From patchwork Thu Dec 9 06:11:36 2021
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 2149
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Dec 2021 18:11:36 +0100
Message-Id: <20211209171138.8589-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH 1/3] doc/Makefile: rebuild rst docs if input files change

For now the dependencies are statically defined, which should be fine
and is still a much better solution than to have no dependencies.
Signed-off-by: Frank Lichtenheld Acked-By: David Sommerseth --- doc/Makefile.am | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 1a67f7b5..a31b8097 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -23,16 +23,11 @@ build_html_pages = openvpn.8.html openvpn-examples.5.html dist_doc_DATA = \ management-notes.txt gui-notes.txt -dist_noinst_DATA = \ - README.plugins interactive-service-notes.rst \ - openvpn.8.rst \ - openvpn-examples.5.rst \ +openvpn_sections = \ man-sections/advanced-options.rst \ man-sections/client-options.rst \ man-sections/connection-profiles.rst \ man-sections/encryption-options.rst \ - man-sections/example-fingerprint.rst \ - man-sections/examples.rst \ man-sections/generic-options.rst \ man-sections/inline-files.rst \ man-sections/link-options.rst \ 
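Review bot: the list that now starts at "+openvpn_sections = \" holds only the section files consumed by openvpn.8, while the two example files are dropped from it here and reappear in a separate variable later in the patch; since the commit message says these dependency lists are maintained by hand, a one-line comment above the assignment naming which manpage the list feeds (and that a new man-sections/*.rst file must be added to the matching list) would save the next contributor from having to read the rest of the file to work that out.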
@@ -53,6 +48,20 @@ dist_noinst_DATA = \ man-sections/vpn-network-options.rst \ man-sections/windows-options.rst +openvpn_examples_sections = \ + man-sections/example-fingerprint.rst \ + man-sections/examples.rst + +dist_noinst_DATA = \ + README.plugins interactive-service-notes.rst \ + openvpn.8.rst \ + openvpn-examples.5.rst \ + $(openvpn_sections) \ + $(openvpn_examples_sections) + +# dependencies +openvpn.8 openvpn.8.html: $(openvpn_sections) +openvpn-examples.5 openvpn-examples.5.html: $(openvpn_examples_sections) ###### GENERIC RULES ########## From patchwork Thu Dec 9 06:11:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 2150 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 4GZyIyg5smGiaAAAqwncew (envelope-from ) for ; Thu, 09 Dec 2021 12:13:12 -0500 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id uB2XECg5smEDewAAIasKDg (envelope-from ) for ; Thu, 09 Dec 2021 12:13:12 -0500 Received: from smtp32.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTPS id SCWhChY5smHkRwAAgKDEHA (envelope-from ) for ; Thu, 09 Dec 2021 12:12:54 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp32.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=lichtenheld.com 
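Review bot: the new rules "openvpn.8 openvpn.8.html: $(openvpn_sections)" and "openvpn-examples.5 openvpn-examples.5.html: $(openvpn_examples_sections)" list only the included section files, not openvpn.8.rst and openvpn-examples.5.rst themselves; unless the generic rules that follow already derive each target from its top-level .rst, those two files need to appear in the prerequisites as well, otherwise editing the top-level document will not trigger a rebuild. It would also help to expand the bare "# dependencies" comment to say that the lists are static and must be kept in sync with the include directives in the .rst sources.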
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Dec 2021 18:11:37 +0100
Message-Id: <20211209171138.8589-2-frank@lichtenheld.com>
In-Reply-To: <20211209171138.8589-1-frank@lichtenheld.com>
References: <20211209171138.8589-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH 2/3] doc: fix misc documentation issues

- Broken/missing formatting
- Make it obvious which arguments are optional
- In some cases moved the "Valid syntax" block earlier to make sure the
  text references argument names after they have been declared.

Only the files touched have been reviewed, all other files likely have
similar issues.
Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 15 +++++------ doc/man-sections/generic-options.rst | 35 +++++++++++++++--------- doc/man-sections/link-options.rst | 38 +++++++++++++++++---------- doc/man-sections/protocol-options.rst | 2 +- src/openvpn/options.c | 2 +- 5 files changed, 56 insertions(+), 36 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index c5b7ad96..3c0bce4b 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -175,17 +175,16 @@ configuration. enabled. --inactive args + Valid syntaxes:: + + inactive n + inactive n bytes + Causes OpenVPN to exit after ``n`` seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet. The default value is 0 seconds, which disables this feature. - Valid syntaxes: - :: - - inactive n - inactive n bytes - If the optional ``bytes`` parameter is included, exit if less than ``bytes`` of combined in/out traffic are produced on the tun/tap device in ``n`` seconds. @@ -329,7 +328,7 @@ configuration. If hostname resolve fails for ``--remote``, retry resolve for ``n`` seconds before failing. - Set ``n`` to "infinite" to retry indefinitely. + Set ``n`` to :code:`infinite` to retry indefinitely. By default, ``--resolv-retry infinite`` is enabled. You can disable by setting n=0. @@ -348,7 +347,7 @@ configuration. --server-poll-timeout n When connecting to a remote server do not wait for more than ``n`` seconds for a response before trying the next server. The default value - is 120s. This timeout includes proxy and TCP connect timeouts. + is :code:`120`. This timeout includes proxy and TCP connect timeouts. --static-challenge args Enable static challenge/response protocol diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a8f049f2..c5d5fe62 100644 --- a/doc/man-sections/generic-options.rst 
+++ b/doc/man-sections/generic-options.rst @@ -48,7 +48,7 @@ which mode OpenVPN is configured as. Note: The SSL library will probably need /dev/urandom to be available inside the chroot directory ``dir``. This is because SSL libraries - occasionally need to collect fresh random. Newer linux kernels and some + occasionally need to collect fresh randomness. Newer linux kernels and some BSDs implement a getrandom() or getentropy() syscall that removes the need for /dev/urandom to be available. @@ -75,7 +75,7 @@ which mode OpenVPN is configured as. --config file Load additional config options from ``file`` where each line corresponds - to one command line option, but with the leading '--' removed. + to one command line option, but with the leading :code:`--` removed. If ``--config file`` is the only option to the openvpn command, the ``--config`` can be removed, and the command can be given as ``openvpn @@ -130,6 +130,11 @@ which mode OpenVPN is configured as. secret static.key --daemon progname + Valid syntaxes:: + + daemon + daemon progname + Become a daemon after all initialization functions are completed. This option will cause all message and error output to be sent to the syslog file (such as :code:`/var/log/messages`), except for the output of @@ -166,6 +171,8 @@ which mode OpenVPN is configured as. renegotiation (and reauthentication) occurs. --disable-occ + Disable "options consistency check" (OCC). + Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses ``--dev tun`` while the other peer uses ``--dev tap``. @@ -175,6 +182,11 @@ which mode OpenVPN is configured as. version. --engine engine-name + Valid syntaxes:: + + engine + engine engine-name + Enable OpenSSL hardware-based crypto engine functionality. If ``engine-name`` is specified, use a specific crypto engine. Use the 
@@ -221,16 +233,15 @@ which mode OpenVPN is configured as. May be used in order to execute OpenVPN in unprivileged environment. --keying-material-exporter args + Valid syntax:: + + keying-material-exporter label len + Save Exported Keying Material [RFC5705] of len bytes (must be between 16 and 4095 bytes) using ``label`` in environment (:code:`exported_keying_material`) for use by plugins in :code:`OPENVPN_PLUGIN_TLS_FINAL` callback. - Valid syntax: - :: - - keying-material-exporter label len - Note that exporter ``labels`` have the potential to collide with existing PRF labels. In order to prevent this, labels *MUST* begin with :code:`EXPORTER`. @@ -295,7 +306,7 @@ which mode OpenVPN is configured as. --remap-usr1 signal Control whether internally or externally generated :code:`SIGUSR1` signals are remapped to :code:`SIGHUP` (restart without persisting state) or - SIGTERM (exit). + :code:`SIGTERM` (exit). ``signal`` can be set to :code:`SIGHUP` or :code:`SIGTERM`. By default, no remapping occurs. @@ -372,14 +383,14 @@ which mode OpenVPN is configured as. consider using the ``--persist-key`` and ``--persist-tun`` options. --status args - Write operational status to ``file`` every ``n`` seconds. - - Valid syntaxes: - :: + Valid syntaxes:: status file status file n + Write operational status to ``file`` every ``n`` seconds. ``n`` defaults + to :code:`60` if not specified. + Status can also be written to the syslog by sending a :code:`SIGUSR2` signal. diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 32e72a1b..901751bb 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
@@ -51,13 +51,15 @@ the local and the remote host. UDP multicast stream which requires fragmentation. --keepalive args + Valid syntax:: + + keepalive interval timeout + A helper directive designed to simplify the expression of ``--ping`` and ``--ping-restart``. - Valid syntax: - :: - - keepalive interval timeout + Send ping once every ``interval`` seconds, restart if ping is not received + for ``timeout`` seconds. This option can be used on both client and server side, but it is enough to add this on the server side as it will push appropriate ``--ping`` @@ -96,7 +98,7 @@ the local and the remote host. ``--nobind`` option. --mark value - Mark encrypted packets being sent with value. The mark value can be + Mark encrypted packets being sent with ``value``. The mark value can be matched in policy routing and packetfilter rules. This option is only supported in Linux and does nothing on other operating systems. @@ -106,6 +108,11 @@ the local and the remote host. implements a multi-client server capability. --mssfix max + Valid syntaxes:: + + mssfix + mssfix max + Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not @@ -167,7 +174,7 @@ the local and the remote host. Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable - for peers which will be initiating connections by using the --remote + for peers which will be initiating connections by using the ``--remote`` option. --passtos 
@@ -191,6 +198,8 @@ the local and the remote host. (2) To provide a basis for the remote to test the existence of its peer using the ``--ping-exit`` option. + When using OpenVPN in server mode see also ``--keepalive``. + --ping-exit n Causes OpenVPN to exit after ``n`` seconds pass without reception of a ping or other packet from remote. This option can be combined with @@ -291,18 +300,19 @@ the local and the remote host. --replay-window args Modify the replay protection sliding-window size and time window. - Valid syntax: - :: + Valid syntaxes:: - replay-window n [t] + replay-window n + replay-window n t - Use a replay protection sliding-window of size **n** and a time window - of **t** seconds. + Use a replay protection sliding-window of size ``n`` and a time window + of ``t`` seconds. - By default **n** is 64 (the IPSec default) and **t** is 15 seconds. + By default ``n`` is :code:`64` (the IPSec default) and ``t`` is + :code:`15` seconds. - This option is only relevant in UDP mode, i.e. when either **--proto - udp** is specified, or no **--proto** option is specified. + This option is only relevant in UDP mode, i.e. when either ``--proto + udp`` is specified, or no ``--proto`` option is specified. When OpenVPN tunnels IP packets over UDP, there is the possibility that packets might be dropped or delivered out of order. Because OpenVPN, diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 1c6b1200..b3edc499 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst 
@@ -125,7 +125,7 @@ configured in a compatible way between both the local and remote side. configuration if supported by the client and otherwise switch to ``comp-lzo no`` and add ``--push comp-lzo`` to the client specific configuration. - ***Security Considerations*** + **Security Considerations** Compression and encryption is a tricky combination. If an attacker knows or is able to control (parts of) the plain-text of packets that contain diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ac13412a..c1ec7ed0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -343,7 +343,7 @@ static const char usage_message[] = " and received from TCP/UDP (caps) or tun/tap (lc)\n" " : 6 to 11 -- debug messages of increasing verbosity\n" "--mute n : Log at most n consecutive messages in the same category.\n" - "--status file n : Write operational status to file every n seconds.\n" + "--status file [n] : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" "--disable-occ : Disable options consistency check between peers.\n" From patchwork Thu Dec 9 06:11:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 2148 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 8HZzICY5smFjaAAAqwncew (envelope-from ) for ; Thu, 09 Dec 2021 12:13:10 -0500 Received: from proxy8.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id 0O1COyY5smEMcgAAfY0hYg (envelope-from ) for ; Thu, 09 Dec 2021 12:13:10 -0500 Received: from smtp22.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.ord1d.rsapps.net with LMTPS id qJPjOiY5smFfPgAAGdz6CA (envelope-from ) for ; Thu, 09 Dec 2021 12:13:10 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) 
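Review bot: in the --keying-material-exporter hunk the context line "Save Exported Keying Material [RFC5705] of len bytes" still leaves "len" unmarked while "label" is written as ``label`` and the new syntax line "keying-material-exporter label len" names both arguments; since this series is about consistent argument markup, ``len`` should be fixed in the same hunk.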
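Review bot: the --status hunk adds "``n`` defaults to :code:`60` if not specified", a concrete default that nothing else in this patch establishes; confirm it against the value initialised in src/openvpn/options.c, and if it is correct consider stating it in the usage_message line "--status file [n] : Write operational status to file every n seconds." that this same patch edits, so the two places stay in step. While there, check that the widened "--status file [n]" text still lines up with the ':' column of the neighbouring usage lines.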
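Review bot: the sentence added in the --keepalive hunk, "Send ping once every ``interval`` seconds, restart if ping is not received for ``timeout`` seconds.", states the expansion without the qualification made by the paragraph that follows it (it is enough to set the option on the server, which pushes the appropriate ``--ping`` values); make sure that paragraph still spells out the server-side expansion in full, otherwise readers will take the one-liner as the complete behaviour on both sides.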
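Review bot: "is :code:`120`." in the --server-poll-timeout hunk drops the unit that "120s" carried; the preceding sentence does say ``n`` seconds, but the --replay-window hunk in this same patch writes ":code:`15` seconds", so "is :code:`120` seconds." would be the consistent form.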
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Dec 2021 18:11:38 +0100
Message-Id: <20211209171138.8589-3-frank@lichtenheld.com>
In-Reply-To: <20211209171138.8589-1-frank@lichtenheld.com>
References: <20211209171138.8589-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH 3/3] doc/options: clean up documentation for --proto and related options

The family specific options were generally omitted.
---
 doc/man-sections/client-options.rst |  5 +++++
 doc/man-sections/link-options.rst   |  5 ++++-
 src/openvpn/options.c               | 17 +++++++++--------
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 3c0bce4b..3a836226 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 901751bb..a4c3166b 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -258,7 +258,10 @@ the local and the remote host. --proto p Use protocol ``p`` for communicating with remote host. ``p`` can be - :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. + :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. You can also + limit OpenVPN to use only IPv4 or only IPv6 by specifying ``p`` as + :code:`udp4`, :code:`tcp4-client`, :code:`tcp4-server` or :code:`udp6`, + :code:`tcp6-client`, :code:`tcp6-server`, respectively. The default protocol is :code:`udp` when ``--proto`` is not specified. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c1ec7ed0..c7cf3400 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -125,9 +125,11 @@ static const char usage_message[] = "--remote-random-hostname : Add a random string to remote DNS name.\n" "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n" "--proto p : Use protocol p for communicating with peer.\n" - " p = udp (default), tcp-server, or tcp-client\n" + " p = udp (default), tcp-server, tcp-client\n" + " udp4, tcp4-server, tcp4-client\n" + " udp6, tcp6-server, tcp6-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" - " p = udp6, tcp6-server, or tcp6-client (ipv6)\n" + " p = udp or tcp\n" "--connect-retry n [m] : For client, number of seconds to wait between\n" " connection retries (default=%d). On repeated retries\n" " the wait time is exponentially increased to a maximum of m\n" @@ -2314,15 +2316,16 @@ options_postprocess_verify_ce(const struct options *options, } if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { - msg(M_USAGE, "--mode server currently only supports " - "--proto udp or --proto tcp-server or proto tcp6-server"); +#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ + "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" + msg(M_USAGE, USAGE_VALID_SERVER_PROTOS); } #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && (ce->proto != PROTO_TCP_SERVER)) { msg(M_USAGE, "--port-share only works in TCP server mode " - "(--proto tcp-server or tcp6-server)"); + "(--proto values of tcp-server, tcp4-server, or tcp6-server)"); } #endif if (!options->tls_server) @@ -2366,9 +2369,7 @@ options_postprocess_verify_ce(const struct options *options, } if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { - msg(M_USAGE, - "--mode server currently only supports --proto udp or --proto " - "tcp-server or --proto tcp6-server"); + msg(M_USAGE, USAGE_VALID_SERVER_PROTOS); } if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) {
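Review bot: in the --proto-force hunk, "there is no difference to specifying :code:`udp`" should read "no difference from specifying :code:`udp`"; "inet family" is also unusual wording for a man page, and "address family (i.e. IPv4 vs. IPv6)" says the same thing in the terms the parenthesis already uses.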
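Review bot: "#define USAGE_VALID_SERVER_PROTOS" is introduced inside the body of options_postprocess_verify_ce, in the middle of an if-block, and then relied on by the hunk at line 2369 of the same function; a macro defined mid-function is easy to overlook, has no matching #undef, and its availability depends on the order of the two checks, so either hoist it to file scope next to the other usage strings or make it a static const char string declared at the top of the function.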
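Review bot: the second "msg(M_USAGE, USAGE_VALID_SERVER_PROTOS)" site is guarded by "proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER", and the first by proto_is_udp, yet the shared message names only "udp, tcp-server, tcp4-server, or tcp6-server"; the usage_message hunk earlier in this patch advertises udp4 and udp6 as valid --proto values, so if those pass the check the message should list them too (or say "udp, udp4, udp6, ..."), otherwise the error text contradicts the --proto help it was just aligned with.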