33 #ifdef HAVE_CONFIG_VERSION_H
34 #include "config-version.h"
69 #ifdef CONFIGURE_GIT_REVISION
70 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS
"]"
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
87 #ifdef ENABLE_COMP_STUB
94 #ifdef PRODUCT_TAP_DEBUG
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
103 #elif defined(IP_RECVDSTADDR)
111 #ifdef CONFIGURE_GIT_REVISION
112 " built on " __DATE__
122 "--config file : Read configuration options from file.\n"
123 "--help : Show options.\n"
124 "--version : Show copyright and version information.\n"
127 "--local host : Local host name or ip address. Implies --bind.\n"
128 "--remote host [port] : Remote host name or ip address.\n"
129 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
130 "--remote-random-hostname : Add a random string to remote DNS name.\n"
131 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
132 "--proto p : Use protocol p for communicating with peer.\n"
133 " p = udp (default), tcp-server, tcp-client\n"
134 " udp4, tcp4-server, tcp4-client\n"
135 " udp6, tcp6-server, tcp6-client\n"
136 "--proto-force p : only consider protocol p in list of connection profiles.\n"
138 "--connect-retry n [m] : For client, number of seconds to wait between\n"
139 " connection retries (default=%d). On repeated retries\n"
140 " the wait time is exponentially increased to a maximum of m\n"
142 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
143 "--http-proxy s p [up] [auth] : Connect to remote host\n"
144 " through an HTTP proxy at address s and port p.\n"
145 " If proxy authentication is required,\n"
146 " up is a file containing username/password on 2 lines, or\n"
147 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
148 " the proxy requires NTLM authentication.\n"
149 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
150 " determine auth method and query for username/password\n"
151 " if needed. auto-nct disables weak proxy auth methods.\n"
152 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
153 " Repeat to set multiple options.\n"
154 " VERSION version (default=1.0)\n"
155 " AGENT user-agent\n"
156 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
157 " address s and port p (default port = 1080).\n"
158 " If proxy authentication is required,\n"
159 " up is a file containing username/password on 2 lines, or\n"
160 " 'stdin' to prompt for console.\n"
161 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
162 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163 " resolve for n seconds before failing (disabled by default).\n"
164 " Set n=\"infinite\" to retry indefinitely.\n"
165 "--float : Allow remote to change its IP address/port, such as through\n"
166 " DHCP (this is the default if --remote is not used).\n"
167 "--ipchange cmd : Run command cmd on remote ip address initial\n"
168 " setting or change -- execute as: cmd ip-address port#\n"
169 "--port port : TCP/UDP port # for both local and remote.\n"
170 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
171 "--rport port : TCP/UDP port # for remote (default=%s).\n"
172 "--bind : Bind to local address and port. (This is the default unless\n"
173 " --proto tcp-client"
177 "--nobind : Do not bind to local address and port.\n"
178 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
179 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
180 " this option only if the tun/tap device used with --dev\n"
181 " does not begin with \"tun\" or \"tap\".\n"
182 "--dev-node node : Explicitly set the device node rather than using\n"
183 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
184 #if defined(ENABLE_DCO)
185 "--disable-dco : Do not attempt using Data Channel Offload.\n"
187 "--lladdr hw : Set the link layer address of the tap device.\n"
188 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
189 #ifdef ENABLE_IPROUTE
190 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
192 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
193 " endpoint and rn as a remote endpoint. l & rn should be\n"
194 " swapped on the other peer. l & rn must be private\n"
195 " addresses outside of the subnets used by either peer.\n"
196 " TAP: configure device to use IP address l as a local\n"
197 " endpoint and rn as a subnet mask.\n"
198 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
199 " endpoint (as a /64) and r as remote endpoint\n"
200 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
201 " pass --ifconfig parms by environment to scripts.\n"
202 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
203 " connection doesn't match the remote side.\n"
204 "--route network [netmask] [gateway] [metric] :\n"
205 " Add route to routing table after connection\n"
206 " is established. Multiple routes can be specified.\n"
207 " netmask default: 255.255.255.255\n"
208 " gateway default: taken from --route-gateway or --ifconfig\n"
209 " Specify default by leaving blank or setting to \"default\".\n"
210 "--route-ipv6 network/bits [gateway] [metric] :\n"
211 " Add IPv6 route to routing table after connection\n"
212 " is established. Multiple routes can be specified.\n"
213 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
214 " in --ifconfig-ipv6\n"
215 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
216 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
217 "--route-metric m : Specify a default metric for use with --route.\n"
218 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
219 " adding routes (may be 0). If not specified, routes will\n"
220 " be added immediately after tun/tap open. On Windows, wait\n"
221 " up to w seconds for TUN/TAP adapter to come up.\n"
222 "--route-up cmd : Run command cmd after routes are added.\n"
223 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
224 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
225 " --route-up script using environmental variables.\n"
226 "--route-nopull : When used with --client or --pull, accept options pushed\n"
227 " by server EXCEPT for routes, dns, and dhcp options.\n"
228 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
229 " --ifconfig, --route, and --route-gateway.\n"
230 "--redirect-gateway [flags]: Automatically execute routing\n"
231 " commands to redirect all outgoing IP traffic through the\n"
232 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
233 " connected via a common subnet, such as with WiFi.\n"
234 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
235 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
236 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
237 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
238 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
239 " the default gateway. Useful when pushing private subnets.\n"
240 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
241 " ICMPv6 host unreachable messages on the client.\n"
242 " (Server) Instead of forwarding IPv6 packets send\n"
243 " ICMPv6 host unreachable packets to the client.\n"
244 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
245 "--push-peer-info : (client only) push client info to server.\n"
246 "--setenv name value : Set a custom environmental variable to pass to script.\n"
247 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
248 " directives for future OpenVPN versions to be ignored.\n"
249 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
250 " these options to be ignored when unknown\n"
251 "--script-security level: Where level can be:\n"
252 " 0 -- strictly no calling of external programs\n"
253 " 1 -- (default) only call built-ins such as ifconfig\n"
254 " 2 -- allow calling of built-ins and scripts\n"
255 " 3 -- allow password to be passed to scripts via env\n"
256 "--shaper n : Restrict output to peer to n bytes per second.\n"
257 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258 " ping once every n seconds, restart if ping not received\n"
260 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261 " produces a combined in/out byte count < bytes.\n"
262 "--session-timeout n: Limit connection time to n seconds.\n"
263 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
264 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
265 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
267 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
268 #if ENABLE_IP_PKTINFO
269 "--multihome : Configure a multi-homed UDP server.\n"
271 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
272 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
273 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
274 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
275 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
276 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
277 #if PASSTOS_CAPABILITY
278 "--passtos : TOS passthrough (applies to IPv4 only).\n"
280 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
281 " TCP/UDP MTU from it (default=%d).\n"
282 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
283 " as n bytes more than the tun-mtu size on read\n"
284 " (default TUN=0 TAP=%d).\n"
285 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
287 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
288 " 'no' -- Never send DF (Don't Fragment) frames\n"
289 " 'maybe' -- Use per-route hints\n"
290 " 'yes' -- Always DF (Don't Fragment)\n"
291 "--mtu-test : Empirically measure and report MTU.\n"
292 #ifdef ENABLE_FRAGMENT
293 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
294 " datagrams are sent which are larger than max bytes.\n"
295 " Adds 4 bytes of overhead per datagram.\n"
297 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
298 " or --fragment max value, whichever is lower.\n"
299 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
300 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
301 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
302 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
303 " can be matched in policy routing and packetfilter rules.\n"
304 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
305 " listening for connections. This allows sending encrypted packets\n"
306 " via a VRF present on the system.\n"
308 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
309 #ifdef ENABLE_MEMSTATS
310 "--memstats file : Write live usage stats to memory mapped binary file.\n"
312 "--mlock : Disable Paging -- ensures key material and tunnel\n"
313 " data will never be written to disk.\n"
314 "--up cmd : Run command cmd after successful tun device open.\n"
315 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
316 " ifconfig-local-ip ifconfig-remote-ip\n"
317 " (pre --user or --group UID/GID change)\n"
318 "--up-delay : Delay tun/tap open and possible --up script execution\n"
319 " until after TCP/UDP connection establishment with peer.\n"
320 "--down cmd : Run command cmd after tun device close.\n"
321 " (post --user/--group UID/GID change and/or --chroot)\n"
322 " (command parameters are same as --up option)\n"
323 "--down-pre : Run --down command before TUN/TAP close.\n"
324 "--up-restart : Run up/down commands for all restarts including those\n"
325 " caused by --ping-restart or SIGUSR1\n"
326 "--user user : Set UID to user after initialization.\n"
327 "--group group : Set GID to group after initialization.\n"
328 "--chroot dir : Chroot to this directory after initialization.\n"
329 #ifdef ENABLE_SELINUX
330 "--setcon context: Apply this SELinux context after initialization.\n"
332 "--cd dir : Change to this directory before initialization.\n"
333 "--daemon [name] : Become a daemon after initialization.\n"
334 " The optional 'name' parameter will be passed\n"
335 " as the program name to the system logger.\n"
336 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
337 " See --daemon above for a description of the 'name' parm.\n"
338 "--log file : Output log to file which is created/truncated on open.\n"
339 "--log-append file : Append log to file, or create file if nonexistent.\n"
340 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
341 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
342 "--writepid file : Write main process ID to file.\n"
343 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
344 "--echo [parms ...] : Echo parameters to log output.\n"
345 "--verb n : Set output verbosity to n (default=%d):\n"
346 " (Level 3 is recommended if you want a good summary\n"
347 " of what's happening without being swamped by output).\n"
348 " : 0 -- no output except fatal errors\n"
349 " : 1 -- startup info + connection initiated messages +\n"
350 " non-fatal encryption & net errors\n"
351 " : 2,3 -- show TLS negotiations & route info\n"
352 " : 4 -- show parameters\n"
353 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
354 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
355 " : 6 to 11 -- debug messages of increasing verbosity\n"
356 "--mute n : Log at most n consecutive messages in the same category.\n"
357 "--status file [n] : Write operational status to file every n seconds.\n"
358 "--status-version [n] : Choose the status file format version number.\n"
359 " Currently, n can be 1, 2, or 3 (default=1).\n"
360 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
362 "--gremlin mask : Special stress testing mode (for debugging only).\n"
364 #if defined(USE_COMP)
365 "--compress alg : Use compression algorithm alg\n"
366 "--allow-compression: Specify whether compression should be allowed\n"
367 #if defined(ENABLE_LZO)
368 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
369 " packet for incompressible data.\n"
370 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
374 #ifdef ENABLE_MANAGEMENT
375 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
376 " management functions. pass is a password file\n"
377 " or 'stdin' to prompt from console.\n"
378 #if UNIX_SOCK_SUPPORT
379 " To listen on a unix domain socket, specific the pathname\n"
380 " in place of ip and use 'unix' as the port number.\n"
382 "--management-client : Management interface will connect as a TCP client to\n"
383 " ip/port rather than listen as a TCP server.\n"
384 "--management-query-passwords : Query management channel for private key\n"
385 " and auth-user-pass passwords.\n"
386 "--management-query-proxy : Query management channel for proxy information.\n"
387 "--management-query-remote : Query management channel for --remote directive.\n"
388 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
389 " of the management interface explicitly starts it.\n"
390 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
391 "--management-forget-disconnect : Forget passwords when management disconnect\n"
393 "--management-up-down : Report tunnel up/down events to management interface.\n"
394 "--management-log-cache n : Cache n lines of log file history for usage\n"
395 " by the management channel.\n"
396 #if UNIX_SOCK_SUPPORT
397 "--management-client-user u : When management interface is a unix socket, only\n"
398 " allow connections from user u.\n"
399 "--management-client-group g : When management interface is a unix socket, only\n"
400 " allow connections from group g.\n"
402 "--management-client-auth : gives management interface client the responsibility\n"
403 " to authenticate clients after their client certificate\n"
404 " has been verified.\n"
407 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
408 " to its initialization function.\n"
410 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
411 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
412 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
414 "Multi-Client Server options (when --mode server is used):\n"
415 "--server network netmask : Helper option to easily configure server mode.\n"
416 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
417 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
418 " easily configure ethernet bridging server mode.\n"
419 "--push \"option\" : Push a config file option back to the peer for remote\n"
420 " execution. Peer must specify --pull in its config file.\n"
421 "--push-reset : Don't inherit global push list for specific\n"
422 " client instance.\n"
423 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
424 " a specific client instance.\n"
425 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
426 " to be dynamically allocated to connecting clients.\n"
427 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
428 " data to file, at seconds intervals (default=600).\n"
429 " If seconds=0, file will be treated as read-only.\n"
430 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
431 " to be dynamically allocated to connecting clients.\n"
432 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
433 " overrides --ifconfig-pool dynamic allocation.\n"
434 " Only valid in a client-specific config file.\n"
435 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
436 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
437 " Only valid in a client-specific config file.\n"
438 "--iroute network [netmask] : Route subnet to client.\n"
439 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
440 " Sets up internal routes only.\n"
441 " Only valid in a client-specific config file.\n"
442 "--disable : Client is disabled.\n"
443 " Only valid in a client-specific config file.\n"
444 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
445 " mandatory client certificate verification.\n"
446 " Default is to require the client to supply a certificate.\n"
447 "--username-as-common-name : For auth-user-pass authentication, use\n"
448 " the authenticated username as the common name,\n"
449 " rather than the common name from the client cert.\n"
450 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
451 " run command cmd to verify. If method='via-env', pass\n"
452 " user/pass via environment, if method='via-file', pass\n"
453 " user/pass via temporary file.\n"
454 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
455 " to each client, replacing the password. Useful when\n"
456 " OTP based two-factor auth mechanisms are in use and\n"
457 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
458 " for generated tokens can be set.\n"
459 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
460 " with those of the server will be disconnected.\n"
461 "--auth-user-pass-optional : Allow connections by clients that don't\n"
462 " specify a username/password.\n"
463 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
464 " any printable character.\n"
465 "--client-to-client : Internally route client-to-client traffic.\n"
466 "--duplicate-cn : Allow multiple clients with the same common name to\n"
467 " concurrently connect.\n"
468 "--client-connect cmd : Run command cmd on client connection.\n"
469 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
470 "--client-config-dir dir : Directory for custom client config files.\n"
471 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
472 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
473 "--hash-size r v : Set the size of the real address hash table to r and the\n"
474 " virtual address table to v.\n"
475 "--bcast-buffers n : Allocate n broadcast buffers.\n"
476 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
477 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
478 " as well as pushes it to connecting clients.\n"
479 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
480 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
481 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
482 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
483 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
484 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
485 " older than n seconds. Run this check every t\n"
486 " seconds (defaults to n).\n"
487 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
488 " clients. n = 1 - reconnect to same server,\n"
489 " 2 - advance to next server, default=1.\n"
491 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
492 " sessions to a web server at host:port. dir specifies an\n"
493 " optional directory to write origin IP:port data.\n"
496 "Client options (when connecting to a multi-client server):\n"
497 "--client : Helper option to easily configure client mode.\n"
498 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
499 " up is a file containing the username on the first line,\n"
500 " and a password on the second. If either the password or both\n"
501 " the username and the password are omitted OpenVPN will prompt\n"
502 " for them from console.\n"
503 "--pull : Accept certain config file options from the peer as if they\n"
504 " were part of the local config file. Must be specified\n"
505 " when connecting to a '--mode server' remote host.\n"
506 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
507 " server if it starts with the text t. The action flag accept,\n"
508 " ignore or reject causes the option to be allowed, removed or\n"
509 " rejected with error. May be specified multiple times, and\n"
510 " each filter is applied in the order of appearance.\n"
511 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
512 " Valid options are :\n"
513 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
514 " resolve-domains <domain> [domain ...] : split domains\n"
515 " exclude-domains <domain> [domain ...] : domains not to resolve\n"
516 " dnssec <yes|no|optional> : option to use DNSSEC\n"
517 " type <DoH|DoT> : query server over HTTPS / TLS\n"
518 " sni <domain> : DNS server name indication\n"
519 "--dns search-domains <domain> [domain ...]:\n"
520 " Add domains to DNS domain search list\n"
521 "--auth-retry t : How to handle auth failures. Set t to\n"
522 " none (default), interact, or nointeract.\n"
523 "--static-challenge t e : Enable static challenge/response protocol using\n"
524 " challenge text t, with e indicating echo flag (0|1)\n"
525 "--connect-timeout n : when polling possible remote servers to connect to\n"
526 " in a round-robin fashion, spend no more than n seconds\n"
527 " waiting for a response before trying the next server.\n"
528 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
529 " incoming tun packets with same destination as host.\n"
530 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
531 " server/remote. n = # of retries, default=1.\n"
533 "Data Channel Encryption Options (must be compatible between peers):\n"
534 "(These options are meaningful for both Static Key & TLS-mode)\n"
535 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
536 " Use shared secret file f, generate with --genkey.\n"
537 " The optional d parameter controls key directionality.\n"
538 " If d is specified, use separate keys for each\n"
539 " direction, set d=0 on one side of the connection,\n"
540 " and d=1 on the other side.\n"
541 "--auth alg : Authenticate packets with HMAC using message\n"
542 " digest algorithm alg (default=%s).\n"
543 " (usually adds 16 or 20 bytes per packet)\n"
544 " Set alg=none to disable authentication.\n"
545 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
546 " You should usually use --data-ciphers instead.\n"
547 " Set alg=none to disable encryption.\n"
548 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
549 #ifndef ENABLE_CRYPTO_MBEDTLS
550 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
552 "--no-replay : (DEPRECATED) Disable replay protection.\n"
553 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
554 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
555 " and a time window of t seconds.\n"
556 " Default n=%d t=%d\n"
557 "--replay-persist file : Persist replay-protection state across sessions\n"
559 "--test-crypto : Run a self-test of crypto features enabled.\n"
560 " For debugging only.\n"
561 #ifdef ENABLE_PREDICTION_RESISTANCE
562 "--use-prediction-resistance: Enable prediction resistance on the random\n"
563 " number generator.\n"
566 "TLS Key Negotiation Options:\n"
567 "(These options are meaningful only for TLS-mode)\n"
568 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
569 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
570 "--ca file : Certificate authority file in .pem format containing\n"
571 " root certificate.\n"
572 #ifndef ENABLE_CRYPTO_MBEDTLS
573 "--capath dir : A directory of trusted certificates (CAs"
576 "--dh file : File containing Diffie Hellman parameters\n"
577 " in .pem format (for --tls-server only).\n"
578 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
579 "--cert file : Local certificate in .pem format -- must be signed\n"
580 " by a Certificate Authority in --ca file.\n"
581 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
582 "--key file : Local private key in .pem format.\n"
583 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
584 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
585 " is specified, require max TLS version supported by SSL implementation.\n"
586 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
587 #ifndef ENABLE_CRYPTO_MBEDTLS
588 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
589 " and optionally the root CA certificate.\n"
591 #ifdef ENABLE_X509ALTUSERNAME
592 "--x509-username-field : Field in x509 certificate containing the username.\n"
593 " Default is CN in the Subject field.\n"
595 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
596 " Valid algo flags are SHA1 and SHA256. \n"
598 "--cryptoapicert select-string : Load the certificate and private key from the\n"
599 " Windows Certificate System Store.\n"
601 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
602 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
603 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
604 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
605 " (default=legacy).\n"
606 "--providers l : A list l of OpenSSL providers to load.\n"
607 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
608 " if no ACK from remote within n seconds (default=%d).\n"
609 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
610 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
611 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
612 " and at least min (defaults to 90%% of max on servers and equal\n"
613 " to max on clients).\n"
614 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
615 " of handshake initiation by any peer (default=%d).\n"
616 "--tran-window n : Transition window -- old key can live this many seconds\n"
617 " after new key renegotiation begins (default=%d).\n"
618 "--single-session: Allow only one session (reset state on restart).\n"
619 "--tls-exit : Exit on TLS negotiation failure.\n"
620 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
621 " control channel to protect against attacks on the TLS stack\n"
622 " and DoS attacks.\n"
623 " f (required) is a shared-secret key file.\n"
624 " The optional d parameter controls key directionality,\n"
625 " see --secret option for more info.\n"
626 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
627 " of the TLS control channel to hide the TLS certificate,\n"
628 " provide basic post-quantum security and protect against\n"
629 " attacks on the TLS stack and DoS attacks.\n"
630 " key (required) provides the pre-shared key file.\n"
631 " see --secret option for more info.\n"
632 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
633 " For servers: use key to decrypt client-specific keys. For\n"
634 " key generation (--genkey tls-crypt-v2-client): use key to\n"
635 " encrypt generated client-specific key. (See --tls-crypt.)\n"
636 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
637 " fresh tls-crypt-v2 client key, and store to\n"
638 " keyfile. If supplied, include metadata in wrapped key.\n"
639 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
640 " fresh tls-crypt-v2 server key, and store to keyfile\n"
641 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
642 " client-supplied tls-crypt-v2 client key\n"
643 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
644 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
645 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
646 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
647 " pending TLS connection that has otherwise passed all other\n"
648 " tests of certification. cmd should return 0 to allow\n"
649 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
650 " executed as 'cmd certificate_depth subject')\n"
651 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
652 " in an openvpn temporary file in [directory]. Peer cert is \n"
653 " stored before tls-verify script execution and deleted after.\n"
654 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
655 " DN name. The remote host must also pass all other tests\n"
656 " of verification.\n"
657 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
658 " an explicit nsCertType designation t = 'client' | 'server'.\n"
659 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
660 " plugins and management interface.\n"
661 #ifdef HAVE_EXPORT_KEYING_MATERIAL
662 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
663 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
665 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
666 " explicit key usage, you can specify more than one value.\n"
667 " value should be given in hex format.\n"
668 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
669 " explicit extended key usage. Extended key usage can be encoded\n"
670 " as an object identifier or OpenSSL string representation.\n"
671 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
672 " key usage and extended key usage based on RFC3280 TLS rules.\n"
673 " t = 'client' | 'server'.\n"
677 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
678 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
679 " path. Set for each provider.\n"
680 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
681 " 0 : Try to determine automatically (default).\n"
683 " 2 : Use SignRecover.\n"
684 " 4 : Use Decrypt.\n"
686 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
687 " certificate can be accessed. Set for each provider.\n"
688 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
689 " cache until token is removed.\n"
690 "--pkcs11-id-management : Acquire identity from management interface.\n"
691 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
694 "SSL Library information:\n"
695 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
696 "--show-digests : Show message digest algorithms to use with --auth option.\n"
697 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
698 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
701 "Windows Specific:\n"
702 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
703 " from SystemRoot environment variable.\n"
704 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
705 " IP address using method = manual, netsh, ipapi,\n"
706 " dynamic, or adaptive (default = adaptive).\n"
707 " Dynamic method allows two optional parameters:\n"
708 " offset: DHCP server address offset (> -256 and < 256).\n"
709 " If 0, use network address, if >0, take nth\n"
710 " address forward from network address, if <0,\n"
711 " take nth address backward from broadcast\n"
714 " lease-time: Lease time in seconds.\n"
715 " Default is one year.\n"
716 "--route-method : Which method to use for adding routes on Windows?\n"
717 " adaptive (default) -- Try ipapi then fall back to exe.\n"
718 " ipapi -- Use IP helper API.\n"
719 " exe -- Call the route.exe shell command.\n"
720 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
721 " be used with --ip-win32 dynamic. For options\n"
722 " which allow multiple addresses,\n"
723 " --dhcp-option must be repeated.\n"
724 " DOMAIN name : Set DNS suffix\n"
725 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
726 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
727 " NTP : Set NTP server address(es)\n"
728 " NBDD : Set NBDD server address(es)\n"
729 " WINS addr : Set WINS server address(es)\n"
730 " NBT type : Set NetBIOS over TCP/IP Node type\n"
731 " 1: B, 2: P, 4: M, 8: H\n"
732 " NBS id : Set NetBIOS scope ID\n"
733 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
734 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
735 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
737 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
738 " on connection initiation.\n"
739 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
740 " attempting to set adapter properties.\n"
741 "--pause-exit : When run from a console window, pause before exiting.\n"
742 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
743 " service, and should not be used directly by end-users.\n"
744 " ex is the name of an event object which, when\n"
745 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
746 " optional parameter controls the initial state of ex.\n"
747 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
748 " after TAP adapter is up and routes have been added.\n"
749 "--windows-driver : Which tun driver to use?\n"
750 " ovpn-dco (default)\n"
753 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
754 "Windows Standalone Options:\n"
756 "--show-adapters : Show all TAP-Windows adapters.\n"
757 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
758 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
759 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
760 " to access TAP adapter.\n"
763 "Generate a new key :\n"
764 "--genkey secret file : Generate a new random key of type and write to file\n"
765 " (for use with --secret, --tls-auth or --tls-crypt)."
766 #ifdef ENABLE_FEATURE_TUN_PERSIST
768 "Tun/tap config mode (available with linux 2.4+):\n"
769 "--mktun : Create a persistent tunnel.\n"
770 "--rmtun : Remove a persistent tunnel.\n"
771 "--dev tunX|tapX : tun/tap device\n"
772 "--dev-type dt : Device type. See tunnel options above for details.\n"
773 "--user user : User to set privilege to.\n"
774 "--group group : Group to set privilege to.\n"
778 "PKCS#11 standalone options:\n"
779 #ifdef DEFAULT_PKCS11_MODULE
780 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
782 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
784 " --verb option can be added *BEFORE* this.\n"
787 "General Standalone Options:\n"
789 "--show-gateway : Show info about default gateway.\n"
813 o->
ce.
af = AF_UNSPEC;
837 #ifdef ENABLE_MANAGEMENT
842 #ifdef ENABLE_FEATURE_TUN_PERSIST
875 #ifdef ENABLE_PREDICTION_RESISTANCE
876 o->use_prediction_resistance =
false;
886 #ifdef ENABLE_X509ALTUSERNAME
890 o->pkcs11_pin_cache_period = -1;
/* Classification codes; the PUF_ prefix and the ACCEPT/IGNORE/REJECT names
 * suggest they tag --pull-filter matches, but the consuming code is not
 * visible here — confirm against the pull-filter handling. */
935 #define PUF_TYPE_UNDEF 0
936 #define PUF_TYPE_ACCEPT 1
937 #define PUF_TYPE_IGNORE 2
938 #define PUF_TYPE_REJECT 3
/* Emit one "name = value" line at level D_SHOW_PARMS via msg(). `name` is
 * stringified with #, so passing a string literal as `name` prints it with
 * its surrounding quotes. */
974 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
/* Show a string option, printing [UNDEF] when the pointer is NULL; relies on
 * an options pointer `o` being in scope at the call site. */
975 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
976 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
977 o->var ## _inline ? "[INLINE]" : \
978 (o->var ? o->var : "[UNDEF]"), \
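/* Numeric and boolean variants of SHOW_PARM. Each reads `o->var`, so an
 * options pointer `o` must be in scope at the call site. */
980 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
981 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
982 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
983 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
/* No trailing ';' here, matching the other SHOW_* macros: call sites already
 * write SHOW_BOOL(x); (see the SHOW_BOOL uses in this file), and a ';' baked
 * into the expansion turns that into two statements, which silently breaks
 * an unbraced if/else around the call. */
984 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s")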
1055 for (i = 0; i <
len; ++i)
1073 msg(
M_WARN,
"foreign_option: name/value overflow");
1084 bool succeeded =
false;
1092 ret =
getaddr(flags, ip_string, 0, &succeeded, NULL);
1093 if (!succeeded && error)
1108 const char *end = strchr(addr,
'/');
1116 size_t len = end - addr;
1118 memcpy(ret, addr,
len);
1126 struct in6_addr t_addr;
1127 unsigned int t_bits;
1135 char *ret = (
char *)
gc_malloc(strlen(src) + 1,
true, gc);
1165 const char *cp = str;
1173 while (*cp && i < nbytes)
1176 if (!isxdigit(cp[0])
1178 || (cp[2] !=
':' && cp[2] !=
'\0')
1179 || sscanf(cp,
"%x", &
byte) != 1)
1181 msg(msglevel,
"format error in hash fingerprint: %s", str);
1185 ret->
hash[i++] = (uint8_t)
byte;
1196 msg(msglevel,
"hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1198 else if (term !=
'\0')
1200 msg(msglevel,
"hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1225 while ((line =
strsep(&lines,
"\n")))
1228 while (isspace(*line))
1233 if (strlen(line) == 0 || *line ==
'#' || *line ==
';')
1256 #ifndef ENABLE_SMALL
1262 for (i = 0; i < len; ++i)
1273 for (i = 0; i < len; ++i)
1309 #if defined(_WIN32) || defined(TARGET_ANDROID)
1313 struct in6_addr addr;
1316 msg(msglevel,
"--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1321 dns6_list[(*len)++] = addr;
1329 msg(msglevel,
"--dhcp-option %s: maximum of %d %s servers can be specified",
1339 const in_addr_t addr =
get_ip_addr(parm, msglevel, &error);
1342 array[(*len)++] = addr;
1347 msg(msglevel,
"dhcp-option parameter %s '%s' must be an IP address", name, parm);
1370 domain = domain->
next;
1374 msg(
M_WARN,
"WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1382 bool overflow =
false;
1407 server = server->
next;
1411 msg(
M_WARN,
"WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1421 if (!domain && !server)
1430 for (
int i = 1; i <= opt_max; ++i)
1436 const char *value = strchr(env_str,
'=') + 1;
1437 if ((domain && strstr(value,
"dhcp-option DOMAIN-SEARCH") == value)
1438 || (server && strstr(value,
"dhcp-option DNS") == value))
1444 setenv_foreign_option(o, &value, 1,
es);
1456 const char *
argv[] = {
1461 setenv_foreign_option(o,
argv, 3,
es);
1465 const char *
argv[] = {
1470 setenv_foreign_option(o,
argv, 3,
es);
1473 server = server->
next;
1477 const char *
argv[] = {
"dhcp-option",
"DOMAIN-SEARCH", domain->
name };
1478 setenv_foreign_option(o,
argv, 3,
es);
1479 domain = domain->
next;
1494 #ifndef ENABLE_SMALL
1541 SHOW_STR(ifconfig_pool_persist_filename);
1542 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1545 SHOW_INT(ifconfig_ipv6_pool_netbits);
1552 SHOW_STR(client_disconnect_script);
1553 SHOW_STR(client_crresponse_script);
1571 SHOW_STR(auth_user_pass_verify_script);
1572 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1595 const char *network_str,
1596 const char *netmask_str,
1612 msg(msglevel,
"in --iroute %s %s : Bad network/subnet specification",
1625 const char *prefix_str,
1634 msg(msglevel,
"in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1643 #ifndef ENABLE_SMALL
1708 #ifndef ENABLE_SMALL
1740 #ifdef ENABLE_FRAGMENT
1747 SHOW_INT(explicit_exit_notification);
1764 for (i = 0; i < l->
len; ++i)
1799 #ifndef ENABLE_SMALL
1806 #ifdef ENABLE_FEATURE_TUN_PERSIST
1828 #if defined(ENABLE_DCO)
1861 #if PASSTOS_CAPABILITY
1872 #ifdef ENABLE_SELINUX
1898 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1932 #ifdef ENABLE_MANAGEMENT
1936 SHOW_INT(management_log_history_cache);
1937 SHOW_INT(management_echo_buffer_size);
1942 #ifdef ENABLE_PLUGIN
1954 #ifndef ENABLE_CRYPTO_MBEDTLS
1963 #ifdef ENABLE_PREDICTION_RESISTANCE
1974 SHOW_PARM(
"cert_file",
"EXTERNAL_CERT",
"%s");
1984 SHOW_PARM(
"priv_key_file",
"EXTERNAL_PRIVATE_KEY",
"%s");
1990 #ifndef ENABLE_CRYPTO_MBEDTLS
1993 #ifdef ENABLE_CRYPTOAPI
2047 #ifdef ENABLE_PKCS11
2050 for (i = 0; i<
MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2052 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i],
"%s");
2059 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ?
"ENABLED" :
"DISABLED",
"%s");
2066 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i],
"%08x");
2073 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ?
"ENABLED" :
"DISABLED",
"%s");
2097 #ifdef ENABLE_MANAGEMENT
2112 if (flags && !strcmp(flags,
"nct"))
2135 bool succeed =
false;
2136 for (i = 0; i < l->
len; ++i)
2147 for (i = 0; i < l->
len; ++i)
2158 msg(
M_WARN,
"Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2186 msg(msglevel,
"Unable to process more connection options: out of memory. Number of entries = %d", l->
len);
2219 msg(msglevel,
"Unable to process more remote options: out of memory. Number of entries = %d", l->
len);
2286 if (key_file && *key_file && !(*key_inline))
2291 msg(
M_FATAL,
"Cannot pre-load keyfile (%s)", *key_file);
2294 *key_file = (
const char *) in.
data;
2305 #ifndef ENABLE_CRYPTO_MBEDTLS
2313 const char *
const str =
"You must define CA file (--ca)"
2314 #ifndef ENABLE_CRYPTO_MBEDTLS
2315 " or CA path (--capath)"
2317 " and/or peer fingerprint verification (--peer-fingerprint)";
2352 "--proto tcp is ambiguous in this context. Please specify "
2353 "--proto tcp-server or --proto tcp-client");
2358 msg(
M_USAGE,
"--lladdr can only be used in --dev tap mode");
2366 msg(
M_USAGE,
"only one of --tun-mtu or --link-mtu may be defined");
2371 msg(
M_USAGE,
"--mtu-test only makes sense with --proto udp");
2385 msg(
M_USAGE,
"--remote and --local addresses are the same");
2392 "--local and --remote addresses must be distinct from --ifconfig "
2400 "--local addresses must be distinct from --ifconfig addresses");
2407 "local and remote/netmask --ifconfig addresses must be different");
2412 msg(
M_USAGE,
"--bind and --nobind can't be used together");
2418 "--local and --nobind don't make sense when used together");
2424 "--lport and --nobind don't make sense when used together");
2429 msg(
M_USAGE,
"--nobind doesn't make sense unless used with --remote");
2435 #ifdef ENABLE_MANAGEMENT
2440 msg(
M_USAGE,
"--management is not specified, however one or more options which modify the behavior of --management were specified");
2446 msg(
M_USAGE,
"--management-client-(user|group) can only be used on unix domain sockets");
2453 msg(
M_WARN,
"WARNING: Using --management on a TCP port WITHOUT "
2454 "passwords is STRONGLY discouraged and considered insecure");
2459 #if !defined(HAVE_XKEY_PROVIDER)
2465 msg(
M_FATAL,
"management-external-key with TLS 1.3 or later requires "
2466 "nopadding argument/support");
2476 msg(
M_USAGE,
"On Windows, --ifconfig is required when --dev tun is used");
2482 msg(
M_USAGE,
"On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2487 const char *prefix =
"Some dhcp-options require DHCP server";
2490 msg(
M_USAGE,
"%s, which is not supported by selected %s driver",
2496 msg(
M_USAGE,
"%s, which requires --ip-win32 dynamic or adaptive",
2503 msg(
M_USAGE,
"--windows-driver wintun requires --dev tun");
2511 #ifdef ENABLE_FRAGMENT
2514 msg(
M_USAGE,
"--fragment can only be used with --proto udp");
2520 msg(
M_USAGE,
"--remote MUST be used in TCP Client mode");
2526 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2533 "--http-proxy not specified but other http proxy options present");
2539 "--http-proxy can not be used together with --socks-proxy");
2544 msg(
M_USAGE,
"--socks-proxy can not be used in TCP Server mode");
2549 msg(
M_USAGE,
"TCP server mode allows at most one --remote address");
/* Shared usage text for the --mode server protocol checks; the sites that
 * pass it to msg() are not visible here. */
2557 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2558 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2559 #ifdef TARGET_ANDROID
2560 msg(
M_FATAL,
"--mode server not supported on Android");
2564 msg(
M_USAGE,
"--mode server only works with --dev tun or --dev tap");
2568 msg(
M_USAGE,
"--pull cannot be used with --mode server");
2572 msg(
M_WARN,
"--pull-filter ignored for --mode server");
2582 msg(
M_USAGE,
"--port-share only works in TCP server mode "
2583 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2588 msg(
M_USAGE,
"--mode server requires --tls-server");
2592 msg(
M_USAGE,
"--remote cannot be used with --mode server");
2596 msg(
M_USAGE,
"--nobind cannot be used with --mode server");
2600 msg(
M_USAGE,
"--http-proxy cannot be used with --mode server");
2604 msg(
M_USAGE,
"--socks-proxy cannot be used with --mode server");
2612 msg(
M_USAGE,
"<connection> cannot be used with --mode server");
2617 msg(
M_USAGE,
"--shaper cannot be used with --mode server");
2622 "--ipchange cannot be used with --mode server (use "
2623 "--client-connect instead)");
2631 msg(
M_USAGE,
"--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2635 msg(
M_USAGE,
"The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2639 msg(
M_USAGE,
"--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2643 msg(
M_USAGE,
"--route-delay cannot be used with --mode server");
2647 msg(
M_USAGE,
"--up-delay cannot be used with --mode server");
2654 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2658 msg(
M_USAGE,
"--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2662 msg(
M_USAGE,
"--allow-recursive-routing cannot be used with --mode server");
2666 msg(
M_USAGE,
"--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2670 msg(
M_USAGE,
"--ccd-exclusive must be used with --client-config-dir");
2674 msg(
M_USAGE,
"--auth-gen-token needs a non-infinite "
2675 "--renegotiate_seconds setting");
2680 msg(
M_USAGE,
"--auth-gen-token renewal time needs to be at least "
2681 " two times --hand-window (%d).",
2689 const char *postfix =
"must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2692 msg(
M_USAGE,
"--verify-client-cert none|optional %s", postfix);
2696 msg(
M_USAGE,
"--username-as-common-name %s", postfix);
2700 msg(
M_USAGE,
"--auth-user-pass-optional %s", postfix);
2706 msg(
M_USAGE,
"--vlan-tagging must be used with --dev tap");
2712 msg(
M_USAGE,
"--vlan-accept requires --vlan-tagging");
2716 msg(
M_USAGE,
"--vlan-pvid requires --vlan-tagging");
2728 msg(
M_USAGE,
"--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2732 msg(
M_USAGE,
"--ifconfig-ipv6-pool requires --mode server");
2737 msg(
M_USAGE,
"--hash-size requires --mode server");
2741 msg(
M_USAGE,
"--learn-address requires --mode server");
2745 msg(
M_USAGE,
"--client-connect requires --mode server");
2749 msg(
M_USAGE,
"--client-crresponse requires --mode server");
2753 msg(
M_USAGE,
"--client-disconnect requires --mode server");
2757 msg(
M_USAGE,
"--client-config-dir/--ccd-exclusive requires --mode server");
2761 msg(
M_USAGE,
"--client-to-client requires --mode server");
2765 msg(
M_USAGE,
"--duplicate-cn requires --mode server");
2769 msg(
M_USAGE,
"--connect-freq requires --mode server");
2773 msg(
M_USAGE,
"--verify-client-cert requires --mode server");
2777 msg(
M_USAGE,
"--username-as-common-name requires --mode server");
2781 msg(
M_USAGE,
"--auth-user-pass-optional requires --mode server");
2785 msg(
M_USAGE,
"--opt-verify requires --mode server");
2789 msg(
M_WARN,
"WARNING: setting tcp-nodelay on the client side will not "
2790 "affect the server. To have TCP_NODELAY in both direction use "
2791 "tcp-nodelay in the server configuration instead.");
2795 msg(
M_USAGE,
"--auth-user-pass-verify requires --mode server");
2799 msg(
M_USAGE,
"--auth-gen-token requires --mode server");
2804 msg(
M_USAGE,
"--port-share requires TCP server mode (--mode server --proto tcp-server)");
2810 msg(
M_USAGE,
"--stale-routes-check requires --mode server");
2815 msg(
M_USAGE,
"--vlan-tagging requires --mode server");
2826 msg(
M_USAGE,
"--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2835 msg(
M_USAGE,
"specify only one of --tls-server, --tls-client, or --secret");
2840 msg(
M_INFO,
"DEPRECATION: No tls-client or tls-server option in "
2841 "configuration detected. OpenVPN 2.7 will remove the "
2842 "functionality to run a VPN without TLS. "
2843 "See the examples section in the manual page for "
2844 "examples of a similar quick setup with peer-fingerprint.");
2849 msg(
M_WARN,
"WARNING: POTENTIALLY DANGEROUS OPTION "
2850 "--verify-client-cert none|optional "
2851 "may accept clients which do not present a certificate");
2857 const int tls_version_min =
2863 msg(
M_USAGE,
"--tls-version-min bigger than --tls-version-max");
2869 #ifdef ENABLE_PKCS11
2872 msg(
M_WARN,
"Option pkcs11-id is ignored as no pkcs11-providers are specified");
2874 else if (!
options->pkcs11_providers[0] &&
options->pkcs11_id_management)
2876 msg(
M_WARN,
"Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2879 if (
options->pkcs11_providers[0])
2883 msg(
M_USAGE,
"Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2885 if (!
options->pkcs11_id_management &&
options->pkcs11_id == NULL)
2887 msg(
M_USAGE,
"Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2891 msg(
M_USAGE,
"Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2895 msg(
M_USAGE,
"Parameter --key cannot be used when --pkcs11-provider is also specified.");
2899 msg(
M_USAGE,
"Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2903 msg(
M_USAGE,
"Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2907 msg(
M_USAGE,
"Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2909 #ifdef ENABLE_CRYPTOAPI
2912 msg(
M_USAGE,
"Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2920 msg(
M_USAGE,
"--key and --management-external-key are mutually exclusive");
2926 msg(
M_USAGE,
"--cert and --management-external-cert are mutually exclusive");
2930 msg(
M_USAGE,
"--management-external-cert must be used with --management-external-key");
2934 #ifdef ENABLE_CRYPTOAPI
2939 msg(
M_USAGE,
"Parameter --cert cannot be used when --cryptoapicert is also specified.");
2943 msg(
M_USAGE,
"Parameter --key cannot be used when --cryptoapicert is also specified.");
2947 msg(
M_USAGE,
"Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2951 msg(
M_USAGE,
"Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2955 msg(
M_USAGE,
"Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2962 #ifdef ENABLE_CRYPTO_MBEDTLS
2963 msg(
M_USAGE,
"Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2967 msg(
M_USAGE,
"Parameter --capath cannot be used when --pkcs12 is also specified.");
2971 msg(
M_USAGE,
"Parameter --cert cannot be used when --pkcs12 is also specified.");
2975 msg(
M_USAGE,
"Parameter --key cannot be used when --pkcs12 is also specified.");
2979 msg(
M_USAGE,
"Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2983 msg(
M_USAGE,
"Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2989 #ifdef ENABLE_CRYPTO_MBEDTLS
2992 msg(
M_USAGE,
"Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
3006 msg(
M_USAGE,
"No client-side authentication method is "
3007 "specified. You must use either "
3008 "--cert/--key, --pkcs12, or "
3009 "--auth-user-pass");
3014 msg(
M_USAGE,
"If you use one of --cert or --key, you must use them both");
3031 msg(
M_USAGE,
"--tls-auth and --tls-crypt are mutually exclusive");
3036 msg(
M_USAGE,
"--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3046 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3049 const char err[] =
"Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3056 #ifndef ENABLE_CRYPTO_MBEDTLS
3081 #ifdef ENABLE_PKCS11
3093 #undef MUST_BE_UNDEF
3097 msg(
M_USAGE,
"--auth-user-pass requires --pull");
3156 if (
ce->
af == AF_INET6)
3158 msg(
M_INFO,
"WARNING: '--proto udp6' is not compatible with "
3159 "'--socks-proxy' today. Forcing IPv4 mode." );
3163 msg(
M_INFO,
"NOTICE: dual-stack mode for '--proto udp' does not "
3164 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3191 #ifdef ENABLE_FRAGMENT
3253 msg(
M_WARN,
"NOTICE: --explicit-exit-notify ignored for --proto tcp");
3268 msg(
M_INFO,
"Flag 'def1' added to --redirect-gateway (iservice is in use)");
3442 #ifdef DEFAULT_PKCS11_MODULE
3446 if (!
options->pkcs11_providers[0]
3449 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3474 msg(
M_WARN,
"Note: --client-to-client has no effect when using data "
3475 "channel offload: packets are always sent to the VPN "
3476 "interface and then routed based on the system routing table");
3495 bool can_do_chacha =
cipher_valid(
"CHACHA20-POLY1305");
3505 o->
ncp_ciphers =
"AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3539 msg(
M_INFO,
"Note: --cipher is not set. OpenVPN versions before 2.5 "
3540 "defaulted to BF-CBC as fallback when cipher negotiation "
3541 "failed in this case. If you need this fallback please add "
3542 "'--data-ciphers-fallback BF-CBC' to your configuration "
3543 "and/or add BF-CBC to --data-ciphers.");
3548 msg(
M_WARN,
"DEPRECATED OPTION: --cipher set to '%s' but missing in "
3549 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3585 if (tls_ver_min == 0)
3594 else if (tls_ver_max == 0 || tls_ver_max >=
TLS_VER_1_2)
3668 msg(
M_USAGE,
"--data-ciphers list contains unsupported ciphers or is too long.");
3677 for (i = 0; i < rl->
len; ++i)
3716 msg(
M_WARN,
"WARNING: Ignoring option 'dh' in tls-client mode, please only "
3717 "include this in your server configuration");
3720 #if ENABLE_MANAGEMENT
3729 msg(
M_INFO,
"Using certificate fingerprint to verify peer (no CA "
3736 msg(
M_USAGE,
"Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3737 "incompatible with each other.");
3762 msg(
M_WARN,
"Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3773 msg(
M_WARN,
"Note: ignoring --dev-node as it has no effect when using "
3774 "data channel offload");
3795 #if defined(_WIN32) || defined(TARGET_ANDROID)
3798 foreign_options_copy_dns(o,
es);
3812 #ifndef ENABLE_SMALL
/* Bit flags for the file/directory access checks; each is a distinct 1<<n
 * value so callers can OR them together. From the names, CHKACC_PRIVATE
 * looks to be what triggers the "group or others accessible" warning seen
 * further down — confirm in the checking function, which is not fully
 * visible here. */
3814 #define CHKACC_FILE (1<<0)
3815 #define CHKACC_DIRPATH (1<<1)
3816 #define CHKACC_FILEXSTWR (1<<2)
3817 #define CHKACC_ACPTSTDIN (1<<3)
3818 #define CHKACC_PRIVATE (1<<4)
3843 char *dirpath =
dirname(fullpath);
3878 if (st.st_mode & (S_IRWXG|S_IRWXO))
3880 msg(
M_WARN,
"WARNING: file '%s' is group or others accessible", file);
3893 return (errcode != 0 ?
true :
false);
3915 struct buffer chroot_file;
3935 const int type,
const char *file,
3936 const int mode,
const char *opt)
3952 const int mode,
const char *opt)
4059 "--crl-verify directory");
4066 R_OK,
"--crl-verify");
4099 #ifdef ENABLE_MANAGEMENT
4102 "--management user/password file");
4107 "--auth-user-pass");
4110 R_OK|X_OK,
"--chroot directory");
4112 R_OK|W_OK,
"--writepid");
4116 R_OK|W_OK,
"--status");
4120 R_OK|W_OK|X_OK,
"--tls-export-cert");
4122 R_OK|X_OK,
"--client-config-dir");
4124 R_OK|W_OK|X_OK,
"Temporary directory (--tmp-dir)");
4128 msg(
M_USAGE,
"Please correct these errors.");
4143 #ifndef ENABLE_SMALL
4160 #if defined(_WIN32) || defined(TARGET_ANDROID)
4163 foreign_options_copy_dns(o,
es);
4220 bool tt_local =
false;
4282 if (tt && p2p_nopull)
4285 if (ios && strlen(ios))
4303 #ifdef ENABLE_FRAGMENT
/* Shorthands for the TLS role flags on the options struct `o`; only valid
 * where such an `o` is in scope. */
4310 #define TLS_CLIENT (o->tls_client)
4311 #define TLS_SERVER (o->tls_server)
4372 #ifdef ENABLE_PREDICTION_RESISTANCE
4373 if (o->use_prediction_resistance)
4375 buf_printf(&out,
",use-prediction-resistance");
4464 const bool report_inconsistent,
4466 const struct buffer *b2_src,
4467 const char *b1_name,
4468 const char *b2_name)
4477 ||
streq(p1,
"tls-auth")
4487 struct buffer b2 = *b2_src;
4497 if (!strcmp(p1, p2))
4501 if (!strcmp(p1_prefix, p2_prefix))
4503 if (report_inconsistent)
4505 msg(msglevel,
"WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4517 msg(msglevel,
"WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4532 const bool report_inconsistent,
4533 const struct buffer *b1_src,
4534 const struct buffer *b2_src,
4535 const char *b1_name,
4536 const char *b2_name)
4539 struct buffer b = *b1_src;
4559 actual[actual_n - 1] = 0;
4584 actual[actual_n - 1] = 0;
4585 if (strncmp(actual, expected, 2))
4587 msg(
D_SHOW_OCC,
"NOTE: Options consistency check may be skewed by version differences");
4592 ret = !strcmp(actual, expected);
4618 const size_t opt_name_len = strlen(opt_name);
4623 if (0 == strncmp(p, opt_name, opt_name_len)
4624 && strlen(p) > (opt_name_len+1) && p[opt_name_len] ==
' ')
4627 const char *start = &p[opt_name_len+1];
4628 const char *end = strchr(p,
',');
4629 size_t val_len = end ? end - start : strlen(start);
4631 memcpy(ret, start, val_len);
4654 if (
streq(str,
"tap-windows6"))
4658 else if (
streq(str,
"wintun"))
4663 else if (
streq(str,
"ovpn-dco"))
4669 msg(msglevel,
"--windows-driver must be tap-windows6, wintun "
4683 if (
streq(str,
"net30"))
4687 else if (
streq(str,
"p2p"))
4691 else if (
streq(str,
"subnet"))
4697 msg(msglevel,
"--topology must be net30, p2p, or subnet");
4739 if (
streq(option,
"interact"))
4743 else if (
streq(option,
"nointeract"))
4747 else if (
streq(option,
"none"))
4753 msg(msglevel,
"--auth-retry method must be 'interact', 'nointeract', or 'none'");
4768 return "nointeract";
4788 fprintf(fp,
"Usage message not available\n");
4844 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4846 #define LZO_LIB_VER_STR "", ""
4852 #undef LZO_LIB_VER_STR
4866 #ifndef ENABLE_SMALL
4867 #ifdef CONFIGURE_DEFINES
4870 #ifdef CONFIGURE_SPECIAL_BUILD
4882 msg(
M_USAGE,
"You must define %s", description);
4891 return !strcmp(s1, s2);
4901 ping_rec_err(
int msglevel)
4903 msg(msglevel,
"only one of --ping-exit or --ping-restart options may be specified");
4910 const int i = atoi(str);
4911 return i < 0 ? 0 : i;
4918 unsigned int val = 0;
4919 sscanf(str,
"%u", &val);
4927 return c ==
'\0' || isspace(c);
4939 const int STATE_INITIAL = 0;
4940 const int STATE_READING_QUOTED_PARM = 1;
4941 const int STATE_READING_UNQUOTED_PARM = 2;
4942 const int STATE_DONE = 3;
4943 const int STATE_READING_SQUOTED_PARM = 4;
4945 const char *error_prefix =
"";
4948 const char *c = line;
4949 int state = STATE_INITIAL;
4950 bool backslash =
false;
4954 unsigned int parm_len = 0;
4960 error_prefix =
"ERROR: ";
4968 if (!backslash && in ==
'\\' && state != STATE_READING_SQUOTED_PARM)
4974 if (state == STATE_INITIAL)
4978 if (in ==
';' || in ==
'#')
4982 if (!backslash && in ==
'\"')
4984 state = STATE_READING_QUOTED_PARM;
4986 else if (!backslash && in ==
'\'')
4988 state = STATE_READING_SQUOTED_PARM;
4993 state = STATE_READING_UNQUOTED_PARM;
4997 else if (state == STATE_READING_UNQUOTED_PARM)
4999 if (!backslash &&
space(in))
5008 else if (state == STATE_READING_QUOTED_PARM)
5010 if (!backslash && in ==
'\"')
5019 else if (state == STATE_READING_SQUOTED_PARM)
5030 if (state == STATE_DONE)
5033 p[ret] =
gc_malloc(parm_len + 1,
true, gc);
5034 memcpy(p[ret], parm, parm_len);
5035 p[ret][parm_len] =
'\0';
5036 state = STATE_INITIAL;
5041 if (backslash && out)
5043 if (!(out ==
'\\' || out ==
'\"' ||
space(out)))
5046 msg(msglevel,
"%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5048 msg(msglevel,
"%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5059 if (parm_len >=
SIZE(parm))
5061 parm[
SIZE(parm) - 1] = 0;
5062 msg(msglevel,
"%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5063 error_prefix, file, line_num, (
int)
SIZE(parm), parm);
5066 parm[parm_len++] = out;
5075 }
while (*c++ !=
'\0');
5077 if (state == STATE_READING_QUOTED_PARM)
5079 msg(msglevel,
"%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5082 if (state == STATE_READING_SQUOTED_PARM)
5084 msg(msglevel,
"%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5087 if (state != STATE_INITIAL)
5089 msg(msglevel,
"%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5095 for (i = 0; i < ret; ++i)
5107 if (strlen(*p) >= 3 && !strncmp(*p,
"--", 2))
/* Input-source tags; the names suggest a FILE* vs in-memory buffer
 * distinction, but the consumer is not visible here — confirm. */
5114 #define IS_TYPE_FP 1
5115 #define IS_TYPE_BUF 2
5133 if ((
int) strlen(line) + 1 < size)
5148 int *num_lines,
struct gc_arena *gc)
5153 bool endtagfound =
false;
5158 char *line_ptr = line;
5160 while (isspace(*line_ptr))
5164 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5169 if (!
buf_safe(&buf, strlen(line)+1))
5182 msg(
M_FATAL,
"ERROR: Endtag %s missing", close_tag);
5194 int num_inline_lines = 0;
5199 if (arg[0] ==
'<' && arg[strlen(arg)-1] ==
'>')
5203 arg[strlen(arg) - 1] =
'\0';
5205 close_tag =
alloc_buf(strlen(p[0]) + 4);
5212 return num_inline_lines;
5242 const unsigned int permission_mask,
5243 unsigned int *option_types_found,
5250 const char *top_file,
5253 const unsigned int permission_mask,
5254 unsigned int *option_types_found,
5257 const int max_recursive_levels = 10;
5264 if (level <= max_recursive_levels)
5266 if (
streq(file,
"stdin"))
5277 while (fgets(line,
sizeof(line),
fp))
5284 msg(msglevel,
"In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5289 if (line_num == 1 && strncmp(line,
"\xEF\xBB\xBF", 3) == 0)
5298 msglevel, permission_mask, option_types_found,
5300 line_num += lines_inline;
5310 msg(msglevel,
"In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5315 msg(msglevel,
"In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5326 const unsigned int permission_mask,
5327 unsigned int *option_types_found,
5334 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5336 while (
buf_parse(&multiline,
'\n', line,
sizeof(line)))
5346 permission_mask, option_types_found,
es);
5347 line_num += lines_inline;
5359 const unsigned int permission_mask,
5360 unsigned int *option_types_found,
5370 if (argc == 2 && strncmp(
argv[1],
"--", 2))
5377 option_types_found,
es);
5382 for (
int i = 1; i < argc; ++i)
5387 if (strncmp(p[0],
"--", 2))
5389 msg(msglevel,
"I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5401 char *arg =
argv[i + j];
5402 if (strncmp(arg,
"--", 2))
5413 option_types_found,
es);
5438 while (isspace(*line))
5447 msg(
D_LOW,
"Pushed option accepted by filter: '%s'", line);
5452 msg(
D_PUSH,
"Pushed option removed by filter: '%s'", line);
5458 msg(
M_WARN,
"Pushed option rejected by filter: '%s'. Restarting.", line);
5470 unsigned int permission_mask,
5471 unsigned int *option_types_found,
5476 const char *file =
"[PUSH-OPTIONS]";
5479 while (
buf_parse(buf,
',', line,
sizeof(line)))
5491 permission_mask, option_types_found,
es);
5499 const char *filename,
5501 unsigned int permission_mask,
5502 unsigned int *option_types_found,
5505 msg(
D_PUSH,
"OPTIONS IMPORT: reading client specific options from: %s", filename);
5521 const unsigned int permission_mask,
5522 unsigned int *option_types_found,
5528 #define VERIFY_PERMISSION(mask) { \
5529 if (!verify_permission(p[0], file, line, (mask), permission_mask, \