From patchwork Mon Dec 8 11:42:18 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4660
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Dec 2025 12:42:18 +0100
Message-ID: <20251208114224.10223-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v2] Documentation: Various syntax fixes and text improvements

From: Frank Lichtenheld

This started as a fix for OpenVPN/openvpn#606 but while reviewing the
documentation referenced from there I identified more and more issues.

There are a few classes of changes in here:

- Fix wrong `...` syntax, which makes no sense in rst.
- Remove some very old references to OpenVPN v1 behavior.
- Fix typos or other small text issues.

Note: The usage of ``...`` vs :code:`...` is very inconsistent, but
fixing that is outside of the scope of this patch. I have tried to
make it at least locally consistent.

Github: Fixes #606
Change-Id: Iee535f1502ab3dcb7bde7f2593c2e122d27d9189
Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1414 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1414 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 1285e82..1023236 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -30,13 +30,13 @@ and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM mode and does not have ``--ncp-disable`` will always announce support for -`AES-256-GCM` and `AES-128-GCM` to a server by sending :code:`IV_NCP=2`. +``AES-256-GCM`` and ``AES-128-GCM`` to a server by sending :code:`IV_NCP=2`. This only causes a problem if ``--ncp-ciphers`` option has been changed from the default of :code:`AES-256-GCM:AES-128-GCM` to a value that does not include -these two ciphers. When an OpenVPN server tries to use `AES-256-GCM` or -`AES-128-GCM` the connection will then fail. It is therefore recommended to -always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the ``--ncp-ciphers`` +these two ciphers. When an OpenVPN server tries to use ``AES-256-GCM`` or +``AES-128-GCM`` the connection will then fail. It is therefore recommended to +always have the ``AES-256-GCM`` and ``AES-128-GCM`` ciphers to the ``--ncp-ciphers`` options to avoid this behaviour. OpenVPN 3 clients 
@@ -45,7 +45,7 @@ do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. These clients will always announce support for all their supported AEAD ciphers -(`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`). +(``AES-256-GCM``, ``AES-128-GCM`` and in newer versions also ``Chacha20-Poly1305``). To support OpenVPN 3.x based clients at least one of these ciphers needs to be included in the server's ``--data-ciphers`` option. @@ -66,12 +66,12 @@ OpenVPN 2.4 server `````````````````` -When a client indicates support for `AES-128-GCM` and `AES-256-GCM` +When a client indicates support for ``AES-128-GCM`` and ``AES-256-GCM`` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what the cipher is. To emulate the behaviour of an OpenVPN 2.4 client as close as possible and have compatibility to a setup that depends on this quirk, -adding `AES-128-GCM` and `AES-256-GCM` to the client's ``--data-ciphers`` +adding ``AES-128-GCM`` and ``AES-256-GCM`` to the client's ``--data-ciphers`` option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if those ciphers are present. @@ -90,10 +90,10 @@ Blowfish in CBC mode (BF-CBC) deprecation ````````````````````````````````````````` -The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older +The ``--cipher`` option defaulted to ``BF-CBC`` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` -is not explicitly set it does not allow the weak `BF-CBC` cipher any more +is not explicitly set it does not allow the weak ``BF-CBC`` cipher any more and needs to explicitly added as ``--cipher BFC-CBC`` or added to ``--data-ciphers``. 
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index e8523d9..ca4c8e9 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -437,8 +437,8 @@ This may be set by the client UI/GUI using ``--setenv``. On Windows systems it is automatically determined by openvpn itself. On other platforms OpenVPN will default to sending - the information returned by the `uname()` system call in - the `release` field, which is usually the currently running + the information returned by the ``uname()`` system call in + the ``release`` field, which is usually the currently running kernel version. This is highly system specific, though. :code:`UV_=` diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 31ca0c1..7bd322d 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst 
@@ -12,29 +12,26 @@ ------------ 1. Install openvpn - Compile from source-code (see `INSTALL` file) or install via a distribution (apt/yum/ports) + Compile from source-code (see ``INSTALL`` file) or install via a distribution (apt/yum/ports) or via installer (Windows). -2. Generate a self-signed certificate for the server: - :: +2. Generate a self-signed certificate for the server:: openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate Use the OpenSSL command line utility to view the fingerprint of just - created certificate: - :: + created certificate:: openssl x509 -fingerprint -sha256 -in server.crt -noout - This outputs something similar to: - :: + This outputs something similar to:: SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff -4. Write a server configuration (`server.conf`):: +4. Write a server configuration (``server.conf``):: # The server certificate we created in step 1 cert server.crt @@ -73,10 +70,8 @@ 5. Add at least one client as described in the client section. 6. Start the server. - - On systemd based distributions move `server.crt`, `server.key` and - `server.conf` to :code:`/etc/openvpn/server` and start it via systemctl - - :: + - On systemd based distributions move ``server.crt``, ``server.key`` and + ``server.conf`` to ``/etc/openvpn/server`` and start it via systemctl:: sudo mv server.conf server.key server.crt /etc/openvpn/server @@ -94,8 +89,7 @@ openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look - something like this: - :: + something like this:: -----BEGIN PRIVATE KEY----- [base64 content] 
@@ -107,9 +101,7 @@ 3. Create a new client configuration file. In this example we will name the file - `alice.ovpn`: - - :: + ``alice.ovpn``:: # The name of your server to connect to remote yourserver.example.net @@ -146,24 +138,19 @@ 4. Generate the fingerprint of the client certificate. For that we will let OpenSSL read the client configuration file as the x509 command will - ignore anything that is not between the begin and end markers of the certificate: - - :: + ignore anything that is not between the begin and end markers of the certificate:: openssl x509 -fingerprint -sha256 -noout -in alice.ovpn - This will again output something like - :: + This will again output something like:: SHA256 Fingerprint=ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 -5. Edit the `server.conf` configuration file and add this new client +5. Edit the ``server.conf`` configuration file and add this new client fingerprint as additional line between :code:`` and :code:`` - After adding *two* clients the part of configuration would look like this: - - :: + After adding *two* clients the part of configuration would look like this:: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 
@@ -172,15 +159,13 @@ 6. (optional) if the client is an older client that does not support the :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3 - and older), the client config `alice.ovpn` can be modified to still work with + and older), the client config ``alice.ovpn`` can be modified to still work with these clients. Remove the line starting with :code:`peer-fingerprint`. Then add a new :code:`` section at the end of the configuration file - with the contents of the :code:`server.crt` created in step 2 of the - server setup. The end of `alice.ovpn` file should like: - - :: + with the contents of the ``server.crt`` created in step 2 of the + server setup. The end of ``alice.ovpn`` file should look like:: [...] # Beginning of the file skipped diff --git a/doc/man-sections/examples.rst b/doc/man-sections/examples.rst index 94cc726..80ef2df 100644 --- a/doc/man-sections/examples.rst +++ b/doc/man-sections/examples.rst @@ -132,7 +132,7 @@ ping 10.4.0.1 -Note: This example use a elliptic curve (`secp384`), which allows +Note: This example use a elliptic curve (``secp384``), which allows ``--dh`` to be set to ``none``. Example 3: A tunnel with full PKI and TLS-based security diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 6eac14c..52ce5a8 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -185,7 +185,7 @@ :code:`AES-192-CBC`. Cipher negotiation is enabled in client-server mode only. I.e. if - ``--mode`` is set to `server` (server-side, implied by setting + ``--mode`` is set to ``server`` (server-side, implied by setting ``--server`` ), or if ``--pull`` is specified (client-side, implied by setting ``--client``). diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index cadd464..58baf1e 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst 
@@ -149,7 +149,7 @@ :code:`auth_pending_file`. The first line must be the timeout in seconds, the required method on the second line (e.g. crtext) and third line must be the EXTRA as documented in the - ``client-pending-auth`` section of `doc/management.txt`. + ``client-pending-auth`` section of ``doc/management.txt``. This directive is designed to enable a plugin-style interface for extending OpenVPN's authentication capabilities. @@ -588,7 +588,7 @@ *--auth-user-pass username* Same as Common Name, with one exception: - starting with OpenVPN 2.0.1, the username is passed to the + The username is passed to the :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plugin in its raw form, without string remapping. @@ -597,11 +597,9 @@ a character which will cause the C library isprint() function to return true. -*--client-config-dir filename as derived from common name or`username* - Alphanumeric, underbar ('\_'), dash ('-'), and dot ('.') except for "." - or ".." as standalone strings. As of v2.0.1-rc6, the at ('@') character - has been added as well for compatibility with the common name character - class. +*--client-config-dir filename as derived from common name or username* + Alphanumeric, underbar ('\_'), dash ('-'), at ('@'), and dot ('.') + except for "." or ".." as standalone strings. *Environmental variable names* Alphanumeric or underbar ('\_'). @@ -620,7 +618,7 @@ Once set, a variable is persisted indefinitely until it is reset by a new value or a restart, -As of OpenVPN 2.0-beta12, in server mode, environmental variables set by +In server mode, environmental variables set by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issues with scripts having access to stale, previously set variables which refer to different client 
@@ -861,7 +859,7 @@ :code:`route_ipv6_{parm}_{n}` A set of variables which define each IPv6 route to be added, and are - set prior to **--up** script execution. + set prior to ``--up`` script execution. ``parm`` will be one of :code:`network`, :code:`gateway` or :code:`metric`. ``route_ipv6_network_{n}`` contains :code:`netmask` @@ -877,9 +875,9 @@ :code:`route_redirect_gateway_ipv4` :code:`route_redirect_gateway_ipv6` - Set to `1` if the corresponding default gateway should be redirected - into the tunnel, and to `2` if also the local LAN segment should be - blocked (`block-local`). Not set otherwise. Set prior to **--up** script + Set to :code:`1` if the corresponding default gateway should be redirected + into the tunnel, and to :code:`2` if also the local LAN segment should be + blocked (:code:`block-local`). Not set otherwise. Set prior to ``--up`` script execution. :code:`script_context` diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 3760694..370c670 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -509,7 +509,7 @@ ``--rcvbuf``, ``--session-timeout`` Note: using ``--push`` requires OpenVPN to run in ``--mode server`` (or - using of one of `--server`, `--server-bridge` helper directives). + using of one of ``--server``, ``--server-bridge`` helper directives). --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 01e8e5b..35617aa 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst 
@@ -7,7 +7,7 @@ connections. :code:`SIGUSR1` - Like :code:`SIGHUP``, except don't re-read configuration file, and + Like :code:`SIGHUP`, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 63cb32f..846dfdd 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -220,7 +220,7 @@ Local peer's private key in .pem format or a URI. Use the private key which was generated when you built your peer's certificate (see ``--cert file`` above). URI is supported only when built with OpenSSL 3.0 - or later and any required providers are loaded. (See `--cert` for more details). + or later and any required providers are loaded. (See ``--cert`` for more details). --pkcs12 file Specify a PKCS #12 file containing local private key, local certificate, @@ -390,7 +390,7 @@ by using ``--ecdh-curve``, the groups for ecdh will also be picked from this list. - OpenVPN maps the curve name `secp256r1` to `prime256v1` to allow + OpenVPN maps the curve name ``secp256r1`` to ``prime256v1`` to allow specifying the same tls-groups option for mbedTLS and OpenSSL. Warning: this option not only affects elliptic curve certificates @@ -404,7 +404,7 @@ The following profiles are supported: :code:`insecure` - Identical for mbed TLS to `legacy` + Identical for mbed TLS to :code:`legacy` :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. 
@@ -433,7 +433,7 @@ OpenVPN will migrate to 'preferred' as default in the future. Please ensure that your keys already comply. -*WARNING:* ``--tls-ciphers``, ``--tls-ciphersuites`` and ``tls-groups`` +*WARNING:* ``--tls-cipher``, ``--tls-ciphersuites`` and ``tls-groups`` These options are expert features, which - if used correctly - can improve the security of your VPN connection. But it is also easy to unwittingly use them to carefully align a gun with your foot, or just @@ -442,7 +442,7 @@ --tls-cipher l A list ``l`` of allowable TLS ciphers delimited by a colon (":code:`:`"). - These setting can be used to ensure that certain cipher suites are used + This setting can be used to ensure that certain cipher suites are used (or not used) for the TLS connection. OpenVPN uses TLS to secure the control channel, over which the keys that are used to protect the actual VPN traffic are exchanged. @@ -452,7 +452,7 @@ OpenSSL and/or mbed TLS documentation for details on the cipher list interpretation. - For OpenSSL, the ``--tls-cipher`` is used for TLS 1.2 and below. + For OpenSSL, the ``--tls-cipher`` option is used for TLS 1.2 and below. Use ``--show-tls`` to see a list of TLS ciphers supported by your crypto library. @@ -466,7 +466,7 @@ Same as ``--tls-cipher`` but for TLS 1.3 and up. mbed TLS has no TLS 1.3 support yet and only the ``--tls-cipher`` setting is used. - The default for `--tls-ciphersuites` is to use the crypto library's + The default for ``--tls-ciphersuites`` is to use the crypto library's default. --tls-client diff --git a/doc/man-sections/virtual-routing-and-forwarding.rst b/doc/man-sections/virtual-routing-and-forwarding.rst index db5f1ab..bb599fc 100644 --- a/doc/man-sections/virtual-routing-and-forwarding.rst +++ b/doc/man-sections/virtual-routing-and-forwarding.rst 
@@ -35,7 +35,7 @@ ip link set master vrf_external dev eth0 Any prefixes configured on :code:`eth0` will be moved from the :code`main` -routing table into routing table `1023` +routing table into routing table :code:`1023` VRF setup with ifupdown diff --git a/doc/openvpn.8.rst b/doc/openvpn.8.rst index 81cfe27..65130b1 100644 --- a/doc/openvpn.8.rst +++ b/doc/openvpn.8.rst @@ -161,7 +161,7 @@ COPYRIGHT ========= -Copyright (C) 2002-2020 OpenVPN Inc This program is free software; you +Copyright (C) 2002-2025 OpenVPN Inc This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 8501693..741f40a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4108,8 +4108,8 @@ show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false); printf("\n" - "Be aware that that whether a cipher suite in this list can actually work\n" - "depends on the specific setup of both peers. See the man page entries of\n" + "Note: Whether a cipher suite in this list can actually work depends\n" + "on the specific setup of both peers. See the man page entries of\n" "--tls-cipher and --show-tls for more details.\n\n"); }
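Review bot: In the cipher-negotiation.rst hunk at @@ -30,13, the last changed line still reads "always have the ``AES-256-GCM`` and ``AES-128-GCM`` ciphers to the ``--ncp-ciphers`` options", which is ungrammatical; since the line is being touched anyway, suggest "always add the ``AES-256-GCM`` and ``AES-128-GCM`` ciphers to the ``--ncp-ciphers`` option". The context line "This only causes a problem if ``--ncp-ciphers`` option has been changed" is also missing "the" before ``--ncp-ciphers``.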
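Review bot: In the cipher-negotiation.rst hunk at @@ -90,10, the unchanged context line "and needs to explicitly added as ``--cipher BFC-CBC``" has both a grammar slip and a typo in the cipher name: it should read "and needs to be explicitly added as ``--cipher BF-CBC``", matching the ``BF-CBC`` spelling used two lines above. Since the commit message lists "Fix typos" as one of the classes of changes, this line is worth folding into the same hunk.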
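Review bot: In the example-fingerprint.rst hunk at @@ -12,29, the context comment in the server configuration, "# The server certificate we created in step 1", points at the wrong step: the certificate is generated in step 2 ("Generate a self-signed certificate for the server"), while step 1 is the installation. Suggest "# The server certificate we created in step 2".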
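Review bot: In the example-fingerprint.rst hunk at @@ -94,8, the context line "This generate a certificate and a key for the client." should read "This generates a certificate and a key for the client."; a one-word fix that fits the "small text issues" scope of this patch.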
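Review bot: The examples.rst hunk at @@ -132,7 rewrites "Note: This example use a elliptic curve (``secp384``)" but keeps the grammar error; suggest "Note: This example uses an elliptic curve (``secp384``)". It is also worth checking whether the curve name should be ``secp384r1``, which is the name passed as ``-pkeyopt ec_paramgen_curve:secp384r1`` in the example-fingerprint.rst hunks of this same patch.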
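Review bot: In the tls-options.rst hunk at @@ -433,7, the added line corrects ``--tls-ciphers`` to ``--tls-cipher`` but leaves ``tls-groups`` without the leading dashes, unlike its two siblings on the same line; suggest "*WARNING:* ``--tls-cipher``, ``--tls-ciphersuites`` and ``--tls-groups``" so all three are spelled as the options they name.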
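Review bot: In the virtual-routing-and-forwarding.rst hunk at @@ -35,7, the context line "will be moved from the :code`main`" is missing the colon after ``:code`` (it should be ``:code:`main```), which is exactly the kind of rst role syntax error this patch sets out to fix; the changed line "routing table into routing table :code:`1023`" also ends without a period. Suggest fixing both in this hunk.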
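Review bot: In the openvpn.8.rst hunk at @@ -161,7, the updated line "Copyright (C) 2002-2025 OpenVPN Inc This program is free software" runs two sentences together; since the line is changed anyway, suggest "Copyright (C) 2002-2025 OpenVPN Inc. This program is free software".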
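Review bot: The src/openvpn/ssl.c hunk at @@ -4108,8 changes the text printed by ``--show-tls``, but the commit subject ("Documentation: Various syntax fixes and text improvements") and the commit body only describe changes under doc/; either mention the ``--show-tls`` output change in the commit message or split it into its own commit so the code change is visible in the history. The new wording itself reads fine and removes the doubled "that that".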