mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
f500c49c8e
To avoid keeping around a full-size openvpn.rst file which is never needed but will take space in the repo forever, patches 01...04 of the big documentation overhaul projects were squashed togehter, keeping the individual commit logs and URL references below. Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is a combination of 4 commits. * This is the 1st commit message: doc/man: Add an .rst formatted version of the man page This is the first step to move away from a manually editing g/nroff encoded man page. Some modifications was needed to ensure formatting was consistent and rendered reasonably okay in GitHub and that the generated man page (using rst2man) is looking as a proper man page. Unsupported options has also been moved into its own section. HTML rendering directly using rst2html has also been used to validate the conversion. The rst2man and rst2html utilities comes from the python-docutils project: https://docutils.sourceforge.io/ Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-2-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #2: doc/man: Replace old man page with generated man page The doc/openvpn.8 and doc/openvpn.8.html files are now being removed from the git tree, as it will be generated from the doc/openvpn.8.rst file using python-docutils. An additional dist-hook is added so these files are generated automatically when source tarballs are generated for releases. This means users compiling directly from the source tarball will not need python-docutils installed. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-3-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #3: doc/man: Split up and reorganize main man page The openvpn.8.rst file is quite long and hard to edit, as it covers several hundred options. Some options were even documented multiple places. The example has also received some attention, cleaning up old and outdated infomration. In this commit the main man page is split up into multiple sections and options are sorted into each of the corresponding section. Inside each category, each option is for now sorted alphabetically. The main openvpn.8.rst file is currently kept unchanged and will be handled in the next commit. Many language improvements contributed by Richard Bonhomme has also been incorproated. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-4-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #4: doc/man: Complete openvpn.8.rst splitting This rebuilds the openvpn.8.rst content by using the text which was split out in the previous commit by using RST ..include statements. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-5-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
136 lines
5.2 KiB
ReStructuredText
136 lines
5.2 KiB
ReStructuredText
Management Interface Options
|
|
----------------------------
|
|
OpenVPN provides a feature rich socket based management interface for both
|
|
server and client mode operations.
|
|
|
|
--management args
|
|
Enable a management server on a ``socket-name`` Unix socket on those
|
|
platforms supporting it, or on a designated TCP port.
|
|
|
|
Valid syntaxes:
|
|
::
|
|
|
|
management socket-name unix #
|
|
management socket-name unix pw-file # (recommended)
|
|
management IP port # (INSECURE)
|
|
management IP port pw-file #
|
|
|
|
``pw-file``, if specified, is a password file where the password must
|
|
be on first line. Instead of a filename it can use the keyword stdin
|
|
which will prompt the user for a password to use when OpenVPN is
|
|
starting.
|
|
|
|
For unix sockets, the default behaviour is to create a unix domain
|
|
socket that may be connected to by any process. Use the
|
|
``--management-client-user`` and ``--management-client-group``
|
|
directives to restrict access.
|
|
|
|
The management interface provides a special mode where the TCP
|
|
management link can operate over the tunnel itself. To enable this mode,
|
|
set IP to ``tunnel``. Tunnel mode will cause the management interface to
|
|
listen for a TCP connection on the local VPN address of the TUN/TAP
|
|
interface.
|
|
|
|
***BEWARE*** of enabling the management interface over TCP. In these cases
|
|
you should *ALWAYS* make use of ``pw-file`` to password protect the
|
|
management interface. Any user who can connect to this TCP ``IP:port``
|
|
will be able to manage and control (and interfere with) the OpenVPN
|
|
process. It is also strongly recommended to set IP to 127.0.0.1
|
|
(localhost) to restrict accessibility of the management server to local
|
|
clients.
|
|
|
|
While the management port is designed for programmatic control of
|
|
OpenVPN by other applications, it is possible to telnet to the port,
|
|
using a telnet client in "raw" mode. Once connected, type :code:`help`
|
|
for a list of commands.
|
|
|
|
For detailed documentation on the management interface, see the
|
|
*management-notes.txt* file in the management folder of the OpenVPN
|
|
source distribution.
|
|
|
|
--management-client
|
|
Management interface will connect as a TCP/unix domain client to
|
|
``IP:port`` specified by ``--management`` rather than listen as a TCP
|
|
server or on a unix domain socket.
|
|
|
|
If the client connection fails to connect or is disconnected, a SIGTERM
|
|
signal will be generated causing OpenVPN to quit.
|
|
|
|
--management-client-auth
|
|
Gives management interface client the responsibility to authenticate
|
|
clients after their client certificate has been verified. See
|
|
:code:`management-notes.txt` in OpenVPN distribution for detailed notes.
|
|
|
|
--management-client-group g
|
|
When the management interface is listening on a unix domain socket, only
|
|
allow connections from group ``g``.
|
|
|
|
--management-client-pf
|
|
Management interface clients must specify a packet filter file for each
|
|
connecting client. See :code:`management-notes.txt` in OpenVPN
|
|
distribution for detailed notes.
|
|
|
|
--management-client-user u
|
|
When the management interface is listening on a unix domain socket, only
|
|
allow connections from user ``u``.
|
|
|
|
--management-external-cert certificate-hint
|
|
Allows usage for external certificate instead of ``--cert`` option
|
|
(client-only). ``certificate-hint`` is an arbitrary string which is
|
|
passed to a management interface client as an argument of
|
|
*NEED-CERTIFICATE* notification. Requires ``--management-external-key``.
|
|
|
|
--management-external-key args
|
|
Allows usage for external private key file instead of ``--key`` option
|
|
(client-only).
|
|
|
|
Valid syntaxes:
|
|
::
|
|
|
|
management-external-key
|
|
management-external-key nopadding
|
|
management-external-key pkcs1
|
|
management-external-key nopadding pkcs1
|
|
|
|
The optional parameters :code:`nopadding` and :code:`pkcs1` signal
|
|
support for different padding algorithms. See
|
|
:code:`doc/mangement-notes.txt` for a complete description of this
|
|
feature.
|
|
|
|
--management-forget-disconnect
|
|
Make OpenVPN forget passwords when management session disconnects.
|
|
|
|
This directive does not affect the ``--http-proxy`` username/password.
|
|
It is always cached.
|
|
|
|
--management-hold
|
|
Start OpenVPN in a hibernating state, until a client of the management
|
|
interface explicitly starts it with the :code:`hold release` command.
|
|
|
|
--management-log-cache n
|
|
Cache the most recent ``n`` lines of log file history for usage by the
|
|
management channel.
|
|
|
|
--management-query-passwords
|
|
Query management channel for private key password and
|
|
``--auth-user-pass`` username/password. Only query the management
|
|
channel for inputs which ordinarily would have been queried from the
|
|
console.
|
|
|
|
--management-query-proxy
|
|
Query management channel for proxy server information for a specific
|
|
``--remote`` (client-only).
|
|
|
|
--management-query-remote
|
|
Allow management interface to override ``--remote`` directives
|
|
(client-only).
|
|
|
|
--management-signal
|
|
Send SIGUSR1 signal to OpenVPN if management session disconnects. This
|
|
is useful when you wish to disconnect an OpenVPN session on user logoff.
|
|
For ``--management-client`` this option is not needed since a disconnect
|
|
will always generate a :code:`SIGTERM`.
|
|
|
|
--management-up-down
|
|
Report tunnel up/down events to management interface.
|