git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
Document that --push-remove is generally more suitable than --push-reset
author Gert Doering <gert@greenie.muc.de>
Tue, 8 Sep 2020 11:15:11 +0000 (13:15 +0200)
committer Gert Doering <gert@greenie.muc.de>
Wed, 9 Sep 2020 06:38:07 +0000 (08:38 +0200)
It's a long-standing and well-known problem that --push-reset removes
"critical" options from the push list (like "topology subnet") which
will then lead to non-working client configs.  This can not be
reasonably fixed, because the list of "critical" options depends on
overall server config.

So just document the fact, and point people towards --push-remove as
a more selective tool.

Trac: #29

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200908111511.9271-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20899.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
doc/man-sections/server-options.rst

index f1f0667a94efe5b3e631e8e6305c7cfdc682af7e..2009953c244818cf1f56f3eb572d6ddd091508d7 100644 (file)
@@ -530,6 +530,14 @@ fast hardware. SSL/TLS authentication must be used in this mode.
   ``--client-config-dir`` configuration file. This option will ignore
   ``--push`` options at the global config file level.
 
+  *NOTE*: ``--push-reset`` is very thorough: it will remove almost
+  all options from the list of to-be-pushed options.  In many cases,
+  some of these options will need to be re-configured afterwards -
+  specifically, ``--topology subnet`` and ``--route-gateway`` will get
+  lost and this will break client configs in many cases.  Thus, for most
+  purposes, ``--push-remove`` is better suited to selectively remove
+  push options for individual clients.
+
 --server args
   A helper directive designed to simplify the configuration of OpenVPN's
   server mode. This directive will set up an OpenVPN server which will
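Review bot: The added NOTE under ``--push-reset`` says it removes "almost all options" but never says which options survive, so a reader cannot tell what is left on the push list after using it; the text also repeats "in many cases" in two consecutive sentences. Suggest either naming the exceptions or dropping "almost", folding the two sentences into one, and stating explicitly that ``--topology subnet`` and ``--route-gateway`` have to be re-configured in the same ``--client-config-dir`` file when ``--push-reset`` is used there. Since the note steers readers to ``--push-remove``, a pointer to that option's entry in this man section would make the recommendation easier to act on.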