Cross Reference: /netgear-R7000-V1.0.7.12_1.2.5/src/router/arm-uclibc/target/usr/local/sbin/openvpn

    libnvram.so strcpy ioctl getpid memcpy system malloc mmap fprintf acosNvramConfig_get strncmp strncpy fopen memset fclose strcmp sprintf stderr fwrite __errno_location strlen fcntl libnsl.so.0 libresolv.so.0 libssl.so.1.0.0 TLSv1_method SSL_set_ex_data SSL_set_bio __register_frame_info EVP_DigestInit BIO_free BIO_s_mem SSL_CTX_set_client_CA_list sk_pop_free BIO_free_all TLSv1_client_method BIO_ctrl BN_num_bits HMAC_CTX_init EVP_CIPHER_CTX_block_size EVP_CIPHER_CTX_iv_length EVP_CIPHER_iv_length EVP_CIPHER_CTX_init _Jv_RegisterClasses DH_size X509_NAME_dup SSL_CTX_set_verify EVP_get_cipherbyname _fini gettimeofday PEM_read_bio_PrivateKey sk_value RSA_size SSL_load_error_strings HMAC_Update SSL_get_cipher_list SSL_CTX_use_RSAPrivateKey SSL_CTX_check_private_key EVP_CIPHER_block_size X509_NAME_cmp SSL_get_peer_certificate BIO_new BIO_f_ssl X509_get_subject_name HMAC_Final SSL_free SSL_CIPHER_get_version ERR_clear_error sk_new PEM_read_bio_X509 SSL_CTX_add_client_CA BIO_test_flags CRYPTO_free SSL_set_connect_state SSL_CTX_new SSL_set_accept_state memmove HMAC_Init_ex RAND_bytes SSL_CTX_use_PrivateKey EVP_MD_CTX_md X509_verify_cert_error_string EVP_MD_CTX_cleanup OBJ_nid2sn EVP_CIPHER_CTX_cleanup SSL_get_current_cipher BIO_push RSA_new sk_find RSA_free HMAC_CTX_cleanup SSL_alert_desc_string_long SSL_CIPHER_get_name EVP_MD_type EVP_CIPHER_CTX_key_length SSL_state_string_long sk_num fputs EVP_PKEY_free EVP_Digest ERR_peek_error SSL_alert_type_string_long SSL_library_init SSL_CTX_set_default_passwd_cb BIO_write SSL_get_ex_data X509_get_pubkey SSL_CTX_set_cipher_list SSL_new EVP_get_digestbyname SSL_CTX_use_certificate BN_dup SSL_CTX_get_cert_store memcmp SSL_get_ex_data_X509_STORE_CTX_idx X509_free EVP_MD_CTX_init TLSv1_server_method SSL_get_ex_new_index SSL_CTX_set_info_callback BIO_read EVP_CIPHER_key_length SSL_get_version ERR_load_crypto_strings SSL_CTX_set_tmp_rsa_callback SSL_CTX_ctrl DH_free ERR_put_error SSL_CTX_free sk_push EVP_MD_size OBJ_obj2nid EVP_DigestUpdate EVP_CIPHER_flags __deregister_frame_info libcrypto.so.1.0.0 X509_NAME_entry_count OBJ_txt2nid poll BIO_new_mem_buf bind RSA_set_method ENGINE_get_name BIO_f_base64 DES_set_odd_parity getenv EVP_CipherUpdate __ctype_b_loc ENGINE_get_next X509_CRL_free ASN1_STRING_to_UTF8 BN_bn2dec ENGINE_register_all_complete PKCS12_free connect EVP_CipherFinal X509_LOOKUP_ctrl X509_NAME_oneline ENGINE_get_first PEM_read_bio_X509_CRL OPENSSL_add_all_algorithms_noconf X509_NAME_get_index_by_NID getsockname strcat openlog PEM_X509_INFO_read_bio strcasecmp X509_STORE_set_flags strrchr dlsym sendto strtol X509_NAME_get_entry d2i_PKCS12_fp ENGINE_cleanup EVP_CIPHER_CTX_flags X509_get_ext_by_NID EVP_CIPHER_nid X509_get_ext_d2i dlerror ERR_free_strings setsockopt X509_INFO_free EVP_cleanup X509_NAME_print_ex X509_get_ext DES_is_weak_key getsockopt fputc DES_check_key_parity ENGINE_get_id ERR_get_error fgets sscanf X509_LOOKUP_hash_dir PEM_read_bio_DHparams PEM_write_X509 ERR_error_string ASN1_INTEGER_to_BN X509_NAME_ENTRY_get_object closelog X509V3_EXT_print fflush X509_STORE_CTX_get_ex_data ASN1_INTEGER_cmp X509_get_serialNumber abort EVP_DigestFinal recvfrom syslog socket stdin DES_set_key_unchecked EVP_CipherInit X509_STORE_add_crl exit ASN1_BIT_STRING_free DES_ecb_encrypt BIO_new_file ENGINE_set_default X509_STORE_add_lookup X509_get_issuer_name ENGINE_free ENGINE_load_builtin_engines OBJ_obj2txt RSA_generate_key accept atoi ENGINE_ctrl_cmd_string EVP_CIPHER_CTX_set_key_length strchr listen dlopen BN_free signal X509_NAME_ENTRY_get_data ENGINE_by_id ASN1_OBJECT_free PKCS12_parse d2i_PKCS12_bio X509_STORE_add_cert dlclose ASN1_BIT_STRING_get_bit libz.so.1 vsnprintf libdl.so.0 raise calloc libc.so.0 putchar in6addr_any chroot waitpid writev if_indextoname stdout recv epoll_wait inet_pton __xpg_basename munmap execve dirname dup2 getpass sleep select setgroups ftruncate lseek send freeaddrinfo epoll_ctl getnameinfo pipe gai_strerror ctime readv chdir umask strstr flock setgid sendmsg __cmsg_nxthdr unlink epoll_create fork __uClibc_main strdup inet_ntoa nice getpwnam fgetc difftime strcspn getpeername srandom getaddrinfo socketpair stat access inet_ntop getgrnam __ctype_toupper_loc daemon recvmsg setuid mlockall _edata __bss_start __bss_start__ __bss_end__ __end__ _end
attemped allocation of excessively large array fatal buffer size error, size=%lu Write error on file '%s' buffer.c %02x [more...] [NULL] IN ** CNAT %s %s %s -> %s *** CNAT list CNAT[%d] t=%d %s/%s/%s WARNING: client-nat table overflow (max %d entries) snat dnat client-nat: type must be 'snat' or 'dnat' client-nat: bad network: %s client-nat: bad netmask: %s client-nat: bad foreign network: %s BEFORE AFTER Authenticate/Decrypt packet error Non-Hex character ('%c') found at line %d in key file '%s' (%d/%d/%d bytes found/min/max) Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max) -----BEGIN OpenVPN Static key V1----- -----END OpenVPN Static key V1----- ERROR: Random number generator cannot obtain entropy for PRNG %s: missing authentication info %s: packet HMAC authentication failed crypto.c %s: missing IV info DECRYPT IV: %s %s: missing payload %s: cipher init failed %s: buffer overflow %s: cipher update failed %s: cipher final failed DECRYPT TO: %s %s: error reading CBC packet-id %s: error reading CFB/OFB packet-id %s: error reading packet-id %s: bad packet ID (may be a replay): %s -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings Cipher '%s' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS. ******* WARNING *******: null cipher specified, no encryption will be used ******* WARNING *******: null MAC specified, no authentication will be used %s: Cipher '%s' initialized with %d bit key %s: CIPHER KEY: %s %s: CIPHER block_size=%d iv_size=%d %s: Using %d bit message hash '%s' for HMAC authentication %s: HMAC KEY: %s %s: HMAC size=%d block_size=%d CRYPTO INFO: WARNING: zero key detected CRYPTO INFO: fixup_key: before=%s after=%s --no-replay or --no-iv cannot be used with a CFB or OFB mode cipher ERROR: Random number generator cannot obtain entropy for key generation Cipher source entropy: %s HMAC source entropy: %s %s (cipher): %s %s (hmac): %s [[INLINE]] Cannot open file key file '%s' Read error on key file ('%s') Key file ('%s') can be a maximum of %d bytes Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max) Footer text not found in file '%s' (%d/%d/%d bytes found/min/max) Cannot open passphrase file: '%s' Read error on passphrase file: '%s' Passphrase file '%s' is too small (must have at least %d characters) Cannot open shared secret file '%s' for write # # %d bit OpenVPN static key # Close error on shared secret file %s Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter Unknown key direction '%s' -- must be '0' or '1' Control Channel Authentication: tls-auth using INLINE static key file INLINE tls-auth file lacks the requisite 2 keys Control Channel Authentication: using '%s' as a OpenVPN static key file Control Channel Authentication: using '%s' as a free-form passphrase file Outgoing Control Channel Authentication Incoming Control Channel Authentication Key #%d in '%s' is bad. Try making a new key with --genkey. TLS Error: error reading key from remote TLS Error: key length mismatch, local cipher/hmac %d/%d, remote cipher/hmac %d/%d PRNG init md=%s size=%d packet_id.h ENCRYPT IV: %s ENCRYPT FROM: %s ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d ENCRYPT TO: %s Entering OpenVPN crypto self-test mode. TESTING ENCRYPT/DECRYPT of packet length=%d SELF TEST FAILED, src.len=%d buf.len=%d SELF TEST FAILED, pos=%d in=%d out=%d OpenVPN crypto self-test mode SUCCEEDED. crypto_openssl.c auto Initializing OpenSSL auto engine support SO_PATH LOAD OpenSSL error: cannot load engine '%s' OpenSSL error: ENGINE_set_default failed on engine '%s' Initializing OpenSSL support for engine '%s' variable fixed The following ciphers and cipher modes are available for use with OpenVPN. Each cipher shown below may be used as a parameter to the --cipher option. The default key size is shown as well as whether or not it can be changed with the --keysize directive. Using a CBC mode is recommended. %s %d bit default key (%s) The following message digests are available for use with OpenVPN. A message digest is used in conjunction with the HMAC function, to authenticate received packets. You can specify a message digest as parameter to the --auth option. %s %d bit digest size OpenSSL Crypto Engines %s [%s] DES- DESX- CRYPTO INFO: n_DES_cblocks=%d CRYPTO INFO: check_key_DES: insufficient key material CRYPTO INFO: check_key_DES: weak key detected CRYPTO INFO: check_key_DES: bad parity detected CRYPTO INFO: fixup_key_DES: insufficient key material Cipher algorithm '%s' not found Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than OpenVPN's current maximum key size (%d bytes) [null-cipher] EVP cipher init #1 EVP set key size EVP cipher init #2 Message hash algorithm '%s' not found Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than OpenVPN's current maximum hash size (%d bytes) [null-digest] Extracted DHCP router address: %s OpenVPN: Out of Memory openvpn %s: %s (errno=%d) %s (OpenSSL) Options error: %s %s %s%s%s%s Exiting due to fatal error NOTE: --mute triggered... %d variation(s) on previous %d message(s) suppressed by --mute %s %s returned %d %s %s: %s (code=%d) Warning: Error redirecting stdout/stderr to --log file: %s --log file redirection error on stdout --log file redirection error on stderr Assertion failed at %s:%d event.c PO_CTL rwflags=0x%04x ev=%d arg=0x%08lx Error: poll: too many I/O wait events PO_DEL ev=%d SE_WAIT[%d,%d] rwflags=0x%04x arg=0x%08lx SE_CTL rwflags=0x%04x ev=%d fast=%d cap=%d maxfd=%d arg=0x%08lx Error: select: too many I/O wait events, fd=%d cap=%d SE_DEL ev=%d Error: select/se_del: too many I/O wait events SE_RESET PO_INIT maxevents=%d flags=0x%08x [scalable] PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=0x%08lx %s Error: poll: unknown revents=0x%04x SE_WAIT_FAST maxfd=%d tv=%d/%d SE_WAIT_SCALEABLE maxfd=%d tv=%d/%d EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=0x%08lx EP_DEL ev=%d EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=0x%08lx EVENT: epoll_ctl EPOLL_CTL_ADD failed, sd=%d EVENT: epoll_ctl EPOLL_CTL_MOD failed, sd=%d EP_INIT maxevents=%d flags=0x%08x Note: sys_epoll API is unavailable, falling back to poll/select API Set socket to non-blocking mode failed Set FD_CLOEXEC flag on file descriptor failed route_country_lookup ip_country_lookup ,route %s %s %s,route 57.0.0.0 255.0.0.0 %s,route 90.0.0.0 255.128.0.0 %s,route 78.192.0.0 255.192.0.0 %s,route 92.128.0.0 255.192.0.0 %s,route 86.192.0.0 255.192.0.0 %s,route 176.128.0.0 255.192.0.0 %s,route 25.0.0.0 255.0.0.0 %s,route 51.0.0.0 255.0.0.0 %s,route 86.128.0.0 255.192.0.0 %s,route 53.0.0.0 255.0.0.0 %s,route 84.128.0.0 255.192.0.0 %s,route 93.192.0.0 255.192.0.0 %s,route 176.0.0.0 255.192.0.0 %s,route 151.3.0.0 255.128.0.0 %s ,route %s %s %s,route 3.0.0.0 255.0.0.0 %s,route 4.0.0.0 255.0.0.0 %s,route 8.0.0.0 255.0.0.0 %s,route 9.0.0.0 255.0.0.0 %s,route 14.0.0.0 255.0.0.0 %s,route 16.0.0.0 255.0.0.0 %s,route 18.0.0.0 255.0.0.0 %s,route 23.0.0.0 255.0.0.0 %s,route 47.128.0.0 255.128.0.0 %s,route 54.0.0.0 255.0.0.0 %s,route 184.0.0.0 255.0.0.0 %s,route 69.0.0.0 255.0.0.0 %s,route 204.245.0.0 255.255.0.0 %s,route 173.224.0.0 255.255.0.0 %s ,route %s %s %s socket.h wget "http://www.speedtest.net/api/country" -O /tmp/Router_country_lookup echo '##########%s(%d)buff=%s' > /dev/console echo '[OpenVPN]route_country_lookup() failed' > /dev/console echo '[OpenVPN]route_country_lookup() connection failed' > /dev/console US EU FR GB DE wget "http://www.speedtest.net/api/country?ip=%s" -O /tmp/IPcountry_lookup echo '[OpenVPN]ip_country_lookup() failed' > /dev/console echo '[OpenVPN]ip_country_lookup() connection failed' > /dev/console CA I/O WAIT %s|%s|%s|%s %s auth-control-exit Fatal TLS error (check_tls_errors_co), restarting tls-error AUTH_FAILED PUSH_ RESTART HALT WARNING: Received unknown control message: %s WARNING: Receive control message failed PUSH_REPLY lan_ipaddr lan_netmask openvpn_redirectGW onlylan SENT CONTROL [%s]: '%s' (status=%d) Inactivity timeout (--inactive), exiting inactive Server poll timeout, restarting server_poll Delayed exit in %d seconds delayed-exit [OpenVPN, connection drop]IP address:%s forward.c port-share-redirect connection-reset-inetd Connection reset, inetd/xinetd exit [%d] Connection reset during exit notification period, ignoring [%d] Connection reset, restarting [%d] read %s READ [%d] from %s: %s decryption-error Fatal decryption error (process_incoming_link), restarting RECEIVED PING PACKET read from TUN/TAP TUN READ [%d] shaper.h %s WRITE [%d] to %s: %s TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d) TCP/UDP packet too large on write to %s (tried=%d,max=%d) TUN WRITE [%d] write to TUN/TAP TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d) tun packet too large on write (tried=%d,max=%d) TIMER: coarse timer wakeup %d seconds RANDOM USEC=%d event_wait I/O WAIT status=0x%04x integer.h FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags=0x%08x fragment.c flags not found in packet spurrious FRAG_WHOLE flags bad fragment size FRAG_TEST not implemented fragment buffer overflow FRAG_IN buf->len=%d type=FRAG_WHOLE flags=0x%08x FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags=0x%08x FRAG_IN error flags=0x%08x: %s FRAG: outgoing buffer is not empty, len=[%d,%d] FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s too many fragments would be required to send datagram FRAG TTL expired i=%d d d < x < X < d 2 d 2 gremlin.c GREMLIN: CONNECTION GOING %s FOR %d SECONDS GREMLIN: Random packet drop GREMLIN: Packet Corruption, method=%d %s %d helper.c route %s %s route %s %s (/%d) route-gateway %s %s IP addresses %s and %s are not in the same %s subnet --server-bridge --server-ipv6 must be used together with --server --server-ipv6 is incompatible with 'nopool' option --server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly --server and --client cannot be used together --server and --server-bridge cannot be used together --server and --secret cannot be used together (you must use SSL/TLS keys) --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly --server directive only makes sense with --dev tun or --dev tap --server directive network/netmask combination is invalid --server directive netmask is invalid --server directive netmask allows for too many host addresses (subnet must be %s or higher) --server directive when used with --dev tun must define a subnet of %s or lower topology %s --server directive when used with --dev tap must define a subnet of %s or lower --server-bridge and --client cannot be used together --server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly --server-bridge and --secret cannot be used together (you must use SSL/TLS keys) --server-bridge directive only makes sense with --dev tap route-gateway dhcp --client requires --key-method 2 --keepalive parameters must be > 0 the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60. --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives. ping-restart socket-flags TCP_NODELAY md5-sess auth-int %s %s hw ether %s /sbin/ifconfig ERROR: Unable to set link layer address. TUN/TAP link layer address set to %s will be delayed because of --client, --pull, or --up-delay ambitWriteLog Initialization Sequence Completed ERROR: Sorry, this command is currently only implemented on Windows init.c STATIC Static Encrypt Static Decrypt Re-using pre-shared static key Closing TUN/TAP interface init route-pre-down Error: private key password verification failed private-key-password-failure Re-using SSL/TLS context CN daemon() failed or unsupported NOTE: chroot %s NOTE: UID/GID downgrade %s ACCEPT SKIP MOD Bad proxy port number: %s HTTP HTTP proxy support only works for TCP based connections SOCKS Bad proxy command WARNING: Failed running command (%s) --route-up /dev/aglog r+ %s:open /dev/aglog fail shared secret output file (--secret) Randomly generated %d bit key written to %s TUN/TAP device (--dev) options --mktun or --rmtun should only be used together with --dev [%s] SUCCESS %s With Errors redirect_gateway WARNING: route-up plugin call failed script_type Preserving previous TUN/TAP instance: %s OPTIONS IMPORT: --verb and/or --mute level changed OPTIONS IMPORT: timers and/or timeouts modified OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp OPTIONS IMPORT: explicit notify parm(s) modified OPTIONS IMPORT: LZO parms modified OPTIONS IMPORT: traffic shaper enabled OPTIONS IMPORT: --sndbuf/--rcvbuf options modified OPTIONS IMPORT: --socket-flags option modified OPTIONS IMPORT: --persist options modified OPTIONS IMPORT: --ifconfig/up options modified OPTIONS IMPORT: route options modified OPTIONS IMPORT: route-related options modified OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified OPTIONS IMPORT: environment modified NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. Signal received from management interface, exiting OpenVPN started by inetd/xinetd cannot restart... Exiting. TCP Restart pause, %d second(s) No usable connection profiles are present >REMOTE:%s,%d,%s >PROXY:%u,%s,%s WARNING: --ping should normally be used with --ping-restart or --ping-exit WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure WARNING: using --pull/--client and --ifconfig together is probably not what you want NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want WARNING: --ifconfig-pool-persist will not work with --duplicate-cn WARNING: --keepalive option is missing from server config WARNING: You have disabled Replay Protection (--no-replay) which may make OpenVPN less secure WARNING: You have disabled Crypto IVs (--no-iv) which may make OpenVPN less secure WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. NOTE: the current --script-security setting may allow this configuration to call user-defined scripts NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables NOTE: --fast-io is disabled since we are not using UDP NOTE: --fast-io is disabled since we are using --shaper ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d) Control Channel MTU parms TLS-Auth MTU parms Data Channel MTU parms Fragmentation MTU parms Local Options String: '%s' Expected Remote Options String: '%s' Local Options hash (VER=%s): '%s' Expected Remote Options hash (VER=%s): '%s' Fatal error: Port sharing failed init_instance list.c Cannot initialize LZO compression library LZO compression initialized lzo.c lzo_adaptive_compress_test: comp=%d total=%d Adaptive compression state %s LZO compression buffer overflow LZO compression error: %d LZO decompression error: %d decompress %d -> %d Bad LZO decompression header byte: %d pre-compress bytes,%llu post-compress bytes,%llu pre-decompress bytes,%llu post-decompress bytes,%llu MANAGEMENT: unix domain socket client connection rejected -- ? ? &? 1? =? K? [? m? ? ? ? ? ? ? ? JO @ ? ? @ @ @ @ S' %@ 0@ 8@ [[BLANK]] SUCCESS: client-auth command succeeded ERROR: client-auth command failed ERROR: The client-auth command is not supported by the current daemon mode SUCCESS: client-pf command succeeded ERROR: client-pf command failed ERROR: The client-pf command is not supported by the current daemon mode %s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user %s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group %s cannot get UID/GID of socket peer SUCCESS: %d client(s) at address %s:%d killed ERROR: client at address %s:%d not found ERROR: port number is out of range: %s ERROR: error parsing IP address: %s SUCCESS: common name '%s' found, %d client(s) killed ERROR: common name '%s' not found ERROR: kill parse ERROR: The 'kill' command is not supported by the current daemon mode ERROR: cannot parse CID ERROR: cannot parse KID MANAGEMENT MANAGEMENT: listen() failed MANAGEMENT: unix domain socket listening on %s MANAGEMENT: TCP Socket listening on %s X509_ >%s:ENV,%s >%s:ENV,END >INFO:OpenVPN Management Interface Version %d -- type 'help' for more info at least manage.c ERROR: the '%s' command requires %s%d parameter%s MANAGEMENT: TCP %s error: %s >CLIENT:ENV,%s validation failed on peer_info line received from client n_clients SUCCESS: '%s' %s entered, but not yet verified ERROR: %s of type '%s' entered, but we need one of type '%s' ERROR: no %s is currently needed at this time >BYTECOUNT:%s,%s >BYTECOUNT_CLI:%lu,%s,%s >UPDOWN:%s UPDOWN >NOTIFY:%s,%s,%s REAUTH >CLIENT:%s,%lu,%u >CLIENT:ESTABLISHED,%lu >CLIENT:DISCONNECT,%lu >CLIENT:ADDRESS,%lu,%s,%d >PASSWORD:Verification Failed: '%s' ['%s'] >PASSWORD:Verification Failed: '%s' >PASSWORD:Auth-Token:%s MANAGEMENT: Client disconnected MANAGEMENT: Triggering management signal management-disconnect MANAGEMENT: Triggering management exit management-exit >FATAL: >LOG: >ECHO: >STATE: %u, %s, %d, MANAGEMENT: %s SUCCESS: real-time %s notification set to ON off SUCCESS: real-time %s notification set to OFF ERROR: %s parameter must be 'on' or 'off' or some number n or 'all' state SUCCESS: password is correct ERROR: bad password MAN: client connection rejected after %d failed password attempts MANAGEMENT: CMD 'password [...]' load-stats MANAGEMENT: CMD '%s' quit help Management Interface for %s Commands: auth-retry t : Auth failure retry mode (none,interact,nointeract). bytecount n : Show bytes in/out, update every n secs (0=off). echo [on|off] [N|all] : Like log, but only show messages in echo buffer. exit|quit : Close management session. forget-passwords : Forget passwords entered so far. help : Print this message. hold [on|off|release] : Set/show hold flag to on/off state, or release current hold and start tunnel. kill cn : Kill the client instance(s) having common name cn. kill IP:port : Kill the client instance connecting from IP:port. load-stats : Show global server load stats. log [on|off] [N|all] : Turn on/off realtime log display + show last N lines or 'all' for entire history. mute [n] : Set log mute level to n, or show level if n is absent. needok type action : Enter confirmation for NEED-OK request of 'type', where action = 'ok' or 'cancel'. needstr type action : Enter confirmation for NEED-STR request of 'type', where action is reply string. net : (Windows only) Show network info and routing table. password type p : Enter password p for a queried OpenVPN password. remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP. proxy type [host port flags] : Enter dynamic proxy server info. pid : Show process ID of the current OpenVPN process. client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE) client-auth-nt CID KID : Authenticate client-id/key-id CID/KID client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason text R and optional client reason text CR client-kill CID [M] : Kill client instance CID with