mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
60f5889ae6
The non-TLS mode is a relict from OpenVPN 1.x or 2.0. When TLS mode was introduced the advantages of TLS over non-TLS were small but TLS mode evolved to include a lot more features (NCP, multipeer, AEAD ciphers to name a few). Today VPN setups that use --secret are mainly used because this mode is easier to setup and does not require setting up a PKI. This shortcoming of TLS mode should be addressed now with the peer-fingerprint option. The primary reason to deprecate --secret is that it is not secure enough anymore for modern environments. This mode uses a fixed pre-shared key and no session keys. Thus, no forward secrecy is possible, which means that any captured VPN traffic can be decrypted later should the --secret key get into the wrong hands. The cryptography overall used here was okay when --secret was introduced but is not acceptable by today's standard anymore. Finally, modern hardware-accelerated crypto modes like AES-GCM can only be used in TLS mode (due to IV requirements). Patch V2: Improve commit message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210328090530.10653-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21868.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
|---|---|---|
| .. | ||
| doxygen | ||
| man-sections | ||
| android.txt | ||
| gui-notes.txt | ||
| interactive-service-notes.rst | ||
| keying-material-exporter.txt | ||
| Makefile.am | ||
| management-notes.txt | ||
| openvpn.8.rst | ||
| README.man | ||
| README.plugins | ||
| tls-crypt-v2.txt | ||
OpenVPN Plugins
---------------
Starting with OpenVPN 2.0-beta17, compiled plugin modules are
supported on any *nix OS which includes libdl or on Windows.
One or more modules may be loaded into OpenVPN using
the --plugin directive, and each plugin module is capable of
intercepting any of the script callbacks which OpenVPN supports:
(1) up
(2) down
(3) route-up
(4) ipchange
(5) tls-verify
(6) auth-user-pass-verify
(7) client-connect
(8) client-disconnect
(9) learn-address
See the openvpn-plugin.h file in the top-level directory of the
OpenVPN source distribution for more detailed information
on the plugin interface.
Included Plugins
----------------
auth-pam -- Authenticate using PAM and a split privilege
execution model which functions even if
root privileges or the execution environment
have been altered with --user/--group/--chroot.
Tested on Linux only.
down-root -- Enable the running of down scripts with root privileges
even if --user/--group/--chroot have been used
to drop root privileges or change the execution
environment. Not applicable on Windows.
examples -- A simple example that demonstrates a portable
plugin, i.e. one which can be built for *nix
or Windows from the same source.
Building Plugins
----------------
cd to the top-level directory of a plugin, and use the
"make" command to build it. The examples plugin is
built using a build script, not a makefile.