/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2004 James Yonan <jim@yonan.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (see the file COPYING included with this
 * distribution); if not, write to the Free Software Foundation, Inc.,
 * 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * 2004-01-28: Added Socks5 proxy support
 * (Christof Meerwald, http://cmeerw.org)
 */

#ifdef WIN32
#include "config-win32.h"
#else
#include "config.h"
#endif

#include "syshead.h"

#include "buffer.h"
#include "error.h"
#include "common.h"
#include "shaper.h"
#include "crypto.h"
#include "ssl.h"
#include "options.h"
#include "misc.h"
#include "socket.h"
#include "packet_id.h"
#include "win32.h"
#include "push.h"

#include "memdbg.h"

/*
 * Version/feature banner.  Each bracketed tag is appended only when the
 * matching build-time macro is defined, and __DATE__ embeds the build
 * date, so the string is not byte-identical across rebuilds of the same
 * source (relevant if reproducible builds are ever wanted).
 */
const char title_string[] =
  PACKAGE_STRING " " TARGET_ALIAS
#ifdef USE_CRYPTO
#ifdef USE_SSL
  " [SSL]"
#else
  " [CRYPTO]"
#endif
#endif
#ifdef USE_LZO
  " [LZO]"
#endif
#if EPOLL
  " [EPOLL]"
#endif
#ifdef USE_PTHREAD
  " [PTHREAD]"
#endif
  " built on " __DATE__
  ;

