Deprecated features
-------------------
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate
away from ``--key-method 1`` as soon as possible. The recommended approach
is to remove the ``--key-method`` option from the configuration files, OpenVPN
- ``--keysize`` is deprecated and will be removed in v2.6 together
with the support of ciphers with cipher block size less than 128 bits.
+- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead.
+
+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be
+ removed in v2.5. Use ``--topology p2p`` instead.
+
+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed
+ in v2.5. Use ``--verify-client-cert none`` for a functional equivalent.
+
+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4. It will be removed
+ in v2.5. Use the far better ``--remote-cert-tls`` option which replaces this
+ feature.
+
User-visible Changes
--------------------
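Review bot: the removal targets in this list are written three different ways ("removed in 2.5" for --key-method 1, "v2.5" in the new entries, "v2.6" for --keysize) and the new --comp-lzo entry names no removal release at all; use one form throughout and either give --comp-lzo a target release or say explicitly that none is scheduled, so an administrator can plan migrations from this list alone. The --client-cert-not-required entry would also benefit from the caveat the man page keeps ("less secure than requiring certificates from all clients"), since a reader of only the changelog otherwise sees --verify-client-cert none as a neutral rename rather than a deliberate weakening of client authentication.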
when none of the connecting clients are Windows systems. This mode
is functionally equivalent to the
.B \-\-ifconfig\-pool\-linear
-directive which is available in OpenVPN 2.0 and is now deprecated.
+directive which is available in OpenVPN 2.0, is deprecated and will be
+removed in OpenVPN 2.5
.B subnet \-\-
Use a subnet rather than a point-to-point topology by
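Review bot: the rewritten sentence on the + lines ends at "removed in OpenVPN 2.5" with no full stop, and the next line is a .B macro, so the rendered text runs straight into the "subnet" mode description; add the period. Consider also replacing "is now deprecated" style phrasing with the same "DEPRECATED ... will be removed in OpenVPN 2.5" wording used in the per-option blocks elsewhere in this patch, so the two descriptions of --ifconfig-pool-linear stay in step.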
.\"*********************************************************
.TP
.B \-\-comp\-lzo [mode]
+.B DEPRECATED
+This option will be removed in a future OpenVPN release. Use the
+newer
+.B \-\-compress
+instead.
+
Use LZO compression -- may add up to 1 byte per
packet for incompressible data.
.B mode
may be "yes", "no", or "adaptive" (default).
-This option is deprecated in favor of the newer
-.B --compress
-option.
-
In a server mode setup, it is possible to selectively turn
compression on or off for individual clients.
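Review bot: this DEPRECATED block says "a future OpenVPN release" while every other block added by the patch names OpenVPN 2.5; if --comp-lzo genuinely has no scheduled removal, say so, otherwise use the same version string so the man page does not suggest different timelines. The old body text used `.B --compress` with unescaped hyphens, and the replacement correctly switches to `\-\-compress`, which is the form the rest of this man page uses for option names.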
name will always receive the given IP address. If you want guaranteed
assignment, use
.B \-\-ifconfig\-push
+
.\"*********************************************************
.TP
.B \-\-ifconfig\-pool\-linear
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
Modifies the
.B \-\-ifconfig\-pool
directive to
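Review bot: "This option will be removed in OpenVPN 2.5" is missing its terminating period here and in the sibling blocks added for --client-cert-not-required, --compat-names, --no-name-remapping and --key-method, while the pre-existing --no-iv block ends the same sentence with one; make the blocks uniform, ideally by copying the --no-iv wording verbatim.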
to detect this condition and respond accordingly.
.\"*********************************************************
.TP
-.B \-\-client\-cert\-not\-required (DEPRECATED)
+.B \-\-client\-cert\-not\-required
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
Don't require client certificate, client will authenticate
using username/password only. Be aware that using this directive
is less secure than requiring certificates from all clients.
-
.B Please note:
-This option is now deprecated and will be removed in OpenVPN v2.5.
-It is replaced by
+This is replaced by
.B \-\-verify\-client\-cert
which allows for more flexibility. The option
.B \-\-verify\-client\-cert none
rather than the common name from the client cert.
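Review bot: the removed blank line before `.B Please note:` was the only paragraph break in this entry, so the note now continues the sentence "...is less secure than requiring certificates from all clients." on the same output line; insert a `.PP` (or keep a break) so the security caveat and the replacement advice read as two paragraphs. Moving the duplicated "now deprecated and will be removed in OpenVPN v2.5" sentence out of the body and into the DEPRECATED header is the right call and avoids stating the same thing twice.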
.\"*********************************************************
.TP
-.B \-\-compat\-names [no\-remapping] (DEPRECATED)
+.B \-\-compat\-names [no\-remapping]
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
like this:
.IP
removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary.
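Review bot: the unchanged body text of --compat-names still says "removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary", which now duplicates the DEPRECATED block added at the top of the entry; apply the same treatment as the --client-cert-not-required hunk and drop the repeated deprecation sentence from the body, keeping only the advice about updating scripts and plug-ins.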
.\"*********************************************************
.TP
-.B \-\-no\-name\-remapping (DEPRECATED)
+.B \-\-no\-name\-remapping
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
The
.B \-\-no\-name\-remapping
option is an alias for
.B \-\-cipher alg
Encrypt data channel packets with cipher algorithm
.B alg.
+
The default is
.B BF-CBC,
-an abbreviation for Blowfish in Cipher Block Chaining mode.
+an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher
+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server
+side will automatically upgrade to
+.B AES-256-GCM.
+See
+.B \-\-ncp\-ciphers
+and
+.B \-\-ncp\-disable
+for more details on NCP.
-Using BF-CBC is no longer recommended, because of it's 64-bit block size. This
+Using
+.B BF-CBC
+is no longer recommended, because of its 64-bit block size. This
small block size allows attacks based on collisions, as demonstrated by SWEET32.
-See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Due to
+this, support for
+.B BF-CBC, DES, CAST5, IDEA
+and
+.B RC2
+ciphers will be removed in OpenVPN 2.6.
To see other ciphers that are available with OpenVPN, use the
.B \-\-show\-ciphers
.B alg=none
to disable encryption.
-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by
-.B \-\-cipher\fR.
-See
-.B \-\-ncp\-ciphers
-and
-.B \-\-ncp\-disable
-for more on NCP.
-
.\"*********************************************************
.TP
.B \-\-ncp\-ciphers cipher_list
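Review bot: the removed paragraph made a general statement ("cipher negotiation (NCP) can override the cipher specified by --cipher"), but the replacement is attached to the sentence about the BF-CBC default and reads as if the automatic upgrade to AES-256-GCM only happens when BF-CBC is in use; keep a sentence saying that with NCP enabled the --cipher value serves as the fallback whatever it is set to, so administrators who configure a non-default cipher understand it can still be overridden. The fix from "it's" to "its" and the explicit list of 64-bit-block ciphers scheduled for removal in 2.6 (BF-CBC, DES, CAST5, IDEA, RC2) are good additions next to the SWEET32 reference, since that is where readers will look when deciding what to migrate to.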
.\"*********************************************************
.TP
.B \-\-no\-iv
-
.B DEPRECATED
This option will be removed in OpenVPN 2.5.
.\"*********************************************************
.TP
.B \-\-key\-method m
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
Use data channel key negotiation method
.B m.
The key method must match on both sides of the connection.
options can be defined to track multiple attributes.
.\"*********************************************************
.TP
-.B \-\-ns\-cert\-type client|server (DEPRECATED)
-This option is deprecated. Use the more modern equivalent
+.B \-\-ns\-cert\-type client|server
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5. Use the more modern equivalent
.B \-\-remote\-cert\-tls
instead. This option will be removed in OpenVPN 2.5.
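Review bot: the new DEPRECATED block already says "This option will be removed in OpenVPN 2.5", and the trailing context line repeats "This option will be removed in OpenVPN 2.5." immediately afterwards; remove the second sentence so the entry ends at "instead.", matching how the other entries in this patch were de-duplicated.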
" client instance.\n"
"--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
" to be dynamically allocated to connecting clients.\n"
- "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
- " in tun mode. Not compatible with Windows clients.\n"
+ "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
+ " than /30 subnets\n in tun mode. Not compatible with\n"
+ " Windows clients.\n"
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
" data to file, at seconds intervals (default=600).\n"
" If seconds=0, file will be treated as read-only.\n"
" Only valid in a client-specific config file.\n"
"--disable : Client is disabled.\n"
" Only valid in a client-specific config file.\n"
- "--client-cert-not-required : Don't require client certificate, client\n"
+ "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
" will authenticate using username/password.\n"
"--verify-client-cert [none|optional|require] : perform no, optional or\n"
" mandatory client certificate verification.\n"
" with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
- "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+ "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
" any printable character.\n"
"--client-to-client : Internally route client-to-client traffic.\n"
"--duplicate-cn : Allow multiple clients with the same common name to\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- "--keysize n : Size of cipher key in bits (optional).\n"
+ "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
" If unspecified, defaults to cipher-specific default.\n"
#endif
#ifndef ENABLE_CRYPTO_MBEDTLS
"(These options are meaningful only for TLS-mode)\n"
"--tls-server : Enable TLS and assume server role during TLS handshake.\n"
"--tls-client : Enable TLS and assume client role during TLS handshake.\n"
- "--key-method m : Data channel key exchange method. m should be a method\n"
+ "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
" number, such as 1 (default), 2, etc.\n"
"--ca file : Certificate authority file in .pem format containing\n"
" root certificate.\n"
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->topology = TOP_P2P;
+ msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead");
}
else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
{
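Review bot: in the visible hunks only --ifconfig-pool-linear gains a runtime msg(M_WARN, "DEPRECATED OPTION: ...") in its parse branch; the other options this patch deprecates (--comp-lzo, --client-cert-not-required, --compat-names, --no-name-remapping, --keysize, --key-method, --ns-cert-type) receive only documentation changes. Add an equivalent warning to each of their branches, because a startup log line is what operators actually notice, and it matters most for --client-cert-not-required and --ns-cert-type, where the replacement option changes how peers are authenticated.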