From patchwork Mon Jul 6 12:41:46 2020
X-Patchwork-Submitter: tincanteksup
X-Patchwork-Id: 1206
X-Patchwork-Delegate: davids@openvpn.net
From: Richard Bonhomme
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 6 Jul 2020 23:41:46 +0100
Message-Id: <20200706224146.2432-1-tincanteksup@gmail.com>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [Patch] New man page corrections - server-options.rst

Signed-off-by: Richard Bonhomme
---
 doc/man-sections/server-options.rst | 38 ++++++++++++++---------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index ada387a2..218d4f35 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -18,13 +18,13 @@ fast hardware. SSL/TLS authentication must be used in this mode. After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that - to client. On the following renegotiations, the OpenVPN client will pass + to the client. On the following renegotiations, the OpenVPN client will pass this token instead of the users password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms. - The tokens implemented by this mechanism include a initial timestamp and + The tokens implemented by this mechanism include an initial timestamp and a renew timestamp and are secured by HMAC. The ``lifetime`` argument defines how long the generated token is valid. @@ -39,7 +39,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. time, while at the same time permitting much longer token lifetimes for active clients. - This feature is useful for environments which is configured to use One + This feature is useful for environments which are configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not implement any auth-token support. 
@@ -49,11 +49,11 @@ fast hardware. SSL/TLS authentication must be used in this mode. verification suceeds or fails. This option postpones this decision to the external authentication - methods and check the validity of the account and do other checks. + methods and checks the validity of the account and do other checks. - In this mode the environment will have a session\_id variable that hold - the session id from auth-gen-token. Also a environment variable - session\_state is present. This variable tells whether the auth-token + In this mode the environment will have a session\_id variable that holds + the session id from auth-gen-token. Also an environment variable + session\_state is present. This variable indicates whether the auth-token has succeeded or not. It can have the following values: :code:`Initial` @@ -69,9 +69,9 @@ fast hardware. SSL/TLS authentication must be used in this mode. Token is invalid (failed HMAC or wrong length) :code:`AuthenticatedEmptyUser` / :code:`ExpiredEmptyUser` - The token is not valid with the username send from the client but - would be valid (or expired) if we assume an empty username was - used instead. These two cases are a workaround for behaviour in + The token is not valid with the username sent from the client but + would be valid (or expired) if we assume an empty username was + used instead. These two cases are a workaround for behaviour in OpenVPN 3. If this workaround is not needed these two cases should be handled in the same way as :code:`Invalid`. 
@@ -86,16 +86,16 @@ fast hardware. SSL/TLS authentication must be used in this mode. password from a script). --auth-gen-token-secret file - Specifies a file that hold a secret for the HMAC used in + Specifies a file that holds a secret for the HMAC used in ``--auth-gen-token`` If ``file`` is not present OpenVPN will generate a random secret on startup. This file should be used if auth-token should - valid after restarting a server or if client should be able to roam - between multiple OpenVPN server with their auth-token. + validate after restarting a server or if client should be able to roam + between multiple OpenVPN servers with their auth-token. --auth-user-pass-optional Allow connections by clients that do not specify a username/password. Normally, when ``--auth-user-pass-verify`` or - ``--management-client-auth`` is specified (or an authentication plugin + ``--management-client-auth`` are specified (or an authentication plugin module), the OpenVPN server daemon will require connecting clients to specify a username and password. This option makes the submission of a username/password by clients optional, passing the responsibility to the @@ -626,8 +626,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. tls-server --stale-routes-check args - Remove routes haven't had activity for ``n`` seconds (i.e. the ageing - time). This check is ran every ``t`` seconds (i.e. check interval). + Remove routes which haven't had activity for ``n`` seconds (i.e. the ageing + time). This check is run every ``t`` seconds (i.e. check interval). Valid syntax: :: @@ -650,7 +650,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. Possible ``mode`` options are: :code:`none` - A client certificate is not required. the client need to + A client certificate is not required. the client needs to authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. 
@@ -675,7 +675,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. script could potentially compromise the security of your VPN. :code:`require` - This is the default option. A client is required topresent a + This is the default option. A client is required to present a certificate, otherwise VPN access is refused. If you don't use this directive (or use ``--verify-client-cert require``) @@ -712,7 +712,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. OpenVPN accepts any Ethernet frame and does not perform any special processing for VLAN-tagged packets. - The option can only be activated in ``--dev tap mode``. + This option can only be activated in ``--dev tap mode``. --vlan-accept args Configure the VLAN tagging policy for the server TAP device.
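Review bot: in the @@ -18,13 hunk the context line "this token instead of the users password" still lacks an apostrophe; since the hunk already touches this paragraph, suggest "the user's password".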
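Review bot: in the @@ -49,11 hunk, changing "check" to "checks" leaves "and do other checks" on the same line with a mismatched verb, and it also shifts the subject from the external authentication methods to the option itself. Suggest "methods, which check the validity of the account and do other checks." The preceding context line "verification suceeds or fails" also still carries the "suceeds" typo and could be fixed in the same hunk.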
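Review bot: in the @@ -86,16 hunk, "if auth-token should validate after restarting a server" changes the meaning: the original "should valid" reads as a dropped word and the intended sense is that the token stays usable across a restart, so suggest "should remain valid". On the same line, "if client should be able to roam" wants "clients". Later in the hunk, "``--auth-user-pass-verify`` or ``--management-client-auth`` are specified" is a regression, because with "or" the subject is singular and the original "is specified" was correct. The sentence ending in "``--auth-gen-token``" also lacks a full stop before "If ``file`` is not present".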
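Review bot: in the @@ -650,7 hunk the changed line still reads "is not required. the client needs to"; capitalise "The" after the full stop while the line is being touched.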
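Review bot: in the @@ -712,7 hunk the new line keeps the word "mode" inside the literal, "``--dev tap mode``"; the option is ``--dev tap`` and "mode" is prose, so suggest "in ``--dev tap`` mode".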