/*
 * Help text for --help, kept as a single printf-style format string.
 * The %s/%d conversions (the leading %s is presumably filled with
 * title_string -- confirm against the caller, which is outside this
 * excerpt) are positional, and several of them live inside the
 * USE_CRYPTO and USE_SSL regions below.  The caller's argument list must
 * therefore be guarded by the same preprocessor conditions, otherwise
 * the format and its arguments go out of step, which is undefined
 * behaviour.  Any literal percent sign added to this text must be
 * written as "%%".
 */
static const char usage_message[] =
  "%s\n"
  "\n"
  "General Options:\n"
  "--config file : Read configuration options from file.\n"
  "--help : Show options.\n"
  "--version : Show copyright and version information.\n"
  "\n"
  "Tunnel Options:\n"
  "--local host : Local host name or ip address.\n"
  "--remote host [port] : Remote host name or ip address.\n"
  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
  "--proto p : Use protocol p for communicating with peer.\n"
  " p = udp (default), tcp-server, or tcp-client\n"
  "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
  " between connection retries (default=%d).\n"
  "--http-proxy s p [up]: Connect to remote host through an HTTP proxy at address\n"
  " s and port p. If proxy authentication is required, up is a\n"
  " file containing username/password on 2 lines.\n"
  "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
  "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
  " s and port p (default port = 1080).\n"
  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
  " resolve for n seconds before failing (disabled by default).\n"
  " Set n=\"infinite\" to retry indefinitely.\n"
  "--float : Allow remote to change its IP address/port, such as through\n"
  " DHCP (this is the default if --remote is not used).\n"
  "--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
  " setting or change -- execute as: cmd ip-address port#\n"
  "--port port : TCP/UDP port # for both local and remote.\n"
  "--lport port : TCP/UDP port # for local (default=%d).\n"
  "--rport port : TCP/UDP port # for remote (default=%d).\n"
  "--nobind : Do not bind to local address and port.\n"
  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
  " this option only if the tun/tap device used with --dev\n"
  " does not begin with \"tun\" or \"tap\".\n"
  "--dev-node node : Explicitly set the device node rather than using\n"
  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
  "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
  " endpoint and rn as a remote endpoint. l & rn should be\n"
  " swapped on the other peer. l & rn must be private\n"
  " addresses outside of the subnets used by either peer.\n"
  " TAP: configure device to use IP address l as a local\n"
  " endpoint and rn as a subnet mask.\n"
  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
  " pass --ifconfig parms by environment to scripts.\n"
  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
  " connection doesn't match the remote side.\n"
  "--route network [netmask] [gateway] [metric] :\n"
  " Add route to routing table after connection\n"
  " is established. Multiple routes can be specified.\n"
  " netmask default: 255.255.255.255\n"
  " gateway default: taken from --route-gateway or --ifconfig\n"
  " Specify default by leaving blank or setting to \"nil\".\n"
  "--route-gateway gw : Specify a default gateway for use with --route.\n"
  "--route-delay n : Delay n seconds after connection initiation before\n"
  " adding routes (may be 0). If not specified, routes will\n"
  " be added immediately after tun/tap open.\n"
  "--route-up cmd : Execute shell cmd after routes are added.\n"
  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
  " --route-up script using environmental variables.\n"
  "--redirect-gateway ['local']: (Experimental) Automatically execute routing\n"
  " commands to redirect all outgoing IP traffic through the\n"
  " VPN. Add 'local' flag if both OpenVPN servers are directly\n"
  " connected via a common subnet, such as with wireless.\n"
  "--setenv name value : Set a custom environmental variable to pass to script.\n"
  "--shaper n : Restrict output to peer to n bytes per second.\n"
  "--inactive n : Exit after n seconds of inactivity on tun/tap device.\n"
  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
  " remote address.\n"
  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
#if PASSTOS_CAPABILITY
  "--passtos : TOS passthrough (applies to IPv4 only).\n"
#endif
  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
  " TCP/UDP MTU from it (default=%d).\n"
  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
  " as n bytes more than the tun-mtu size on read\n"
  " (default TUN=0 TAP=%d).\n"
  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
  " from it.\n"
  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
  " 'no' -- Never send DF (Don't Fragment) frames\n"
  " 'maybe' -- Use per-route hints\n"
  " 'yes' -- Always DF (Don't Fragment)\n"
  "--mtu-test : Empirically measure and report MTU.\n"
  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
  " datagrams are sent which are larger than max bytes.\n"
  " Adds 4 bytes of overhead per datagram.\n"
  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
  " or --fragment max value, whichever is lower.\n"
  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
  "--mlock : Disable Paging -- ensures key material and tunnel\n"
  " data will never be written to disk.\n"