message M (def=RESTART) env-filter [level] : Set env-var filter level client-pf CID : Define packet filter for client CID (MULTILINE) rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge Enter signature base64 on subsequent lines followed by END signal s : Send signal s to daemon, s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2. state [on|off] [N|all] : Like log, but show state history. status [n] : Show current daemon status info using format #n. test n : Produce n lines of output for testing/debugging. username type u : Enter username u for a queried OpenVPN username. verb [n] : Set log verbosity level to n, or show if n is absent. version : Show current version number. OpenVPN Version: %s Management Version: %d SUCCESS: pid=%d nclients SUCCESS: nclients=%d ERROR: The nclients command is not supported by the current daemon mode env-filter SUCCESS: env_filter_level=%d SUCCESS: signal %s thrown ERROR: signal '%s' is currently ignored ERROR: signal '%s' is not a known signal type SUCCESS: nclients=%d,bytesin=%llu,bytesout=%llu ERROR: The 'status' command is not supported by the current daemon mode verb SUCCESS: verb level changed ERROR: verb level is out of range SUCCESS: verb=%d SUCCESS: mute level changed ERROR: mute level is out of range SUCCESS: mute=%d auth-retry SUCCESS: auth-retry parameter changed ERROR: bad auth-retry parameter SUCCESS: auth-retry=%s echo forget-passwords SUCCESS: Passwords were forgotten needok needok-confirmation needstr needstr-string ERROR: The 'net' command is not supported by the current daemon mode SUCCESS: hold flag set to ON SUCCESS: hold flag set to OFF SUCCESS: hold release succeeded ERROR: bad hold command parameter SUCCESS: hold=%d bytecount SUCCESS: bytecount interval changed client-kill SUCCESS: client-kill command succeeded ERROR: client-kill command failed ERROR: The client-kill command is not supported by the current daemon mode client-deny SUCCESS: client-deny command succeeded ERROR: client-deny command failed ERROR: The client-deny command is not supported by the current daemon mode client-auth-nt rsa-sig ERROR: The rsa-sig command is not currently available SUCCESS: proxy command succeeded ERROR: proxy command failed ERROR: The proxy command is not supported by the current daemon mode SUCCESS: remote command succeeded ERROR: remote command failed ERROR: The remote command is not supported by the current daemon mode [%d] The purpose of this command is to generate large amounts of output. ERROR: unknown command, enter 'help' for more options recv Client connected from send Need password(s) from management interface, waiting... Need hold release from management interface, waiting... Need information from management interface, waiting... >HOLD:Waiting for hold release >RSA_SIGN:%s SUCCESS: rsa-sig command succeeded ERROR: rsa-sig command failed NEED-OK NEED-STR PASSWORD username/password >%s:Need '%s' %s MSG:%s SC:%d,%s ENTER PASSWORD: MANAGEMENT: %s %s MANAGEMENT: connect to unix socket %s failed: %s MANAGEMENT: connect to %s failed: %s management-connect-failed %s %d MANAGEMENT: failed to write peer info to file %s Connected to management server at Management MANAGEMENT: client_uid=%d MANAGEMENT: client_gid=%d tunnel username= password= X509_0_CN= tls_serial_ untrusted_ip= ifconfig_local= ifconfig_netmask= daemon_start_time= daemon_pid= dev= ifconfig_pool_remote_ip= ifconfig_pool_netmask= time_duration= bytes_sent= bytes_received= ASSIGN_IP ADD_ROUTES CONNECTED RECONNECTING EXITING WAIT GET_CONFIG RESOLVE TCP_CONNECT mbuf.c MBUF: mbuf packet dropped MBUF: dereferenced queued packet misc.c Open error on pid file %s %u Close error on pid file %s /dev/null INETD_SOCKET_DESCRIPTOR dup(%d) failed WARNING: cannot stat file '%s' WARNING: file '%s' is group or others accessible external program fork failed external program did not exit normally external program exited normally could not execute external program external program exited with error status: %d %s=%s OPENVPN_%s setenv_str_safe: name overflow %u.%u.%u.%u TEST FILE '%s' [%d] %s-0x%s.%s openvpn_%s_%s.tmp Failed to create temporary filename and path Could not create temporary file '%s': %s Failed to create temporary file after %i attempts CRV1 Note: previous '%s' credentials failed management previous auth credentials failed ERROR: could not read %s username/password/ok/string from management interface NEED-OK|%s|%s: ERROR: could not read %s ok-confirmation from stdin CHALLENGE: %s Response: ERROR: could not read challenge response from stdin CRV1::%s::%s ERROR: received malformed challenge request from server Enter %s Username: Enter %s Password: ERROR: could not read %s username from stdin ERROR: %s username is empty ERROR: could not not read %s password from stdin ERROR: could not read static challenge response from stdin ERROR: could not base64-encode password/static_response SCRV1:%s:%s Sorry, '%s' password cannot be read from a file Error opening '%s' auth file: %s Error reading password from %s authfile: %s Error reading username and password (must be on two consecutive lines) from %s authfile: %s ERROR: username from %s authfile '%s' is empty WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this ENV [%d] '%s' openvpn_popen: unable to fork openvpn_popen: unable to create stdout pipe WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info. openvpn_popen: called with empty argv openvpn_execve: unable to fork openvpn_execve: called with empty argv make_arg_array SCRIPT-ARGV %s%sc script_context tun_mtu link_mtu dev_type ERROR: up/down plugin call failed %sc %s %d %d %s %s %s --up/--down SESS_ID_ echo chroot to '%s' failed cd to '%s' failed chroot to '%s' and cd to '%s' succeeded failed to find UID for user %s setuid('%s') failed UID set to %s failed to find GID for group %s setgid('%s') failed GID set to %s setgroups('%s') failed WARNING: nice %d failed: %s nice %d succeeded WARNING: mlockall call failed mlockall call succeeded /dev/tty console.c MROUTE CIDR netlen: /%d IP packet with unknown IP version=%d seen mroute.c ARP/ UNKNOWN mss.c MSS: %d -> %d mstats_open: filename too long mstats_open: cannot open: %s mstats_open: write error: %s mstats_open: close error: %s memstats data will be written to %s mstats_close: munmap error N N N N N O .O :O GO RO ]O MULTI TCP: queuing deferred packet mtcp.c MULTI TCP: TCP client address is undefined MULTI: TCP INIT maxclients=%d maxevents=%d MULTI TCP: multi_tcp_post %s -> %s MULTI TCP: multi_tcp_action a=%s p=%d MULTI TCP: multi_tcp_wait_lite a=%s mi=0x%08lx MULTI TCP: multi_tcp_wait_lite, unhandled action=%d MULTI TCP: I/O wait required blocking in multi_tcp_action, action=%d MULTI TCP: multi_tcp_dispatch a=%s mi=0x%08lx multi.h MULTI TCP: transmitting previously deferred packet MULTI TCP: multi_tcp_dispatch, unhandled action=%d MULTI TCP: new incoming client address matches existing client address -- new client takes precedence MULTI TCP: instance added: %s MULTI TCP: new client instance failed TA_UNDEF TA_SOCKET_READ TA_SOCKET_READ_RESIDUAL TA_SOCKET_WRITE TA_SOCKET_WRITE_READY TA_SOCKET_WRITE_DEFERRED TA_TUN_READ TA_TUN_WRITE TA_INITIAL TA_TIMEOUT TA_TUN_WRITE_TIMEOUT mtu.c MTU DYNAMIC mtu=%d, flags=%u, %d -> %d %s L:%d D:%d EF:%d EB:%d ET:%d EL:%d AF:%u/%d ] TUN MTU value (%d) must be at least %d MTU is too small Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket yes maybe invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no' mudp.c [succeeded] [created] MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq GET INST BY REAL: %s %s multi.c MULTI: connection rejected: %s, CLI:%s ifconfig_pool_local_ip ifconfig_pool_remote_ip ifconfig_pool_netmask WARNING: learn-address plugin call failed %sc %s %s --learn-address MULTI: REAP range %d -> %d MULTI: REAP DEL %s delete MULTI: multi_init called, r=%d v=%d Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds %s/ (Not enabled) MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then. MULTI_sva: pool returned IPv4=%s, IPv6=%s MULTI: no --ifconfig-pool netmask parameter is available to push to %s MULTI: no free --ifconfig-pool addresses are available MULTI_sva: push_ifconfig_ipv6 %s/%d MULTI: problem deleting temporary file: %s MULTI: multi_close_instance called bytes_received bytes_sent time_duration WARNING: client-disconnect plugin call failed --client-disconnect OpenVPN CLIENT LIST Updated,%s Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since %s,%s,%llu,%llu,0x%x,0x%x,%s ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref %s%s,%s,%s,%s GLOBAL STATS Max bcast/mcast queue length,%d TITLE%c%s TIME%c%s%c%u HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername CLIENT_LIST%c%s%c%s%c%s%c%llu%c%llu%c%s%c%u%c%s HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t) ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u GLOBAL_STATS%cMax bcast/mcast queue length%c%d ERROR: bad status format version number MULTI: packet dropped due to output saturation (multi_add_mbuf) UNDEF_I bcast_c2c PF: client[%s] -> client[%s] packet dropped by BCAST packet filter bcast_src_addr PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter MULTI: C2C/MCAST/BCAST MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option) update add MULTI: Learn%s: %s -> %s GET INST BY VIRT: %s -> %s via %s GET INST BY VIRT: %s [failed] GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d MULTI: Checking stale routes MULTI: Deleting stale route for address '%s' client-instance MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. common_name time_ascii time_unix WARNING: client-connect plugin call failed WARNING: client-connect-v2 plugin call failed %sc %s --client-connect MULTI: client has been rejected due to 'disable' directive MULTI: no dynamic or static remote --ifconfig address is available for %s MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s) MULTI: primary virtual IP for %s: %s MULTI: primary virtual IPv6 for %s: %s MULTI: internal route %s/%d -> %s MULTI: internal route %s -> %s MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels MULTI: Outgoing TUN queue full, dropped packet len=%d tun_tap_src_addr PF: addr[%s] -> client packet dropped by packet filter MULTI: packet dropped due to output saturation (multi_process_incoming_tun) MULTI: bad source address from client [%s], packet dropped tun_c2c PF: client -> client[%s] packet dropped by TUN packet filter tun_dest_addr PF: client -> addr[%s] packet dropped by TUN packet filter tap_c2c PF: client -> client[%s] packet dropped by TAP packet filter tap_dest_addr PF: client -> addr[%s] packet dropped by TAP packet filter MULTI: multi_create_instance called MULTI: new incoming connection would exceed maximum number of clients (%d) MULTI: unable to add real address [%s] to iterator hash table MULTI: signal occurred during client instance initialization NTLMSSP TlRMTVNTUAABAAAAAgIAAA== ntlm.c MD4 Warning: Username or domain too long p p p p p p 8 8 8 8 8 8 j j j j j j (4k z -V E NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (%llu bytes received from peer, %llu bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ. NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes. NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection). occ.c SENT OCC_REQUEST SENT OCC_REPLY SENT OCC_MTU_REQUEST SENT OCC_MTU_REPLY SENT OCC_MTU_LOAD_REQUEST SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d SENT OCC_EXIT RECEIVED OCC_REQUEST RECEIVED OCC_MTU_REQUEST RECEIVED OCC_MTU_LOAD_REQUEST RECEIVED OCC_REPLY