Browse code
man: Reword --management to prefer unix sockets over TCP
It is more secure to use unix sockets instead of TCP ports for the
management interface, so reword it and provide some details why TCP is
not recommended.
Also re-arranged this section to be somewhat easier to read and clearer
on a few related details.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth authored on 2018/02/28 22:19:17Showing 1 changed files
| ... | ... |
@@ -2555,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable |
| 2555 | 2555 |
compression for a period of time until the next re\-sample test. |
| 2556 | 2556 |
.\"********************************************************* |
| 2557 | 2557 |
.TP |
| 2558 |
+.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended) |
|
| 2559 |
+.TQ |
|
| 2558 | 2560 |
.B \-\-management IP port [pw\-file] |
| 2559 |
-Enable a TCP server on |
|
| 2560 |
-.B IP:port |
|
| 2561 |
-to handle daemon management functions. |
|
| 2562 |
-.B pw\-file, |
|
| 2563 |
-if specified, |
|
| 2564 |
-is a password file (password on first line) |
|
| 2565 |
-or "stdin" to prompt from standard input. The password |
|
| 2566 |
-provided will set the password which TCP clients will need |
|
| 2567 |
-to provide in order to access management functions. |
|
| 2568 |
- |
|
| 2569 |
-The management interface can also listen on a unix domain socket, |
|
| 2570 |
-for those platforms that support it. To use a unix domain socket, specify |
|
| 2571 |
-the unix socket pathname in place of |
|
| 2572 |
-.B IP |
|
| 2573 |
-and set |
|
| 2574 |
-.B port |
|
| 2575 |
-to 'unix'. While the default behavior is to create a unix domain socket |
|
| 2576 |
-that may be connected to by any process, the |
|
| 2561 |
+Enable a management server on a |
|
| 2562 |
+.B socket\-name |
|
| 2563 |
+Unix socket on those platforms supporting it, or on |
|
| 2564 |
+a designated TCP port. |
|
| 2565 |
+ |
|
| 2566 |
+.B pw\-file |
|
| 2567 |
+, if specified, is a password file where the password must be on first line. |
|
| 2568 |
+Instead of a filename it can use the keyword stdin which will prompt the user |
|
| 2569 |
+for a password to use when OpenVPN is starting. |
|
| 2570 |
+ |
|
| 2571 |
+For unix sockets, the default behaviour is to create a unix domain socket |
|
| 2572 |
+that may be connected to by any process. Use the |
|
| 2577 | 2573 |
.B \-\-management\-client\-user |
| 2578 | 2574 |
and |
| 2579 | 2575 |
.B \-\-management\-client\-group |
| 2580 |
-directives can be used to restrict access. |
|
| 2581 |
- |
|
| 2582 |
-The management interface provides a special mode where the TCP |
|
| 2583 |
-management link can operate over the tunnel itself. To enable this mode, |
|
| 2584 |
-set |
|
| 2585 |
-.B IP |
|
| 2586 |
-= "tunnel". Tunnel mode will cause the management interface |
|
| 2587 |
-to listen for a TCP connection on the local VPN address of the |
|
| 2588 |
-TUN/TAP interface. |
|
| 2576 |
+directives to restrict access. |
|
| 2577 |
+ |
|
| 2578 |
+The management interface provides a special mode where the TCP management link |
|
| 2579 |
+can operate over the tunnel itself. To enable this mode, set IP to |
|
| 2580 |
+.B tunnel. |
|
| 2581 |
+Tunnel mode will cause the management interface to listen for a |
|
| 2582 |
+TCP connection on the local VPN address of the TUN/TAP interface. |
|
| 2583 |
+ |
|
| 2584 |
+.B BEWARE |
|
| 2585 |
+of enabling the management interface over TCP. In these cases you should |
|
| 2586 |
+.I ALWAYS |
|
| 2587 |
+make use of |
|
| 2588 |
+.B pw\-file |
|
| 2589 |
+to password protect the management interface. Any user who can connect to this |
|
| 2590 |
+TCP |
|
| 2591 |
+.B IP:port |
|
| 2592 |
+will be able to manage and control (and interfere with) the OpenVPN process. |
|
| 2593 |
+It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict |
|
| 2594 |
+accessibility of the management server to local clients. |
|
| 2595 |
+ |
|
| 2596 |
+While the management port is designed for programmatic control of OpenVPN by |
|
| 2597 |
+other applications, it is possible to telnet to the port, using a telnet client |
|
| 2598 |
+in "raw" mode. Once connected, type "help" for a list of commands. |
|
| 2599 |
+ |
|
| 2600 |
+For detailed documentation on the management interface, see the |
|
| 2601 |
+.I management\-notes.txt |
|
| 2602 |
+file in the management folder of the OpenVPN source distribution. |
|
| 2589 | 2603 |
|
| 2590 |
-While the management port is designed for programmatic control |
|
| 2591 |
-of OpenVPN by other applications, it is possible to telnet |
|
| 2592 |
-to the port, using a telnet client in "raw" mode. Once connected, |
|
| 2593 |
-type "help" for a list of commands. |
|
| 2594 |
- |
|
| 2595 |
-For detailed documentation on the management interface, see |
|
| 2596 |
-the management\-notes.txt file in the |
|
| 2597 |
-.B management |
|
| 2598 |
-folder of |
|
| 2599 |
-the OpenVPN source distribution. |
|
| 2600 |
- |
|
| 2601 |
-It is strongly recommended that |
|
| 2602 |
-.B IP |
|
| 2603 |
-be set to 127.0.0.1 |
|
| 2604 |
-(localhost) to restrict accessibility of the management |
|
| 2605 |
-server to local clients. |
|
| 2606 | 2604 |
.TP |
| 2607 | 2605 |
.B \-\-management\-client |
| 2608 | 2606 |
Management interface will connect as a TCP/unix domain client to |