OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-06-27 06:13:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
openvpn/doc/man-sections/management-options.rst
Selva Nair a04e3ac047 Allow management client to announce pss padding support 
The --management-external-key option can currently indicate support
for 'nopadding' or 'pkcs1' signatures in the client. Add 'pss' as an
option to announce that PSS signing requests are accepted.

To match, extend the algorithm string in PK_SIGN request to
include the following format:

- RSA_PKCS1_PSS_PADDING,hashalg=name,saltlen=[max|digest]

Here 'name' is the short common name of the hash algorithm.
E.g., SHA1, SHA256 etc.

Existing formats 'ECDSA' and 'RSA_PKCS1_PADDING' are unchanged.

v2 changes: Fix typos and other sloppiness in documentation and
commit message.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-10-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23430.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-01-20 16:29:45 +01:00

137 lines
5.1 KiB
ReStructuredText
Raw Blame History

Management Interface Options
----------------------------
OpenVPN provides a feature rich socket based management interface for both
server and client mode operations.
--management args
Enable a management server on a ``socket-name`` Unix socket on those
platforms supporting it, or on a designated TCP port.
Valid syntaxes:
::
management socket-name unix #
management socket-name unix pw-file # (recommended)
management IP port # (INSECURE)
management IP port pw-file #
``pw-file``, if specified, is a password file where the password must
be on first line. Instead of a filename it can use the keyword stdin
which will prompt the user for a password to use when OpenVPN is
starting.
For unix sockets, the default behaviour is to create a unix domain
socket that may be connected to by any process. Use the
``--management-client-user`` and ``--management-client-group``
directives to restrict access.
The management interface provides a special mode where the TCP
management link can operate over the tunnel itself. To enable this mode,
set IP to ``tunnel``. Tunnel mode will cause the management interface to
listen for a TCP connection on the local VPN address of the TUN/TAP
interface.
***BEWARE*** of enabling the management interface over TCP. In these cases
you should *ALWAYS* make use of ``pw-file`` to password protect the
management interface. Any user who can connect to this TCP ``IP:port``
will be able to manage and control (and interfere with) the OpenVPN
process. It is also strongly recommended to set IP to 127.0.0.1
(localhost) to restrict accessibility of the management server to local
clients.
While the management port is designed for programmatic control of
OpenVPN by other applications, it is possible to telnet to the port,
using a telnet client in "raw" mode. Once connected, type :code:`help`
for a list of commands.
For detailed documentation on the management interface, see the
*management-notes.txt* file in the management folder of the OpenVPN
source distribution.
--management-client
Management interface will connect as a TCP/unix domain client to
``IP:port`` specified by ``--management`` rather than listen as a TCP
server or on a unix domain socket.
If the client connection fails to connect or is disconnected, a SIGTERM
signal will be generated causing OpenVPN to quit.
--management-client-auth
Gives management interface client the responsibility to authenticate
clients after their client certificate has been verified. See
:code:`management-notes.txt` in OpenVPN distribution for detailed notes.
--management-client-group g
When the management interface is listening on a unix domain socket, only
allow connections from group ``g``.
--management-client-user u
When the management interface is listening on a unix domain socket, only
allow connections from user ``u``.
--management-external-cert certificate-hint
Allows usage for external certificate instead of ``--cert`` option
(client-only). ``certificate-hint`` is an arbitrary string which is
passed to a management interface client as an argument of
*NEED-CERTIFICATE* notification. Requires ``--management-external-key``.
--management-external-key args
Allows usage for external private key file instead of ``--key`` option
(client-only).
Valid syntaxes:
::
management-external-key
management-external-key nopadding
management-external-key pkcs1
management-external-key pss
or any combination like:
::
management-external-key nopadding pkcs1
management-external-key pkcs1 pss
The optional parameters :code:`nopadding` :code:`pkcs1` and :code:`pss` signal
support for different padding algorithms. See
:code:`doc/mangement-notes.txt` for a complete description of this
feature.
--management-forget-disconnect
Make OpenVPN forget passwords when management session disconnects.
This directive does not affect the ``--http-proxy`` username/password.
It is always cached.
--management-hold
Start OpenVPN in a hibernating state, until a client of the management
interface explicitly starts it with the :code:`hold release` command.
--management-log-cache n
Cache the most recent ``n`` lines of log file history for usage by the
management channel.
--management-query-passwords
Query management channel for private key password and
``--auth-user-pass`` username/password. Only query the management
channel for inputs which ordinarily would have been queried from the
console.
--management-query-proxy
Query management channel for proxy server information for a specific
``--remote`` (client-only).
--management-query-remote
Allow management interface to override ``--remote`` directives
(client-only).
--management-signal
Send SIGUSR1 signal to OpenVPN if management session disconnects. This
is useful when you wish to disconnect an OpenVPN session on user logoff.
For ``--management-client`` this option is not needed since a disconnect
will always generate a :code:`SIGTERM`.
--management-up-down
Report tunnel up/down events to management interface.
Reference in New Issue View Git Blame Copy Permalink