[Openvpn-devel] Manpage Plus Alpha Directives Index

2015-06-02 Thread debbie10t

Hi,

from what I could gather .. the developer mailing list appears to be
the preferred method of submittal for this sort of change.
https://community.openvpn.net/openvpn/wiki/Contributing#Writingdocumentation

So, I offer this document for review as a new HTTP manual page.
I have checked it thoroughly but there may still be mistakes ...

I have added an alphabetic index of all Openvpn directives at the end
(as directed by Samuli, after the man2html ending)
but there are index markers in the manual text as well

I have also tried to improve some of the formatting a little by

* changing '' to ''
(That change may have been a bad idea ..
but all the unterminated s played havoc with my html editor)

* tidied up some of the  formatting to  as
 does not wrap and  does.
I can do the rest if it is considered suitable
example: --script-security > --up example

* added  to some of the  text
to increase indentation
Example:  profile example

* Swapped around these two items

--link-mtu
--redirect-private

as they appear to be in the wrong order to me.

Many of these changes may be over-written by man2html
which is why I submit it here instead.

Preview it on the wiki
Regards
Rich


=== Begin ===


{{{#!comment
Editors note: awk code to clean up man2html output to remove un-wanted
localhost URIs:
https://gist.github.com/QueuingKoala/5985986
}}}

{{{
#!html
openvpn
Section: Maintenance Commands (8)

 
NAME

openvpn - secure IP tunnel daemon.



 
SYNOPSIS

openvpn [ options ... ]



 
INTRODUCTION

OpenVPN is an open source VPN daemon by James Yonan.
Because OpenVPN tries to be a universal VPN tool offering
a great deal of flexibility, there are a lot of options
on this manual page.  If you're new to OpenVPN, you might
want to skip ahead to the examples section where you will
see how to construct simple VPNs on the command line without
even needing a configuration file.



Also note that there's more documentation and examples on
the OpenVPN web site:
http://openvpn.net/



And if you would like to see a shorter version of this manual,
see the openvpn usage message which can be obtained by
running openvpn without any parameters.



 
DESCRIPTION

OpenVPN is a robust and highly flexible VPN daemon.
OpenVPN supports SSL/TLS security, ethernet bridging,
TCP or UDP tunnel transport through proxies or NAT,
support for dynamic IP addresses and DHCP,
scalability to hundreds or thousands of users,
and portability to most major OS platforms.



OpenVPN is tightly bound to the OpenSSL library, and derives much
of its crypto capabilities from it.



OpenVPN supports conventional encryption using a pre-shared secret key
(Static Key mode) or public key security (SSL/TLS mode)
using client & server certificates. OpenVPN also supports non-encrypted
TCP/UDP tunnels.



OpenVPN is designed to work with the TUN/TAP
virtual networking interface that exists on most platforms.



Overall, OpenVPN aims to offer many of the key features of
IPSec but with a relatively lightweight footprint.

 
OPTIONS

OpenVPN allows any option to be placed either on the command line
or in a configuration file.  Though all command line options are preceded
by a double-leading-dash ("--"), this prefix can be removed when
an option is placed in a configuration file.




 
--help

Show options.




--config file

Load additional config options from file
where each line corresponds to one command line option,
but with the leading '--' removed.

If --config file is the only option to the openvpn command, the
--config can be removed, and the command can be given as

openvpn file



Note that configuration files can be nested to a reasonable depth.



Double quotation or single quotation characters ("", '')
can be used to enclose single parameters containing whitespace,
and "#" or ";" characters in the first column
can be used to denote comments.



Note that OpenVPN 2.0 and higher performs backslash-based shell
escaping for characters not in single quotations,
so the following mappings should be observed:


\\        Maps to a single backslash character (\).
\"        Pass a literal doublequote character ("),
          don't interpret it as enclosing a parameter.
\[SPACE]  Pass a literal space or tab character,
          don't interpret it as a parameter delimiter.


For example on Windows, use double backslashes to represent pathnames:


secret "c:\\OpenVPN\\secret.key"


For examples of configuration files, see
http://openvpn.net/examples.html

Here is an example configuration file:


#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun

# Our remote peer
remote mypeer.mydomain

# 10.1.0.1 is our local VPN endpoint
# 10.1.0.2 is our remote VPN endpoint
ifconfig 10.1.0.1 10.1.0.2

# Our pre-shared static key
secret static.key





 
Tunnel Options:



 
--mode m

Set OpenVPN major mode.  By 
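
The quoting, comment and backslash rules from the --config text above, modelled as an added example; it is not part of the original message and is not OpenVPN's own parser. Rejecting backslash sequences other than the three listed mappings is a choice of this example, and the sample lines and paths are constructed.

```python
ESCAPABLE = ("\\", '"', " ", "\t")  # the mappings listed in the manual text

def tokenize(line):
    """Split one config-file line into parameters."""
    line = line.rstrip("\r\n")
    if line[:1] in ("#", ";"):              # comment marker in the first column
        return []
    tokens, cur, quote, started = [], [], None, False
    i = 0
    while i < len(line):
        ch = line[i]
        if quote and ch == quote:           # closing quote
            quote = None
        elif quote == "'":                  # inside '...': everything is literal
            cur.append(ch)
        elif ch == "\\":                    # escapes apply outside single quotes
            nxt = line[i + 1:i + 2]
            if nxt not in ESCAPABLE:
                # Choice made by this example: reject unlisted escapes.
                raise ValueError("bad backslash at column %d" % (i + 1))
            cur.append(nxt)
            started = True
            i += 1
        elif not quote and ch in ("'", '"'):    # opening quote
            quote, started = ch, True
        elif not quote and ch in (" ", "\t"):   # delimiter between parameters
            if started:
                tokens.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if quote:
        raise ValueError("unterminated %s quote" % quote)
    if started:
        tokens.append("".join(cur))
    return tokens

def parse_config(text):
    """Tokenize a whole file, dropping comment and blank lines."""
    return [t for t in map(tokenize, text.splitlines()) if t]

# Constructed sample lines (not from a real deployment).
SAMPLE = r'''# static-key tunnel
dev tun
secret "c:\\OpenVPN\\secret.key"
ca /etc/openvpn/my\ ca.crt
'''
```

With this model, `parse_config(SAMPLE)` yields one parameter for each path, while an unescaped space in a path splits it into two parameters and an unquoted single-backslash Windows path raises an error.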

[Openvpn-devel] [PATCH applied] Re: Fix FreeBSD ifconfig for topology subnet tunnels.

2015-06-02 Thread Gert Doering
Lazy-ACK.  5 weeks on the list, no concerns (except from David about
endianness, which I've tested for - i386 and sparc64).

Patch has been applied to the master and release/2.3 branch.

commit 60fd44e501f2002459a49c6c9bc64370ea26ca87 (master)
commit e1182281f41ccd6c5820a13dad4382841f4832e6 (release/2.3)

Author: Gert Doering
Date:   Sun Apr 26 20:03:58 2015 +0200

 Fix FreeBSD ifconfig for topology subnet tunnels.

 Signed-off-by: Gert Doering 
 Acked-by: Gert Doering 
 Message-Id: <1430071438-31675-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9606


--
kind regards,

Gert Doering




[Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-02 Thread Jonathan K. Bullard
This is a new thread with version 2 of the patch; the first submission
included the wrong .patch file and was withdrawn.

The attached patch causes an error if an option has extra
parameters; previously they were ignored (ticket #557 at
https://community.openvpn.net/openvpn/ticket/557).

This feature was discussed on the openvpn-devel mailing list (
http://thread.gmane.org/gmane.network.openvpn.devel/9599).

The patch is for the master branch only -- the consensus of the
mailing list discussion was that the patch should not be included in
the 2.3 branch.

The (modified) message "Unrecognized option or missing or extra
parameter(s)" is used except for a few options:

 * The --help option: An extra parameter for --help generates a
specific error message after showing the syntax message. This is done
to help a user who tries "--help tls-cipher" or similar, hoping to get
more information about the "tls-cipher" option.

 * The --dhcp-option option: It has its own similar message, into
which " or extra" has been inserted.

 * Ten options such as --up that accept a command (instead of a
path) already detect extra parameters and generate specific error
messages that mention double-quoting commands which contain imbedded
spaces.


extra-parameters-v2.patch
Description: Binary data


Re: [Openvpn-devel] How to create openvpn channel between multiple interface linux machines.

2015-06-02 Thread Jan Just Keijser

Arun Kumar wrote:

Hi,
I have two ubuntu machine say host1 and host2.
Each have two interfaces say eth0 and eth1.
I want to create separate openvpn channels between the interfaces of
two hosts.
i tried openvpn and create secure key. and add eth0 and eth1 in config 
file, but only one vpn channel created.

what is my mistake and how to make it.
please help me on this.


you will need two instances of openvpn for this
1) set up openvpn on one end, bind it to the IP address of eth0; assign 
it its own VPN IP address e.g. 10.200.0.1
2) create the first "client" that connects the IP address of eth0 
(--remote 

3) set up the second openvpn listener, bind it to the IP address of 
eth1; assign it its own VPN IP address e.g. 10.201.0.1
4) create the second "client" that connects the IP address of eth1 
(--remote 

if this does not work, post your configs and log files and perhaps we
can help you further.


JJK





Re: [Openvpn-devel] Topics for next Monday's (1st Jun 2015) community meeting

2015-06-02 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Monday 1st Jun 2015
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting is scheduled to two weeks from this meeting:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock and syzzer participated in this meeting

---

Discussed the way Trac ticket fields should be used. The proposal made by 
mattock was accepted as-is:



--

Discussed the "Make check doesn't play nicely with automake 1.12 and up" issue:



It was agreed to use the configure.ac hack from libguestfs instead of patching 
the buildslaves only. This way our users won't have to be so careful about 
their automake versions.

--

Discussed the OpenVPN 2.3.7 release. Some tickets which had no easy resolution 
in sight were moved to the 2.3.8 milestone. The remaining issues have been or 
can be fixed. We will try to push out the 2.3.7 release later this week.

--

Discussed the OpenVPN 2.4 release. We will try to get a pre-alpha version with 
the interactive service out very soon. The primary reason is to allow testing 
on the Windows platform.

--

Full chatlog is included as an attachment.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(20:56:12) cron2: mattock1: well, it would need "git master + patch from list" 
- I do not want to commit it if it won't work...
(20:56:16) cron2: besides, I'm here :)
(20:57:21) mattock: cron2: which patch?
(20:57:33) mattock: I can trigger a manual Windows build now
(20:57:47) cron2: http://article.gmane.org/gmane.network.openvpn.devel/9768
(20:57:50) vpnHelper: Title: Gmane -- PATCH Use EAI AGAIN instead of EAI SYSTEM 
for openvpn getaddrinfo . (at article.gmane.org)
(20:57:55) cron2: this one :)
(20:59:11) mattock: ok
(21:04:36) mattock: I wonder if everyone else forgot the meeting
(21:04:40) syzzer: I'm here too
(21:04:52) mattock: ah hi!
(21:05:01) mattock: I was about to throw in the towel :P
(21:05:22) syzzer: heh, so I was just in time ;)
(21:05:32) mattock: yep
(21:05:34) cron2: syzzer: welcome back :)
(21:06:06) mattock: so here's the topic list: 
https://community.openvpn.net/openvpn/wiki/Topics-2015-06-01
(21:06:07) vpnHelper: Title: Topics-2015-06-01 – OpenVPN Community (at 
community.openvpn.net)
(21:06:23) syzzer: let me try a windows build locally
(21:06:28) mattock: I need to split in about an hour
(21:06:41) mattock: syzzer: feel free, though I was about to do it
(21:06:51) syzzer: also fine - less work for me ;)
(21:06:56) mattock: ok
(21:07:57) cron2: anyway, topic #1 - trac fields. I think what you wrote up 
works
(21:08:31) mattock: ok, great!
(21:08:49) mattock: I'll remove the text about proposals etc.
(21:09:03) mattock: topic #2: https://community.openvpn.net/openvpn/ticket/427
(21:09:05) cron2: the judgement of "it can be reasonably be resolved" might 
differ between people who look at tickets .-) (I feel confident hacking socket 
issues, but won't resolve windows stuff) but with these as general guidelines, 
we should be good
(21:09:07) vpnHelper: Title: #427 (make check doesn't play nicely with automake 
1.12 and up) – OpenVPN Community (at community.openvpn.net)
(21:09:32) cron2: *sigh* (did I mention I hate automake?)
(21:09:32) mattock: cron2: yeah, what I meant is "can be expected to get 
resolved"
(21:10:10) cron2: "whatever" :) - it is good enough as an orientation, and we 
can always refine it
(21:10:16) mattock: yep
(21:10:30) mattock: so automake
(21:10:33) ***syzzer looks
(21:10:50) mattock: cron2: have you tried the automake hack from libguestfs?
(21:11:10) cron2: haven't tried, but I'm reasonably sure that it works
(21:11:25) cron2: if we decide to go there, I'd test it on my most recent 
(1.15) and oldest (1.10) box
(21:11:31) syzzer: I don't understand why that works, but tbh I don't want to 
know :p
(21:11:46) cron2: syzzer: configure.ac can pass automake options, and they can 
be m4 macros...
(21:11:59) cron2: and yes, I share that sentiment :)
(21:12:35) cron2: basically, we have two alternatives - "stick to what we have" 
(and work around it by a buildbot script) or "go for the configure.ac hack"...
(21:12:47) ***syzzer votes hack
(21:13:10) mattock: I think the configure hack is less painful, and breaks less 
often
(21:13:33) mattock: we might want to pretest it to ensure all buildslaves 
accept it
(21:13:49) mattock: maybe push the changes to a temporary branch and manually 
force a build on all buildslaves?
(21:14:01) cron2: that's what I meant - if it works on freebsd 

Re: [Openvpn-devel] How to create openvpn channel between multiple interface linux machines.

2015-06-02 Thread Gert Doering
Hi,

On Tue, Jun 02, 2015 at 01:17:26PM +0530, Arun Kumar wrote:
> I have two ubuntu machine say host1 and host2.
> Each have two interfaces say eth0 and eth1.
> I want to create separate openvpn channels between the interfaces of two
> hosts.
> i tried openvpn and create secure key. and add eth0 and eth1 in config
> file, but only one vpn channel created.
> what is my mistake and how to make it.
> please help me on this.

First mistake: wrong list.  Openvpn-users is the list for user questions.

Second mistake: please describe more precisely what you want to achieve - 
OpenVPN does not care for "eth0/eth1", it will connect to an IP address
of the remote host.

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: Improve documentation in --script-security section of the man-page

2015-06-02 Thread Gert Doering
ACK. Your patch has been applied to the master and release/2.3 branch.

commit 001384e2952b54089e889edbda3196283b21641d (master)
commit 9f1d4545049bb643bf214498709e2af001bbe106 (release/2.3)

Author: Samuli Seppänen
Date:   Tue Jun 2 10:59:42 2015 +0300

 Improve documentation in --script-security section of the man-page

 Signed-off-by: Samuli Seppänen 
 Acked-by: Gert Doering 
 Message-Id: <1433231982-24945-1-git-send-email-sam...@openvpn.net>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9777
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Move res_init() call to inner openvpn_getaddrinfo() loop

2015-06-02 Thread Gert Doering
Patch has been applied to the master and release/2.3 branch.

commit 288a819af7d3a6fab9e0b69ae8dbaac74b36307b (master)
commit 4e7eb95e43f0daed79e25e0ad6a9a20705b57376 (release/2.3)

Author: Gert Doering
Date:   Sun May 31 15:59:09 2015 +0200

 Move res_init() call to inner openvpn_getaddrinfo() loop

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <1433080749-6892-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9763


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] Improve documentation in --script-security section of the man-page

2015-06-02 Thread samuli
From: Samuli Seppänen 

Trac: #395

Signed-off-by: Samuli Seppänen 
---
 doc/openvpn.8 | 5 +
 1 file changed, 5 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index df16a7f..3eb2493 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2007,6 +2007,11 @@ or
 As of OpenVPN v2.3, this flag is no longer accepted.  In most *nix 
environments the execve()
 approach has been used without any issues.
 
+Some directives such as \-\-up allow options to be passed to the external
+script. In these cases make sure the script name does not contain any spaces or
+the configuration parser will choke because it can't determine where the script
+name ends and script options start.
+
 To run scripts in Windows in earlier OpenVPN
 versions you needed to either add a full path to the script interpreter which 
can parse the
 script or use the
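
Review bot: The new paragraph (the four added lines after "approach has been used without any issues.") tells the reader to avoid spaces in the script name but does not say whether quoting or a backslash-escaped space is an acceptable alternative, so a reader with a path such as a Windows "Program Files" location is left without guidance; state explicitly what is and is not supported for directives like \-\-up. "the configuration parser will choke" is also vaguer than the rest of the page; naming the resulting failure (for example, that OpenVPN exits with an option error) would be more useful. Finally, the paragraph lands between the sentence about the flag removed in v2.3 and the "To run scripts in Windows in earlier OpenVPN versions" paragraph, which interrupts that historical discussion; consider placing it before "As of OpenVPN v2.3" or after the Windows paragraph.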
-- 
2.1.4




[Openvpn-devel] How to create openvpn channel between multiple interface linux machines.

2015-06-02 Thread Arun Kumar
Hi,
I have two ubuntu machine say host1 and host2.
Each have two interfaces say eth0 and eth1.
I want to create separate openvpn channels between the interfaces of two
hosts.
i tried openvpn and create secure key. and add eth0 and eth1 in config
file, but only one vpn channel created.
what is my mistake and how to make it.
please help me on this.

Thanks
Kumar raj