From: Arne Schwabe Date: Mon, 24 Mar 2025 13:54:33 +0000 (+0100) Subject: Improve documentation for override-username X-Git-Tag: v2.7_alpha1~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c1c57684b6a1e6bce24605d55fe8dc3d9d3480e;p=thirdparty%2Fopenvpn.git Improve documentation for override-username - Mention that pushing auth-token-user only happens when OpenVPN also generates the auth-token. - mention that OpenVPN will only accept the original and overridden username from a client - suggest to use auth-token-user when a user generates the auth-token Change-Id: Ifc7443974345042ab9945d6a10e1d1b4525e5e05 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20250324135441.26725-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31210.html Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index e93b04d8..ccc13744 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -432,7 +432,12 @@ fast hardware. SSL/TLS authentication must be used in this mode. The changed username will be picked up by the status output and also by the ``--auth-gen-token`` option. It will also be pushed to the client - using ``--auth-token-user``. + using ``--auth-token-user`` if ``--auth-gen-token`` is enabled. + + Internally on all subsequent renegotiations the client provided username + will be replaced by the username provided by ``--override-username``. + If the client changes to a username that is different from both the initial + and the overridden username, the client will be rejected. Special care should be taken that both the initial username of the client and the overridden username are handled correctly when using @@ -444,6 +449,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. can be used for ``--auth-gen-token`` to allow providing a username in these scenarios. + If the ``--auth-token`` directive is pushed by another script/plugin or + management interface, consider also generating and pushing + ``--auth-token-user``. + --port-share args Share OpenVPN TCP with another service