From patchwork Thu Apr 2 12:04:35 2026
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4866
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Arne Schwabe
Date: Thu, 2 Apr 2026 14:04:35 +0200
Message-ID: <20260402120435.39983-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v1] doc: Remove some explanations for pre-2.3 configurations

Just streamline the documentation a bit.

Change-Id: Ieaaf3a79642c8f7914f9bfc6762ad601c4f5695b
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1603
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1603
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 8132b48..415b81f 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -43,11 +43,11 @@ however complications can result when scripts or restarts are executed after the chroot operation. - Note: The SSL library will probably need /dev/urandom to be available + Note: The SSL library will probably need ``/dev/urandom`` to be available inside the chroot directory ``dir``. This is because SSL libraries occasionally need to collect fresh randomness. Newer linux kernels and some BSDs implement a getrandom() or getentropy() syscall that removes the - need for /dev/urandom to be available. + need for ``/dev/urandom`` to be available. --compat-mode version This option provides a convenient way to alter the defaults of OpenVPN @@ -170,9 +170,7 @@ Note: as soon as OpenVPN has daemonized, it can not ask for usernames, passwords, or key pass phrases anymore. This has certain consequences, namely that using a password-protected private key will fail unless the - ``--askpass`` option is used to tell OpenVPN to ask for the pass phrase - (this requirement is new in v2.3.7, and is a consequence of calling - daemon() before initializing the crypto layer). + ``--askpass`` option is used to tell OpenVPN to ask for the pass phrase. Further, using ``--daemon`` together with ``--auth-user-pass`` (entered on console) and ``--auth-nocache`` will fail as soon as key 
@@ -330,32 +328,22 @@ OpenVPN releases before v2.3 also supported a ``method`` flag which indicated how OpenVPN should call external commands and scripts. This could be either :code:`execve` or :code:`system`. As of OpenVPN 2.3, this - flag is no longer accepted. In most \*nix environments the execve() - approach has been used without any issues. + flag is no longer accepted. Some directives such as ``--up`` allow options to be passed to the external script. In these cases make sure the script name does not contain any spaces or the configuration parser will choke because it can't determine where the script name ends and script options start. - To run scripts in Windows in earlier OpenVPN versions you needed to - either add a full path to the script interpreter which can parse the - script or use the ``system`` flag to run these scripts. As of OpenVPN - 2.3 it is now a strict requirement to have full path to the script + On Windoes it is a strict requirement to have the full path to the script interpreter when running non-executables files. This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For example, - if you have a Visual Basic script, you must use this syntax now: - - :: + if you have a Visual Basic script, you must use this syntax:: --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs' Please note the single quote marks and the escaping of the backslashes - (\\) and the space character. - - The reason the support for the :code:`system` flag was removed is due to - the security implications with shell expansions when executing scripts - via the :code:`system()` call. + (``\\``) and the space character. --setcon context Apply SELinux ``context`` after initialization. This essentially
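
Review bot: in the first hunk (@@ -43,11 +43,11 @@) the two /dev/urandom mentions gain literal markup, but getrandom() and getentropy() in the same note stay plain text. Since the paragraph is being touched anyway, mark those two up as literals as well so the chroot note is consistent, and capitalise "linux" in "Newer linux kernels".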
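
Review bot: the added line "On Windoes it is a strict requirement to have the full path to the script" in the last hunk (@@ -330,32 +328,22 @@) misspells "Windows", and the context line right after it still reads "non-executables files"; please fix both ("On Windows", "non-executable files") in this revision. The same hunk also deletes the paragraph explaining that the system flag was removed because of shell expansion when scripts are run through system(), while the text above keeps the mention of the old method flag; a one-sentence rationale next to "this flag is no longer accepted" would keep the security reason visible to readers who still find the flag in old configurations.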