@@ -20,6 +20,8 @@
When configured to authenticate with NTLMv1 (``ntlm`` keyword in
``--http-proxy``) OpenVPN will try NTLMv2 instead.
+``persist-key`` option has been enabled by default.
+ All the keys will be kept in memory across restart.
Overview of changes in 2.6
==========================
@@ -39,7 +39,6 @@
http-proxy 192.168.0.8 8080
</connection>
- persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
@@ -302,17 +302,6 @@
Change process priority after initialization (``n`` greater than 0 is
lower priority, ``n`` less than zero is higher priority).
---persist-key
- Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
-
- This option can be combined with ``--user`` to allow restarts
- triggered by the :code:`SIGUSR1` signal. Normally if you drop root
- privileges in OpenVPN, the daemon cannot be restarted since it will now
- be unable to re-read protected key files.
-
- This option solves the problem by persisting keys across :code:`SIGUSR1`
- resets, so they don't need to be re-read.
-
--providers providers
Load the list of (OpenSSL) providers. This is mainly useful for using an
external provider for key management like tpm2-openssl or to load the
@@ -402,7 +391,7 @@
Like with chroot, complications can result when scripts or restarts are
executed after the setcon operation, which is why you should really
- consider using the ``--persist-key`` and ``--persist-tun`` options.
+ consider using the ``--persist-tun`` option.
--status args
Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
@@ -283,7 +283,7 @@
See the signals section below for more information on :code:`SIGUSR1`.
Note that the behavior of ``SIGUSR1`` can be modified by the
- ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
+ ``--persist-tun``, ``--persist-local-ip`` and
``--persist-remote-ip`` options.
Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
@@ -452,7 +452,7 @@
``--route``, ``--route-gateway``, ``--route-delay``,
``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
- ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
+ ``--setenv``, ``--auth-token``, ``--persist-tun``,
``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
``--rcvbuf``, ``--session-timeout``
@@ -10,9 +10,8 @@
Like :code:`SIGHUP``, except don't re-read configuration file, and
possibly don't close and reopen TUN/TAP device, re-read key files,
preserve local IP address/port, or preserve most recently authenticated
- remote IP address/port based on ``--persist-tun``, ``--persist-key``,
- ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively
- (see above).
+ remote IP address/port based on ``--persist-tun``, ``--persist-local-ip``
+ and ``--persist-remote-ip`` options respectively (see above).
This signal may also be internally generated by a timeout condition,
governed by the ``--ping-restart`` option.
@@ -42,3 +42,6 @@
--prng
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
+
+--persist-key
+ Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
\ No newline at end of file
@@ -62,7 +62,6 @@
;group openvpn
# Try to preserve some state across restarts.
-persist-key
persist-tun
# If you are connecting through an
@@ -274,11 +274,10 @@
;user openvpn
;group openvpn
-# The persist options will try to avoid
+# The persist option will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
-persist-key
persist-tun
# Output a short status file showing
@@ -73,7 +73,6 @@
; ping-restart 45
; ping-timer-rem
; persist-tun
-; persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
@@ -76,7 +76,6 @@
; ping-restart 45
; ping-timer-rem
; persist-tun
-; persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
@@ -89,7 +89,6 @@
; ping-restart 60
; ping-timer-rem
; persist-tun
-; persist-key
; resolv-retry 86400
# keep-alive ping
@@ -3559,14 +3559,6 @@
{
msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
}
- if (!o->persist_key
-#ifdef ENABLE_PKCS11
- && !o->pkcs11_id
-#endif
- )
- {
- msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
- }
}
if (o->chroot_dir && !(o->username && o->groupname))
@@ -3857,7 +3849,7 @@
do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
{
/*
- * always free the tls_auth/crypt key. If persist_key is true, the key will
+ * always free the tls_auth/crypt key. The key will
* be reloaded from memory (pre-cached)
*/
free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
@@ -3866,7 +3858,7 @@
buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
free_buf(&c->c1.ks.tls_crypt_v2_wkc);
- if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
+ if (!(c->sig->signal_received == SIGUSR1))
{
key_schedule_free(&c->c1.ks, free_ssl_ctx);
}
@@ -48,7 +48,7 @@
/*
* Our global key schedules, packaged thusly
- * to facilitate --persist-key.
+ * to facilitate key persistence.
*/
struct key_schedule
@@ -273,7 +273,6 @@
"--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
"--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
"--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
- "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
#if PASSTOS_CAPABILITY
"--passtos : TOS passthrough (applies to IPv4 only).\n"
#endif
@@ -1857,7 +1856,6 @@
SHOW_BOOL(persist_tun);
SHOW_BOOL(persist_local_ip);
SHOW_BOOL(persist_remote_ip);
- SHOW_BOOL(persist_key);
#if PASSTOS_CAPABILITY
SHOW_BOOL(passtos);
@@ -3240,18 +3238,16 @@
ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
}
- /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
+ /* Pre-cache tls-auth/crypt(-v2) key file if
* keys were not already embedded in the config file.
*/
- if (o->persist_key)
- {
- connection_entry_preload_key(&ce->tls_auth_file,
- &ce->tls_auth_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_file,
- &ce->tls_crypt_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_v2_file,
- &ce->tls_crypt_v2_file_inline, &o->gc);
- }
+ connection_entry_preload_key(&ce->tls_auth_file,
+ &ce->tls_auth_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_file,
+ &ce->tls_crypt_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_v2_file,
+ &ce->tls_crypt_v2_file_inline, &o->gc);
+
if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
{
@@ -6963,7 +6959,8 @@
else if (streq(p[0], "persist-key") && !p[1])
{
VERIFY_PERMISSION(OPT_P_PERSIST);
- options->persist_key = true;
+ msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
+ "Keys are now always persisted across restarts. ");
}
else if (streq(p[0], "persist-local-ip") && !p[1])
{
@@ -344,7 +344,6 @@
bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
- bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
#if PASSTOS_CAPABILITY
bool passtos;