RECEIVED OCC_MTU_REPLY NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d] NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround. RECEIVED OCC_EXIT remote-exit openvpn.c %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote host [port] : Remote host name or ip address. --remote-random : If multiple --remote options specified, choose one randomly. --remote-random-hostname : Add a random string to remote DNS name. --mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'. --proto p : Use protocol p for communicating with peer. p = udp (default), tcp-server, or tcp-client --proto-force p : only consider protocol p in list of connection profiles. p = udp6, tcp6-server, or tcp6-client (ipv6) --connect-retry n : For --proto tcp-client, number of seconds to wait between connection retries (default=%d). --connect-timeout n : For --proto tcp-client, connection timeout (in seconds). --connect-retry-max n : Maximum connection attempt retries, default infinite. --http-proxy s p [up] [auth] : Connect to remote host through an HTTP proxy at address s and port p. If proxy authentication is required, up is a file containing username/password on 2 lines, or 'stdin' to prompt from console. Add auth='ntlm' if the proxy requires NTLM authentication. --http-proxy s p 'auto[-nct]' : Like the above directive, but automatically determine auth method and query for username/password if needed. auto-nct disables weak proxy auth methods. --http-proxy-retry : Retry indefinitely on HTTP proxy errors. --http-proxy-timeout n : Proxy timeout in seconds, default=5. --http-proxy-option type [parm] : Set extended HTTP proxy options. Repeat to set multiple options. VERSION version (default=1.0) AGENT user-agent --socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at address s and port p (default port = 1080). If proxy authentication is required, up is a file containing username/password on 2 lines, or 'stdin' to prompt for console. --socks-proxy-retry : Retry indefinitely on Socks proxy errors. --resolv-retry n: If hostname resolve fails for --remote, retry resolve for n seconds before failing (disabled by default). Set n="infinite" to retry indefinitely. --float : Allow remote to change its IP address/port, such as through DHCP (this is the default if --remote is not used). --ipchange cmd : Run command cmd on remote ip address initial setting or change -- execute as: cmd ip-address port# --port port : TCP/UDP port # for both local and remote. --lport port : TCP/UDP port # for local (default=%d). Implies --bind. --rport port : TCP/UDP port # for remote (default=%d). --bind : Bind to local address and port. (This is the default unless --proto tcp-client or --http-proxy or --socks-proxy is used). --nobind : Do not bind to local address and port. --dev tunX|tapX : tun/tap device (X can be omitted for dynamic device. --dev-type dt : Which device type are we using? (dt = tun or tap) Use this option only if the tun/tap device used with --dev does not begin with "tun" or "tap". --dev-node node : Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. --lladdr hw : Set the link layer address of the tap device. --topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'. --tun-ipv6 : Build tun link capable of forwarding IPv6 traffic. --ifconfig l rn : TUN: configure device to use IP address l as a local endpoint and rn as a remote endpoint. l & rn should be swapped on the other peer. l & rn must be private addresses outside of the subnets used by either peer. TAP: configure device to use IP address l as a local endpoint and rn as a subnet mask. --ifconfig-ipv6 l r : configure device to use IPv6 address l as local endpoint (as a /64) and r as remote endpoint --ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead pass --ifconfig parms by environment to scripts. --ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the connection doesn't match the remote side. --route network [netmask] [gateway] [metric] : Add route to routing table after connection is established. Multiple routes can be specified. netmask default: 255.255.255.255 gateway default: taken from --route-gateway or --ifconfig Specify default by leaving blank or setting to "nil". --route-ipv6 network/bits [gateway] [metric] : Add IPv6 route to routing table after connection is established. Multiple routes can be specified. gateway default: taken from --route-ipv6-gateway or --ifconfig --max-routes n : Specify the maximum number of routes that may be defined or pulled from a server. --route-gateway gw|'dhcp' : Specify a default gateway for use with --route. --route-metric m : Specify a default metric for use with --route. --route-delay n [w] : Delay n seconds after connection initiation before adding routes (may be 0). If not specified, routes will be added immediately after tun/tap open. On Windows, wait up to w seconds for TUN/TAP adapter to come up. --route-up cmd : Run command cmd after routes are added. --route-pre-down cmd : Run command cmd before routes are removed. --route-noexec : Don't add routes automatically. Instead pass routes to --route-up script using environmental variables. --route-nopull : When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options. --allow-pull-fqdn : Allow client to pull DNS names from server for --ifconfig, --route, and --route-gateway. --redirect-gateway [flags]: Automatically execute routing commands to redirect all outgoing IP traffic through the VPN. Add 'local' flag if both OpenVPN servers are directly connected via a common subnet, such as with WiFi. Add 'def1' flag to set default route using using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp' flag to add a direct route to DHCP server, bypassing tunnel. Add 'bypass-dns' flag to similarly bypass tunnel for DNS. --redirect-private [flags]: Like --redirect-gateway, but omit actually changing the default gateway. Useful when pushing private subnets. --client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule. --push-peer-info : (client only) push client info to server. --setenv name value : Set a custom environmental variable to pass to script. --setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow directives for future OpenVPN versions to be ignored. --script-security level: Where level can be: 0 -- strictly no calling of external programs 1 -- (default) only call built-ins such as ifconfig 2 -- allow calling of built-ins and scripts 3 -- allow password to be passed to scripts via env --shaper n : Restrict output to peer to n bytes per second. --keepalive n m : Helper option for setting timeouts in server mode. Send ping once every n seconds, restart if ping not received for m seconds. --inactive n [bytes] : Exit after n seconds of activity on tun/tap device produces a combined in/out byte count < bytes. --ping-exit n : Exit if n seconds pass without reception of remote ping. --ping-restart n: Restart if n seconds pass without reception of remote ping. --ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a remote address. --ping n : Ping remote once every n seconds over TCP/UDP port. --multihome : Configure a multi-homed UDP server. --fast-io : (experimental) Optimize TUN/TAP/UDP writes. --remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM'). --persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart. --persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart. --persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart. --persist-key : Don't re-read key files across SIGUSR1 or --ping-restart. --passtos : TOS passthrough (applies to IPv4 only). --tun-mtu n : Take the tun/tap device MTU to be n and derive the TCP/UDP MTU from it (default=%d). --tun-mtu-extra n : Assume that tun/tap device might return as many as n bytes more than the tun-mtu size on read (default TUN=0 TAP=%d). --link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU from it. --mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel? 'no' -- Never send DF (Don't Fragment) frames 'maybe' -- Use per-route hints 'yes' -- Always DF (Don't Fragment) --mtu-test : Empirically measure and report MTU. --fragment max : Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than max bytes. Adds 4 bytes of overhead per datagram. --mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size or --fragment max value, whichever is lower. --sndbuf size : Set the TCP/UDP send buffer size. --rcvbuf size : Set the TCP/UDP receive buffer size. --mark value : Mark encrypted packets being sent with value. The mark value can be matched in policy routing and packetfilter rules. --txqueuelen n : Set the tun/tap TX queue length to n (Linux only). --memstats file : Write live usage stats to memory mapped binary file. --mlock : Disable Paging -- ensures key material and tunnel data will never be written to disk. --up cmd : Run command cmd after successful tun device open. Execute as: cmd tun/tap-dev tun-mtu link-mtu \ ifconfig-local-ip ifconfig-remote-ip (pre --user or --group UID/GID change) --up-delay : Delay tun/tap open and possible --up script execution until after TCP/UDP connection establishment with peer. --down cmd : Run command cmd after tun device close. (post --user/--group UID/GID change and/or --chroot) (command parameters are same as --up option) --down-pre : Run --down command before TUN/TAP close. --up-restart : Run up/down commands for all restarts including those caused by --ping-restart or SIGUSR1 --user user : Set UID to user after initialization. --group group : Set GID to group after initialization. --chroot dir : Chroot to this directory after initialization. --cd dir : Change to this directory before initialization. --daemon [name] : Become a daemon after initialization. The optional 'name' parameter will be passed as the program name to the system logger. --syslog [name] : Output to syslog, but do not become a daemon. See --daemon above for a description of the 'name' parm. --inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server. See --daemon above for a description of the 'name' parm. --log file : Output log to file which is created/truncated on open. --log-append file : Append log to file, or create file if nonexistent. --suppress-timestamps : Don't log timestamps to stdout/stderr. --writepid file : Write main process ID to file. --nice n : Change process priority (>0 = lower, <0 = higher). --echo [parms ...] : Echo parameters to log output. --verb n : Set output verbosity to n (default=%d): (Level 3 is recommended if you want a good summary of what's happening without being swamped by output). : 0 -- no output except fatal errors : 1 -- startup info + connection initiated messages + non-fatal encryption & net errors : 2,3 -- show TLS negotiations & route info : 4 -- show parameters : 5 -- show 'RrWw' chars on console for each packet sent and received from TCP/UDP (caps) or tun/tap (lc) : 6 to 11 -- debug messages of increasing verbosity --mute n : Log at most n consecutive messages in the same category. --status file n : Write operational status to file every n seconds. --status-version [n] : Choose the status file format version number. Currently, n can be 1, 2, or 3 (default=1). --disable-occ : Disable options consistency check between peers. --gremlin mask : Special stress testing mode (for debugging only). --comp-lzo : Use fast LZO compression -- may add up to 1 byte per packet for uncompressible data. --comp-noadapt : Don't use adaptive compression when --comp-lzo is specified. --management ip port [pass] : Enable a TCP server