File: openvpn3-config-manage.1.rst

openvpn3-client 25+dfsg-3
======================
openvpn3-config-manage
======================

--------------------------------------------------
OpenVPN 3 Linux - Configuration Profile Management
--------------------------------------------------

:Manual section: 1
:Manual group: OpenVPN 3 Linux

SYNOPSIS
========
| ``openvpn3 config-manage`` ``-o DBUS-PATH`` | ``--path DBUS-PATH`` | ``--config CONFIG-NAME`` [OPTIONS]
| ``openvpn3 config-manage`` ``-h`` | ``--help``


DESCRIPTION
===========
Manage settings for an imported configuration profile.  This allows one to override parts
of the original config profile.  Note that this will not be reflected in the output
of ``openvpn3 config-dump``.  Use ``openvpn3 config-manage --show`` to see the existing
overrides.

OPTIONS
=======

-h, --help              Print usage and help details to the terminal

-o DBUS-PATH, --path DBUS-PATH
                        D-Bus configuration path to the
                        configuration profile to manage.  This can be found in
                        ``openvpn3 configs-list``.

--config-path DBUS-PATH
                        Alias for ``--path``.

-c CONFIG-NAME, --config CONFIG-NAME
                        Can be used instead of ``--path`` where the
                        configuration profile name is given instead.  Available
                        configuration names can be found via
                        ``openvpn3 configs-list``.

-r NEW-CONFIG-NAME, --rename NEW-CONFIG-NAME
                        Renames the configuration profile

--tag TAG-VALUE
                        Adds a tag value to a configuration profile

--remove-tag TAG-VALUE
                        Remove a tag value from a configuration profile

-s, --show
                        Show the current profile settings

--exists
                        Checks if a configuration profile exists.  Requires
                        either ``--config`` or ``--path``.  Will exit
                        with `0` if configuration profile is found, otherwise
                        `1`.

--quiet
                        Do not display informational messages when modifying
                        the configuration profile.

--dco BOOL
                        Enable kernel based Data Channel Offload.  This moves
                        the tunnelled network traffic to be handled inside the
                        kernel.  This improves the processing of the network
                        traffic and moves the encryption, decryption and packet
                        authentication for the tunnelled network traffic to be
                        handled inside the kernel instead of being passed via
                        the OpenVPN client process in user space.

                        This option is only available if openvpn3-linux has been
                        built with this support.

                        *WARNING:*
                            This is currently a **tech preview** feature
                            and is **not** ready for production environments.
                            It also requires the `ovpn-dco` kernel module to be
                            installed to work and at least a Linux 5.4 kernel.

--server-override HOST
                        Override the remote server hostname/IP address to
                        connect against.

--port-override PORT
                        Override the remote server port to connect against.
                        Valid values: :code:`1` to :code:`65535`.

--proto-override PROTO
                        Override the connection protocol.  Valid values are
                        :code:`tcp` and :code:`udp`.

--ipv6 ARG
                        Sets the IPv6 connect policy for the client.  Valid
                        values are :code:`yes`, :code:`no` and :code:`default`.

--persist-tun BOOL
                        Overrides the ``--persist-tun`` argument in the
                        configuration profile.  If set to true, the tun
                        adapter will persist during the reconnect.  If false,
                        the tun adapter will be torn down before reconnects.
                        Valid values are: :code:`true`, :code:`false`

--log-level LEVEL
                        Overrides the default log level.  The default log level
                        is ``3`` if the configuration file does not contain a
                        ``--verb`` option.  This override takes precedence over
                        any other log verbosity settings.  Valid values are
                        between ``1`` and ``6``.

--dns-fallback-google BOOL
                        If set to true, the DNS resolver settings will include
                        Google DNS servers.  Valid values are: :code:`true`,
                        :code:`false`


--dns-scope SCOPE
                        Defines the DNS query scope.  This is currently only
                        supported when enabling the `systemd-resolved`\(8)
                        resolver support in `openvpn3-service-netcfg`\(8).
                        Supported values are:

                        :code:`global`:  (default)
                          The VPN service provided DNS server(s) will be used
                          for all types of DNS queries.

                        :code:`tunnel`:
                          The VPN service provided DNS server(s) will only be
                          used for queries for DNS domains pushed by the
                          VPN service.

                          **NOTE**
                            The DNS domains pushed by the VPN service may be
                            queried by DNS servers with `systemd-resolved`\(8)
                            service if their respective interfaces are
                            configured to do global DNS queries.  But other
                            non-listed DNS domains will not be sent to this
                            VPN service provider's DNS server.

--dns-setup-disabled BOOL
                        If set to true, DNS settings will not be configured
                        on the system.  Valid values are: :code:`true`,
                        :code:`false`


--dns-sync-lookup BOOL
                        If set to true, DNS lookups will happen synchronously.
                        Valid values are: :code:`true`, :code:`false`

--enterprise-profile PROFILE_NAME
                        This enables device posture checks if the server
                        requests it.  The profile name needs to match a
                        device posture profile found in the
                        ``@DEVPOSTURE_PROFILEDIR@`` directory.  The
                        *PROFILE_NAME* is without any file extension.  For
                        a successful device posture check, the profile must
                        match the protocol the server side expects.  This
                        information needs to be provided by your VPN server
                        administrator.

--auth-fail-retry BOOL
                        If set to true, the client will try to reconnect instead
                        of disconnecting if authentication fails.  Valid values
                        are: :code:`true`, :code:`false`

--allow-compression ARG
                        This controls whether the client wants to allow
                        compression on traffic between the client and the server.
                        Valid argument values:

                        :code:`no`:
                          Do not compress at all

                        :code:`asym`:
                          Only allow server to send compressed data

                        :code:`yes`:
                          Both client and server can use compression

--enable-legacy-algorithms BOOL
                        By default, OpenVPN 3 Linux only expects to work with
                        servers capable of doing AEAD ciphers on the data
                        channel, such as AES-GCM or ChaCha20-Poly1305 (if
                        supported by the TLS library).  To connect to legacy
                        servers not capable of AEAD ciphers on the data channel,
                        it might help to enable legacy cipher algorithms.

--tls-version-min ARG
                        Sets the minimum TLS version for the control channel.
                        For this to be functional, the SSL/TLS library in use
                        needs to support this restriction on both server and
                        client.  Valid argument values are:

                        :code:`tls_1_0`:
                          Enforce minimum TLSv1.0

                        :code:`tls_1_1`:
                          Enforce minimum TLSv1.1

                        :code:`tls_1_2`:
                          Enforce minimum TLSv1.2

                        :code:`tls_1_3`:
                          Enforce minimum TLSv1.3.  This is currently only
                          supported by OpenSSL 1.1.1.


--tls-cert-profile ARG
                        This sets the acceptable certificate and key parameters.
                        Valid argument values are:

                        :code:`legacy`:
                          Allows minimum 1024 bits RSA keys with certificates
                          signed with SHA1.

                        :code:`preferred`:
                          Allows minimum 2048 bits RSA keys with certificates
                          signed with SHA256 or higher. (default)

                        :code:`suiteb`:
                          This follows the NSA Suite-B specification.


--proxy-host PROXY-SERVER
                        HTTP proxy to establish the VPN connection via.

--proxy-port PROXY-PORT
                        Port where the HTTP proxy is available.

--proxy-username PROXY-USER
                        Username to use for the HTTP proxy connection

--proxy-password PROXY-PASSWORD
                        Password to use for the HTTP proxy connection

--proxy-auth-cleartext BOOL
                        Allow HTTP proxy authentication to happen in clear-text.
                        Valid values are: :code:`true`, :code:`false`

--automatic-restart MODE
                        Instructs the Session Manager how to handle
                        sessions if the OpenVPN 3 Client process disappears
                        unexpectedly.  The :code:`MODE` argument can be
                        either :code:`on-failure` to enable this feature or
                        :code:`no` to disable it.  The default is :code:`no`.

--unset-override OVERRIDE
                        This removes an override setting from the configuration
                        profile.  The ``OVERRIDE`` value is the setting
                        arguments listed here but without the leading ``--``.
                        For example, if ``--tls-cert-profile suiteb`` was set,
                        it can be unset with
                        ``--unset-override tls-cert-profile``.
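
The following pre-flight check is an added example, not part of the original manual page or the OpenVPN 3 Linux project. It validates override values against the ranges listed above and flags values that are valid but weaken the profile. The function names, the ``option=value`` pair format and the weak/valid classification are assumptions made for this example.

```shell
# Added example: check override values before passing them to
# `openvpn3 config-manage`.  Status: 0 = valid, 1 = valid but weakens
# the profile, 2 = invalid value or option not covered by this check.
check_override() {
    opt=$1 val=$2
    case "$opt" in
    port-override)     # documented range: 1 to 65535
        case "$val" in ''|0*|*[!0-9]*) return 2 ;; esac
        [ "${#val}" -le 5 ] && [ "$val" -le 65535 ] || return 2 ;;
    proto-override) case "$val" in tcp|udp) ;; *) return 2 ;; esac ;;
    log-level)      case "$val" in [1-6]) ;; *) return 2 ;; esac ;;
    ipv6)           case "$val" in yes|no|default) ;; *) return 2 ;; esac ;;
    dns-scope)      case "$val" in global|tunnel) ;; *) return 2 ;; esac ;;
    tls-version-min)   # TLS 1.0 and 1.1 are deprecated protocol versions
        case "$val" in tls_1_2|tls_1_3) ;; tls_1_0|tls_1_1) return 1 ;; *) return 2 ;; esac ;;
    tls-cert-profile)  # legacy accepts 1024-bit RSA keys and SHA1 signatures
        case "$val" in preferred|suiteb) ;; legacy) return 1 ;; *) return 2 ;; esac ;;
    allow-compression) # yes lets the client compress tunnelled traffic
        case "$val" in no|asym) ;; yes) return 1 ;; *) return 2 ;; esac ;;
    enable-legacy-algorithms|proxy-auth-cleartext)
        # true allows non-AEAD ciphers / clear-text proxy authentication
        case "$val" in false) ;; true) return 1 ;; *) return 2 ;; esac ;;
    *) return 2 ;;
    esac
    return 0
}

# Walk "option=value" pairs, print each finding, return the worst status.
audit_overrides() {
    worst=0
    for pair in "$@"; do
        rc=0
        check_override "${pair%%=*}" "${pair#*=}" || rc=$?
        case $rc in
        1) echo "WEAK:    --${pair%%=*} ${pair#*=}" ;;
        2) echo "INVALID: --${pair%%=*} ${pair#*=}" ;;
        esac
        [ "$rc" -le "$worst" ] || worst=$rc
    done
    return "$worst"
}
```

A status of ``0`` from ``audit_overrides`` means every pair can be passed on as ``--OPTION VALUE`` arguments; ``openvpn3 config-manage --show`` then confirms which overrides are active.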

SEE ALSO
========

``openvpn3``\(1)
``openvpn3-config-acl``\(1)
``openvpn3-config-import``\(1)
``openvpn3-configs-list``\(1)
``openvpn3-config-remove``\(1)