It is more secure to use unix sockets instead of TCP ports for the
management interface, so reword it and provide some details why TCP is
not recommended.
Also re-arranged this section to be somewhat easier to read and clearer
on a few related details.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -2555,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable |
2555 | 2555 |
compression for a period of time until the next re\-sample test. |
2556 | 2556 |
.\"********************************************************* |
2557 | 2557 |
.TP |
2558 |
+.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended) |
|
2559 |
+.TQ |
|
2558 | 2560 |
.B \-\-management IP port [pw\-file] |
2559 |
-Enable a TCP server on |
|
2560 |
-.B IP:port |
|
2561 |
-to handle daemon management functions. |
|
2562 |
-.B pw\-file, |
|
2563 |
-if specified, |
|
2564 |
-is a password file (password on first line) |
|
2565 |
-or "stdin" to prompt from standard input. The password |
|
2566 |
-provided will set the password which TCP clients will need |
|
2567 |
-to provide in order to access management functions. |
|
2568 |
- |
|
2569 |
-The management interface can also listen on a unix domain socket, |
|
2570 |
-for those platforms that support it. To use a unix domain socket, specify |
|
2571 |
-the unix socket pathname in place of |
|
2572 |
-.B IP |
|
2573 |
-and set |
|
2574 |
-.B port |
|
2575 |
-to 'unix'. While the default behavior is to create a unix domain socket |
|
2576 |
-that may be connected to by any process, the |
|
2561 |
+Enable a management server on a |
|
2562 |
+.B socket\-name |
|
2563 |
+Unix socket on those platforms supporting it, or on |
|
2564 |
+a designated TCP port. |
|
2565 |
+ |
|
2566 |
+.B pw\-file |
|
2567 |
+, if specified, is a password file where the password must be on first line. |
|
2568 |
+Instead of a filename it can use the keyword stdin which will prompt the user |
|
2569 |
+for a password to use when OpenVPN is starting. |
|
2570 |
+ |
|
2571 |
+For unix sockets, the default behaviour is to create a unix domain socket |
|
2572 |
+that may be connected to by any process. Use the |
|
2577 | 2573 |
.B \-\-management\-client\-user |
2578 | 2574 |
and |
2579 | 2575 |
.B \-\-management\-client\-group |
2580 |
-directives can be used to restrict access. |
|
2581 |
- |
|
2582 |
-The management interface provides a special mode where the TCP |
|
2583 |
-management link can operate over the tunnel itself. To enable this mode, |
|
2584 |
-set |
|
2585 |
-.B IP |
|
2586 |
-= "tunnel". Tunnel mode will cause the management interface |
|
2587 |
-to listen for a TCP connection on the local VPN address of the |
|
2588 |
-TUN/TAP interface. |
|
2576 |
+directives to restrict access. |
|
2577 |
+ |
|
2578 |
+The management interface provides a special mode where the TCP management link |
|
2579 |
+can operate over the tunnel itself. To enable this mode, set IP to |
|
2580 |
+.B tunnel. |
|
2581 |
+Tunnel mode will cause the management interface to listen for a |
|
2582 |
+TCP connection on the local VPN address of the TUN/TAP interface. |
|
2583 |
+ |
|
2584 |
+.B BEWARE |
|
2585 |
+of enabling the management interface over TCP. In these cases you should |
|
2586 |
+.I ALWAYS |
|
2587 |
+make use of |
|
2588 |
+.B pw\-file |
|
2589 |
+to password protect the management interface. Any user who can connect to this |
|
2590 |
+TCP |
|
2591 |
+.B IP:port |
|
2592 |
+will be able to manage and control (and interfere with) the OpenVPN process. |
|
2593 |
+It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict |
|
2594 |
+accessibility of the management server to local clients. |
|
2595 |
+ |
|
2596 |
+While the management port is designed for programmatic control of OpenVPN by |
|
2597 |
+other applications, it is possible to telnet to the port, using a telnet client |
|
2598 |
+in "raw" mode. Once connected, type "help" for a list of commands. |
|
2599 |
+ |
|
2600 |
+For detailed documentation on the management interface, see the |
|
2601 |
+.I management\-notes.txt |
|
2602 |
+file in the management folder of the OpenVPN source distribution. |
|
2589 | 2603 |
|
2590 |
-While the management port is designed for programmatic control |
|
2591 |
-of OpenVPN by other applications, it is possible to telnet |
|
2592 |
-to the port, using a telnet client in "raw" mode. Once connected, |
|
2593 |
-type "help" for a list of commands. |
|
2594 |
- |
|
2595 |
-For detailed documentation on the management interface, see |
|
2596 |
-the management\-notes.txt file in the |
|
2597 |
-.B management |
|
2598 |
-folder of |
|
2599 |
-the OpenVPN source distribution. |
|
2600 |
- |
|
2601 |
-It is strongly recommended that |
|
2602 |
-.B IP |
|
2603 |
-be set to 127.0.0.1 |
|
2604 |
-(localhost) to restrict accessibility of the management |
|
2605 |
-server to local clients. |
|
2606 | 2604 |
.TP |
2607 | 2605 |
.B \-\-management\-client |
2608 | 2606 |
Management interface will connect as a TCP/unix domain client to |
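Review bot: the `.B pw\-file` line followed by an input line beginning `, if specified, is a password file ...` will render with a stray space before the comma, because roff joins the two lines with a space; the original text avoided this by keeping the comma inside the macro argument (`.B pw\-file,`). Use the font-alternating form so the punctuation attaches to the argument, e.g. `.BR pw\-file ,` and then `if specified, is a password file where the password must be on first line.` The same applies to `.B tunnel.`, which sets the full stop in bold; `.BR tunnel .` avoids that. On the new synopsis line, `(recommended)` is padded into the bold `.B \-\-management socket\-name unix [pw\-file]` with escaped spaces, so it will be rendered in bold as though it were part of the option syntax; consider dropping it from the synopsis and leaving the recommendation in the description, where the BEWARE paragraph already makes the point. Also worth a check: `.TQ` is a groff extension rather than classic man(7), so confirm it renders correctly on every man formatter the project targets.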