on ip:port to handle management functions. pass is a password file or 'stdin' to prompt from console. To listen on a unix domain socket, specific the pathname in place of ip and use 'unix' as the port number. --management-client : Management interface will connect as a TCP client to ip/port rather than listen as a TCP server. --management-query-passwords : Query management channel for private key and auth-user-pass passwords. --management-query-proxy : Query management channel for proxy information. --management-query-remote : Query management channel for --remote directive. --management-hold : Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it. --management-signal : Issue SIGUSR1 when management disconnect event occurs. --management-forget-disconnect : Forget passwords when management disconnect event occurs. --management-up-down : Report tunnel up/down events to management interface. --management-log-cache n : Cache n lines of log file history for usage by the management channel. --management-client-user u : When management interface is a unix socket, only allow connections from user u. --management-client-group g : When management interface is a unix socket, only allow connections from group g. --management-client-auth : gives management interface client the responsibility to authenticate clients after their client certificate has been verified. --management-client-pf : management interface clients must specify a packet filter file for each connecting client. --plugin m [str]: Load plug-in module m passing str as an argument to its initialization function. Multi-Client Server options (when --mode server is used): --server network netmask : Helper option to easily configure server mode. --server-ipv6 network/bits : Configure IPv6 server mode. --server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to easily configure ethernet bridging server mode. --push "option" : Push a config file option back to the peer for remote execution. Peer must specify --pull in its config file. --push-reset : Don't inherit global push list for specific client instance. --ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets to be dynamically allocated to connecting clients. --ifconfig-pool-linear : Use individual addresses rather than /30 subnets in tun mode. Not compatible with Windows clients. --ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600). If seconds=0, file will be treated as read-only. --ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block to be dynamically allocated to connecting clients. --ifconfig-push local remote-netmask : Push an ifconfig option to remote, overrides --ifconfig-pool dynamic allocation. Only valid in a client-specific config file. --ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to remote, overrides --ifconfig-ipv6-pool allocation. Only valid in a client-specific config file. --iroute network [netmask] : Route subnet to client. --iroute-ipv6 network/bits : Route IPv6 subnet to client. Sets up internal routes only. Only valid in a client-specific config file. --disable : Client is disabled. Only valid in a client-specific config file. --client-cert-not-required : Don't require client certificate, client will authenticate using username/password. --username-as-common-name : For auth-user-pass authentication, use the authenticated username as the common name, rather than the common name from the client cert. --auth-user-pass-verify cmd method: Query client for username/password and run command cmd to verify. If method='via-env', pass user/pass via environment, if method='via-file', pass user/pass via temporary file. --opt-verify : Clients that connect with options that are incompatible with those of the server will be disconnected. --auth-user-pass-optional : Allow connections by clients that don't specify a username/password. --no-name-remapping : Allow Common Name and X509 Subject to include any printable character. --client-to-client : Internally route client-to-client traffic. --duplicate-cn : Allow multiple clients with the same common name to concurrently connect. --client-connect cmd : Run command cmd on client connection. --client-disconnect cmd : Run command cmd on client disconnection. --client-config-dir dir : Directory for custom client config files. --ccd-exclusive : Refuse connection unless custom client config is found. --tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication. --hash-size r v : Set the size of the real address hash table to r and the virtual address table to v. --bcast-buffers n : Allocate n broadcast buffers. --tcp-queue-limit n : Maximum number of queued TCP output packets. --tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. --learn-address cmd : Run command cmd to validate client virtual addresses. --connect-freq n s : Allow a maximum of n new connections per s seconds. --max-clients n : Allow a maximum of n simultaneously connected clients. --max-routes-per-client n : Allow a maximum of n internal routes per client. --stale-routes-check n [t] : Remove routes with a last activity timestamp older than n seconds. Run this check every t seconds (defaults to n). --port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS sessions to a web server at host:port. dir specifies an optional directory to write origin IP:port data. Client options (when connecting to a multi-client server): --client : Helper option to easily configure client mode. --auth-user-pass [up] : Authenticate with server using username/password. up is a file containing username/password on 2 lines, or omit to prompt from console. --pull : Accept certain config file options from the peer as if they were part of the local config file. Must be specified when connecting to a '--mode server' remote host. --auth-retry t : How to handle auth failures. Set t to none (default), interact, or nointeract. --static-challenge t e : Enable static challenge/response protocol using challenge text t, with e indicating echo flag (0|1) --server-poll-timeout n : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. --explicit-exit-notify [n] : On exit/restart, send exit signal to server/remote. n = # of retries, default=1. Data Channel Encryption Options (must be compatible between peers): (These options are meaningful for both Static Key & TLS-mode) --secret f [d] : Enable Static Key encryption mode (non-TLS). Use shared secret file f, generate with --genkey. The optional d parameter controls key directionality. If d is specified, use separate keys for each direction, set d=0 on one side of the connection, and d=1 on the other side. --auth alg : Authenticate packets with HMAC using message digest algorithm alg (default=%s). (usually adds 16 or 20 bytes per packet) Set alg=none to disable authentication. --cipher alg : Encrypt packets with cipher algorithm alg (default=%s). Set alg=none to disable encryption. --prng alg [nsl] : For PRNG, use digest algorithm alg, and nonce_secret_len=nsl. Set alg=none to disable PRNG. --keysize n : Size of cipher key in bits (optional). If unspecified, defaults to cipher-specific default. --engine [name] : Enable OpenSSL hardware crypto engine functionality. --no-replay : Disable replay protection. --mute-replay-warnings : Silence the output of replay warnings to log file. --replay-window n [t] : Use a replay protection sliding window of size n and a time window of t seconds. Default n=%d t=%d --no-iv : Disable cipher IV -- only allowed with CBC mode ciphers. --replay-persist file : Persist replay-protection state across sessions using file. --test-crypto : Run a self-test of crypto features enabled. For debugging only. TLS Key Negotiation Options: (These options are meaningful only for TLS-mode) --tls-server : Enable TLS and assume server role during TLS handshake. --tls-client : Enable TLS and assume client role during TLS handshake. --key-method m : Data channel key exchange method. m should be a method number, such as 1 (default), 2, etc. --ca file : Certificate authority file in .pem format containing root certificate. --capath dir : A directory of trusted certificates (CAs and CRLs). --dh file : File containing Diffie Hellman parameters in .pem format (for --tls-server only). Use "openssl dhparam -out dh1024.pem 1024" to generate. --cert file : Local certificate in .pem format -- must be signed by a Certificate Authority in --ca file. --extra-certs file : one or more PEM certs that complete the cert chain. --key file : Local private key in .pem format. --pkcs12 file : PKCS#12 file containing local private key, local certificate and optionally the root CA certificate. --verify-hash : Specify SHA1 fingerprint for level-1 cert. --tls-cipher l : A list l of allowable TLS ciphers separated by : (optional). : Use --show-tls to see a list of supported TLS ciphers. --tls-timeout n : Packet retransmit timeout on TLS control channel if no ACK from remote within n seconds (default=%d). --reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd. --reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd. --reneg-sec n : Renegotiate data chan. key after n seconds (default=%d). --hand-window n : Data channel key exchange must finalize within n seconds of handshake initiation by any peer (default=%d). --tran-window n : Transition window -- old key can live this many seconds after new key renegotiation begins (default=%d). --single-session: Allow only one session (reset state on restart). --tls-exit : Exit on TLS negotiation failure. --tls-auth f [d]: Add an additional layer of authentication on top of the TLS control channel to protect against DoS attacks. f (required) is a shared-secret passphrase file. The optional d parameter controls key directionality, see --secret option for more info. --askpass [file]: Get PEM password from controlling tty before we daemonize. --auth-nocache : Don't cache --askpass or --auth-user-pass passwords. --crl-verify crl ['dir']: Check peer certificate against a CRL. --tls-verify cmd: Run command cmd to verify the X509 name of a pending TLS connection that has otherwise passed all other tests of certification. cmd should return 0 to allow TLS handshake to proceed, or 1 to fail. (cmd is executed as 'cmd certificate_depth subject') --tls-export-cert [directory] : Get peer cert in PEM format and store it in an openvpn temporary file in [directory]. Peer cert is stored before tls-verify script execution and deleted after. --verify-x509-name name: Accept connections only from a host with X509 subject DN name. The remote host must also pass all other tests of verification. --ns-cert-type t: Require that peer certificate was signed with an explicit nsCertType designation t = 'client' | 'server'. --x509-track x : Save peer X509 attribute x in environment for use by plugins and management interface. --remote-cert-ku v ... : Require that the peer certificate was signed with explicit key usage, you can specify more than one value. value should be given in hex format. --remote-cert-eku oid : Require that the peer certificate was signed with explicit extended key usage. Extended key usage can be encoded as an object identifier or OpenSSL string representation. --remote-cert-tls t: Require that peer certificate was signed with explicit key usage and extended key usage based on RFC3280 TLS rules. t = 'client' | 'server'. SSL Library information: --show-ciphers : Show cipher algorithms to use with --cipher option. --show-digests : Show message digest algorithms to use with --auth option. --show-engines : Show hardware crypto accelerator engines (if available). --show-tls : Show all TLS ciphers (TLS used only as a control channel). Generate a random key (only for non-TLS static key encryption mode): --genkey : Generate a random key to be used as a shared secret, for use with the --secret option. --secret file : Write key to file. Tun/tap config mode (available with linux 2.4+): --mktun : Create a persistent tunnel. --rmtun : Remove a persistent tunnel. --dev tunX|tapX : tun/tap device --dev-type dt : Device type. See tunnel options above for details. --user user : User to set privilege to. --group group : Group to set privilege to. General Standalone Options: --show-gateway : Show info about default gateway. OpenVPN 2.3.