From patchwork Wed Feb 28 02:19:16 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 251
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 28 Feb 2018 14:19:16 +0100
Message-Id: <20180228131918.12954-1-davids@openvpn.net>
X-Mailer: git-send-email 2.13.5
Subject: [Openvpn-devel] [PATCH 1/3] man: Add .TQ groff support macro

This introduces the .TQ groff macro. Even though this can be found in newer groff versions, not all platforms we support carry this one. This macro makes it possible to have multiple lines of options as headers before describing all of these options in the same segment.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
 doc/openvpn.8 | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 364aee8a..bd9f2606 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -33,7 +33,15 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "31 January 2018" +.\" Support macros - this is not present on all platforms +.\" Continuation line for .TP header. +.de TQ +. br +. ns +. TP \\$1\" no doublequotes around argument! +.. +.\" End of TQ macro +.TH openvpn 8 "28 February 2018" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon.
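Review bot: the `.de TQ` in this hunk is unconditional, so on a platform whose man macro package already provides .TQ it silently replaces the native definition; that is harmless only because the body (`. br`, `. ns`, `. TP \\$1\" no doublequotes around argument!`) is the same definition groff's own an.tmac ships, and the comment should say so ("copied from groff's .TQ") rather than only "not present on all platforms", so the next reader can tell the override was deliberate. Minor: the .TH date bump to "28 February 2018" is unrelated to the support macro and would sit better in 2/3, which is the patch that changes the page's content.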
From patchwork Wed Feb 28 02:19:17 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 252
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 28 Feb 2018 14:19:17 +0100
Message-Id: <20180228131918.12954-2-davids@openvpn.net>
X-Mailer: git-send-email 2.13.5
In-Reply-To: <20180228131918.12954-1-davids@openvpn.net>
References: <20180228131918.12954-1-davids@openvpn.net>
Subject: [Openvpn-devel] [PATCH 2/3] man: Reword --management to prefer unix sockets over TCP

It is more secure to use unix sockets instead of TCP ports for the management interface, so reword it and provide some details on why TCP is not recommended. Also re-arranged this section to be somewhat easier to read and clearer on a few related details.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
This patch depends on the .TQ macro. If the support macro patch has not been applied, it will not render nicely on platforms not containing .TQ support.
---
 doc/openvpn.8 | 76 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index bd9f2606..a923da02 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2555,54 +2555,52 @@ the compression efficiency will be very low, triggering openvpn to disable compression for a period of time until the next re\-sample test. .\"********************************************************* .TP +.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended) +.TQ .B \-\-management IP port [pw\-file] -Enable a TCP server on -.B IP:port -to handle daemon management functions. -.B pw\-file, -if specified, -is a password file (password on first line) -or "stdin" to prompt from standard input. The password -provided will set the password which TCP clients will need -to provide in order to access management functions. +Enable a management server on a +.B socket\-name +Unix socket on those platforms supporting it, or on +a designated TCP port. -The management interface can also listen on a unix domain socket, -for those platforms that support it. To use a unix domain socket, specify -the unix socket pathname in place of -.B IP -and set -.B port -to 'unix'. While the default behavior is to create a unix domain socket -that may be connected to by any process, the +.B pw\-file +, if specified, is a password file where the password must be on first line. +Instead of a filename it can use the keyword stdin which will prompt the user +for a password to use when OpenVPN is starting. + +For unix sockets, the default behaviour is to create a unix domain socket +that may be connected to by any process. Use the .B \-\-management\-client\-user and .B \-\-management\-client\-group -directives can be used to restrict access. +directives to restrict access. -The management interface provides a special mode where the TCP -management link can operate over the tunnel itself. To enable this mode, -set -.B IP -= "tunnel". Tunnel mode will cause the management interface -to listen for a TCP connection on the local VPN address of the -TUN/TAP interface. 
+The management interface provides a special mode where the TCP management link +can operate over the tunnel itself. To enable this mode, set IP to +.B tunnel. +Tunnel mode will cause the management interface to listen for a +TCP connection on the local VPN address of the TUN/TAP interface. -While the management port is designed for programmatic control -of OpenVPN by other applications, it is possible to telnet -to the port, using a telnet client in "raw" mode. Once connected, -type "help" for a list of commands. +.B BEWARE +of enabling the management interface over TCP. In these cases you should +.I ALWAYS +make use of +.B pw\-file +to password protect the management interface. Any user who can connect to this +TCP +.B IP:port +will be able to manage and control (and interfere with) the OpenVPN process. +It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict +accessibility of the management server to local clients. -For detailed documentation on the management interface, see -the management\-notes.txt file in the -.B management -folder of -the OpenVPN source distribution. +While the management port is designed for programmatic control of OpenVPN by +other applications, it is possible to telnet to the port, using a telnet client +in "raw" mode. Once connected, type "help" for a list of commands. + +For detailed documentation on the management interface, see the +.I management\-notes.txt +file in the management folder of the OpenVPN source distribution. -It is strongly recommended that -.B IP -be set to 127.0.0.1 -(localhost) to restrict accessibility of the management -server to local clients. 
.TP .B \-\-management\-client Management interface will connect as a TCP/unix domain client to
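Review bot: `.B pw\-file` followed by a line that starts with `, if specified` renders as "pw-file , if specified" with a space before the comma, because the input line break becomes a space; keep the comma inside the argument as the removed line did (`.B pw\-file,`) or use `.BR pw\-file ,`. The same applies to `.B tunnel.`, which sets the full stop in bold; `.BR tunnel .` fixes it. Two wording nits in the added text: "must be on first line" wants "the first line", and "default behaviour" should match the "default behavior" spelling used in the removed text and the rest of the page. The BEWARE paragraph would land harder if it said why 127.0.0.1 matters: the management connection is plain TCP with no encryption, so the pw-file password and every command cross the network in clear text on a non-loopback bind.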
From patchwork Wed Feb 28 02:19:18 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 250
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 28 Feb 2018 14:19:18 +0100
Message-Id: <20180228131918.12954-3-davids@openvpn.net>
X-Mailer: git-send-email 2.13.5
In-Reply-To: <20180228131918.12954-1-davids@openvpn.net>
References: <20180228131918.12954-1-davids@openvpn.net>
Subject: [Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password

It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface. Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth
Acked-By: Arne Schwabe
---
 src/openvpn/options.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 41a42cf2..e0c0894b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (!(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /*
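Review bot: the condition only tests MF_UNIX_SOCK and management_user_pass, so it also fires when --management-client is set (visible at the end of the 2/3 context: OpenVPN then connects out as a TCP/unix client and opens no listening port), where "Using --management on a TCP port" is misleading; exclude that mode or reword the message. It also treats a 127.0.0.1 bind and a 0.0.0.0 bind the same, while 2/3 singles out 127.0.0.1 as the safe choice; printing the configured address in the message, or escalating a non-loopback bind without password to M_USAGE, would match the man page. Minor: if options_postprocess_verify_ce runs once per connection entry, this warning is repeated for every <connection> block.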
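The condition 3/3 warns about, together with the 2/3 advice (prefer a unix socket, restrict it with management-client-user/-group, bind TCP to 127.0.0.1, always set pw-file), as a configuration audit in Python. This is an added example, not OpenVPN's own code. It assumes the option syntax shown in the 2/3 hunk, that a third argument (a pw-file path or the keyword stdin) means a password is set, that whole-line `#`/`;` comments are the only comment form, that the name `localhost` is loopback, and, following the --management-client line at the end of 2/3, that client mode opens no listening port and is left alone. The sample configs are constructed for the example.

```python
"""Audit OpenVPN config text for the --management pitfalls in this series.

Added example, not OpenVPN's own code.  Assumptions: the option syntax from
the 2/3 man page hunk ('management IP port [pw-file]' and
'management socket-name unix [pw-file]'), whole-line '#'/';' comments only,
'localhost' means loopback, and --management-client mode opens no port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "error", "warning" or "info"
    message: str


def parse_options(config_text):
    """Split config text into (option, [args]) pairs, skipping blank/comment lines."""
    options = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        options.append((parts[0], parts[1:]))
    return options


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost' (assumption)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_management(config_text):
    """Return Findings for each 'management' line: the 3/3 condition (TCP
    without pw-file) plus the 2/3 advice (loopback bind, restricted unix socket)."""
    options = parse_options(config_text)
    present = {name for name, _ in options}
    findings = []
    for name, args in options:
        if name != "management":
            continue
        if len(args) < 2:
            findings.append(Finding("error", "management needs 'IP port' or 'socket-name unix'"))
            continue
        addr, port = args[0], args[1]
        has_password = len(args) >= 3  # third arg is a pw-file path or the keyword 'stdin'
        if port == "unix":
            if not ({"management-client-user", "management-client-group"} & present):
                findings.append(Finding(
                    "info",
                    f"unix socket {addr} is connectable by any local process; "
                    "add management-client-user/-group to restrict it"))
            continue
        if "management-client" in present:
            # OpenVPN connects out to a management server; no listening port is opened.
            continue
        if not has_password:
            findings.append(Finding(
                "error",
                f"TCP management on {addr}:{port} without pw-file "
                "(the condition 3/3 warns about; STRONGLY discouraged)"))
        if addr == "tunnel":
            findings.append(Finding(
                "warning",
                "tunnel mode listens on the local VPN address, so VPN peers can reach "
                "the management port; the protocol itself is unencrypted"))
        elif not is_loopback(addr):
            findings.append(Finding(
                "warning",
                f"management bound to non-loopback {addr}; 2/3 recommends 127.0.0.1 "
                "because the password and commands travel in clear text"))
    return findings


# Constructed sample configs (not from the original page).
INSECURE_CONFIG = """\
# listens on every interface, no password
dev tun
management 0.0.0.0 7505
"""

RECOMMENDED_CONFIG = """\
dev tun
; unix socket, only root may connect
management /run/openvpn/server.sock unix
management-client-user root
management-client-group root
"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_management(text) or [Finding("ok", "no management findings")]:
            print(f"  [{f.severity}] {f.message}")
```

Run it against a real server.conf by reading the file into `audit_management`; an "error" finding is the exact situation 3/3 makes OpenVPN warn about at startup, while the "warning" and "info" findings cover what the reworded man page recommends but the daemon does not check.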