILED message is generated by the server if the client
3283 3283
 fails
3284
-.B --auth-user-pass
3284
+.B \-\-auth-user-pass
3285 3285
 authentication, or if the server-side
3286
-.B --client-connect
3286
+.B \-\-client-connect
3287 3287
 script returns an error status when the client
3288 3288
 tries to connect.
3289 3289
 
3290 3290
 .B type
3291 3291
 can be one of:
3292 3292
 
3293
-.B none --
3293
+.B none \-\-
3294 3294
 Client will exit with a fatal error (this is the default).
3295 3295
 .br
3296
-.B nointeract --
3296
+.B nointeract \-\-
3297 3297
 Client will retry the connection without requerying for an
3298
-.B --auth-user-pass
3298
+.B \-\-auth-user-pass
3299 3299
 username/password.  Use this option for unattended clients.
3300 3300
 .br
3301
-.B interact --
3301
+.B interact \-\-
3302 3302
 Client will requery for an
3303
-.B --auth-user-pass
3303
+.B \-\-auth-user-pass
3304 3304
 username/password and/or private key password before attempting a reconnection.
3305 3305
 
3306 3306
 Note that while this option cannot be pushed, it can be controlled
3307 3307
 from the management interface.
3308 3308
 .\"*********************************************************
3309 3309
 .TP
3310
-.B --server-poll-timeout n
3310
+.B \-\-server-poll-timeout n
3311 3311
 when polling possible remote servers to connect to
3312 3312
 in a round-robin fashion, spend no more than
3313 3313
 .B n
3314 3314
 seconds waiting for a response before trying the next server.
3315 3315
 .\"*********************************************************
3316 3316
 .TP
3317
-.B --explicit-exit-notify [n]
3317
+.B \-\-explicit-exit-notify [n]
3318 3318
 In UDP client mode or point-to-point mode, send server/peer an exit notification
3319 3319
 if tunnel is restarted or OpenVPN process is exited.  In client mode, on
3320 3320
 exit/restart, this
... ...
@@ -3329,12 +3330,12 @@ These options are meaningful for both Static & TLS-negotiated key modes
3329 3329
 (must be compatible between peers).
3330 3330
 .\"*********************************************************
3331 3331
 .TP
3332
-.B --secret file [direction]
3332
+.B \-\-secret file [direction]
3333 3333
 Enable Static Key encryption mode (non-TLS).
3334 3334
 Use pre-shared secret
3335 3335
 .B file
3336 3336
 which was generated with
3337
-.B --genkey.
3337
+.B \-\-genkey.
3338 3338
 
3339 3339
 The optional
3340 3340
 .B direction
... ...
@@ -3365,7 +3366,7 @@ supports the
3365 3365
 .B direction
3366 3366
 parameter, will also support 2048 bit key file generation
3367 3367
 using the
3368
-.B --genkey
3368
+.B \-\-genkey
3369 3369
 option.
3370 3370
 
3371 3371
 Static key encryption mode has certain advantages,
... ...
@@ -3395,7 +3396,7 @@ would see nothing
3395 3395
 but random-looking data.
3396 3396
 .\"*********************************************************
3397 3397
 .TP
3398
-.B --auth alg
3398
+.B \-\-auth alg
3399 3399
 Authenticate packets with HMAC using message
3400 3400
 digest algorithm
3401 3401
 .B alg.
... ...
@@ -3410,7 +3411,7 @@ OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ci
3410 3410
 
3411 3411
 In static-key encryption mode, the HMAC key
3412 3412
 is included in the key file generated by
3413
-.B --genkey.
3413
+.B \-\-genkey.
3414 3414
 In TLS mode, the HMAC key is dynamically generated and shared
3415 3415
 between peers via the TLS control channel.  If OpenVPN receives a packet with
3416 3416
 a bad HMAC it will drop the packet.
... ...
@@ -3423,7 +3424,7 @@ For more information on HMAC see
3423 3423
 .I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
3424 3424
 .\"*********************************************************
3425 3425
 .TP
3426
-.B --cipher alg
3426
+.B \-\-cipher alg
3427 3427
 Encrypt packets with cipher algorithm
3428 3428
 .B alg.
3429 3429
 The default is
... ...
@@ -3438,7 +3439,7 @@ For more information on blowfish, see
3438 3438
 
3439 3439
 To see other ciphers that are available with
3440 3440
 OpenVPN, use the
3441
-.B --show-ciphers
3441
+.B \-\-show-ciphers
3442 3442
 option.
3443 3443
 
3444 3444
 OpenVPN supports the CBC, CFB, and OFB cipher modes,
... ...
@@ -3450,10 +3451,10 @@ Set
3450 3450
 to disable encryption.
3451 3451
 .\"*********************************************************
3452 3452
 .TP
3453
-.B --keysize n
3453
+.B \-\-keysize n
3454 3454
 Size of cipher key in bits (optional).
3455 3455
 If unspecified, defaults to cipher-specific default.  The
3456
-.B --show-ciphers
3456
+.B \-\-show-ciphers
3457 3457
 option (see below) shows all available OpenSSL ciphers,
3458 3458
 their default key sizes, and whether the key size can
3459 3459
 be changed.  Use care in changing a cipher's default
... ...
@@ -3463,7 +3464,7 @@ larger key may offer no real guarantee of greater
3463 3463
 security, or may even reduce security.
3464 3464
 .\"*********************************************************
3465 3465
 .TP
3466
-.B --prng alg [nsl]
3466
+.B \-\-prng alg [nsl]
3467 3467
 (Advanced) For PRNG (Pseudo-random number generator),
3468 3468
 use digest algorithm
3469 3469
 .B alg
... ...
@@ -3478,19 +3479,19 @@ to disable the PRNG and use the OpenSSL RAND_bytes function
3478 3478
 instead for all of OpenVPN's pseudo-random number needs.
3479 3479
 .\"*********************************************************
3480 3480
 .TP
3481
-.B --engine [engine-name]
3481
+.B \-\-engine [engine-name]
3482 3482
 Enable OpenSSL hardware-based crypto engine functionality.
3483 3483
 
3484 3484
 If
3485 3485
 .B engine-name
3486 3486
 is specified,
3487 3487
 use a specific crypto engine.  Use the
3488
-.B --show-engines
3488
+.B \-\-show-engines
3489 3489
 standalone option to list the crypto engines which are
3490 3490
 supported by OpenSSL.
3491 3491
 .\"*********************************************************
3492 3492
 .TP
3493
-.B --no-replay
3493
+.B \-\-no-replay
3494 3494
 (Advanced) Disable OpenVPN's protection against replay attacks.
3495 3495
 Don't use this option unless you are prepared to make
3496 3496
 a tradeoff of greater efficiency in exchange for less
... ...
@@ -3534,7 +3535,7 @@ algorithm used
3534 3534
 by IPSec.
3535 3535
 .\"*********************************************************
3536 3536
 .TP
3537
-.B --replay-window n [t]
3537
+.B \-\-replay-window n [t]
3538 3538
 Use a replay protection sliding-window of size
3539 3539
 .B n
3540 3540
 and a time window of
... ...
@@ -3549,9 +3550,9 @@ is 15 seconds.
3549 3549
 
3550 3550
 This option is only relevant in UDP mode, i.e.
3551 3551
 when either
3552
-.B --proto udp
3552
+.B \-\-proto udp
3553 3553
 is specifed, or no
3554
-.B --proto
3554
+.B \-\-proto
3555 3555
 option is specified.
3556 3556
 
3557 3557
 When OpenVPN tunnels IP packets over UDP, there is the possibility that
... ...
@@ -3563,7 +3564,7 @@ the TCP/IP protocol stack, provided they satisfy several constraints.
3563 3563
 
3564 3564
 .B (a)
3565 3565
 The packet cannot be a replay (unless
3566
-.B --no-replay
3566
+.B \-\-no-replay
3567 3567
 is specified, which disables replay protection altogether).
3568 3568
 
3569 3569
 .B (b)
... ...
@@ -3585,7 +3586,7 @@ a larger value for
3585 3585
 Satellite links in particular often require this.
3586 3586
 
3587 3587
 If you run OpenVPN at
3588
-.B --verb 4,
3588
+.B \-\-verb 4,
3589 3589
 you will see the message "Replay-window backtrack occurred [x]"
3590 3590
 every time the maximum sequence number backtrack seen thus far
3591 3591
 increases.  This can be used to calibrate
... ...
@@ -3621,7 +3622,7 @@ parameters of what is to be expected from the physical IP layer.  The problem
3621 3621
 is easily fixed by simply using TCP as the VPN transport layer.
3622 3622
 .\"*********************************************************
3623 3623
 .TP
3624
-.B --mute-replay-warnings
3624
+.B \-\-mute-replay-warnings
3625 3625
 Silence the output of replay warnings, which are a common
3626 3626
 false alarm on WiFi networks.  This option preserves
3627 3627
 the security of the replay protection code without
... ...
@@ -3629,7 +3630,7 @@ the verbosity associated with warnings about duplicate
3629 3629
 packets.
3630 3630
 .\"*********************************************************
3631 3631
 .TP
3632
-.B --replay-persist file
3632
+.B \-\-replay-persist file
3633 3633
 Persist replay-protection state across sessions using
3634 3634
 .B file
3635 3635
 to save and reload the state.
... ...
@@ -3637,7 +3638,7 @@ to save and reload the state.
3637 3637
 This option will strengthen protection against replay attacks,
3638 3638
 especially when you are using OpenVPN in a dynamic context (such
3639 3639
 as with
3640
-.B --inetd)
3640
+.B \-\-inetd)
3641 3641
 when OpenVPN sessions are frequently started and stopped. 
3642 3642
 
3643 3643
 This option will keep a disk copy of the current replay protection
... ...
@@ -3648,12 +3649,12 @@ which were already received by the prior session.
3648 3648
 
3649 3649
 This option only makes sense when replay protection is enabled
3650 3650
 (the default) and you are using either
3651
-.B --secret
3651
+.B \-\-secret
3652 3652
 (shared-secret key mode) or TLS mode with
3653
-.B --tls-auth.
3653
+.B \-\-tls-auth.
3654 3654
 .\"*********************************************************
3655 3655
 .TP
3656
-.B --no-iv
3656
+.B \-\-no-iv
3657 3657
 (Advanced) Disable OpenVPN's use of IV (cipher initialization vector).
3658 3658
 Don't use this option unless you are prepared to make
3659 3659
 a tradeoff of greater efficiency in exchange for less
... ...
@@ -3674,24 +3675,24 @@ space-saving optimization that uses the unique identifier for
3674 3674
 datagram replay protection as the IV.
3675 3675
 .\"*********************************************************
3676 3676
 .TP
3677
-.B --test-crypto
3677
+.B \-\-test-crypto
3678 3678
 Do a self-test of OpenVPN's crypto options by encrypting and
3679 3679
 decrypting test packets using the data channel encryption options
3680 3680
 specified above.  This option does not require a peer to function,
3681 3681
 and therefore can be specified without
3682
-.B --dev
3682
+.B \-\-dev
3683 3683
 or
3684
-.B --remote.
3684
+.B \-\-remote.
3685 3685
 
3686 3686
 The typical usage of
3687
-.B --test-crypto
3687
+.B \-\-test-crypto
3688 3688
 would be something like this:
3689 3689
 
3690
-.B openvpn --test-crypto --secret key
3690
+.B openvpn \-\-test-crypto \-\-secret key
3691 3691
 
3692 3692
 or
3693 3693
 
3694
-.B openvpn --test-crypto --secret key --verb 9
3694
+.B openvpn \-\-test-crypto \-\-secret key \-\-verb 9
3695 3695
 
3696 3696
 This option is very useful to test OpenVPN after it has been ported to
3697 3697
 a new platform, or to isolate problems in the compiler, OpenSSL
... ...
@@ -3715,17 +3716,17 @@ including certificate-based authentication and Diffie Hellman forward secrecy.
3715 3715
 
3716 3716
 To use TLS mode, each peer that runs OpenVPN should have its own local
3717 3717
 certificate/key pair (
3718
-.B --cert
3718
+.B \-\-cert
3719 3719
 and
3720
-.B --key
3720
+.B \-\-key
3721 3721
 ), signed by the root certificate which is specified
3722 3722
 in
3723
-.B --ca.
3723
+.B \-\-ca.
3724 3724
 
3725 3725
 When two OpenVPN peers connect, each presents its local certificate to the
3726 3726
 other.  Each peer will then check that its partner peer presented a
3727 3727
 certificate which was signed by the master root certificate as specified in
3728
-.B --ca.
3728
+.B \-\-ca.
3729 3729
 
3730 3730
 If that check on both peers succeeds, then the TLS negotiation
3731 3731
 will succeed, both OpenVPN
... ...
@@ -3742,18 +3743,18 @@ The easy-rsa package is also rendered in web form here:
3742 3742
 .I http://openvpn.net/easyrsa.html
3743 3743
 .\"*********************************************************
3744 3744
 .TP
3745
-.B --tls-server
3745
+.B \-\-tls-server
3746 3746
 Enable TLS and assume server role during TLS handshake.  Note that
3747 3747
 OpenVPN is designed as a peer-to-peer application.  The designation
3748 3748
 of client or server is only for the purpose of negotiating the TLS
3749 3749
 control channel.
3750 3750
 .\"*********************************************************
3751 3751
 .TP
3752
-.B --tls-client
3752
+.B \-\-tls-client
3753 3753
 Enable TLS and assume client role during TLS handshake.
3754 3754
 .\"*********************************************************
3755 3755
 .TP
3756
-.B --ca file
3756
+.B \-\-ca file
3757 3757
 Certificate authority (CA) file in .pem format, also referred to as the
3758 3758
 .I root
3759 3759
 certificate.  This file can have multiple
... ...
@@ -3775,10 +3776,10 @@ production environment, since by virtue of the fact that
3775 3775
 they are distributed with OpenVPN, they are totally insecure.
3776 3776
 .\"*********************************************************
3777 3777
 .TP
3778
-.B --dh file
3778
+.B \-\-dh file
3779 3779
 File containing Diffie Hellman parameters
3780 3780
 in .pem format (required for
3781
-.B --tls-server
3781
+.B \-\-tls-server
3782 3782
 only). Use
3783 3783
 
3784 3784
 .B openssl dhparam -out dh1024.pem 1024
... ...
@@ -3788,15 +3789,15 @@ included with the OpenVPN distribution.  Diffie Hellman parameters
3788 3788
 may be considered public.
3789 3789
 .\"*********************************************************
3790 3790
 .TP
3791
-.B --cert file
3792
-Local peer's signed certificate in .pem format -- must be signed
3791
+.B \-\-cert file
3792
+Local peer's signed certificate in .pem format \-\- must be signed
3793 3793
 by a certificate authority whose certificate is in
3794
-.B --ca file.
3794
+.B \-\-ca file.
3795 3795
 Each peer in an OpenVPN link running in TLS mode should have its own
3796 3796
 certificate and private key file.  In addition, each certificate should
3797 3797
 have been signed by the key of a certificate
3798 3798
 authority whose public key resides in the
3799
-.B --ca
3799
+.B \-\-ca
3800 3800
 certificate authority file.
3801 3801
 You can easily make your own certificate authority (see above) or pay money
3802 3802
 to use a commercial service such as thawte.com (in which case you will be
... ...
@@ -3821,7 +3822,7 @@ Note that the
3821 3821
 command reads the location of the certificate authority key from its
3822 3822
 configuration file such as
3823 3823
 .B /usr/share/ssl/openssl.cnf
3824
+\-\- note also
3824 3825
 that for certificate authority functions, you must set up the files
3825 3826
 .B index.txt
3826 3827
 (may be empty) and
... ...
@@ -3832,90 +3833,90 @@ that for certificate authority functions, you must set up the files
3832 3832
 ).
3833 3833
 .\"*********************************************************
3834 3834
 .TP
3835
-.B --key file
3835
+.B \-\-key file
3836 3836
 Local peer's private key in .pem format.  Use the private key which was generated
3837 3837
 when you built your peer's certificate (see
3838 3838
 .B -cert file
3839 3839
 above).
3840 3840
 .\"*********************************************************
3841 3841
 .TP
3842
-.B --pkcs12 file
3842
+.B \-\-pkcs12 file
3843 3843
 Specify a PKCS #12 file containing local private key,
3844 3844
 local certificate, and root CA certificate.
3845 3845
 This option can be used instead of
3846
-.B --ca, --cert,
3846
+.B \-\-ca, \-\-cert,
3847 3847
 and
3848
-.B --key.
3848
+.B \-\-key.
3849 3849
 .\"*********************************************************
3850 3850
 .TP
3851
-.B --pkcs11-cert-private [0|1]...
3851
+.B \-\-pkcs11-cert-private [0|1]...
3852 3852
 Set if access to certificate object should be performed after login.
3853 3853
 Every provider has its own setting.
3854 3854
 .\"*********************************************************
3855 3855
 .TP
3856
-.B --pkcs11-id name
3856
+.B \-\-pkcs11-id name
3857 3857
 Specify the serialized certificate id to be used. The id can be gotten
3858 3858
 by the standalone
3859
-.B --show-pkcs11-ids
3859
+.B \-\-show-pkcs11-ids
3860 3860
 option.
3861 3861
 .\"*********************************************************
3862 3862
 .TP
3863
-.B --pkcs11-id-management
3863
+.B \-\-pkcs11-id-management
3864 3864
 Acquire PKCS#11 id from management interface. In this case a NEED-STR 'pkcs11-id-request'
3865 3865
 real-time message will be triggered, application may use pkcs11-id-count command to
3866 3866
 retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate
3867 3867
 id and certificate body.
3868 3868
 .\"*********************************************************
3869 3869
 .TP
3870
-.B --pkcs11-pin-cache seconds
3870
+.B \-\-pkcs11-pin-cache seconds
3871 3871
 Specify how many seconds the PIN can be cached, the default is until the token is removed.
3872 3872
 .\"*********************************************************
3873 3873
 .TP
3874
-.B --pkcs11-protected-authentication [0|1]...
3874
+.B \-\-pkcs11-protected-authentication [0|1]...
3875 3875
 Use PKCS#11 protected authentication path, useful for biometric and external
3876 3876
 keypad devices.
3877 3877
 Every provider has its own setting.
3878 3878
 .\"*********************************************************
3879 3879
 .TP
3880
-.B --pkcs11-providers provider...
3880
+.B \-\-pkcs11-providers provider...
3881 3881
 Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers
3882 3882
 to load.
3883 3883
 This option can be used instead of
3884
-.B --cert, --key,
3884
+.B \-\-cert, \-\-key,
3885 3885
 and
3886
-.B --pkcs12.
3886
+.B \-\-pkcs12.
3887 3887
 .\"*********************************************************
3888 3888
 .TP
3889
-.B --pkcs11-private-mode mode...
3889
+.B \-\-pkcs11-private-mode mode...
3890 3890
 Specify which method to use in order to perform private key operations.
3891 3891
 A different mode can be specified for each provider.
3892 3892
 Mode is encoded as hex number, and can be a mask one of the following:
3893 3893
 
3894 3894
 .B 0
3895
-(default) -- Try to determind automatically.
3895
+(default) \-\- Try to determind automatically.
3896 3896
 .br
3897 3897
 .B 1
3898
+\-\- Use sign.
3898 3899
 .br
3899 3900
 .B 2
3901
+\-\- Use sign recover.
3900 3902
 .br
3901 3903
 .B 4
3904
+\-\- Use decrypt.
3902 3905
 .br
3903 3906
 .B 8
3907
+\-\- Use unwrap.
3904 3908
 .br
3905 3909
 .\"*********************************************************
3906 3910
 .TP
3907
-.B --cryptoapicert select-string
3911
+.B \-\-cryptoapicert select-string
3908 3912
 Load the certificate and private key from the
3909 3913
 Windows Certificate System Store (Windows Only).
3910 3914
 
3911 3915
 Use this option instead of
3912
-.B --cert
3916
+.B \-\-cert
3913 3917
 and
3914
-.B --key.
3918
+.B \-\-key.
3915 3919
 
3916 3920
 This makes
3917 3921
 it possible to use any smart card, supported by Windows, but also any
... ...
@@ -3941,7 +3942,7 @@ Certificate Store GUI.
3941 3941
 
3942 3942
 .\"*********************************************************
3943 3943
 .TP
3944
-.B --key-method m
3944
+.B \-\-key-method m
3945 3945
 Use data channel key negotiation method
3946 3946
 .B m.
3947 3947
 The key method must match on both sides of the connection.
... ...
@@ -3969,16 +3970,16 @@ of keying occur:
3969 3969
 of the connection producing certificates and verifying the certificate
3970 3970
 (or other authentication info provided) of
3971 3971
 the other side.  The
3972
-.B --key-method
3972
+.B \-\-key-method
3973 3973
 parameter has no effect on this process.
3974 3974
 
3975 3975
 (2) After the TLS connection is established, the tunnel session keys are
3976 3976
 separately negotiated over the existing secure TLS channel.  Here,
3977
-.B --key-method
3977
+.B \-\-key-method
3978 3978
 determines the derivation of the tunnel session keys.
3979 3979
 .\"*********************************************************
3980 3980
 .TP
3981
-.B --tls-cipher l
3981
+.B \-\-tls-cipher l
3982 3982
 A list
3983 3983
 .B l
3984 3984
 of allowable TLS ciphers delimited by a colon (":").
... ...
@@ -3988,11 +3989,11 @@ version rollback attack where a man-in-the-middle attacker tries
3988 3988
 to force two peers to negotiate to the lowest level
3989 3989
 of security they both support.
3990 3990
 Use
3991
-.B --show-tls
3991
+.B \-\-show-tls
3992 3992
 to see a list of supported TLS ciphers.
3993 3993
 .\"*********************************************************
3994 3994
 .TP
3995
-.B --tls-timeout n
3995
+.B \-\-tls-timeout n
3996 3996
 Packet retransmit timeout on TLS control channel
3997 3997
 if no acknowledgment from remote within
3998 3998
 .B n
... ...
@@ -4009,7 +4010,7 @@ the higher level network protocols running on top of the tunnel
4009 4009
 such as TCP expect this role to be left to them.
4010 4010
 .\"*********************************************************
4011 4011
 .TP
4012
-.B --reneg-bytes n
4012
+.B \-\-reneg-bytes n
4013 4013
 Renegotiate data channel key after
4014 4014
 .B n
4015 4015
 bytes sent or received (disabled by default).
... ...
@@ -4019,13 +4020,13 @@ a number of seconds.  A key renegotiation will be forced
4019 4019
 if any of these three criteria are met by either peer.
4020 4020
 .\"*********************************************************
4021 4021
 .TP
4022
-.B --reneg-pkts n
4022
+.B \-\-reneg-pkts n
4023 4023
 Renegotiate data channel key after
4024 4024
 .B n
4025 4025
 packets sent and received (disabled by default).
4026 4026
 .\"*********************************************************
4027 4027
 .TP
4028
-.B --reneg-sec n
4028
+.B \-\-reneg-sec n
4029 4029
 Renegotiate data channel key after
4030 4030
 .B n
4031 4031
 seconds (default=3600).
... ...
@@ -4036,16 +4037,16 @@ cause the end user to be challenged to reauthorize once per hour.
4036 4036
 Also, keep in mind that this option can be used on both the client and server,
4037 4037
 and whichever uses the lower value will be the one to trigger the renegotiation.
4038 4038
 A common mistake is to set
4039
-.B --reneg-sec
4039
+.B \-\-reneg-sec
4040 4040
 to a higher value on either the client or server, while the other side of the connection
4041 4041
 is still using the default value of 3600 seconds, meaning that the renegotiation will
4042
-still occur once per 3600 seconds.  The solution is to increase --reneg-sec on both the
4042
+still occur once per 3600 seconds.  The solution is to increase \-\-reneg-sec on both the
4043 4043
 client and server, or set it to 0 on one side of the connection (to disable), and to
4044 4044
 your chosen value on the other side.
4045 4045
 .\"*********************************************************
4046 4046
 .TP
4047
-.B --hand-window n
4048
-Handshake Window -- the TLS-based key exchange must finalize within
4047
+.B \-\-hand-window n
4048
+Handshake Window \-\- the TLS-based key exchange must finalize within
4049 4049
 .B n
4050 4050
 seconds
4051 4051
 of handshake initiation by any peer (default = 60 seconds).
... ...
@@ -4053,47 +4054,47 @@ If the handshake fails
4053 4053
 we will attempt to reset our connection with our peer and try again.
4054 4054
 Even in the event of handshake failure we will still use
4055 4055
 our expiring key for up to
4056
-.B --tran-window
4056
+.B \-\-tran-window
4057 4057
 seconds to maintain continuity of transmission of tunnel
4058 4058
 data.
4059 4059
 .\"*********************************************************
4060 4060
 .TP
4061
-.B --tran-window n
4062
-Transition window -- our old key can live this many seconds
4061
+.B \-\-tran-window n
4062
+Transition window \-\- our old key can live this many seconds
4063 4063
 after a new a key renegotiation begins (default = 3600 seconds).
4064 4064
 This feature allows for a graceful transition from old to new
4065 4065
 key, and removes the key renegotiation sequence from the critical
4066 4066
 path of tunnel data forwarding.
4067 4067
 .\"*********************************************************
4068 4068
 .TP
4069
-.B --single-session
4069
+.B \-\-single-session
4070 4070
 After initially connecting to a remote peer, disallow any new connections.
4071 4071
 Using this
4072 4072
 option means that a remote peer cannot connect, disconnect, and then
4073 4073
 reconnect.
4074 4074
 
4075 4075
 If the daemon is reset by a signal or
4076
-.B --ping-restart,
4076
+.B \-\-ping-restart,
4077 4077
 it will allow one new connection.
4078 4078
 
4079
-.B --single-session
4079
+.B \-\-single-session
4080 4080
 can be used with
4081
-.B --ping-exit
4081
+.B \-\-ping-exit
4082 4082
 or
4083
-.B --inactive
4083
+.B \-\-inactive
4084 4084
 to create a single dynamic session that will exit when finished.
4085 4085
 .\"*********************************************************
4086 4086
 .TP
4087
-.B --tls-exit
4087
+.B \-\-tls-exit
4088 4088
 Exit on TLS negotiation failure.
4089 4089
 .\"*********************************************************
4090 4090
 .TP
4091
-.B --tls-auth file [direction]
4091
+.B \-\-tls-auth file [direction]
4092 4092
 Add an additional layer of HMAC authentication on top of the TLS
4093 4093
 control channel to protect against DoS attacks.
4094 4094
 
4095 4095
 In a nutshell,
4096
-.B --tls-auth
4096
+.B \-\-tls-auth
4097 4097
 enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port,
4098 4098
 where TLS control channel packets
4099 4099
 bearing an incorrect HMAC signature can be dropped immediately without
... ...
@@ -4104,7 +4105,7 @@ response.
4104 4104
 
4105 4105
 .B (1)
4106 4106
 An OpenVPN static key file generated by
4107
-.B --genkey
4107
+.B \-\-genkey
4108 4108
 (required if
4109 4109
 .B direction
4110 4110
 parameter is used).
... ...
@@ -4122,19 +4123,19 @@ OpenVPN will first try format (1), and if the file fails to parse as
4122 4122
 a static key file, format (2) will be used.
4123 4123
 
4124 4124
 See the
4125
-.B --secret
4125
+.B \-\-secret
4126 4126
 option for more information on the optional
4127 4127
 .B direction
4128 4128
 parameter.
4129 4129
 
4130
-.B --tls-auth
4130
+.B \-\-tls-auth
4131 4131
 is recommended when you are running OpenVPN in a mode where
4132 4132
 it is listening for packets from any IP address, such as when
4133
-.B --remote
4133
+.B \-\-remote
4134 4134
 is not specified, or
4135
-.B --remote
4135
+.B \-\-remote
4136 4136
 is specified with
4137
-.B --float.
4137
+.B \-\-float.
4138 4138
 
4139 4139
 The rationale for
4140 4140
 this feature is as follows.  TLS requires a multi-packet exchange
... ...
@@ -4161,7 +4162,7 @@ An important rule of thumb in reducing vulnerability to DoS attacks is to
4161 4161
 minimize the amount of resources a potential, but as yet unauthenticated,
4162 4162
 client is able to consume.
4163 4163
 
4164
-.B --tls-auth
4164
+.B \-\-tls-auth
4165 4165
 does this by signing every TLS control channel packet with an HMAC signature,
4166 4166
 including packets which are sent before the TLS level has had a chance
4167 4167
 to authenticate the peer.
... ...
@@ -4169,20 +4170,20 @@ The result is that packets without
4169 4169
 the correct signature can be dropped immediately upon reception,
4170 4170
 before they have a chance to consume additional system resources
4171 4171
 such as by initiating a TLS handshake.
4172
-.B --tls-auth
4172
+.B \-\-tls-auth
4173 4173
 can be strengthened by adding the
4174
-.B --replay-persist
4174
+.B \-\-replay-persist
4175 4175
 option which will keep OpenVPN's replay protection state
4176 4176
 in a file so that it is not lost across restarts.
4177 4177
 
4178 4178
 It should be emphasized that this feature is optional and that the
4179 4179
 passphrase/key file used with
4180
-.B --tls-auth
4180
+.B \-\-tls-auth
4181 4181
 gives a peer nothing more than the power to initiate a TLS
4182 4182
 handshake.  It is not used to encrypt or authenticate any tunnel data.
4183 4183
 .\"*********************************************************
4184 4184
 .TP
4185
-.B --askpass [file]
4185
+.B \-\-askpass [file]
4186 4186
 Get certificate password from console or
4187 4187
 .B file
4188 4188
 before we daemonize.
... ...
@@ -4191,7 +4192,7 @@ For the extremely
4191 4191
 security conscious, it is possible to protect your private key with
4192 4192
 a password.  Of course this means that every time the OpenVPN
4193 4193
 daemon is started you must be there to type the password.  The
4194
-.B --askpass
4194
+.B \-\-askpass
4195 4195
 option allows you to start OpenVPN from the command line.  It will
4196 4196
 query you for a password before it daemonizes.  To protect a private
4197 4197
 key with a password you should omit the
... ...
@@ -4208,15 +4209,15 @@ Keep in mind that storing your password in a file
4208 4208
 to a certain extent invalidates the extra security provided by
4209 4209
 using an encrypted key (Note: OpenVPN
4210 4210
 will only read passwords from a file if it has been built
4211
-with the --enable-password-save configure option, or on Windows
4211
+with the \-\-enable-password-save configure option, or on Windows
4212 4212
 by defining ENABLE_PASSWORD_SAVE in config-win32.h).
4213 4213
 .\"*********************************************************
4214 4214
 .TP
4215
-.B --auth-nocache
4215
+.B \-\-auth-nocache
4216 4216
 Don't cache
4217
-.B --askpass
4217
+.B \-\-askpass
4218 4218
 or
4219
-.B --auth-user-pass
4219
+.B \-\-auth-user-pass
4220 4220
 username/passwords in virtual memory.
4221 4221
 
4222 4222
 If specified, this directive will cause OpenVPN to immediately
... ...
@@ -4226,19 +4227,19 @@ from stdin, which may be multiple times during the duration of an
4226 4226
 OpenVPN session.
4227 4227
 
4228 4228
 This directive does not affect the
4229
-.B --http-proxy
4229
+.B \-\-http-proxy
4230 4230
 username/password.  It is always cached.
4231 4231
 .\"*********************************************************
4232 4232
 .TP
4233
-.B --tls-verify cmd
4233
+.B \-\-tls-verify cmd
4234 4234
 Execute shell command
4235 4235
 .B cmd
4236 4236
 to verify the X509 name of a
4237 4237
 pending TLS connection that has otherwise passed all other
4238 4238
 tests of certification (except for revocation via
4239
-.B --crl-verify
4239
+.B \-\-crl-verify
4240 4240
 directive; the revocation test occurs after the
4241
-.B --tls-verify
4241
+.B \-\-tls-verify
4242 4242
 test).
4243 4243
 
4244 4244
 .B cmd
... ...
@@ -4271,7 +4272,7 @@ to
4271 4271
 to build a command line which will be passed to the script.
4272 4272
 .\"*********************************************************
4273 4273
 .TP
4274
-.B --tls-remote name
4274
+.B \-\-tls-remote name
4275 4275
 Accept connections only from a host with X509 name
4276 4276
 or common name equal to
4277 4277
 .B name.
... ...
@@ -4281,24 +4282,24 @@ of verification.
4281 4281
 Name can also be a common name prefix, for example if you
4282 4282
 want a client to only accept connections to "Server-1",
4283 4283
 "Server-2", etc., you can simply use
4284
-.B --tls-remote Server
4284
+.B \-\-tls-remote Server
4285 4285
 
4286 4286
 Using a common name prefix is a useful alternative to managing
4287 4287
 a CRL (Certificate Revocation List) on the client, since it allows the client
4288 4288
 to refuse all certificates except for those associated
4289 4289
 with designated servers.
4290 4290
 
4291
-.B --tls-remote
4291
+.B \-\-tls-remote
4292 4292
 is a useful replacement for the
4293
-.B --tls-verify
4293
+.B \-\-tls-verify
4294 4294
 option to verify the remote host, because
4295
-.B --tls-remote
4295
+.B \-\-tls-remote
4296 4296
 works in a
4297
-.B --chroot
4297
+.B \-\-chroot
4298 4298
 environment too.
4299 4299
 .\"*********************************************************
4300 4300
 .TP
4301
-.B --ns-cert-type client|server
4301
+.B \-\-ns-cert-type client|server
4302 4302
 Require that peer certificate was signed with an explicit
4303 4303
 .B nsCertType
4304 4304
 designation of "client" or "server".
... ...
@@ -4313,19 +4314,19 @@ field set to "server".
4313 4313
 
4314 4314
 If the server certificate's nsCertType field is set
4315 4315
 to "server", then the clients can verify this with
4316
-.B --ns-cert-type server.
4316
+.B \-\-ns-cert-type server.
4317 4317
 
4318 4318
 This is an important security precaution to protect against
4319 4319
 a man-in-the-middle attack where an authorized client
4320 4320
 attempts to connect to another client by impersonating the server.
4321 4321
 The attack is easily prevented by having clients verify
4322 4322
 the server certificate using any one of
4323
-.B --ns-cert-type, --tls-remote,
4323
+.B \-\-ns-cert-type, \-\-tls-remote,
4324 4324
 or
4325
-.B --tls-verify.
4325
+.B \-\-tls-verify.
4326 4326
 .\"*********************************************************
4327 4327
 .TP
4328
-.B --remote-cert-ku v...
4328
+.B \-\-remote-cert-ku v...
4329 4329
 Require that peer certificate was signed with an explicit
4330 4330
 .B key usage.
4331 4331
 
... ...
@@ -4336,7 +4337,7 @@ The key usage should be encoded in hex, more than one key
4336 4336
 usage can be specified.
4337 4337
 .\"*********************************************************
4338 4338
 .TP
4339
-.B --remote-cert-eku oid
4339
+.B \-\-remote-cert-eku oid
4340 4340
 Require that peer certificate was signed with an explicit
4341 4341
 .B extended key usage.
4342 4342
 
... ...
@@ -4347,7 +4348,7 @@ The extended key usage should be encoded in oid notation, or
4347 4347
 OpenSSL symbolic representation.
4348 4348
 .\"*********************************************************
4349 4349
 .TP
4350
-.B --remote-cert-tls client|server
4350
+.B \-\-remote-cert-tls client|server
4351 4351
 Require that peer certificate was signed with an explicit
4352 4352
 .B key usage
4353 4353
 and
... ...
@@ -4358,18 +4359,18 @@ This is a useful security option for clients, to ensure that
4358 4358
 the host they connect to is a designated server.
4359 4359
 
4360 4360
 The
4361
-.B --remote-cert-tls client
4361
+.B \-\-remote-cert-tls client
4362 4362
 option is equivalent to
4363 4363
 .B
4364
+\-\-remote-cert-ku 80 08 88 \-\-remote-cert-eku "TLS Web Client Authentication"
4364 4365
 
4365 4366
 The key usage is digitalSignature and/or keyAgreement.
4366 4367
 
4367 4368
 The
4368
-.B --remote-cert-tls server
4369
+.B \-\-remote-cert-tls server
4369 4370
 option is equivalent to
4370 4371
 .B
4372
+\-\-remote-cert-ku a0 88 \-\-remote-cert-eku "TLS Web Server Authentication"
4371 4373
 
4372 4374
 The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).
4373 4375
 
... ...
@@ -4378,12 +4379,12 @@ a man-in-the-middle attack where an authorized client
4378 4378
 attempts to connect to another client by impersonating the server.
4379 4379
 The attack is easily prevented by having clients verify
4380 4380
 the server certificate using any one of
4381
-.B --remote-cert-tls, --tls-remote,
4381
+.B \-\-remote-cert-tls, \-\-tls-remote,
4382 4382
 or
4383
-.B --tls-verify.
4383
+.B \-\-tls-verify.
4384 4384
 .\"*********************************************************
4385 4385
 .TP
4386
-.B --crl-verify crl
4386
+.B \-\-crl-verify crl
4387 4387
 Check peer certificate against the file
4388 4388
 .B crl
4389 4389
 in PEM format.
... ...
@@ -4403,28 +4404,28 @@ if the root certificate key itself was compromised.
4403 4403
 .SS SSL Library information:
4404 4404
 .\"*********************************************************
4405 4405
 .TP
4406
-.B --show-ciphers
4406
+.B \-\-show-ciphers
4407 4407
 (Standalone)
4408 4408
 Show all cipher algorithms to use with the
4409
-.B --cipher
4409
+.B \-\-cipher
4410 4410
 option.
4411 4411
 .\"*********************************************************
4412 4412
 .TP
4413
-.B --show-digests
4413
+.B \-\-show-digests
4414 4414
 (Standalone)
4415 4415
 Show all message digest algorithms to use with the
4416
-.B --auth
4416
+.B \-\-auth
4417 4417
 option.
4418 4418
 .\"*********************************************************
4419 4419
 .TP
4420
-.B --show-tls
4420
+.B \-\-show-tls
4421 4421
 (Standalone)
4422 4422
 Show all TLS ciphers (TLS used only as a control channel).  The TLS
4423 4423
 ciphers will be sorted from highest preference (most secure) to
4424 4424
 lowest.
4425 4425
 .\"*********************************************************
4426 4426
 .TP
4427
-.B --show-engines
4427
+.B \-\-show-engines
4428 4428
 (Standalone)
4429 4429
 Show currently available hardware-based crypto acceleration
4430 4430
 engines supported by the OpenSSL library.
... ...
@@ -4433,18 +4434,18 @@ engines supported by the OpenSSL library.
4433 4433
 Used only for non-TLS static key encryption mode.
4434 4434
 .\"*********************************************************
4435 4435
 .TP
4436
-.B --genkey
4436
+.B \-\-genkey
4437 4437
 (Standalone)
4438 4438
 Generate a random key to be used as a shared secret,
4439 4439
 for use with the
4440
-.B --secret
4440
+.B \-\-secret
4441 4441
 option.  This file must be shared with the
4442 4442
 peer over a pre-existing secure channel such as
4443 4443
 .BR scp (1)
4444 4444
 .
4445 4445
 .\"*********************************************************
4446 4446
 .TP
4447
-.B --secret file
4447
+.B \-\-secret file
4448 4448
 Write key to
4449 4449
 .B file.
4450 4450
 .\"*********************************************************
... ...
@@ -4453,7 +4454,7 @@ Available with linux 2.4.7+.  These options comprise a standalone mode
4453 4453
 of OpenVPN which can be used to create and delete persistent tunnels.
4454 4454
 .\"*********************************************************
4455 4455
 .TP
4456
-.B --mktun
4456
+.B \-\-mktun
4457 4457
 (Standalone)
4458 4458
 Create a persistent tunnel on platforms which support them such
4459 4459
 as Linux.  Normally TUN/TAP tunnels exist only for
... ...
@@ -4464,9 +4465,9 @@ only when they are deleted or the machine is rebooted.
4464 4464
 
4465 4465
 One of the advantages of persistent tunnels is that they eliminate the
4466 4466
 need for separate
4467
-.B --up
4467
+.B \-\-up
4468 4468
 and
4469
-.B --down
4469
+.B \-\-down
4470 4470
 scripts to run the appropriate
4471 4471
 .BR ifconfig (8)
4472 4472
 and
... ...
@@ -4478,40 +4479,40 @@ Another advantage is that open connections through the TUN/TAP-based tunnel
4478 4478
 will not be reset if the OpenVPN peer restarts.  This can be useful to
4479 4479
 provide uninterrupted connectivity through the tunnel in the event of a DHCP
4480 4480
 reset of the peer's public IP address (see the
4481
-.B --ipchange
4481
+.B \-\-ipchange
4482 4482
 option above).
4483 4483
 
4484 4484
 One disadvantage of persistent tunnels is that it is harder to automatically
4485 4485
 configure their MTU value (see
4486
-.B --link-mtu
4486
+.B \-\-link-mtu
4487 4487
 and
4488
-.B --tun-mtu
4488
+.B \-\-tun-mtu
4489 4489
 above).
4490 4490
 
4491 4491
 On some platforms such as Windows, TAP-Win32 tunnels are persistent by
4492 4492
 default.
4493 4493
 .\"*********************************************************
4494 4494
 .TP
4495
-.B --rmtun
4495
+.B \-\-rmtun
4496 4496
 (Standalone)
4497 4497
 Remove a persistent tunnel.
4498 4498
 .\"*********************************************************
4499 4499
 .TP
4500
-.B --dev tunX | tapX
4500
+.B \-\-dev tunX | tapX
4501 4501
 TUN/TAP device
4502 4502
 .\"*********************************************************
4503 4503
 .TP
4504
-.B --user user
4504
+.B \-\-user user
4505 4505
 Optional user to be owner of this tunnel.
4506 4506
 .\"*********************************************************
4507 4507
 .TP
4508
-.B --group group
4508
+.B \-\-group group
4509 4509
 Optional group to be owner of this tunnel.
4510 4510
 .\"*********************************************************
4511 4511
 .SS Windows-Specific Options:
4512 4512
 .\"*********************************************************
4513 4513
 .TP
4514
-.B --win-sys path|'env'
4514
+.B \-\-win-sys path|'env'
4515 4515
 Set the Windows system directory pathname to use when looking for system
4516 4516
 executables such as
4517 4517
 .B route.exe
... ...
@@ -4527,23 +4528,23 @@ indicates that the pathname should be read from the
4527 4527
 environmental variable.
4528 4528
 .\"*********************************************************
4529 4529
 .TP
4530
-.B --ip-win32 method
4530
+.B \-\-ip-win32 method
4531 4531
 When using
4532
-.B --ifconfig
4532
+.B \-\-ifconfig
4533 4533
 on Windows, set the TAP-Win32 adapter
4534 4534
 IP address and netmask using
4535 4535
 .B method.
4536 4536
 Don't use this option unless you are also using
4537
-.B --ifconfig.
4537
+.B \-\-ifconfig.
4538 4538
 
4539
-.B manual --
4539
+.B manual \-\-
4540 4540
 Don't set the IP address or netmask automatically.
4541 4541
 Instead output a message
4542 4542
 to the console telling the user to configure the
4543 4543
 adapter manually and indicating the IP/netmask which
4544 4544
 OpenVPN expects the adapter to be set to.
4545 4545
 
4546
-.B dynamic [offset] [lease-time] --
4546
+.B dynamic [offset] [lease-time] \-\-
4547 4547
 Automatically set the IP address and netmask by replying to
4548 4548
 DHCP query messages generated by the kernel.  This mode is
4549 4549
 probably the "cleanest" solution
... ...
@@ -4553,13 +4554,13 @@ this mode: (1) The TCP/IP properties for the TAP-Win32
4553 4553
 adapter must be set to "Obtain an IP address automatically," and
4554 4554
 (2) OpenVPN needs to claim an IP address in the subnet for use
4555 4555
 as the virtual DHCP server address.  By default in
4556
-.B --dev tap
4556
+.B \-\-dev tap
4557 4557
 mode, OpenVPN will
4558 4558
 take the normally unused first address in the subnet.  For example,
4559 4559
 if your subnet is 192.168.4.0 netmask 255.255.255.0, then
4560 4560
 OpenVPN will take the IP address 192.168.4.0 to use as the
4561 4561
 virtual DHCP server address.  In
4562
-.B --dev tun
4562
+.B \-\-dev tun
4563 4563
 mode, OpenVPN will cause the DHCP server to masquerade as if it were
4564 4564
 coming from the remote endpoint.  The optional offset parameter is
4565 4565
 an integer which is > -256 and < 256 and which defaults to 0.
... ...
@@ -4581,13 +4582,13 @@ because it prevents routes involving the TAP-Win32 adapter from
4581 4581
 being lost when the system goes to sleep.  The default
4582 4582
 lease time is one year.
4583 4583
 
4584
-.B netsh --
4584
+.B netsh \-\-
4585 4585
 Automatically set the IP address and netmask using
4586 4586
 the Windows command-line "netsh"
4587 4587
 command.  This method appears to work correctly on
4588 4588
 Windows XP but not Windows 2000.
4589 4589
 
4590
-.B ipapi --
4590
+.B ipapi \-\-
4591 4591
 Automatically set the IP address and netmask using the
4592 4592
 Windows IP Helper API.  This approach
4593 4593
 does not have ideal semantics, though testing has indicated
... ...
@@ -4596,7 +4597,7 @@ it is best to leave the TCP/IP properties for the TAP-Win32
4596 4596
 adapter in their default state, i.e. "Obtain an IP address
4597 4597
 automatically."
4598 4598
 
4599
-.B adaptive --
4599
+.B adaptive \-\-
4600 4600
 (Default) Try
4601 4601
 .B dynamic
4602 4602
 method initially and fail over to
... ...
@@ -4626,55 +4627,55 @@ mode to restore the TAP-Win32 adapter TCP/IP properties
4626 4626
 to a DHCP configuration.
4627 4627
 .\"*********************************************************
4628 4628
 .TP
4629
-.B --route-method m
4629
+.B \-\-route-method m
4630 4630
 Which method
4631 4631
 .B m
4632 4632
 to use for adding routes on Windows?
4633 4633
 
4634 4634
 .B adaptive
4635
-(default) -- Try IP helper API first.  If that fails, fall
4635
+(default) \-\- Try IP helper API first.  If that fails, fall
4636 4636
 back to the route.exe shell command.
4637 4637
 .br
4638 4638
 .B ipapi
4639
+\-\- Use IP helper API.
4639 4640
 .br
4640 4641
 .B exe
4642
+\-\- Call the route.exe shell command.
4641 4643
 .\"*********************************************************
4642 4644
 .TP
4643
-.B --dhcp-option type [parm]
4645
+.B \-\-dhcp-option type [parm]
4644 4646
 Set extended TAP-Win32 TCP/IP properties, must
4645 4647
 be used with
4646
-.B --ip-win32 dynamic
4648
+.B \-\-ip-win32 dynamic
4647 4649
 or
4648
-.B --ip-win32 adaptive.
4650
+.B \-\-ip-win32 adaptive.
4649 4651
 This option can be used to set additional TCP/IP properties
4650 4652
 on the TAP-Win32 adapter, and is particularly useful for
4651 4653
 configuring an OpenVPN client to access a Samba server
4652 4654
 across the VPN.
4653 4655
 
4654
-.B DOMAIN name --
4656
+.B DOMAIN name \-\-
4655 4657
 Set Connection-specific DNS Suffix.
4656 4658
 
4657
-.B DNS addr --
4659
+.B DNS addr \-\-
4658 4660
 Set primary domain name server address.  Repeat
4659 4661
 this option to set secondary DNS server addresses.
4660 4662
 
4661
-.B WINS addr --
4663
+.B WINS addr \-\-
4662 4664
 Set primary WINS server address (NetBIOS over TCP/IP Name Server).
4663 4665
 Repeat this option to set secondary WINS server addresses.
4664 4666
 
4665
-.B NBDD addr --
4667
+.B NBDD addr \-\-
4666 4668
 Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server)
4667 4669
 Repeat this option
4668 4670
 to set secondary NBDD server addresses.
4669 4671
 
4670
-.B NTP addr --
4672
+.B NTP addr \-\-
4671 4673
 Set primary NTP server address (Network Time Protocol).
4672 4674
 Repeat this option
4673 4675
 to set secondary NTP server addresses.
4674 4676
 
4675
-.B NBT type --
4677
+.B NBT type \-\-
4676 4678
 Set NetBIOS over TCP/IP Node type.  Possible options:
4677 4679
 .B 1
4678 4680
 = b-node (broadcasts),
... ...
@@ -4687,7 +4688,7 @@ then query name server), and
4687 4687
 .B 8
4688 4688
 = h-node (query name server, then broadcast).
4689 4689
 
4690
-.B NBS scope-id --
4690
+.B NBS scope-id \-\-
4691 4691
 Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended
4692 4692
 naming service for the NetBIOS over TCP/IP (Known as NBT) module. The
4693 4693
 primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on
... ...
@@ -4699,19 +4700,19 @@ computers to use the same computer name, as they have different
4699 4699
 scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
4700 4700
 (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)
4701 4701
 
4702
-.B DISABLE-NBT --
4702
+.B DISABLE-NBT \-\-
4703 4703
 Disable Netbios-over-TCP/IP.
4704 4704
 
4705 4705
 Note that if
4706
-.B --dhcp-option
4706
+.B \-\-dhcp-option
4707 4707
 is pushed via
4708
-.B --push
4708
+.B \-\-push
4709 4709
 to a non-windows client, the option will be saved in the client's
4710 4710
 environment before the up script is called, under
4711 4711
 the name "foreign_option_{n}".
4712 4712
 .\"*********************************************************
4713 4713
 .TP
4714
-.B --tap-sleep n
4714
+.B \-\-tap-sleep n
4715 4715
 Cause OpenVPN to sleep for
4716 4716
 .B n
4717 4717
 seconds immediately after the TAP-Win32 adapter state
... ...
@@ -4719,21 +4720,21 @@ is set to "connected".
4719 4719
 
4720 4720
 This option is intended to be used to troubleshoot problems
4721 4721
 with the
4722
-.B --ifconfig
4722
+.B \-\-ifconfig
4723 4723
 and
4724
-.B --ip-win32
4724
+.B \-\-ip-win32
4725 4725
 options, and is used to give
4726 4726
 the TAP-Win32 adapter time to come up before
4727 4727
 Windows IP Helper API operations are applied to it.
4728 4728
 .\"*********************************************************
4729 4729
 .TP
4730
-.B --show-net-up
4730
+.B \-\-show-net-up
4731 4731
 Output OpenVPN's view of the system routing table and network
4732 4732
 adapter list to the syslog or log file after the TUN/TAP adapter
4733 4733
 has been brought up and any routes have been added.
4734 4734
 .\"*********************************************************
4735 4735
 .TP
4736
-.B --dhcp-renew
4736
+.B \-\-dhcp-renew
4737 4737
 Ask Windows to renew the TAP adapter lease on startup.
4738 4738
 This option is normally unnecessary, as Windows automatically
4739 4739
 triggers a DHCP renegotiation on the TAP adapter when it
... ...
@@ -4742,27 +4743,27 @@ Media Status property to "Always Connected", you may need this
4742 4742
 flag.
4743 4743
 .\"*********************************************************
4744 4744
 .TP
4745
-.B --dhcp-release
4745
+.B \-\-dhcp-release
4746 4746
 Ask Windows to release the TAP adapter lease on shutdown.
4747 4747
 This option has the same caveats as
4748
-.B --dhcp-renew
4748
+.B \-\-dhcp-renew
4749 4749
 above.
4750 4750
 .\"*********************************************************
4751 4751
 .TP
4752
-.B --register-dns
4752
+.B \-\-register-dns
4753 4753
 Run ipconfig /flushdns and ipconfig /registerdns on
4754 4754
 connection initiation.  This is known to kick Windows into
4755 4755
 recognizing pushed DNS servers.
4756 4756
 .\"*********************************************************
4757 4757
 .TP
4758
-.B --pause-exit
4758
+.B \-\-pause-exit
4759 4759
 Put up a "press any key to continue" message on the console prior
4760 4760
 to OpenVPN program exit.  This option is automatically used by the
4761 4761
 Windows explorer when OpenVPN is run on a configuration
4762 4762
 file using the right-click explorer menu.
4763 4763
 .\"*********************************************************
4764 4764
 .TP
4765
-.B --service exit-event [0|1]
4765
+.B \-\-service exit-event [0|1]
4766 4766
 Should be used when OpenVPN is being automatically executed by another
4767 4767
 program in such
4768 4768
 a context that no interaction with the user via display or keyboard
... ...
@@ -4785,26 +4786,26 @@ parameter.  In any case, the controlling process can signal
4785 4785
 causing all such OpenVPN processes to exit.
4786 4786
 
4787 4787
 When executing an OpenVPN process using the
4788
-.B --service
4788
+.B \-\-service
4789 4789
 directive, OpenVPN will probably not have a console
4790 4790
 window to output status/error
4791 4791
 messages, therefore it is useful to use
4792
-.B --log
4792
+.B \-\-log
4793 4793
 or
4794
-.B --log-append
4794
+.B \-\-log-append
4795 4795
 to write these messages to a file.
4796 4796
 .\"*********************************************************
4797 4797
 .TP
4798
-.B --show-adapters
4798
+.B \-\-show-adapters
4799 4799
 (Standalone)
4800 4800
 Show available TAP-Win32 adapters which can be selected using the
4801
-.B --dev-node
4801
+.B \-\-dev-node
4802 4802
 option.  On non-Windows systems, the
4803 4803
 .BR ifconfig (8)
4804 4804
 command provides similar functionality.
4805 4805
 .\"*********************************************************
4806 4806
 .TP
4807
-.B --allow-nonadmin [TAP-adapter]
4807
+.B \-\-allow-nonadmin [TAP-adapter]
4808 4808
 (Standalone)
4809 4809
 Set
4810 4810
 .B TAP-adapter
... ...
@@ -4819,10 +4820,10 @@ and reloaded.
4819 4819
 This directive can only be used by an administrator.
4820 4820
 .\"*********************************************************
4821 4821
 .TP
4822
-.B --show-valid-subnets
4822
+.B \-\-show-valid-subnets
4823 4823
 (Standalone)
4824 4824
 Show valid subnets for
4825
-.B --dev tun
4825
+.B \-\-dev tun
4826 4826
 emulation.  Since the TAP-Win32 driver
4827 4827
 exports an ethernet interface to Windows, and since TUN devices are
4828 4828
 point-to-point in nature, it is necessary for the TAP-Win32 driver
... ...
@@ -4832,7 +4833,7 @@ Namely, the point-to-point endpoints used in TUN device emulation
4832 4832
 must be the middle two addresses of a /30 subnet (netmask 255.255.255.252).
4833 4833
 .\"*********************************************************
4834 4834
 .TP
4835
-.B --show-net
4835
+.B \-\-show-net
4836 4836
 (Standalone)
4837 4837
 Show OpenVPN's view of the system routing table and network
4838 4838
 adapter list.
... ...
@@ -4840,12 +4841,12 @@ adapter list.
4840 4840
 .SS PKCS#11 Standalone Options:
4841 4841
 .\"*********************************************************
4842 4842
 .TP
4843
-.B --show-pkcs11-ids provider [cert_private]
4843
+.B \-\-show-pkcs11-ids provider [cert_private]
4844 4844
 (Standalone)
4845 4845
 Show PKCS#11 token object list. Specify cert_private as 1
4846 4846
 if certificates are stored as private objects.
4847 4847
 
4848
-.B --verb
4848
+.B \-\-verb
4849 4849
 option can be used BEFORE this option to produce debugging information.
4850 4850
 .\"*********************************************************
4851 4851
 .SH SCRIPTING AND ENVIRONMENTAL VARIABLES
... ...
@@ -4855,52 +4856,52 @@ of environmental variables for use by user-defined scripts.
4855 4855
 .SS Script Order of Execution
4856 4856
 .\"*********************************************************
4857 4857
 .TP
4858
-.B --up
4858
+.B \-\-up
4859 4859
 Executed after TCP/UDP socket bind and TUN/TAP open.
4860 4860
 .\"*********************************************************
4861 4861
 .TP
4862
-.B --tls-verify
4862
+.B \-\-tls-verify
4863 4863
 Executed when we have a still untrusted remote peer.
4864 4864
 .\"*********************************************************
4865 4865
 .TP
4866
-.B --ipchange
4866
+.B \-\-ipchange
4867 4867
 Executed after connection authentication, or remote IP address change.
4868 4868
 .\"*********************************************************
4869 4869
 .TP
4870
-.B --client-connect
4870
+.B \-\-client-connect
4871 4871
 Executed in
4872
-.B --mode server
4872
+.B \-\-mode server
4873 4873
 mode immediately after client authentication.
4874 4874
 .\"*********************************************************
4875 4875
 .TP
4876
-.B --route-up
4876
+.B \-\-route-up
4877 4877
 Executed after connection authentication, either
4878 4878
 immediately after, or some number of seconds after
4879 4879
 as defined by the
4880
-.B --route-delay
4880
+.B \-\-route-delay
4881 4881
 option.
4882 4882
 .\"*********************************************************
4883 4883
 .TP
4884
-.B --client-disconnect
4884
+.B \-\-client-disconnect
4885 4885
 Executed in
4886
-.B --mode server
4886
+.B \-\-mode server
4887 4887
 mode on client instance shutdown.
4888 4888
 .\"*********************************************************
4889 4889
 .TP
4890
-.B --down
4890
+.B \-\-down
4891 4891
 Executed after TCP/UDP and TUN/TAP close.
4892 4892
 .\"*********************************************************
4893 4893
 .TP
4894
-.B --learn-address
4894
+.B \-\-learn-address
4895 4895
 Executed in
4896
-.B --mode server
4896
+.B \-\-mode server
4897 4897
 mode whenever an IPv4 address/route or MAC address is added to OpenVPN's
4898 4898
 internal routing table.
4899 4899
 .\"*********************************************************
4900 4900
 .TP
4901
-.B --auth-user-pass-verify
4901
+.B \-\-auth-user-pass-verify
4902 4902
 Executed in
4903
-.B --mode server
4903
+.B \-\-mode server
4904 4904
 mode on new client connections, when the client is
4905 4905
 still untrusted.
4906 4906
 .\"*********************************************************
... ...
@@ -4924,7 +4925,7 @@ Can string remapping be disabled?
4924 4924
 
4925 4925
 .B A:
4926 4926
 Yes, by using the
4927
-.B --no-name-remapping
4927
+.B \-\-no-name-remapping
4928 4928
 option, however this should be considered an advanced option.
4929 4929
 
4930 4930
 Here is a brief rundown of OpenVPN's current string types and the 
... ...
@@ -4940,17 +4941,17 @@ true.
4940 4940
 Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at                
4941 4941
 ('@').
4942 4942
 
4943
-.B --auth-user-pass username:
4943
+.B \-\-auth-user-pass username:
4944 4944
 Same as Common Name, with one exception: starting with OpenVPN 2.0.1,
4945 4945
 the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form,
4946 4946
 without string remapping.
4947 4947
 
4948
-.B --auth-user-pass password:
4948
+.B \-\-auth-user-pass password:
4949 4949
 Any "printable" character except CR or LF.  
4950 4950
 Printable is defined to be a character which will cause the C library 
4951 4951
 isprint() function to return true.
4952 4952
 
4953
-.B --client-config-dir filename as derived from common name or username:
4953
+.B \-\-client-config-dir filename as derived from common name or username:
4954 4954
 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or 
4955 4955
 ".." as standalone strings.  As of 2.0.1-rc6, the at ('@') character has
4956 4956
 been added as well for compatibility with the common name character class.
... ...
@@ -4980,45 +4981,45 @@ which refer to different client instances.
4980 4980
 .B bytes_received
4981 4981
 Total number of bytes received from client during VPN session.
4982 4982
 Set prior to execution of the
4983
-.B --client-disconnect
4983
+.B \-\-client-disconnect
4984 4984
 script.
4985 4985
 .\"*********************************************************
4986 4986
 .TP
4987 4987
 .B bytes_sent
4988 4988
 Total number of bytes sent to client during VPN session.
4989 4989
 Set prior to execution of the
4990
-.B --client-disconnect
4990
+.B \-\-client-disconnect
4991 4991
 script.
4992 4992
 .\"*********************************************************
4993 4993
 .TP
4994 4994
 .B common_name
4995 4995
 The X509 common name of an authenticated client.
4996 4996
 Set prior to execution of
4997
-.B --client-connect, --client-disconnect,
4997
+.B \-\-client-connect, \-\-client-disconnect,
4998 4998
 and
4999
-.B --auth-user-pass-verify
4999
+.B \-\-auth-user-pass-verify
5000 5000
 scripts.
5001 5001
 .\"*********************************************************
5002 5002
 .TP
5003 5003
 .B config
5004 5004
 Name of first
5005
-.B --config
5005
+.B \-\-config
5006 5006
 file.
5007 5007
 Set on program initiation and reset on SIGHUP.
5008 5008
 .\"*********************************************************
5009 5009
 .TP
5010 5010
 .B daemon
5011 5011
 Set to "1" if the
5012
-.B --daemon
5012
+.B \-\-daemon
5013 5013
 directive is specified, or "0" otherwise.
5014 5014
 Set on program initiation and reset on SIGHUP.
5015 5015
 .\"*********************************************************
5016 5016
 .TP
5017 5017
 .B daemon_log_redirect
5018 5018
 Set to "1" if the
5019
-.B --log
5019
+.B \-\-log
5020 5020
 or
5021
-.B --log-append
5021
+.B \-\-log-append
5022 5022
 directives are specified, or "0" otherwise.
5023 5023
 Set on program initiation and reset on SIGHUP.
5024 5024
 .\"*********************************************************
... ...
@@ -5027,30 +5028,30 @@ Set on program initiation and reset on SIGHUP.
5027 5027
 The actual name of the TUN/TAP device, including
5028 5028
 a unit number if it exists.
5029 5029
 Set prior to
5030
-.B --up
5030
+.B \-\-up
5031 5031
 or
5032
-.B --down
5032
+.B \-\-down
5033 5033
 script execution.
5034 5034
 .\"*********************************************************
5035 5035
 .TP
5036 5036
 .B foreign_option_{n}
5037 5037
 An option pushed via
5038
-.B --push
5038
+.B \-\-push
5039 5039
 to a client which does not natively support it,
5040 5040
 such as
5041
-.B --dhcp-option
5041
+.B \-\-dhcp-option
5042 5042
 on a non-Windows system, will be recorded to this
5043 5043
 environmental variable sequence prior to
5044
-.B --up
5044
+.B \-\-up
5045 5045
 script execution.
5046 5046
 .\"*********************************************************
5047 5047
 .TP
5048 5048
 .B ifconfig_broadcast
5049 5049
 The broadcast address for the virtual
5050 5050
 ethernet segment which is derived from the
5051
-.B --ifconfig
5051
+.B \-\-ifconfig
5052 5052
 option when
5053
-.B --dev tap
5053
+.B \-\-dev tap
5054 5054
 is used.
5055 5055
 Set prior to OpenVPN calling the
5056 5056
 .I ifconfig
... ...
@@ -5058,13 +5059,13 @@ or
5058 5058
 .I netsh
5059 5059
 (windows version of ifconfig) commands which
5060 5060
 normally occurs prior to
5061
-.B --up
5061
+.B \-\-up
5062 5062
 script execution.
5063 5063
 .\"*********************************************************
5064 5064
 .TP
5065 5065
 .B ifconfig_local
5066 5066
 The local VPN endpoint IP address specified in the
5067
-.B --ifconfig
5067
+.B \-\-ifconfig
5068 5068
 option (first parameter).
5069 5069
 Set prior to OpenVPN calling the
5070 5070
 .I ifconfig
... ...
@@ -5072,15 +5073,15 @@ or
5072 5072
 .I netsh
5073 5073
 (windows version of ifconfig) commands which
5074 5074
 normally occurs prior to
5075
-.B --up
5075
+.B \-\-up
5076 5076
 script execution.
5077 5077
 .\"*********************************************************
5078 5078
 .TP
5079 5079
 .B ifconfig_remote
5080 5080
 The remote VPN endpoint IP address specified in the
5081
-.B --ifconfig
5081
+.B \-\-ifconfig
5082 5082
 option (second parameter) when
5083
-.B --dev tun
5083
+.B \-\-dev tun
5084 5084
 is used.
5085 5085
 Set prior to OpenVPN calling the
5086 5086
 .I ifconfig
... ...
@@ -5088,16 +5089,16 @@ or
5088 5088
 .I netsh
5089 5089
 (windows version of ifconfig) commands which
5090 5090
 normally occurs prior to
5091
-.B --up
5091
+.B \-\-up
5092 5092
 script execution.
5093 5093
 .\"*********************************************************
5094 5094
 .TP
5095 5095
 .B ifconfig_netmask
5096 5096
 The subnet mask of the virtual ethernet segment
5097 5097
 that is specified as the second parameter to
5098
-.B --ifconfig
5098
+.B \-\-ifconfig
5099 5099
 when
5100
-.B --dev tap
5100
+.B \-\-dev tap
5101 5101
 is being used.
5102 5102
 Set prior to OpenVPN calling the
5103 5103
 .I ifconfig
... ...
@@ -5105,61 +5106,61 @@ or
5105 5105
 .I netsh
5106 5106
 (windows version of ifconfig) commands which
5107 5107
 normally occurs prior to
5108
-.B --up
5108
+.B \-\-up
5109 5109
 script execution.
5110 5110
 .\"*********************************************************
5111 5111
 .TP
5112 5112
 .B ifconfig_pool_local_ip
5113 5113
 The local
5114 5114
 virtual IP address for the TUN/TAP tunnel taken from an
5115
-.B --ifconfig-push
5115
+.B \-\-ifconfig-push
5116 5116
 directive if specified, or otherwise from
5117 5117
 the ifconfig pool (controlled by the
5118
-.B --ifconfig-pool
5118
+.B \-\-ifconfig-pool
5119 5119
 config file directive).
5120 5120
 Only set for
5121
-.B --dev tun
5121
+.B \-\-dev tun
5122 5122
 tunnels.
5123 5123
 This option is set on the server prior to execution
5124 5124
 of the
5125
-.B --client-connect
5125
+.B \-\-client-connect
5126 5126
 and
5127
-.B --client-disconnect
5127
+.B \-\-client-disconnect
5128 5128
 scripts.
5129 5129
 .\"*********************************************************
5130 5130
 .TP
5131 5131
 .B ifconfig_pool_netmask
5132 5132
 The
5133 5133
 virtual IP netmask for the TUN/TAP tunnel taken from an
5134
-.B --ifconfig-push
5134
+.B \-\-ifconfig-push
5135 5135
 directive if specified, or otherwise from
5136 5136
 the ifconfig pool (controlled by the
5137
-.B --ifconfig-pool
5137
+.B \-\-ifconfig-pool
5138 5138
 config file directive).
5139 5139
 Only set for
5140
-.B --dev tap
5140
+.B \-\-dev tap
5141 5141
 tunnels.
5142 5142
 This option is set on the server prior to execution
5143 5143
 of the
5144
-.B --client-connect
5144
+.B \-\-client-connect
5145 5145
 and
5146
-.B --client-disconnect
5146
+.B \-\-client-disconnect
5147 5147
 scripts.
5148 5148
 .\"*********************************************************
5149 5149
 .TP
5150 5150
 .B ifconfig_pool_remote_ip
5151 5151
 The remote
5152 5152
 virtual IP address for the TUN/TAP tunnel taken from an
5153
-.B --ifconfig-push
5153
+.B \-\-ifconfig-push
5154 5154
 directive if specified, or otherwise from
5155 5155
 the ifconfig pool (controlled by the
5156
-.B --ifconfig-pool
5156
+.B \-\-ifconfig-pool
5157 5157
 config file directive).
5158 5158
 This option is set on the server prior to execution
5159 5159
 of the
5160
-.B --client-connect
5160
+.B \-\-client-connect
5161 5161
 and
5162
-.B --client-disconnect
5162
+.B \-\-client-disconnect
5163 5163
 scripts.
5164 5164
 .\"*********************************************************
5165 5165
 .TP
... ...
@@ -5167,31 +5168,31 @@ scripts.
5167 5167
 The maximum packet size (not including the IP header)
5168 5168
 of tunnel data in UDP tunnel transport mode.
5169 5169
 Set prior to
5170
-.B --up
5170
+.B \-\-up
5171 5171
 or
5172
-.B --down
5172
+.B \-\-down
5173 5173
 script execution.
5174 5174
 .\"*********************************************************
5175 5175
 .TP
5176 5176
 .B local
5177 5177
 The
5178
-.B --local
5178
+.B \-\-local
5179 5179
 parameter.
5180 5180
 Set on program initiation and reset on SIGHUP.
5181 5181
 .\"*********************************************************
5182 5182
 .TP
5183 5183
 .B local_port
5184 5184
 The local port number, specified by
5185
-.B --port
5185
+.B \-\-port
5186 5186
 or
5187
-.B --lport.
5187
+.B \-\-lport.
5188 5188
 Set on program initiation and reset on SIGHUP.
5189 5189
 .\"*********************************************************
5190 5190
 .TP
5191 5191
 .B password
5192 5192
 The password provided by a connecting client.
5193 5193
 Set prior to
5194
-.B --auth-user-pass-verify
5194
+.B \-\-auth-user-pass-verify
5195 5195
 script execution only when the
5196 5196
 .B via-env
5197 5197
 modifier is specified, and deleted from the environment
... ...
@@ -5200,23 +5201,23 @@ after the script returns.
5200 5200
 .TP
5201 5201
 .B proto
5202 5202
 The
5203
-.B --proto
5203
+.B \-\-proto
5204 5204
 parameter.
5205 5205
 Set on program initiation and reset on SIGHUP.
5206 5206
 .\"*********************************************************
5207 5207
 .TP
5208 5208
 .B remote_{n}
5209 5209
 The
5210
-.B --remote
5210
+.B \-\-remote
5211 5211
 parameter.
5212 5212
 Set on program initiation and reset on SIGHUP.
5213 5213
 .\"*********************************************************
5214 5214
 .TP
5215 5215
 .B remote_port_{n}
5216 5216
 The remote port number, specified by
5217
-.B --port
5217
+.B \-\-port
5218 5218
 or
5219
-.B --rport.
5219
+.B \-\-rport.
5220 5220
 Set on program initiation and reset on SIGHUP.
5221 5221
 .\"*********************************************************
5222 5222
 .TP
... ...
@@ -5224,29 +5225,29 @@ Set on program initiation and reset on SIGHUP.
5224 5224
 The pre-existing default IP gateway in the system routing
5225 5225
 table.
5226 5226
 Set prior to
5227
-.B --up
5227
+.B \-\-up
5228 5228
 script execution.
5229 5229
 .\"*********************************************************
5230 5230
 .TP
5231 5231
 .B route_vpn_gateway
5232 5232
 The default gateway used by
5233
-.B --route
5233
+.B \-\-route
5234 5234
 options, as specified in either the
5235
-.B --route-gateway
5235
+.B \-\-route-gateway
5236 5236
 option or the second parameter to
5237
-.B --ifconfig
5237
+.B \-\-ifconfig
5238 5238
 when
5239
-.B --dev tun
5239
+.B \-\-dev tun
5240 5240
 is specified.
5241 5241
 Set prior to
5242
-.B --up
5242
+.B \-\-up
5243 5243
 script execution.
5244 5244
 .\"*********************************************************
5245 5245
 .TP
5246 5246
 .B route_{parm}_{n}
5247 5247
 A set of variables which define each route to be added, and
5248 5248
 are set prior to
5249
-.B --up
5249
+.B \-\-up
5250 5250
 script execution.
5251 5251
 
5252 5252
 .B parm
... ...
@@ -5265,7 +5266,7 @@ or configuration file.
5265 5265
 Set to "init" or "restart" prior to up/down script execution.
5266 5266
 For more information, see
5267 5267
 documentation for
5268
-.B --up.
5268
+.B \-\-up.
5269 5269
 .\"*********************************************************
5270 5270
 .TP
5271 5271
 .B script_type
... ...
@@ -5281,15 +5282,15 @@ Set prior to execution of any script.
5281 5281
 The reason for exit or restart.  Can be one of
5282 5282
 .B sigusr1, sighup, sigterm, sigint, inactive
5283 5283
 (controlled by
5284
-.B --inactive
5284
+.B \-\-inactive
5285 5285
 option),
5286 5286
 .B ping-exit
5287 5287
 (controlled by
5288
-.B --ping-exit
5288
+.B \-\-ping-exit
5289 5289
 option),
5290 5290
 .B ping-restart
5291 5291
 (controlled by
5292
-.B --ping-restart
5292
+.B \-\-ping-restart
5293 5293
 option),
5294 5294
 .B connection-reset
5295 5295
 (triggered on TCP connection reset),
... ...
@@ -5303,7 +5304,7 @@ or
5303 5303
 Client connection timestamp, formatted as a human-readable
5304 5304
 time string.
5305 5305
 Set prior to execution of the
5306
-.B --client-connect
5306
+.B \-\-client-connect
5307 5307
 script.
5308 5308
 .\"*********************************************************
5309 5309
 .TP
... ...
@@ -5311,7 +5312,7 @@ script.
5311 5311
 The duration (in seconds) of the client session which is now
5312 5312
 disconnecting.
5313 5313
 Set prior to execution of the
5314
-.B --client-disconnect
5314
+.B \-\-client-disconnect
5315 5315
 script.
5316 5316
 .\"*********************************************************
5317 5317
 .TP
... ...
@@ -5319,7 +5320,7 @@ script.
5319 5319
 Client connection timestamp, formatted as a unix integer
5320 5320
 date/time value.
5321 5321
 Set prior to execution of the
5322
-.B --client-connect
5322
+.B \-\-client-connect
5323 5323
 script.
5324 5324
 .\"*********************************************************
5325 5325
 .TP
... ...
@@ -5329,7 +5330,7 @@ where
5329 5329
 .B n
5330 5330
 is the verification level.  Only set for TLS connections.  Set prior
5331 5331
 to execution of
5332
-.B --tls-verify
5332
+.B \-\-tls-verify
5333 5333
 script.
5334 5334
 .\"*********************************************************
5335 5335
 .TP
... ...
@@ -5340,33 +5341,38 @@ where
5340 5340
 is the verification level.  Only set for TLS connections.  Set prior
5341 5341
 to execution of
5342 5342
 .B --tls-verify
5343
-script.
5343
+script. This is in the form of a hex string like "37AB46E0", which is
5344
+suitable for doing serial-based OCSP queries (with OpenSSL, you have
5345
+to prepend "0x" to the string). If something goes wrong while reading
5346
+the value from the certificate it will be an empty string, so your
5347
+code should check that.
5348
+See the contrib/OCSP_check/OCSP_check.sh script for an example.
5344 5349
 .\"*********************************************************
5345 5350
 .TP
5346 5351
 .B tun_mtu
5347 5352
 The MTU of the TUN/TAP device.
5348 5353
 Set prior to
5349
-.B --up
5354
+.B \-\-up
5350 5355
 or
5351
-.B --down
5356
+.B \-\-down
5352 5357
 script execution.
5353 5358
 .\"*********************************************************
5354 5359
 .TP
5355 5360
 .B trusted_ip
5356 5361
 Actual IP address of connecting client or peer which has been authenticated.
5357 5362
 Set prior to execution of
5358
-.B --ipchange, --client-connect,
5363
+.B \-\-ipchange, \-\-client-connect,
5359 5364
 and
5360
-.B --client-disconnect
5365
+.B \-\-client-disconnect
5361 5366
 scripts.
5362 5367
 .\"*********************************************************
5363 5368
 .TP
5364 5369
 .B trusted_port
5365 5370
 Actual port number of connecting client or peer which has been authenticated.
5366 5371
 Set prior to execution of
5367
-.B --ipchange, --client-connect,
5372
+.B \-\-ipchange, \-\-client-connect,
5368 5373
 and
5369
-.B --client-disconnect
5374
+.B \-\-client-disconnect
5370 5375
 scripts.
5371 5376
 .\"*********************************************************
5372 5377
 .TP
... ...
@@ -5375,12 +5381,12 @@ Actual IP address of connecting client or peer which has not been authenticated
5375 5375
 yet.  Sometimes used to
5376 5376
 .B nmap
5377 5377
 the connecting host in a
5378
-.B --tls-verify
5378
+.B \-\-tls-verify
5379 5379
 script to ensure it is firewalled properly.
5380 5380
 Set prior to execution of
5381
-.B --tls-verify
5381
+.B \-\-tls-verify
5382 5382
 and
5383
-.B --auth-user-pass-verify
5383
+.B \-\-auth-user-pass-verify
5384 5384
 scripts.
5385 5385
 .\"*********************************************************
5386 5386
 .TP
... ...
@@ -5388,16 +5394,16 @@ scripts.
5388 5388
 Actual port number of connecting client or peer which has not been authenticated
5389 5389
 yet.
5390 5390
 Set prior to execution of
5391
-.B --tls-verify
5391
+.B \-\-tls-verify
5392 5392
 and
5393
-.B --auth-user-pass-verify
5393
+.B \-\-auth-user-pass-verify
5394 5394
 scripts.
5395 5395
 .\"*********************************************************
5396 5396
 .TP
5397 5397
 .B username
5398 5398
 The username provided by a connecting client.
5399 5399
 Set prior to
5400
-.B --auth-user-pass-verify
5400
+.B \-\-auth-user-pass-verify
5401 5401
 script execution only when the
5402 5402
 .B via-env
5403 5403
 modifier is specified.
... ...
@@ -5409,7 +5415,7 @@ where
5409 5409
 .B n
5410 5410
 is the verification level.  Only set for TLS connections.  Set prior
5411 5411
 to execution of
5412
-.B --tls-verify
5412
+.B \-\-tls-verify
5413 5413
 script.  This variable is similar to
5414 5414
 .B tls_id_{n}
5415 5415
 except the component X509 subject fields are broken out, and
... ...
@@ -5453,30 +5459,30 @@ Like
5453 5453
 except don't re-read configuration file, and possibly don't close and reopen TUN/TAP
5454 5454
 device, re-read key files, preserve local IP address/port, or preserve most recently authenticated
5455 5455
 remote IP address/port based on
5456
-.B --persist-tun, --persist-key, --persist-local-ip,
5456
+.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip,
5457 5457
 and
5458
-.B --persist-remote-ip
5458
+.B \-\-persist-remote-ip
5459 5459
 options respectively (see above).
5460 5460
 
5461 5461
 This signal may also be internally generated by a timeout condition, governed
5462 5462
 by the
5463
-.B --ping-restart
5463
+.B \-\-ping-restart
5464 5464
 option.
5465 5465
 
5466 5466
 This signal, when combined with
5467
-.B --persist-remote-ip,
5467
+.B \-\-persist-remote-ip,
5468 5468
 may be
5469 5469
 sent when the underlying parameters of the host's network interface change
5470 5470
 such as when the host is a DHCP client and is assigned a new IP address.
5471 5471
 See
5472
-.B --ipchange
5472
+.B \-\-ipchange
5473 5473
 above for more information.
5474 5474
 .\"*********************************************************
5475 5475
 .TP
5476 5476
 .B SIGUSR2
5477 5477
 Causes OpenVPN to display its current statistics (to the syslog
5478 5478
 file if
5479
-.B --daemon
5479
+.B \-\-daemon
5480 5480
 is used, or stdout otherwise).
5481 5481
 .\"*********************************************************
5482 5482
 .TP
... ...
@@ -5531,7 +5537,7 @@ If firewalls exist between
5531 5531
 the two machines, they should be set to forward UDP port 1194
5532 5532
 in both directions.  If you do not have control over the firewalls
5533 5533
 between the two machines, you may still be able to use OpenVPN by adding
5534
-.B --ping 15
5534
+.B \-\-ping 15
5535 5535
 to each of the
5536 5536
 .B openvpn
5537 5537
 commands used below in the examples (this will cause each peer to send out
... ...
@@ -5600,11 +5606,11 @@ you will get a weird feedback loop.
5600 5600
 .LP
5601 5601
 On may:
5602 5602
 .IP
5603
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
5603
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9
5604 5604
 .LP
5605 5605
 On june:
5606 5606
 .IP
5607
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
5607
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9
5608 5608
 .LP
5609 5609
 Now verify the tunnel is working by pinging across the tunnel.
5610 5610
 .LP
... ...
@@ -5617,17 +5623,17 @@ On june:
5617 5617
 .B ping 10.4.0.1
5618 5618
 .LP
5619 5619
 The
5620
-.B --verb 9
5620
+.B \-\-verb 9
5621 5621
 option will produce verbose output, similar to the
5622 5622
 .BR tcpdump (8)
5623 5623
 program.  Omit the
5624
-.B --verb 9
5624
+.B \-\-verb 9
5625 5625
 option to have OpenVPN run quietly.
5626 5626
 .\"*********************************************************
5627 5627
 .SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)
5628 5628
 First build a static key on may.
5629 5629
 .IP
5630
-.B openvpn --genkey --secret key
5630
+.B openvpn \-\-genkey \-\-secret key
5631 5631
 .LP
5632 5632
 This command will build a random key file called
5633 5633
 .B key
... ...
@@ -5641,11 +5647,11 @@ program.
5641 5641
 .LP
5642 5642
 On may:
5643 5643
 .IP
5644
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
5644
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key
5645 5645
 .LP
5646 5646
 On june:
5647 5647
 .IP
5648
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
5648
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key
5649 5649
 .LP
5650 5650
 Now verify the tunnel is working by pinging across the tunnel.
5651 5651
 .LP
... ...
@@ -5667,10 +5673,10 @@ as the TLS server.
5667 5667
 
5668 5668
 First, build a separate certificate/key pair
5669 5669
 for both may and june (see above where
5670
-.B --cert
5670
+.B \-\-cert
5671 5671
 is discussed for more info).  Then construct
5672 5672
 Diffie Hellman parameters (see above where
5673
-.B --dh
5673
+.B \-\-dh
5674 5674
 is discussed for more info).  You can also use the
5675 5675
 included test files client.crt, client.key,
5676 5676
 server.crt, server.key and ca.crt.
... ...
@@ -5683,11 +5689,11 @@ parameters you can use the included file dh1024.pem.
5683 5683
 .LP
5684 5684
 On may:
5685 5685
 .IP
5686
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
5686
+.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg-sec 60 \-\-verb 5
5687 5687
 .LP
5688 5688
 On june:
5689 5689
 .IP
5690
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
5690
+.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg-sec 60 \-\-verb 5
5691 5691
 .LP
5692 5692
 Now verify the tunnel is working by pinging across the tunnel.
5693 5693
 .LP
... ...
@@ -5700,16 +5706,16 @@ On june:
5700 5700
 .B ping 10.4.0.1
5701 5701
 .LP
5702 5702
 Notice the
5703
-.B --reneg-sec 60
5703
+.B \-\-reneg-sec 60
5704 5704
 option we used above.  That tells OpenVPN to renegotiate
5705 5705
 the data channel keys every minute.
5706 5706
 Since we used
5707
-.B --verb 5
5707
+.B \-\-verb 5
5708 5708
 above, you will see status information on each new key negotiation.
5709 5709
 
5710 5710
 For production operations, a key renegotiation interval of 60 seconds
5711 5711
 is probably too frequent.  Omit the
5712
-.B --reneg-sec 60
5712
+.B \-\-reneg-sec 60
5713 5713
 option to use OpenVPN's default key renegotiation interval of one hour.
5714 5714
 .\"*********************************************************
5715 5715
 .SS Routing:
... ...
@@ -5745,7 +5751,7 @@ over the secure tunnel (or vice versa).
5745 5745
 
5746 5746
 In a production environment, you could put the route command(s)
5747 5747
 in a shell script and execute with the
5748
-.B --up
5748
+.B \-\-up
5749 5749
 option.
5750 5750
 .\"*********************************************************
5751 5751
 .SH FIREWALLS
... ...
@@ -5753,7 +5759,7 @@ OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
5753 5753
 You should add an entry to your firewall rules to allow incoming OpenVPN
5754 5754
 packets.  On Linux 2.4+:
5755 5755
 .IP
5756
-.B iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
5756
+.B iptables -A INPUT -p udp -s 1.2.3.4 \-\-dport 1194 -j ACCEPT
5757 5757
 .LP
5758 5758
 This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port)
5759 5759
 from an OpenVPN peer at 1.2.3.4.
... ...
@@ -5764,7 +5770,7 @@ address can be considered optional, since HMAC packet authentication
5764 5764
 is a much more secure method of verifying the authenticity of
5765 5765
 a packet source.  In that case:
5766 5766
 .IP
5767
-.B iptables -A INPUT -p udp --dport 1194 -j ACCEPT
5767
+.B iptables -A INPUT -p udp \-\-dport 1194 -j ACCEPT
5768 5768
 .LP
5769 5769
 would be adequate and would not render the host inflexible with
5770 5770
 respect to its peer having a dynamic IP address.
... ...
@@ -5773,7 +5779,7 @@ OpenVPN also works well on stateful firewalls.  In some cases, you may
5773 5773
 not need to add any static rules to the firewall list if you are
5774 5774
 using a stateful firewall that knows how to track UDP connections.
5775 5775
 If you specify
5776
-.B --ping n,
5776
+.B \-\-ping n,
5777 5777
 OpenVPN will be guaranteed
5778 5778
 to send a packet to its peer at least once every
5779 5779
 .B n
... ...
@@ -4252,7 +4252,7 @@ add_option (struct options *options,
4252 4252
 
4253 4253
       VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4254 4254
       port = atoi (p[1]);
4255
-      if (!legal_ipv4_port (port))
4255
+      if ((port != 0) && !legal_ipv4_port (port))
4256 4256
 	{
4257 4257
 	  msg (msglevel, "Bad local port number: %s", p[1]);
4258 4258
 	  goto err;
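Review bot: `port = atoi (p[1])` yields 0 for any non-numeric argument, so the relaxed check `(port != 0) && !legal_ipv4_port (port)` now silently accepts a typo such as `lport abc` as port 0 instead of rejecting it as before. If 0 is meant as an explicit "let the OS choose" value (presumably the intent of this change), accept it only when the argument is literally "0", e.g. `if (!(port == 0 && !strcmp (p[1], "0")) && !legal_ipv4_port (port))`, or parse with strtol and check the end pointer. add_option continues outside the hunk.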
... ...
@@ -109,6 +109,11 @@ add_subnet (const char *line, const char *prefix, const int line_num, struct pf_
109 109
 	  return false;
110 110
 	}
111 111
       netmask = netbits_to_netmask (netbits);
112
+      if ((network.s_addr & htonl (netmask)) != network.s_addr)
113
+        {
114
+          network.s_addr &= htonl (netmask);
115
+          msg (M_WARN, "WARNING: PF: %s/%d: incorrect subnet %s/%d changed to %s/%d", prefix, line_num, line, netbits, inet_ntoa (network), netbits);
116
+        }
112 117
     }
113 118
   else
114 119
     {
... ...
@@ -554,24 +559,25 @@ pf_init_context (struct context *c)
554 554
 #ifdef PLUGIN_PF
555 555
   if (plugin_defined (c->plugins, OPENVPN_PLUGIN_ENABLE_PF))
556 556
     {
557
-      const char *pf_file = create_temp_filename (c->options.tmp_dir, "pf", &gc);
558
-      delete_file (pf_file);
559
-      setenv_str (c->c2.es, "pf_file", pf_file);
560
-
561
-      if (plugin_call (c->plugins, OPENVPN_PLUGIN_ENABLE_PF, NULL, NULL, c->c2.es) == OPENVPN_PLUGIN_FUNC_SUCCESS)
562
-	{
563
-	  event_timeout_init (&c->c2.pf.reload, 1, now);
564
-	  c->c2.pf.filename = string_alloc (pf_file, NULL);
565
-	  c->c2.pf.enabled = true;
557
+      const char *pf_file = create_temp_file (c->options.tmp_dir, "pf", &gc);
558
+      if( pf_file ) {
559
+        setenv_str (c->c2.es, "pf_file", pf_file);
560
+
561
+        if (plugin_call (c->plugins, OPENVPN_PLUGIN_ENABLE_PF, NULL, NULL, c->c2.es) == OPENVPN_PLUGIN_FUNC_SUCCESS)
562
+          {
563
+            event_timeout_init (&c->c2.pf.reload, 1, now);
564
+            c->c2.pf.filename = string_alloc (pf_file, NULL);
565
+            c->c2.pf.enabled = true;
566 566
 #ifdef ENABLE_DEBUG
567
-	  if (check_debug_level (D_PF_DEBUG))
568
-	    pf_context_print (&c->c2.pf, "pf_init_context#1", D_PF_DEBUG);
567
+            if (check_debug_level (D_PF_DEBUG))
568
+              pf_context_print (&c->c2.pf, "pf_init_context#1", D_PF_DEBUG);
569 569
 #endif
570
-	}
571
-      else
572
-	{
573
-	  msg (M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled");
574
-	}
570
+          }
571
+        else
572
+          {
573
+            msg (M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled");
574
+          }
575
+      }
575 576
     }
576 577
 #endif
577 578
 #ifdef MANAGEMENT_PF
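Review bot: When create_temp_file() returns NULL in pf_init_context, the new `if( pf_file )` has no else branch, so c->c2.pf.enabled stays false, the plugin that asked for OPENVPN_PLUGIN_ENABLE_PF is never called, and nothing is logged; the packet filter is silently skipped. Because the filter is a security control this should fail loudly, at minimum `else msg (M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled: could not create pf temp file");`, and failing hard (M_FATAL) is arguably the safer default. Dropping the old delete_file() call presumably relies on create_temp_file() creating the file itself; worth confirming, since otherwise the pre-existing filename race just moves. pf_init_context continues outside the hunk; the add_subnet hunk above raises no issue.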
... ...
@@ -111,6 +111,35 @@ struct user_pass {
111 111
 /* Background process function */
112 112
 static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list);
113 113
 
114
+/*  Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return
115
+ *  a pointer to the NEW string.  Does not modify the input strings.  Will not enter an
116
+ *  infinite loop with clever 'searchfor' and 'replacewith' strings.
117
+ *  Daniel Johnson - Progman2000@usa.net / djohnson@progman.us
118
+ */
119
+static char *
120
+searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith)
121
+{
122
+  if (!tosearch || !searchfor || !replacewith) return 0;
123
+  if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0;
124
+
125
+  const char *searching=tosearch;
126
+  char *scratch;
127
+  char temp[strlen(tosearch)*10];
128
+  temp[0]=0;
129
+
130
+  scratch = strstr(searching,searchfor);
131
+  if (!scratch) return strdup(tosearch);
132
+
133
+  while (scratch) {
134
+    strncat(temp,searching,scratch-searching);
135
+    strcat(temp,replacewith);
136
+
137
+    searching=scratch+strlen(searchfor);
138
+    scratch = strstr(searching,searchfor);
139
+  }
140
+  return strdup(temp);
141
+}
142
+
114 143
 /*
115 144
  * Given an environmental variable name, search
116 145
  * the envp array for its value, returning it
... ...
@@ -551,7 +580,7 @@ my_conv (int n, const struct pam_message **msg_array,
551 551
 	      if (name_value_match (msg->msg, match_name))
552 552
 		{
553 553
 		  /* found name/value match */
554
-		  const char *return_value = NULL;
554
+		  aresp[i].resp = NULL;
555 555
 
556 556
 		  if (DEBUG (up->verb))
557 557
 		    fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n",
... ...
@@ -559,14 +588,13 @@ my_conv (int n, const struct pam_message **msg_array,
559 559
 			     match_name,
560 560
 			     match_value);
561 561
 
562
-		  if (!strcmp (match_value, "USERNAME"))
563
-		    return_value = up->username;
564
-		  else if (!strcmp (match_value, "PASSWORD"))
565
-		    return_value = up->password;
562
+		  if (strstr(match_value, "USERNAME"))
563
+		    aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username);
564
+		  else if (strstr(match_value, "PASSWORD"))
565
+		    aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password);
566 566
 		  else
567
-		    return_value = match_value;
567
+		    aresp[i].resp = strdup (match_value);
568 568
 
569
-		  aresp[i].resp = strdup (return_value);
570 569
 		  if (aresp[i].resp == NULL)
571 570
 		    ret = PAM_CONV_ERR;
572 571
 		  break;
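Review bot: `char temp[strlen(tosearch)*10]` in searchandreplace is a stack buffer whose size ignores replacewith, and the strncat/strcat loop writes into it without bounds; each occurrence grows the result by strlen(replacewith) - strlen(searchfor), so a long username or password (up->username / up->password, supplied by the connecting client and passed in from my_conv in the later hunk) combined with a short match_value that contains the token can exceed the buffer and corrupt the stack of the privileged helper. The output length should be computed first and the result allocated on the heap, which also keeps the caller's ownership model (it already frees the strdup'd string). A behavioural change to confirm: the early `return 0` on an empty replacewith now turns an empty username or password into PAM_CONV_ERR, whereas the old code substituted the empty string. The header comment also misspells "occurrences".
```c
static char *
searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith)
{
  if (!tosearch || !searchfor || !replacewith) return 0;
  if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0;

  const size_t searchlen = strlen(searchfor);
  const size_t replacelen = strlen(replacewith);
  size_t outlen = strlen(tosearch);
  const char *p;

  /* First pass: count occurrences so the result buffer is sized exactly. */
  for (p = strstr(tosearch, searchfor); p; p = strstr(p + searchlen, searchfor))
    outlen = outlen - searchlen + replacelen;

  char *result = malloc(outlen + 1);
  if (!result) return 0;

  /* Second pass: copy, substituting every occurrence; never writes past outlen. */
  char *out = result;
  const char *searching = tosearch;
  for (p = strstr(searching, searchfor); p; p = strstr(searching, searchfor))
    {
      memcpy(out, searching, p - searching);
      out += p - searching;
      memcpy(out, replacewith, replacelen);
      out += replacelen;
      searching = p + searchlen;
    }
  strcpy(out, searching);
  return result;
}
```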
... ...
@@ -177,6 +177,7 @@ send_push_reply (struct context *c)
177 177
   static char cmd[] = "PUSH_REPLY";
178 178
   const int extra = 64; /* extra space for possible trailing ifconfig and push-continuation */
179 179
   const int safe_cap = BCAP (&buf) - extra;
180
+  bool push_sent = false;
180 181
 
181 182
   buf_printf (&buf, cmd);
182 183
 
... ...
@@ -192,6 +193,7 @@ send_push_reply (struct context *c)
192 192
 		const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH);
193 193
 		if (!status)
194 194
 		  goto fail;
195
+		push_sent = true;
195 196
 		multi_push = true;
196 197
 		buf_reset_len (&buf);
197 198
 		buf_printf (&buf, cmd);
... ...
@@ -218,6 +220,21 @@ send_push_reply (struct context *c)
218 218
     {
219 219
       const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH);
220 220
       if (!status)
221
+        goto fail;
222
+      push_sent = true;
223
+    }
224
+
225
+  /* If nothing have been pushed, send an empty push,
226
+   * as the client is expecting a response
227
+   */
228
+  if (!push_sent)
229
+    {
230
+      bool status = false;
231
+
232
+      buf_reset_len (&buf);
233
+      buf_printf (&buf, cmd);
234
+      status = send_control_channel_string (c, BSTR(&buf), D_PUSH);
235
+      if (!status)
221 236
 	goto fail;
222 237
     }
223 238
 
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 # A Sample OpenVPN-aware firewall.
4 4
 
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 #################################
4 4
 # Set up Ethernet bridge on Linux
... ...
@@ -1,4 +1,4 @@
1
-#!/bin/bash
1
+#!/bin/sh
2 2
 
3 3
 ####################################
4 4
 # Tear Down Ethernet bridge on Linux
... ...
@@ -7,24 +7,28 @@
7 7
 #
8 8
 # For example in OpenVPN, you could use the directive:
9 9
 #
10
-#   tls-verify "./verify-cn Test-Client"
10
+#   tls-verify "./verify-cn /etc/openvpn/allowed_clients"
11 11
 #
12 12
 # This would cause the connection to be dropped unless
13
-# the client common name is "Test-Client"
13
+# the client common name is listed on a line in the
14
+# allowed_clients file.
14 15
 
15
-die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
16
+die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
16 17
 
17 18
 # Parse out arguments:
18
-#   cn    -- The common name which the client is required to have,
19
-#            taken from the argument to the tls-verify directive
20
-#            in the OpenVPN config file.
21
-#   depth -- The current certificate chain depth.  In a typical
22
-#            bi-level chain, the root certificate will be at level
23
-#            1 and the client certificate will be at level 0.
24
-#            This script will be called separately for each level.
25
-#   x509  -- the X509 subject string as extracted by OpenVPN from
26
-#            the client's provided certificate.
27
-($cn, $depth, $x509) = @ARGV;
19
+#   cnfile -- The file containing the list of common names, one per
20
+#             line, which the client is required to have,
21
+#             taken from the argument to the tls-verify directive
22
+#             in the OpenVPN config file.
23
+#             The file can have blank lines and comment lines that begin
24
+#             with the # character.
25
+#   depth  -- The current certificate chain depth.  In a typical
26
+#             bi-level chain, the root certificate will be at level
27
+#             1 and the client certificate will be at level 0.
28
+#             This script will be called separately for each level.
29
+#   x509   -- the X509 subject string as extracted by OpenVPN from
30
+#             the client's provided certificate.
31
+($cnfile, $depth, $x509) = @ARGV;
28 32
 
29 33
 if ($depth == 0) {
30 34
     # If depth is zero, we know that this is the final
... ...
@@ -34,11 +38,19 @@ if ($depth == 0) {
34 34
     # the X509 subject string.
35 35
 
36 36
     if ($x509 =~ /\/CN=([^\/]+)/) {
37
+        $cn = $1;
37 38
 	# Accept the connection if the X509 common name
38 39
 	# string matches the passed cn argument.
39
-	if ($cn eq $1) {
40
-	    exit 0;
40
+	open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
41
+        while (defined($line = <FH>)) {
42
+	    if ($line !~ /^[[:space:]]*(#|$)/o) {
43
+		chop($line);
44
+		if ($line eq $cn) {
45
+		    exit 0;
46
+		}
47
+	    }
41 48
 	}
49
+	close(FH);
42 50
     }
43 51
 
44 52
     # Authentication failed -- Either we could not parse
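Review bot: `chop($line)` unconditionally removes the last character, so when the final line of the allowed-clients file has no trailing newline the last listed common name loses its final character and can never match; `chomp($line);` removes only the line terminator. Since the file may be edited on Windows, stripping trailing whitespace instead (`$line =~ s/\s+$//;`) is more robust and covers CRLF. The `open(...) or exit 1` keeps the check fail-closed, which is the right default for a verification hook. The mixed tab/space indentation on `$cn = $1;` and the `while` line differs from the surrounding tab-indented block.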
... ...
@@ -1894,7 +1894,7 @@ stream_buf_added (struct stream_buf *sb,
1894 1894
 
1895 1895
       if (sb->len < 1 || sb->len > sb->maxlen)
1896 1896
 	{
1897
-	  msg (M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]", sb->len, sb->maxlen);
1897
+	  msg (M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", sb->len, sb->maxlen);
1898 1898
 	  stream_buf_reset (sb);
1899 1899
 	  sb->error = true;
1900 1900
 	  return false;
... ...
@@ -788,9 +788,30 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
788 788
 
789 789
   /* export serial number as environmental variable */
790 790
   {
791
-    const int serial = (int) ASN1_INTEGER_get (X509_get_serialNumber (ctx->current_cert));
792
-    openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", ctx->error_depth);
793
-    setenv_int (opt->es, envname, serial);
791
+    BIO *bio = NULL;
792
+    char serial[100];
793
+    int n1, n2;
794
+
795
+    CLEAR (serial);
796
+    if ((bio = BIO_new (BIO_s_mem ())) == NULL)
797
+      {
798
+        msg (M_WARN, "CALLBACK: Cannot create BIO (for tls_serial_%d)", ctx->error_depth);
799
+      }
800
+    else
801
+      {
802
+        /* "prints" the serial number onto the BIO and read it back */
803
+        if ( ! ( ( (n1 = i2a_ASN1_INTEGER(bio, X509_get_serialNumber (ctx->current_cert))) >= 0 ) &&
804
+                 ( (n2 = BIO_read (bio, serial, sizeof (serial)-1)) >= 0 ) &&
805
+                 ( n1 == n2 ) ) )
806
+          {
807
+            msg (M_WARN, "CALLBACK: Error reading/writing BIO (for tls_serial_%d)", ctx->error_depth);
808
+            CLEAR (serial);     /* empty string */
809
+          }
810
+
811
+        openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", ctx->error_depth);
812
+        setenv_str (opt->es, envname, serial);
813
+        BIO_free(bio);
814
+      }
794 815
   }
795 816
 
796 817
   /* export current untrusted IP */
... ...
@@ -1094,10 +1115,11 @@ key_state_gen_auth_control_file (struct key_state *ks, const struct tls_options
1094 1094
   const char *acf;
1095 1095
 
1096 1096
   key_state_rm_auth_control_file (ks);
1097
-  acf = create_temp_filename (opt->tmp_dir, "acf", &gc);
1098
-  ks->auth_control_file = string_alloc (acf, NULL);
1099
-  setenv_str (opt->es, "auth_control_file", ks->auth_control_file);
1100
-
1097
+  acf = create_temp_file (opt->tmp_dir, "acf", &gc);
1098
+  if( acf ) {
1099
+    ks->auth_control_file = string_alloc (acf, NULL);
1100
+    setenv_str (opt->es, "auth_control_file", ks->auth_control_file);
1101
+  } /* FIXME: Should have better error handling? */
1101 1102
   gc_free (&gc);					  
1102 1103
 }
1103 1104
 
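Review bot: When `create_temp_file` fails the function now returns silently, as the FIXME on the closing brace admits: `ks->auth_control_file` stays NULL, no `auth_control_file` variable is exported, and the failure is not logged, so whatever deferred-auth plugin or script runs afterwards (outside this hunk) has no file in which to write its verdict and the operator has nothing to go on. At minimum replace the FIXME with `msg (M_WARN, "TLS Auth Error: could not create auth control file in %s", opt->tmp_dir);` so a full or unwritable --tmp-dir is visible in the log. Better, have the function return a bool and let the caller treat false as an authentication failure so this path fails closed; the signature shown in the `@@` context line is outside this hunk, so that change belongs there.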
... ...
@@ -3181,17 +3203,22 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
3181 3181
 	{
3182 3182
 	  struct status_output *so;
3183 3183
 
3184
-	  tmp_file = create_temp_filename (session->opt->tmp_dir, "up", &gc);
3185
-	  so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
3186
-	  status_printf (so, "%s", up->username);
3187
-	  status_printf (so, "%s", up->password);
3188
-	  if (!status_close (so))
3189
-	    {
3190
-	      msg (D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s",
3191
-		   tmp_file);
3192
-	      goto done;
3193
-	    }
3194
-	}
3184
+	  tmp_file = create_temp_file (session->opt->tmp_dir, "up", &gc);
3185
+          if( tmp_file ) {
3186
+            so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
3187
+            status_printf (so, "%s", up->username);
3188
+            status_printf (so, "%s", up->password);
3189
+            if (!status_close (so))
3190
+              {
3191
+                msg (D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s",
3192
+                     tmp_file);
3193
+                goto done;
3194
+              }
3195
+          } else {
3196
+            msg (D_TLS_ERRORS, "TLS Auth Error: could not create write "
3197
+                 "username/password to temp file");
3198
+          }
3199
+        }
3195 3200
       else
3196 3201
 	{
3197 3202
 	  setenv_str (session->opt->es, "username", up->username);
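Review bot: The new else branch (the one logging `could not create write username/password to temp file`) does not `goto done;`, so after the message execution continues past the hunk toward the script invocation with `tmp_file == NULL`, whereas the original code always had a written file by the time the script ran; unless the code below the hunk re-checks `tmp_file`, the verify script is started without credentials and the outcome depends on how it handles a missing file argument. I would make the branch `msg (D_TLS_ERRORS, "TLS Auth Error: could not create temp file for username/password"); goto done;`, which also repairs the garbled message text, and confirm that the value returned after `done:` still means "authentication failed" on that path. The enclosing verify_user_pass_script starts and ends outside this hunk.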
... ...
@@ -3225,7 +3252,7 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
3225 3225
     }
3226 3226
 
3227 3227
  done:
3228
-  if (strlen (tmp_file) > 0)
3228
+  if (tmp_file && strlen (tmp_file) > 0)
3229 3229
     delete_file (tmp_file);
3230 3230
 
3231 3231
   argv_reset (&argv);
... ...
@@ -3867,7 +3894,8 @@ tls_process (struct tls_multi *multi,
3867 3867
 	   && ks->n_packets >= session->opt->renegotiate_packets)
3868 3868
        || (packet_id_close_to_wrapping (&ks->packet_id.send))))
3869 3869
     {
3870
-      msg (D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d bytes=%d/%d pkts=%d/%d",
3870
+      msg (D_TLS_DEBUG_LOW,
3871
+           "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
3871 3872
 	   (int)(ks->established + session->opt->renegotiate_seconds - now),
3872 3873
 	   ks->n_bytes, session->opt->renegotiate_bytes,
3873 3874
 	   ks->n_packets, session->opt->renegotiate_packets);
... ...
@@ -376,8 +376,8 @@ struct key_state
376 376
   struct reliable *rec_reliable;  /* order incoming ciphertext packets before we pass to TLS */
377 377
   struct reliable_ack *rec_ack;	  /* buffers all packet IDs we want to ACK back to sender */
378 378
 
379
-  int n_bytes;			 /* how many bytes sent/recvd since last key exchange */
380
-  int n_packets;		 /* how many packets sent/recvd since last key exchange */
379
+  counter_type n_bytes;		 /* how many bytes sent/recvd since last key exchange */
380
+  counter_type n_packets;	 /* how many packets sent/recvd since last key exchange */
381 381
 
382 382
   /*
383 383
    * If bad username/password, TLS connection will come up but 'authenticated' will be false.
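Review bot: `n_bytes` and `n_packets` become `counter_type` here, but the `renegotiate_bytes`/`renegotiate_packets` options they are compared against in tls_process (the comparison is visible in this commit's tls_process hunk) stay `int`; if `counter_type` is an unsigned type, which its typedef elsewhere presumably is but this diff does not show, a negative option value is converted to a huge unsigned and the renegotiation threshold can never be reached. A comment on the fields, e.g. `/* compared against the int renegotiate_* options in tls_process: those must stay non-negative */`, plus a check that option parsing rejects negative values for --reneg-bytes/--reneg-pkts, would close that gap. struct key_state starts and ends outside this hunk.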
... ...
@@ -85,6 +85,10 @@
85 85
 #endif
86 86
 
87 87
 #ifdef HAVE_SYS_SOCKET_H
88
+# if defined(TARGET_LINUX) && !defined(_GNU_SOURCE)
89
+   /* needed for peercred support on glibc-2.8 */
90
+#  define _GNU_SOURCE
91
+# endif
88 92
 #include <sys/socket.h>
89 93
 #endif
90 94
 
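Review bot: `_GNU_SOURCE` is defined immediately before `<sys/socket.h>` but after whatever headers precede line 87 of this file (the `#endif` just above closes an earlier include block); glibc's features.h evaluates the feature macros only on the first system-header include, so this definition takes effect only if no system header has been pulled in earlier, and whether `struct ucred`/SO_PEERCRED become visible for the peercred support the comment mentions depends on include order. Define it at the very top of syshead.h before any `#include`, or let configure do it (`AC_GNU_SOURCE`/`AC_USE_SYSTEM_EXTENSIONS` puts it into config.h), and keep a comment such as `/* must precede every system header: glibc features.h is evaluated once */`. As written the consequence of a too-late definition is a compile error on some toolchains rather than a runtime fault, but it is still a portability trap for a security-relevant feature.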
... ...
@@ -860,26 +860,15 @@ do_ifconfig (struct tuntap *tt,
860 860
 			  ifconfig_remote_netmask,
861 861
 			  tun_mtu
862 862
 			  );
863
-      else {
864
-	if (tt->topology == TOP_SUBNET)
865
-            argv_printf (&argv,
866
-                              "%s %s %s netmask %s mtu %d up",
863
+      else
864
+	argv_printf (&argv,
865
+		      "%s %s %s netmask %s mtu %d up",
867 866
                               IFCONFIG_PATH,
868 867
                               actual,
869 868
                               ifconfig_local,
870 869
                               ifconfig_remote_netmask,
871 870
                               tun_mtu
872 871
                               );
873
-	else
874
-  	    argv_printf (&argv,
875
-			  "%s %s %s netmask %s mtu %d up",
876
-			  IFCONFIG_PATH,
877
-			  actual,
878
-			  ifconfig_local,
879
-			  ifconfig_remote_netmask,
880
-			  tun_mtu
881
-			  );
882
-      }
883 872
 	
884 873
       argv_msg (M_INFO, &argv);
885 874
       openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig failed");
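Review bot: The two arms being merged were textually identical (same format string, same arguments), so the collapse is safe, but nothing now records that this non-tun interface gets the same ifconfig form regardless of `tt->topology`; a one-line comment above the `else`, `/* topology does not change the ifconfig form for this device type */`, keeps the duplicate branch from being reintroduced. The surviving arm also mixes tab and space indentation between its lines, worth normalizing while it is being touched. do_ifconfig starts and ends outside this hunk, and the arm it pairs with above is not visible.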