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 3 2017 + 3 M D B options.c </%s> Multiple --%s scripts defined. The previously configured script is overridden. option '%s' cannot be used in this context (%s) Maximum number of 'connection' options (%d) exceeded [UNDEF] ENABLED DISABLED proto = %s local = '%s' local_port = %d remote = '%s' remote_port = %d remote_float = %s bind_defined = %s bind_local = %s connect_retry_seconds = %d connect_timeout = %d connect_retry_max = %d BEGIN http_proxy server = '%s' port = %d auth_method_string = '%s' auth_file = '%s' retry = %s timeout = %d http_version = '%s' user_agent = '%s' END http_proxy socks_proxy_server = '%s' socks_proxy_port = %d socks_proxy_retry = %s tun_mtu = %d tun_mtu_defined = %s link_mtu = %d link_mtu_defined = %s tun_mtu_extra = %d tun_mtu_extra_defined = %s mtu_discover_type = %d fragment = %d mssfix = %d explicit_exit_notification = %d %s fails with '%s': %s %s fails with '%s': No path to executable. proto WARNING: '%s' is used inconsistently, %s='%s', %s='%s' WARNING: '%s' is present in %s config but missing in %s config, %s='%s' version %s the --%s directive should have at most %d parameter%s.%s To pass a list of arguments as one of the parameters, try enclosing them in double quotes (""). BF-CBC SHA1 TMPDIR /tmp proto local_port remote_port http_proxy_server http_proxy_port socks_proxy_server socks_proxy_port daemon daemon_log_redirect daemon_start_time daemon_pid IPv6 prefix '%s': invalid '/bits' spec IPv6 prefix '%s': invalid IPv6 address Current Parameter Settings: config = '%s' mode = %d persist_config = %s persist_mode = %d show_ciphers = %s show_digests = %s show_engines = %s genkey = %s key_pass_file = '%s' show_tls_ciphers = %s Connection profiles [default]: Connection profiles [%d]: Connection profiles END remote_random = %s ipchange = '%s' dev = '%s' dev_type = '%s' dev_node = '%s' lladdr = '%s' topology = %d tun_ipv6 = %s ifconfig_local = '%s' ifconfig_remote_netmask = '%s' ifconfig_noexec = %s ifconfig_nowarn = %s ifconfig_ipv6_local = '%s' ifconfig_ipv6_netbits = %d ifconfig_ipv6_remote = '%s' shaper = %d mtu_test = %d mlock = %s keepalive_ping = %d keepalive_timeout = %d inactivity_timeout = %d ping_send_timeout = %d ping_rec_timeout = %d ping_rec_timeout_action = %d ping_timer_remote = %s remap_sigusr1 = %d persist_tun = %s persist_local_ip = %s persist_remote_ip = %s persist_key = %s passtos = %s resolve_retry_seconds = %d username = '%s' groupname = '%s' chroot_dir = '%s' cd_dir = '%s' writepid = '%s' up_script = '%s' down_script = '%s' down_pre = %s up_restart = %s up_delay = %s daemon = %s inetd = %d log = %s suppress_timestamps = %s nice = %d verbosity = %d mute = %d gremlin = %d status_file = '%s' status_file_version = %d status_file_update_freq = %d occ = %s rcvbuf = %d sndbuf = %d mark = %d sockflags = %d fast_io = %s lzo = %d route_script = '%s' route_default_gateway = '%s' route_default_metric = %d route_noexec = %s route_delay = %d route_delay_window = %d route_delay_defined = %s route_nopull = %s route_gateway_via_dhcp = %s max_routes = %d allow_pull_fqdn = %s management_addr = '%s' management_port = %d management_user_pass = '%s' management_log_history_cache = %d management_echo_buffer_size = %d management_write_peer_info_file = '%s' management_client_user = '%s' management_client_group = '%s' management_flags = %d shared_secret_file = '%s' key_direction = %d ciphername_defined = %s ciphername = '%s' authname_defined = %s authname = '%s' prng_hash = '%s' prng_nonce_secret_len = %d keysize = %d engine = %s replay = %s mute_replay_warnings = %s replay_window = %d replay_time = %d packet_id_file = '%s' use_iv = %s test_crypto = %s tls_server = %s tls_client = %s key_method = %d ca_file = '%s' ca_path = '%s' dh_file = '%s' cert_file = '%s' "priv_key_file" = %s EXTERNAL_PRIVATE_KEY priv_key_file = '%s' pkcs12_file = '%s' cipher_list = '%s' tls_verify = '%s' tls_export_cert = '%s' verify_x509_type = %d verify_x509_name = '%s' crl_file = '%s' ns_cert_type = %d remote_cert_ku[i] = %d remote_cert_eku = '%s' ssl_flags = %d tls_timeout = %d renegotiate_bytes = %d renegotiate_packets = %d renegotiate_seconds = %d handshake_window = %d transition_window = %d single_session = %s push_peer_info = %s tls_exit = %s tls_auth_file = '%s' server_network = %s server_netmask = %s server_network_ipv6 = %s server_netbits_ipv6 = %d server_bridge_ip = %s server_bridge_netmask = %s server_bridge_pool_start = %s server_bridge_pool_end = %s push_entry = '%s' ifconfig_pool_defined = %s ifconfig_pool_start = %s ifconfig_pool_end = %s ifconfig_pool_netmask = %s ifconfig_pool_persist_filename = '%s' ifconfig_pool_persist_refresh_freq = %d ifconfig_ipv6_pool_defined = %s ifconfig_ipv6_pool_base = %s ifconfig_ipv6_pool_netbits = %d n_bcast_buf = %d tcp_queue_limit = %d real_hash_size = %d virtual_hash_size = %d client_connect_script = '%s' learn_address_script = '%s' client_disconnect_script = '%s' client_config_dir = '%s' ccd_exclusive = %s tmp_dir = '%s' push_ifconfig_defined = %s push_ifconfig_local = %s push_ifconfig_remote_netmask = %s push_ifconfig_ipv6_defined = %s push_ifconfig_ipv6_local = %s/%d push_ifconfig_ipv6_remote = %s enable_c2c = %s duplicate_cn = %s cf_max = %d cf_per = %d max_clients = %d max_routes_per_client = %d auth_user_pass_verify_script = '%s' auth_user_pass_verify_script_via_file = %s port_share_host = '%s' port_share_port = %d client = %s pull = %s auth_user_pass_file = '%s' Note: option http-proxy-override ignored because no TCP-based connection profiles are defined V4 ,dev-type %s ,link-mtu %d ,tun-mtu %d ,proto %s ,tun-ipv6 ,ifconfig %s ,comp-lzo ,mtu-dynamic ,keydir %s ,cipher %s ,auth %s ,keysize %d ,secret ,no-replay ,no-iv ,tls-auth ,key-method %d ,tls-server ,tls-client NOTE: Options consistency check may be skewed by version differences net30 p2p --topology must be net30, p2p, or subnet unknown nointeract none --auth-retry method must be 'interact', 'nointeract', or 'none' Use --help for more information. You must define %s key file (--secret) --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client only one of --daemon or --inetd may be specified --local or --remote cannot be used with --inetd --proto tcp-client cannot be used with --inetd --inetd nowait can only be used with --proto tcp-server --inetd nowait can only be used in TLS mode --inetd nowait only makes sense in --dev tap mode --lladdr can only be used in --dev tap mode --connect-retry doesn't make sense unless also used with --proto tcp-client or tcp6-client --connect-timeout doesn't make sense unless also used with --proto tcp-client or tcp6-client only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d) --mtu-test only makes sense with --proto udp --remote and --local addresses are the same --local and --remote addresses must be distinct from --ifconfig addresses --local addresses must be distinct from --ifconfig addresses local and remote/netmask --ifconfig addresses must be different --bind and --nobind can't be used together --local and --nobind don't make sense when used together --lport and --nobind don't make sense when used together --nobind doesn't make sense unless used with --remote --management is not specified, however one or more options which modify the behavior of --management were specified --management-client-(user|group) can only be used on unix domain sockets --fragment can only be used with --proto udp --remote MUST be used in TCP Client mode --http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client) --http-proxy can not be used together with --socks-proxy --socks-proxy can not be used in TCP Server mode TCP server mode allows at most one --remote address --mode server only works with --dev tun or --dev tap --pull cannot be used with --mode server --mode server currently only supports --proto udp or --proto tcp-server or proto tcp6-server --port-share only works in TCP server mode (--proto tcp-server or tcp6-server) --mode server requires --tls-server --remote cannot be used with --mode server --nobind cannot be used with --mode server --http-proxy cannot be used with --mode server --socks-proxy cannot be used with --mode server <connection> cannot be used with --mode server --shaper cannot be used with --mode server --inetd cannot be used with --mode server --ipchange cannot be used with --mode server (use --client-connect instead) --mode server currently only supports --proto udp or --proto tcp-server or --proto tcp6-server --connect-freq only works with --mode server --proto udp. Try --max-clients instead. The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode --explicit-exit-notify cannot be used with --mode server --redirect-gateway cannot be used with --mode server (however --push "redirect-gateway" is fine) --route-delay cannot be used with --mode server --up-delay cannot be used with --mode server --ifconfig-pool-persist must be used with --ifconfig-pool --ifconfig-ipv6-pool needs --ifconfig-ipv6 Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6 --auth-user-pass cannot be used with --mode server (it should be used on the client side only) --ccd-exclusive must be used with --client-config-dir --mode server requires --key-method 2 --client-cert-not-required %s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin --username-as-common-name %s --auth-user-pass-optional %s --ifconfig-pool/--ifconfig-pool-persist requires --mode server --ifconfig-ipv6-pool requires --mode server --hash-size requires --mode server --learn-address requires --mode server --client-connect requires --mode server --client-disconnect requires --mode server --client-config-dir/--ccd-exclusive requires --mode server --client-to-client requires --mode server --duplicate-cn requires --mode server --connect-freq requires --mode server --client-cert-not-required requires --mode server --username-as-common-name requires --mode server --auth-user-pass-optional requires --mode server --opt-verify requires --mode server --tcp-nodelay requires --mode server --auth-user-pass-verify requires --mode server --port-share requires TCP server mode (--mode server --proto tcp-server) --stale-routes-check requires --mode server --compat-x509-names no-remapping requires --mode server --replay-window only makes sense with --proto udp --replay-window doesn't make sense when replay protection is disabled with --no-replay specify only one of --tls-server, --tls-client, or --secret DH file (--dh) --key and --management-external-key are mutually exclusive Parameter --capath cannot be used when --pkcs12 is also specified. Parameter --cert cannot be used when --pkcs12 is also specified. Parameter --key cannot be used when --pkcs12 is also specified. Parameter --external-management-key cannot be used