This collects some minor typo fixes that are not
worth each their own commit.
Fixes: OpenVPN/openvpn#644Fixes: OpenVPN/openvpn#442
Change-Id: Ifad21a2841e97e910775f3618ddac1c483d74b65
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241128123016.10444-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29956.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add comment how to set data-ciphers for very old clients.
- Remove/reword some old comments. e.g. no need to reference
OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.
- comment out "tls-auth" as that is not needed for a bare-bones VPN config
and needs additional setup.
Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071320.11348-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Change the default behavior of the OpenVPN configuration
by enabling the persist-key option by default.
This means that all the keys will be kept in memory
across restart.
Trac: #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Message-Id: <20240307140355.32644-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are mostly redundant with client/server.conf
Let's try to manage to maintain one set of sample
configurations before we branch out further.
Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240304161556.2036270-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28316.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Old expiration was October 2024, less than a year away.
Give everyone the chance to get the new keys before tests
start failing.
Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121110430.16893-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recommend to create an user dedicated to openvpn
so that there is no priviledge escalation between
different services using that user.
cf. https://wiki.ubuntu.com/nobody
Trac: #1335
CC: tincantech <tincantech@protonmail.com>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221129144731.35105-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The man page says:
[!] -s, --source address[/mask][,...]
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20211107174000.16210-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23128.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This code is from another time and has almost no relevance today.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201214172407.30451-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The change in name signals that data-ciphers is the preferred way to
configure data channel (and not --cipher). The data prefix is chosen
to avoid ambiguity and make it distinct from tls-cipher for the TLS
ciphers.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20444.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We have no real test rig for "inline" key material (key, cert, ca,
tls-auth, tls-crypt*) yet. This change adds the "sample" key set
as inline config to the "loopback-client" config, while keeping
file-based configs for "loopback-server" - that way, testing both
methods of loading keys etc. in one go.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200513141147.17171-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19883.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since these are examples, people might use them as a basis for their own
configs. In the non-push/pull configs, we should specify a decent cipher.
Further, I don't think we should recommend anyone to still use a static key
configuration, so remove the static key config examples.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191109174235.20511-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19081.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This unifies our key generation and also migrates the generation
of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any
released version, we remove the the old syntax without compatibility.
PATCH V4: Introduce warning/error when using --secret with --genkey
Update non code usages to use new --genkey syntax
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A simple clean-up where the version references have been unified
all those places I could find now. The versioning scheme used is:
* OpenVPN 2.x
* v2.x
We want to avoid:
* 2.x (2.4 can be just an ordindary decimal number,
OID reference, a version number or anything else)
* OpenVPN v2.x (OpenVPN indicates we're talking about a version)
In addition, several places where it made sense I tried to ensure
the first version reference uses "OpenVPN 2.x" and the following
references in the same section/paragraph uses "v2.x", to set the
context for the version reference.
In Changes.rst modified paragraphs exceeding 80 chars lines where
reformatted as well.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815205301.14542-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
For two reasons:
1) May motivate people to use tls-auth in their setups
2) Verify tls-auth functionality when running 'make check'
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1424614268-5078-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9467
Signed-off-by: Gert Doering <gert@greenie.muc.de>
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <CAA1AbxKZr_E6Wk9GBbB3xpLyJzyBxSa1k21UDXnC90d8refUzw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9226
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On modern systems, topology subnet should always be set, but it's
missing in the configuration file.
Add it with a short explanation.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BF9998.5020906@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8878
Signed-off-by: Gert Doering <gert@greenie.muc.de>