  "--up cmd : Shell cmd to execute after successful tun device open.\n"
  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
  " ifconfig-local-ip ifconfig-remote-ip\n"
  " (pre --user or --group UID/GID change)\n"
  "--up-delay : Delay tun/tap open and possible --up script execution\n"
  " until after TCP/UDP connection establishment with peer.\n"
  "--down cmd : Shell cmd to run after tun device close.\n"
  " (post --user/--group UID/GID change and/or --chroot)\n"
  " (script parameters are same as --up option)\n"
  "--up-restart : Run up/down scripts for all restarts including those\n"
  " caused by --ping-restart or SIGUSR1\n"
  "--user user : Set UID to user after initialization.\n"
  "--group group : Set GID to group after initialization.\n"
  "--chroot dir : Chroot to this directory after initialization.\n"
  "--cd dir : Change to this directory before initialization.\n"
  "--daemon [name] : Become a daemon after initialization.\n"
  " The optional 'name' parameter will be passed\n"
  " as the program name to the system logger.\n"
  "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
  " See --daemon above for a description of the 'name' parm.\n"
  "--log file : Output log to file which is created/truncated on open.\n"
  "--log-append file : Append log to file, or create file if nonexistent.\n"
  "--writepid file : Write main process ID to file.\n"
  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
#ifdef USE_PTHREAD
  "--nice-work n : Change thread priority of work thread. The work\n"
  " thread is used for background processing such as\n"
  " RSA key number crunching.\n"
#endif
  "--verb n : Set output verbosity to n (default=%d):\n"
  " (Level 3 is recommended if you want a good summary\n"
  " of what's happening without being swamped by output).\n"
  " : 0 -- no output except fatal errors\n"
  " : 1 -- startup info + connection initiated messages +\n"
  " non-fatal encryption & net errors\n"
  " : 2 -- show TLS negotiations\n"
  " : 3 -- show extra TLS info + --gremlin net outages +\n"
  " adaptive compress info\n"
  " : 4 -- show parameters\n"
  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
  " : 6 to 11 -- debug messages of increasing verbosity\n"
  "--mute n : Log at most n consecutive messages in the same category.\n"
  "--status file n : Write operational status to file every n seconds.\n"
  "--disable-occ : Disable options consistency check between peers.\n"
  "--gremlin : Simulate dropped & corrupted packets + network outages\n"
  " to test robustness of protocol (for debugging only).\n"
#ifdef USE_LZO
  "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
  " packet for uncompressible data.\n"
  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
  " is specified.\n"
#endif
#if P2MP
  "\n"
  "Multi-Client Server options (when --mode server is used):\n"
  "--push \"option\" : Push a config file option back to the peer for remote\n"
  " execution. Peer must specify --pull in its config file.\n"
  "--push-reset : Don't inherit global push list for specific\n"
  " client instance.\n"
  "--ifconfig-pool start-IP end-IP : Set aside a pool of subnets to be\n"
  " dynamically allocated to connecting clients.\n"
  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
  " overrides --ifconfig-pool dynamic allocation.\n"
  " Must be associated with a specific client instance.\n"
  "--iroute network [netmask] : Route subnet to client.\n"
  " Sets up internal routes only, and must be\n"
  " associated with a specific client instance.\n"
  "--client-to-client : Internally route client-to-client traffic.\n"
  "--duplicate-cn : Allow multiple clients with the same common name to\n"
  " concurrently connect.\n"
  "--client-connect cmd : Run script cmd on client connection.\n"
  "--client-disconnect cmd : Run script cmd on client disconnection.\n"
  "--client-config-dir dir : Directory for custom client config files.\n"
  "--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"
  "--hash-size r v : Set the size of the real address hash table to r and the\n"
  " virtual address table to v.\n"
  "--bcast-buffers n : Allocate n broadcast buffers.\n"
  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
  "--learn-address cmd : Run script cmd to validate client virtual addresses.\n"
  "\n"
  "Client options (when connecting to a multi-client server):\n"
  "--pull : Accept certain config file options from the peer as if they\n"
  " were part of the local config file. Must be specified\n"
  " when connecting to a '--mode server' remote host.\n"
#endif
#ifdef USE_CRYPTO
  "\n"
  "Data Channel Encryption Options (must be compatible between peers):\n"
  "(These options are meaningful for both Static Key & TLS-mode)\n"
  "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
  " Use shared secret file f, generate with --genkey.\n"
  " The optional d parameter controls key directionality.\n"
  " If d is specified, use separate keys for each\n"
  " direction, set d=0 on one side of the connection,\n"
  " and d=1 on the other side.\n"
  "--auth alg : Authenticate packets with HMAC using message\n"
  " digest algorithm alg (default=%s).\n"
  " (usually adds 16 or 20 bytes per packet)\n"
  " Set alg=none to disable authentication.\n"
  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
  " (default=%s).\n"
  " Set alg=none to disable encryption.\n"
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
  "--keysize n : Size of cipher key in bits (optional).\n"
  " If unspecified, defaults to cipher-specific default.\n"
