From patchwork Wed Feb 28 02:19:17 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 252
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 28 Feb 2018 14:19:17 +0100
Message-Id: <20180228131918.12954-2-davids@openvpn.net>
In-Reply-To: <20180228131918.12954-1-davids@openvpn.net>
References: <20180228131918.12954-1-davids@openvpn.net>
X-Mailer: git-send-email 2.13.5
Subject: [Openvpn-devel] [PATCH 2/3] man: Reword --management to prefer unix sockets over TCP

It is more secure to use unix sockets instead of TCP ports for the
management interface, so reword it and provide some details why TCP is
not recommended.

Also re-arranged this section to be somewhat easier to read and clearer
on a few related details.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
This patch depends on the .TQ macro. If the support macro patch has not
been applied, it will not render nicely on platforms not containing .TQ
support.
---
 doc/openvpn.8 | 76 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index bd9f2606..a923da02 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2555,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable compression for a period of time until the next re\-sample test. .\"********************************************************* .TP +.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended) +.TQ .B \-\-management IP port [pw\-file] -Enable a TCP server on -.B IP:port -to handle daemon management functions. -.B pw\-file, -if specified, -is a password file (password on first line) -or "stdin" to prompt from standard input. The password -provided will set the password which TCP clients will need -to provide in order to access management functions. +Enable a management server on a +.B socket\-name +Unix socket on those platforms supporting it, or on +a designated TCP port. -The management interface can also listen on a unix domain socket, -for those platforms that support it. To use a unix domain socket, specify -the unix socket pathname in place of -.B IP -and set -.B port -to 'unix'. While the default behavior is to create a unix domain socket -that may be connected to by any process, the +.B pw\-file +, if specified, is a password file where the password must be on first line. +Instead of a filename it can use the keyword stdin which will prompt the user +for a password to use when OpenVPN is starting. + +For unix sockets, the default behaviour is to create a unix domain socket +that may be connected to by any process. Use the .B \-\-management\-client\-user and .B \-\-management\-client\-group -directives can be used to restrict access. +directives to restrict access. -The management interface provides a special mode where the TCP -management link can operate over the tunnel itself. To enable this mode, -set -.B IP -= "tunnel". Tunnel mode will cause the management interface -to listen for a TCP connection on the local VPN address of the -TUN/TAP interface. 
+The management interface provides a special mode where the TCP management link +can operate over the tunnel itself. To enable this mode, set IP to +.B tunnel. +Tunnel mode will cause the management interface to listen for a +TCP connection on the local VPN address of the TUN/TAP interface. -While the management port is designed for programmatic control -of OpenVPN by other applications, it is possible to telnet -to the port, using a telnet client in "raw" mode. Once connected, -type "help" for a list of commands. +.B BEWARE +of enabling the management interface over TCP. In these cases you should +.I ALWAYS +make use of +.B pw\-file +to password protect the management interface. Any user who can connect to this +TCP +.B IP:port +will be able to manage and control (and interfere with) the OpenVPN process. +It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict +accessibility of the management server to local clients. -For detailed documentation on the management interface, see -the management\-notes.txt file in the -.B management -folder of -the OpenVPN source distribution. +While the management port is designed for programmatic control of OpenVPN by +other applications, it is possible to telnet to the port, using a telnet client +in "raw" mode. Once connected, type "help" for a list of commands. + +For detailed documentation on the management interface, see the +.I management\-notes.txt +file in the management folder of the OpenVPN source distribution. -It is strongly recommended that -.B IP -be set to 127.0.0.1 -(localhost) to restrict accessibility of the management -server to local clients. .TP .B \-\-management\-client Management interface will connect as a TCP/unix domain client to
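Review bot: In the new pw-file paragraph, `.B pw\-file` followed by a text line beginning `, if specified` will render as "pw-file , if specified", because troff turns the line break into a word space; the old text avoided this with `.B pw\-file,` (comma bolded), and the cleaner form is `.BR pw\-file ,` so the comma stays tight and unbolded. The same applies to `.B tunnel.` in the tunnel-mode paragraph, where the full stop is bolded along with the keyword (`.BR tunnel .` is the usual idiom). Also, "the password must be on first line" should read "on the first line". The rest of the reordering reads well, and putting the BEWARE paragraph (pw-file always, bind to 127.0.0.1) directly after the TCP/tunnel description is a clear improvement over having the 127.0.0.1 advice at the very end of the section.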