From patchwork Wed Jul 15 12:30:00 2020
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 1251
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 00:30:00 +0200
Message-Id: <20200715223013.11726-4-davids@openvpn.net>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200715223013.11726-1-davids@openvpn.net>
References: <20200715223013.11726-1-davids@openvpn.net>
Subject: [Openvpn-devel] [PATCH 03/16] doc/man: Move profiles section

The profile documentation has been enlisted in between all the other
OpenVPN options. As is not strictly an option by itself but a grouping
mechanism, move it into its own section in the man page.

This also makes the HTML rendering look much nicer and better structured.

Signed-off-by: David Sommerseth
---
 doc/openvpn.8.rst | 149 ++++++++++++++++++++++++----------------------
 1 file changed, 78 insertions(+), 71 deletions(-)

diff --git a/doc/openvpn.8.rst b/doc/openvpn.8.rst
index 4627a7d3..fc3ecdb8 100644
--- a/doc/openvpn.8.rst
+++ b/doc/openvpn.8.rst
@@ -204,77 +204,6 @@ Tunnel Options: prevent DNS caching. For example, "foo.bar.gov" would be modified to ".foo.bar.gov". -```` - Define a client connection profile. Client connection profiles are - groups of OpenVPN options that describe how to connect to a given - OpenVPN server. Client connection profiles are specified within an - OpenVPN configuration file, and each profile is bracketed by - ```` and ````. - - An OpenVPN client will try each connection profile sequentially until it - achieves a successful connection. - - ``--remote-random`` can be used to initially "scramble" the connection - list. - - Here is an example of connection profile usage: - :: - - client - dev tun - - - remote 198.19.34.56 1194 udp - - - - remote 198.19.34.56 443 tcp - - - - remote 198.19.34.56 443 tcp - http-proxy 192.168.0.8 8080 - - - - remote 198.19.36.99 443 tcp - http-proxy 192.168.0.8 8080 - - - persist-key - persist-tun - pkcs12 client.p12 - remote-cert-tls server - verb 3 - - First we try to connect to a server at 198.19.34.56:1194 using UDP. If - that fails, we then try to connect to 198.19.34.56:443 using TCP. If - that also fails, then try connecting through an HTTP proxy at - 192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect - through the same proxy to a server at 198.19.36.99:443 using TCP. - - The following OpenVPN options may be used inside of a ```` - block: - - ``bind``, ``connect-retry``, ``connect-retry-max``, ``connect-timeout``, - ``explicit-exit-notify``, ``float``, ``fragment``, ``http-proxy``, - ``http-proxy-option``, ``key-direction``, ``link-mtu``, ``local``, - ``lport``, ``mssfix``, ``mtu-disc``, ``nobind``, ``port``, ``proto``, - ``remote``, ``rport``, ``socks-proxy``, ``tls-auth``, ``tls-crypt``, - ``tun-mtu and``, ``tun-mtu-extra``. - - A defaulting mechanism exists for specifying options to apply to all - ```` profiles. 
If any of the above options (with the - exception of ``remote`` ) appear outside of a ```` block, - but in a configuration file which has one or more ```` - blocks, the option setting will be used as a default for - ```` blocks which follow it in the configuration file. - - For example, suppose the ``nobind`` option were placed in the sample - configuration file above, near the top of the file, before the first - ```` block. The effect would be as if ``nobind`` were - declared in all ```` blocks below it. - --proto-force p When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). 
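Review bot: After the profile block is deleted from the Tunnel Options list, the ``--proto-force p`` entry in the trailing context still says "When iterating through connection profiles" with nothing in the option list left to define the term. Consider adding a short cross-reference in that entry (for example "see the CONNECTION PROFILES section") so a reader scanning the option list can find where profiles are now documented; the same applies to ``--remote-random``, which the moved text refers to for scrambling the connection list.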
@@ -5400,6 +5329,84 @@ instances. +CONNECTION PROFILES +=================== + +Client configuration files may contain multiple remote servers which +it will attempt to connect against. But there are some configuration +options which are related to specific ``--remote`` options. For these +use cases, connection profiles is the solution. + +By enacpulating the ``--remote`` option and related options within +```` and ````, these options are handled as a +group. + +An OpenVPN client will try each connection profile sequentially until it +achieves a successful connection. + +``--remote-random`` can be used to initially "scramble" the connection +list. + +Here is an example of connection profile usage: +:: + + client + dev tun + + + remote 198.19.34.56 1194 udp + + + + remote 198.19.34.56 443 tcp + + + + remote 198.19.34.56 443 tcp + http-proxy 192.168.0.8 8080 + + + + remote 198.19.36.99 443 tcp + http-proxy 192.168.0.8 8080 + + + persist-key + persist-tun + pkcs12 client.p12 + remote-cert-tls server + verb 3 + +First we try to connect to a server at 198.19.34.56:1194 using UDP. If +that fails, we then try to connect to 198.19.34.56:443 using TCP. If +that also fails, then try connecting through an HTTP proxy at +192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect +through the same proxy to a server at 198.19.36.99:443 using TCP. + +The following OpenVPN options may be used inside of a ```` +block: + +``bind``, ``connect-retry``, ``connect-retry-max``, ``connect-timeout``, +``explicit-exit-notify``, ``float``, ``fragment``, ``http-proxy``, +``http-proxy-option``, ``key-direction``, ``link-mtu``, ``local``, +``lport``, ``mssfix``, ``mtu-disc``, ``nobind``, ``port``, ``proto``, +``remote``, ``rport``, ``socks-proxy``, ``tls-auth``, ``tls-crypt``, +``tun-mtu and``, ``tun-mtu-extra``. + +A defaulting mechanism exists for specifying options to apply to all +```` profiles. 
If any of the above options (with the +exception of ``remote`` ) appear outside of a ```` block, +but in a configuration file which has one or more ```` +blocks, the option setting will be used as a default for +```` blocks which follow it in the configuration file. + +For example, suppose the ``nobind`` option were placed in the sample +configuration file above, near the top of the file, before the first +```` block. The effect would be as if ``nobind`` were +declared in all ```` blocks below it. + + + INLINE FILE SUPPORT ===================
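Review bot: The moved text carries over the pre-existing typo ``tun-mtu and`` in the list of options permitted inside a profile block; because the "and" sits inside the literal, it renders as an option named "tun-mtu and". Since the section is being rewritten anyway, change it to ``tun-mtu`` and ``tun-mtu-extra``. The new introductory paragraphs also need a pass: "enacpulating" should be "encapsulating", "connection profiles is the solution" should be "are", and "multiple remote servers which it will attempt to connect against" has no antecedent for "it" (presumably the client). Finally, the stray space in "``remote`` )" should be "``remote``)".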