From 5c1c57684b6a1e6bce24605d55fe8dc3d9d3480e Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 24 Mar 2025 14:54:33 +0100 Subject: [PATCH] Improve documentation for override-username - Mention that pushing auth-token-user only happens when OpenVPN also generates the auth-token. - mention that OpenVPN will only accept the original and overridden username from a client - suggest to use auth-token-user when a user generates the auth-token Change-Id: Ifc7443974345042ab9945d6a10e1d1b4525e5e05 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20250324135441.26725-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31210.html Signed-off-by: Gert Doering --- doc/man-sections/server-options.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index e93b04d89..ccc13744d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -432,7 +432,12 @@ fast hardware. SSL/TLS authentication must be used in this mode. The changed username will be picked up by the status output and also by the ``--auth-gen-token`` option. It will also be pushed to the client - using ``--auth-token-user``. + using ``--auth-token-user`` if ``--auth-gen-token`` is enabled. + + Internally on all subsequent renegotiations the client provided username + will be replaced by the username provided by ``--override-username``. + If the client changes to a username that is different from both the initial + and the overridden username, the client will be rejected. Special care should be taken that both the initial username of the client and the overridden username are handled correctly when using @@ -444,6 +449,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. can be used for ``--auth-gen-token`` to allow providing a username in these scenarios. + If the ``--auth-token`` directive is pushed by another script/plugin or + management interface, consider also generating and pushing + ``--auth-token-user``. + --port-share args Share OpenVPN TCP with another service -- 2.47.3