#endif
  "--engine : Enable OpenSSL hardware crypto engine functionality.\n"
  "--no-replay : Disable replay protection.\n"
  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
  " and a time window of t seconds.\n"
  " Default n=%d t=%d\n"
  "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
  "--replay-persist file : Persist replay-protection state across sessions\n"
  " using file.\n"
  "--test-crypto : Run a self-test of crypto features enabled.\n"
  " For debugging only.\n"
#ifdef USE_SSL
  "\n"
  "TLS Key Negotiation Options:\n"
  "(These options are meaningful only for TLS-mode)\n"
  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
  "--key-method m : Data channel key exchange method. m should be a method\n"
  " number, such as 1 (default), 2, etc.\n"
  "--ca file : Certificate authority file in .pem format containing\n"
  " root certificate.\n"
  "--dh file : File containing Diffie Hellman parameters\n"
  " in .pem format (for --tls-server only).\n"
  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
  "--cert file : Local certificate in .pem format -- must be signed\n"
  " by a Certificate Authority in --ca file.\n"
  "--key file : Local private key in .pem format.\n"
  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
  " : Use --show-tls to see a list of supported TLS ciphers.\n"
  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
  " if no ACK from remote within n seconds (default=%d).\n"
  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
  "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
  " of handshake initiation by any peer (default=%d).\n"
  "--tran-window n : Transition window -- old key can live this many seconds\n"
  " after new key renegotiation begins (default=%d).\n"
  "--single-session: Allow only one session (reset state on restart).\n"
  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
  " control channel to protect against DoS attacks.\n"
  " f (required) is a shared-secret passphrase file.\n"
  " The optional d parameter controls key directionality,\n"
  " see --secret option for more info.\n"
  "--askpass : Get PEM password from controlling tty before we daemonize.\n"
  "--crl-verify crl: Check peer certificate against a CRL.\n"
  "--tls-verify cmd: Execute shell command cmd to verify the X509 name of a\n"
  " pending TLS connection that has otherwise passed all other\n"
  " tests of certification. cmd should return 0 to allow\n"
  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
  " executed as 'cmd certificate_depth X509_NAME_oneline')\n"
  "--tls-remote x509name: Accept connections only from a host with X509 name\n"
  " x509name. The remote host must also pass all other tests\n"
  " of verification.\n"
#endif /* USE_SSL */
  "\n"
  "SSL Library information:\n"
  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
  "--show-digests : Show message digest algorithms to use with --auth option.\n"
#ifdef USE_SSL
  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
#endif
#ifdef WIN32
  "\n"
  "Windows Specific:\n"
  "--show-adapters : Show all TAP-Win32 adapters.\n"
  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n"
  " IP address using method = manual, netsh, ipapi, or\n"
  " dynamic (default = ipapi).\n"
  " Dynamic method allows two optional parameters:\n"
  " offset: DHCP server address offset (> -256 and < 256).\n"
  " If 0, use network address, if >0, take nth\n"
  " address forward from network address, if <0,\n"
  " take nth address backward from broadcast\n"
  " address.\n"
  " Default is 0.\n"
  " lease-time: Lease time in seconds.\n"
  " Default is one year.\n"
  "--dhcp-option type [parm] : Set extended TAP-Win32 properties, must\n"
  " be used with --ip-win32 dynamic. For options\n"
  " which allow multiple addresses,\n"
  " --dhcp-option must be repeated.\n"
  " DOMAIN name : Set DNS suffix\n"
  " DNS addr : Set domain name server address(es)\n"
  " NTP : Set NTP server address(es)\n"
  " NBDD : Set NBDD server address(es)\n"
  " WINS addr : Set WINS server address(es)\n"
  " NBT type : Set NetBIOS over TCP/IP Node type\n"
  " 1: B, 2: P, 4: M, 8: H\n"
  " NBS id : Set NetBIOS scope ID\n"
  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
  " attempting to set adapter properties.\n"
  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
  "--pause-exit : When run from a console window, pause before exiting.\n"
  "--service ex [0|1] : For use when OpenVPN is being instantiated by a\n"
  " service, and should not be used directly by end-users.\n"
  " ex is the name of an event object which, when\n"
  " signaled, will cause OpenVPN to exit. A second\n"
  " optional parameter controls the initial state of ex.\n"
#endif
  "\n"
  "Generate a random key (only for non-TLS static key encryption mode):\n"
  "--genkey : Generate a random key to be used as a shared secret,\n"
  " for use with the --secret option.\n"
  "--secret file : Write key to file.\n"
#endif /* USE_CRYPTO */
#ifdef TUNSETPERSIST
  "\n"
  "Tun/tap config mode (available with linux 2.4+):\n"
  "--mktun : Create a persistent tunnel.\n"
  "--rmtun : Remove a persistent tunnel.\n"
  "--dev tunX|tapX : tun/tap device\n"
  "--dev-type dt : Device type. See tunnel options above for details.\n"
#endif
  ;

/*
 * This is where the options defaults go.
 * Any option not explicitly set here
 * will be set to 0.
 */
void
init_options (struct options *o)
{
  CLEAR (*o);
  gc_init (&o->gc);
  o->mode = MODE_POINT_TO_POINT;
  o->proto = PROTO_UDPv4;
  o->connect_retry_seconds = 5;
#ifdef TUNSETPERSIST