From: Antonio Quartulli Date: Wed, 29 Jan 2025 09:41:25 +0000 (+0100) Subject: man: extend --persist-tun section X-Git-Tag: v2.7_alpha1~101 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=519209da6902e107eec9d43aa2479635b64541cd;p=thirdparty%2Fopenvpn.git man: extend --persist-tun section The current persist-tun section has no mention of retaining IP/routes and its potential usage in traffic leaking protection. Spell this out to allow the user to better understand when this option can play an important role. Change-Id: I6816f61b308ca9f6d1f9f687a6dc8e0aa2d044e0 Signed-off-by: Antonio Quartulli Acked-by: Frank Lichtenheld Message-Id: <20250129094125.13420-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30684.html Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index fc76939ea..67f7e1f99 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -312,6 +312,15 @@ routing. :code:`SIGUSR1` is a restart signal similar to :code:`SIGHUP`, but which offers finer-grained control over reset options. + On Linux, this option can be useful when OpenVPN is not executed as + root and the CAP_NET_ADMIN has not been granted, because the process + would otherwise not be allowed to bring the interface down and back up. + + Alongside the above, using ``--persist-tun`` allows the tunnel interface + to retain all IP/route settings, thus allowing the user to implement + any advanced traffic leaking protection (please note that for full + protection, extra route/firewall rules must be in place). + --redirect-gateway flags Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.
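Review bot: In the second added paragraph, the caveat that matters most for security ("for full protection, extra route/firewall rules must be in place") is tucked into a parenthesis and does not say what those rules have to do, so a reader can come away thinking ``--persist-tun`` alone prevents leaks. I would make it a sentence of its own, stating that the option only keeps the interface and its IP/route settings in place across restarts and that blocking traffic outside the tunnel is left to the user's own route/firewall rules. In the same paragraph, "traffic leaking protection" reads better as "traffic leak protection", and "Alongside the above" could simply be "In addition". In the first added paragraph, "the CAP_NET_ADMIN has not been granted" is missing its noun and its markup: the context lines in this section write :code:`SIGUSR1` and :code:`SIGHUP`, so "the :code:`CAP_NET_ADMIN` capability has not been granted" would be consistent with them.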