when --pkcs12 is also specified. You must define CA file (--ca) or CA path (--capath) No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass If you use one of --cert or --key, you must use them both certificate file (--cert) or PKCS#12 file (--pkcs12) private key file (--key) or PKCS#12 file (--pkcs12) ca_file ca_path dh_file cert_file priv_key_file pkcs12_file cipher_list tls_verify tls_export_cert verify_x509_name tls_timeout renegotiate_bytes renegotiate_packets renegotiate_seconds handshake_window transition_window tls_auth_file single_session push_peer_info tls_exit crl_file key_method ns_cert_type remote_cert_ku[0] remote_cert_eku --auth-user-pass requires --pull Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. --dh --ca --capath --cert --extra-certs --key --pkcs12 --crl-verify directory --crl-verify --tls-auth --replay-persist --askpass --management user/password file --chroot directory --writepid --status --tls-export-cert Temporary directory (--tmp-dir) --auth-user-pass-verify script --client-connect script --client-disconnect script --tls-verify script --up script --down script --ipchange script --route-up script --route-pre-down script --learn-address script Please correct these errors. ERROR: %sOptions warning: Bad backslash ('\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key" %sOptions error: Parameter at %s:%d is too long (%d chars max): %s %sOptions error: No closing quotation (") in %s:%d %sOptions error: No closing single quotation (') in %s:%d %sOptions error: Residual parse state (%d) in %s:%d [CMD-LINE] Originally developed by James Yonan Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> Compile time defines: %s enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no show-gateway echo/parameter option overflow port number associated with --management directive is out of range management-query-passwords management-query-remote management-query-proxy management-hold management-signal management-forget-disconnect management-up-down management-client management-external-key management-client-auth x509-track management-client-pf management-log-cache --management-log-cache parameter is out of range plugin add failed: %s Bad --mode parameter: %s dev-type dev-node lladdr lladdr parm '%s' must be a MAC address topology ifconfig parms '%s' and '%s' must be valid addresses ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d' ifconfig-ipv6 parms '%s' and '%s' must be valid addresses ifconfig-noexec ifconfig-nowarn remote-random connection [CONNECTION-OPTIONS] Each 'connection' block must contain exactly one 'remote' directive remote-ip-hint http-proxy-override Bad http-proxy port number: %s OpenVPN-Autoproxy/1.0 remote: port number associated with host %s is out of range remote: bad protocol associated with host %s: '%s' Maximum number of 'remote' options (%d) exceeded resolv-retry infinite connect-retry connect-timeout connect-retry-max float gremlin chroot cd down-pre up-delay up-restart syslog WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.) when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging nowait suppress-timestamps log-append memstats mlock multihome errors-to-stderr status-version --status-version must be 1 to 3 remap-usr1 SIGHUP SIGTERM --remap-usr1 parm must be 'SIGHUP' or 'SIGTERM' link-mtu udp-mtu tun-mtu tun-mtu-extra --mtu-dynamic has been replaced by --fragment mtu-disc mtu-test nice rcvbuf sndbuf mark socket-flags unknown socket flag: %s txqueuelen Bad shaper value, must be between %d and %d Bad port number: %s lport Bad local port number: %s rport Bad remote port number: %s nobind fast-io Bad protocol: '%s'. Allowed protocols with --proto option: %s proto-force Bad --proto-force protocol: '%s' http-proxy http-proxy port number not defined auto-nct basic http-proxy-retry http-proxy-timeout http-proxy-option VERSION AGENT Bad http-proxy-option or missing parameter: '%s' Bad socks-proxy port number: %s socks-proxy-retry keepalive ping-timer-rem explicit-exit-notify persist-tun persist-key persist-local-ip persist-remote-ip client-nat route parameter network/IP '%s' must be a valid address route parameter netmask '%s' must be an IP address route parameter gateway '%s' must be a valid address route-ipv6 parameter network/IP '%s' must be a valid address route-ipv6 parameter gateway '%s' must be a valid address max-routes --max-routes parameter is out of range --max-routes must to be specifed before any route/route-ipv6/redirect-gateway option route-gateway route-gateway parm '%s' must be a valid address route-metric route-delay route-noexec route-nopull allow-pull-fqdn redirect-gateway redirect-private autolocal def1 bypass-dhcp bypass-dns block-local unknown --%s flag: %s remote-random-hostname setenv REMOTE_RANDOM_HOSTNAME GENERIC_CONFIG this is a generic configuration and cannot directly be used PUSH_PEER_INFO SERVER_POLL_TIMEOUT FORWARD_COMPATIBLE setenv-safe script-security mssfix disable-occ error parsing --server parameters nopool error parsing --server: %s is not a recognized flag server-ipv6 error parsing --server-ipv6 parameter --server-ipv6 settings: only /64../112 supported right now (not /%d) error parsing --server-ipv6: %s is not a recognized flag error parsing --server-bridge parameters nogw push-reset error parsing --ifconfig-pool parameters ifconfig-pool-persist ifconfig-pool-linear ifconfig-ipv6-pool error parsing --ifconfig-ipv6-pool parameters --ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d) hash-size --hash-size sizes must be >= 1 (preferably a power of 2) --connect-freq parms must be > 0 max-clients --max-clients must be at least 1 max-routes-per-client client-cert-not-required username-as-common-name auth-user-pass-optional via-env via-file second parm to --auth-user-pass-verify must be 'via-env' or 'via-file' --auth-user-pass-verify requires a second parameter ('via-env' or 'via-file') tmp-dir ccd-exclusive bcast-buffers --bcast-buffers parameter must be > 0 tcp-queue-limit --tcp-queue-limit parameter must be > 0 port-share port number associated with --port-share directive is out of range client-to-client iroute in --iroute %s %s : Bad network/subnet specification iroute-ipv6 ifconfig-push cannot parse --ifconfig-push addresses ifconfig-push-constraint cannot parse --ifconfig-push-constraint addresses ifconfig-ipv6-push cannot parse --ifconfig-ipv6-push addresses second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set disable tcp-nodelay stale-routes-check --stale-routes-check aging time and check interval must be >= 1 push-continuation server-poll-timeout static-challenge dhcp-option foreign_option_%d foreign_option: name/value overflow route-method passtos adaptive bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive' comp-noadapt show-ciphers show-digests show-engines key-direction genkey prng prng parameter nonce_secret_len must be between %d and %d replay-window replay-window window size parameter (%d) must be between %d and %d replay-window time window parameter (%d) must be between %d and %d replay-window option is missing window size parameter test-crypto engine keysize Bad keysize: %s show-tls verify-hash format error in hash fingerprint: %s format error in hash fingerprint hex byte: %s format error in hash fingerprint delimiter: %s hash fingerprint is different length than expected (%d bytes): %s auth-nocache auth-token single-session push-peer-info tls-exit tls-cipher tls-verify compat-names you cannot use --compat-names with --verify-x509-name DEPRECATED OPTION: --compat-names, please update your configuration no-remapping you cannot use --no-name-remapping with --verify-x509-name DEPRECATED OPTION: --no-name-remapping, please update your configuration you cannot use --tls-remote with --verify-x509-name DEPRECATED OPTION: --tls-remote, please update your configuration , you cannot use --verify-x509-name with --tls-remote you cannot use --verify-x509-name with --compat-names or --no-name-remapping subject name-prefix unknown X.509 name type: %s ns-cert-type --ns-cert-type must be 'client' or 'server' remote-cert-ku remote-cert-eku remote-cert-tls TLS Web Server Authentication TLS Web Client Authentication --remote-cert-tls must be 'client' or 'server' tls-timeout reneg-bytes reneg-pkts reneg-sec hand-window tran-window key-method key_method parameter (%d) must be >= %d and <= %d rmtun mktun Unrecognized option or missing parameter(s) in %s:%d: %s (%s) 2.3.1 In %s:%d: Error opening configuration file: %s In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself. I'm trying to parse "%s" as an --option parameter but I don't see a leading '--' [PUSH-OPTIONS] OPTIONS IMPORT: reading client specific options from: %s [CONFIG-STRING] undef [%d/%d] us=%d otime.c Assertion Failed: Array index=%d out of bounds for array size=%d in %s:%d packet_id.c [%s-%d] [ %c ] %lu:%u t=%lu[%d] r=[%d,%d,%d,%d,%d] sl=[%d,%d,%d,%d] PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d PID packet_id_free PID_TEST PID_ERR replay-window backtrack occurred PID_ERR large diff PID_ERR replay PID_ERR time backtrack [ #%u / time = (%u) %s Close error on --replay-persist file %s PID Persist Write to %s: %s Cannot write to --replay-persist file %s Cannot seek to beginning of --replay-persist file %s Cannot open --replay-persist file %s for read/write Cannot obtain exclusive lock on --replay-persist file %s PID Persist Read from %s: %s Read error on --replay-persist file %s 3 3 DROP PF: %s/%s/%s %s %s rule=[%s %s] PF: %s/%s/%s %s %s PF: %s/%d: no data after +/-: '%s' PF: %s/%d: bad '/n' subnet specifier: '%s' PF: %s/%d: bad '/n' subnet specifier: must be between 0 and 32: '%s' PF: %s/%d: bad network address: '%s' WARNING: PF: %s/%d: incorrect subnet %s/%d changed to %s/%d pf.c [clients accept] [clients drop] [subnets accept] [subnets drop] [kill] PF: %s/%d unknown tag: '%s' PF: %s/%d line must begin with '+', '-', or '[' : '%s' PF: %s: missing [end] PF: %s: cannot open PF: %s: duplicate common name in [clients] section: '%s' PF: %s rejected due to %d error(s) PF: %s/%s %s %s %s rule=[%s/%s %s] PF: %s/%s %s %s %s PF_CN_MATCH PF_CN_DEFAULT PF_CN_FAULT PF_ADDR_MATCH PF_ADDR_DEFAULT PF_ADDR_FAULT [SERVER-PF] ----- %s : struct pf_context ----- enabled=%d filename='%s' file_last_mod=%u n_check_reload=%u reload=[%d,%u,%u] ----- struct pf_set ----- kill=%d ----- struct pf_subnet_set ----- default_allow=%s %s/%s %s ----- struct pf_cn_set ----- %s %s ---------- %s LOOKUP FAILED -------------------- pf_file pf_init_context#1 WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled pf_init_context#2 pf-kill pf_check_reload SRC DEST * { d - H%sInactivity timeout (--ping-exit), exiting %sInactivity timeout (--ping-restart), restarting ping.c SENT PING ]9 g9 s9 9 9 9 9 9 9 9 : : (: PLUGIN: suppressed log message from plugin with unknown name PLUGIN %s: %s PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s %s[%d] = '%s' ENVP plugin[%d] %s '%s' plugin.c PLUGIN_INIT: could not load plugin shared object %s: %s openvpn_plugin_open_v1 openvpn_plugin_open_v2 openvpn_plugin_open_v3 openvpn_plugin_func_v1 openvpn_plugin_func_v2 openvpn_plugin_func_v3 openvpn_plugin_close_v1 openvpn_plugin_abort_v1 openvpn_plugin_client_constructor_v1 openvpn_plugin_client_destructor_v1 openvpn_plugin_min_version_required_v1 openvpn_plugin_select_initialization_point_v1 PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure [RETLIST] PLUGIN_INIT: PRE | PLUGIN_INIT: POST %s '%s' intercepted=%s %s PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x] PLUGIN_INIT: plugin initialization function failed: %s PLUGIN_CLOSE: %s PLUGIN_CLOSE: dlclose() failed on plugin: %s PLUGIN_??? PLUGIN_CALL: PRE type=%s PLUGIN_CALL: POST %s/%s status=%d PLUGIN_CALL: plugin function %s failed with status %d: %s PLUGIN_RETURN_PRINT %s PLUGIN #%d (%s) [%d] '%s' -> '%s' PLUGIN_UP PLUGIN_DOWN PLUGIN_ROUTE_UP PLUGIN_IPCHANGE PLUGIN_TLS_VERIFY PLUGIN_AUTH_USER_PASS_VERIFY PLUGIN_CLIENT_CONNECT PLUGIN_CLIENT_DISCONNECT PLUGIN_LEARN_ADDRESS PLUGIN_TLS_FINAL PLUGIN_ENABLE_PF PLUGIN_ROUTE_PREDOWN pool.c --ifconfig-pool start IP [%s] is greater than end IP [%s] --ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable. IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s IFCONFIG POOL: base=%s size=%d, ipv6=%d ifconfig_pool_read(), in='%s', TODO: IPv6 succeeded -> ifconfig_pool_set() IFCONFIG POOL LIST HTTP Proxy proxy.c send_line: TCP port write failed on send() recv_line: TCP port read timeout expired recv_line: TCP port read failed on select() recv_line: TCP port read failed on recv() recv_line: Non-ASCII character (%d) read on recv() HTTP_PROXY: server not specified ntlm ntlm2 ERROR: unknown HTTP authentication method: '%s' CONNECT %s:%d HTTP/%s Send to HTTP proxy: '%s' Host: %s User-Agent: %s Proxy-Authorization: Basic %s Attempting Basic Proxy-Authorization Proxy-Connection: Keep-Alive Proxy-Authorization: NTLM %s Attempting NTLM Proxy-Authorization phase 1 HTTP proxy returned: '%s' %*s %d Proxy requires authentication %%*s NTLM %%%ds auth string: '%s' Received NTLM Proxy-Authorization phase 2 response Attempting NTLM Proxy-Authorization phase 3 NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server realm nonce algorithm opaque , opaque="%s" 00000001 %s %s HTTP/%s Proxy-Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=%s, nc=%s, cnonce="%s", response="%s"%s Proxy-Authenticate: Basic PROXY AUTH BASIC: '%s' Digest PROXY AUTH DIGEST: '%s' NTLM PROXY AUTH HTLM: '%s' HTTP proxy authenticate '%s' HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled HTTP proxy: do not recognize the authentication method required by proxy HTTP proxy: no support for proxy authentication method HTTP proxy returned bad status PORT SHARE PROXY: unexpected status=%d PORT SHARE: sendmsg sd=%d len=%d PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d) PORT SHARE PROXY: delete sd=%d PORT SHARE PROXY: read[%d] %d PORT SHARE PROXY: partial write[%d], tried=%d got=%d PORT SHARE PROXY: wrote[%d] %d PORT SHARE PROXY: proxy starting PORT SHARE PROXY: received unknown message PORT SHARE PROXY: RECEIVED sd=%d PORT SHARE PROXY: cannot create socket PORT SHARE PROXY: connect to port-share server failed PORT SHARE PROXY: connect to port-share server succeeded PORT SHARE PROXY: client origin %s -> %s PORT SHARE: unable to write journal file in %s PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d] PORT SHARE PROXY: RECEIVED COMMAND_EXIT ps.c PORT SHARE PROXY: event_wait failed PORT SHARE PROXY: proxy exiting PORT SHARE: waiting for background process to exit PORT SHARE: background process exited PORT SHARE: socketpair call failed PORT SHARE: unexpected init recv_control status=%d AUTH_FAILED PUSH OPTION FAILED (illegal comma (',') in string): '%s' push.c AUTH: Received control message: %s auth-failure AUTH_FAILED, Auth AUTH_FAILED,CRV1: Connection reset command was pushed by server ('%s') server-pushed-connection-reset Halt command was pushed by server ('%s') server-pushed-halt PUSH_REQUEST No reply from server after sending %d push requests no-push-reply send_push_reply(): safe_cap=%d [OpenVPN, connection successfully]IP address:%s ,ifconfig-ipv6 %s/%d %s --push ifconfig-ipv6 option is too long ,push-continuation 2 --push option is too long ,ifconfig %s %s ,push-continuation 1 PUSH: Received control message: '%s' WARNING: Received bad push/pull message: %s 255.255.255.255 [PUSH_ROUTE_REMOVE] REMOVE PUSH ROUTE: '%s' [%u] ACK read ID %u (buf->len=%d) ACK read ID FAILED (buf->len=%d) ACK acknowledge ID %u (ack->len=%d) ACK acknowledge ID %u FAILED (ack->len=%d) ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s reliable.c ACK write ID %u (ack->len=%d, n=%d) ACK received for pid %u, deleting from send buffer ACK no free receive buffer available: %s ACK %u is a replay: %s ACK %u breaks sequentiality: %s ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d ACK output sequence broken: %s ACK reliable_can_send active=%d current=%d : %s ACK reliable_send ID %u (size=%d to=%d) ACK reliable_schedule_now ACK reliable_send_timeout %d %s ACK mark active incoming ID %u ACK mark active outgoing ID %u default vpn_gateway OpenVPN ROUTE: vpn_gateway undefined net_gateway OpenVPN ROUTE: net_gateway undefined -- unable to get default gateway from system remote_host OpenVPN ROUTE: remote_host undefined route_%s_%d route_%s %s del -net %s netmask %s /sbin/route ERROR: Linux route delete command failed OpenVPN ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d) OpenVPN ROUTE: cannot add more than %d routes -- please increase the max-routes option in the client configuration file OpenVPN ROUTE: cannot add more than %d IPv6 routes -- please increase the max-routes option in the client configuration file ROUTE6: default_gateway=UNDEF OpenVPN ROUTE: failed to parse/resolve default gateway: %s OpenVPN ROUTE6: (init) number of route options (%d) is greater than route list capacity (%d) OpenVPNROUTE6: cannot parse gateway spec '%s' OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options OpenVPN ROUTE: route metric for network %s (%s) must be >= 0 OpenVPN ROUTE: failed to parse/resolve route for host/network: %s nil [redirect_default_gateway local=%d] route %s/%s/%s/%s ROUTE_GATEWAY ON_LINK IFACE=%s HWADDR=%s ROUTE network %s netmask %s gateway %s metric %d network route_metric_%d route_ipv6_network_%d route_ipv6_gateway_%d %s add -net %s netmask %s ERROR: Linux route add command failed gw %s add_route_ipv6(): not adding %s/%d, no IPv6 on if %s add_route_ipv6(%s/%d -> %s metric %d) dev %s %s -A inet6 add %s/%d dev %s ERROR: Linux route -6/-A inet6 add command failed delete_route_ipv6(): not deleting %s/%d, no IPv6 on if %s delete_route_ipv6(%s/%d) %s -A inet6 del %s/%d dev %s ERROR: Linux route -6/-A inet6 del command failed %s VPN gateway parameter (--route-gateway or --ifconfig) is missing %s Cannot read current default gateway from system %s Cannot obtain current remote host address ROUTE remote_host is NOT LOCAL ROUTE remote_host is LOCAL ROUTE remote_host protocol differs from tunneled NOTE: unable to redirect default gateway -- /proc/net/route %15s %x %x %x %*s %*s %d %x GDG: socket() failed GDG: ioctl(SIOCGIFCONF) failed GDG: SIOCGIFHWADDR(%s) failed ROUTE: default_gateway=UNDEF ROUTE: bypass_host_route[%d]=%s OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options OpenVPN ROUTE: routes dropped because number of expanded routes is greater than route list capacity (%d) SCHEDULE: %s wakeup=[%s] pri=%u SCHEDULE: %s NULL schedule.c schedule_add_modify schedule_find_least Output Traffic Shaping initialized at %d bytes per second kW rW yW W W W W W hard soft process %s[%s,%s] received, %s exiting %s[%s,%s] received, %s restarting Unknown signal %d [%s,%s] received by %s Unknown signal received OpenVPN STATISTICS TUN/TAP read bytes,%llu TUN/TAP write bytes,%llu TCP/UDP read bytes,%llu TCP/UDP write bytes,%llu Auth read bytes,%llu sig.c exit-with-notification SIGTERM received, sending exit notification to peer SIGINT sigint sigterm sighup SIGUSR1 sigusr1 SIGUSR2 sigusr2 ( ( 0 < < < d d d d 2 d e e e e A e ; )e 6e ;e Bb c c c c c c c Ae STREAM: RESET STREAM: SET NEXT, buf=[%d,%d] next=[%d,%d] len=%d maxlen=%d socket.c NOTE: setsockopt TCP_NODELAY=%d failed Socket flags: TCP_NODELAY=%d succeeded NOTE: setsockopt SO_SNDBUF=%d failed NOTE: setsockopt SO_RCVBUF=%d failed Socket Buffers: R=[%d->%d] S=[%d->%d] :: RESOLVE: Cannot resolve host address: %s: %s RESOLVE: Cannot resolve host address: %s: %s (I would have retried this name query if you had specified the --resolv-retry option.) RESOLVE: Cannot parse IP address: %s GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d RESOLVE: Ignored SIGUSR1 signal received during DNS resolution attempt RESOLVE: signal received during DNS resolution attempt Cannot create TCP socket TCP: Cannot setsockopt SO_REUSEADDR on TCP socket TCP: getpeername() failed TCP: accept(%d) failed TCP: Received strange incoming connection with unknown address length=%d TCP/UDP: Closing socket TCP/UDP: Close Socket failed TCP/UDP: Close Socket (ctrl_sd) failed TCP/UDP: No outgoing address to send packet S%s S? STREAM: INIT maxlen=%d STREAM: ADD length_added=%d Non-OpenVPN client protocol detected WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d STREAM: ADD returned FALSE (have=%d need=%d) YES NO STREAM: RESIDUAL FULLY FORMED [%s], len=%d [undef] [AF_INET] [AF_INET6] Listening for incoming TCP connection on %s TCP: listen() failed %s: Socket bind failed on local address %s: %s Attempting to establish TCP connection with %s [nonblock] TCP: connect to %s failed, will try again in %d seconds: %s TCP Client TCP connection established with %s (via %s%%%s) (via [getnameinfo() err]%%%s) TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float) TCP: select() failed TCP NOTE: Rejected connection attempt from %s due to --remote setting TCP: close socket failed (new_sd) TCP: close socket failed (sd) %s_ip %s_port %s_ip6 Peer Connection Initiated with %s WARNING: ipchange plugin call failed --ipchange [unknown protocol] RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d TCP/UDP: Preserving recently used remote address: %s (bound) inetd(%s): using sa_family=%d from getsockname(%d) inetd(%s): getsockname(%d) failed, using AF_INET TCP/UDP: Dynamic remote address changed during TCP connection establishment %s link local: [inetd] %s link local%s: %s %s link remote: %s UDP: Cannot create UDP socket UDP: failed setsockopt for IP_PKTINFO UDP: Cannot create UDP6 socket UDP: failed setsockopt for IPV6_RECVPKTINFO NOTE: setsockopt SO_MARK=%d failed getaddr6() failed for local "%s": %s AF_UNSPEC ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d. STREAM: GET NEXT len=%d STREAM: GET FINAL len=%d STREAM: WRITE %d offset=%d Cannot create unix domain socket %s: Socket bind[%d] failed on unix domain socket %s: %s proto-uninitialized proto-NONE UDPv4 TCPv4_SERVER TCPv4_CLIENT tcp TCPv4 udp6 UDPv6 TCPv6_SERVER TCPv6_CLIENT tcp6 TCPv6 AF_INET6 recv_socks_reply: TCP port read timeout expired recv_socks_reply: TCP port read failed on select() recv_socks_reply: TCP port read failed on recv() recv_socks_reply: Socks proxy returned bad address type recv_socks_reply: Socks proxy returned bad reply socks_handshake: TCP port write failed on send() socks_handshake: TCP port read timeout expired socks_handshake: TCP port read failed on select() socks_handshake: TCP port read failed on recv() socks_handshake: Socks proxy returned bad status socks_handshake: server asked for username/login auth but we were not provided any credentials SOCKS Proxy SOCKS username and/or password exceeds 255 characters. Authentication not possible. %c%s%c%s socks_username_password_auth: TCP port write failed on send() socks_username_password_auth: TCP port read timeout expired socks_username_password_auth: TCP port read failed on select() socks_username_password_auth: TCP port read failed on recv() socks_username_password_auth: server refused the authentication socks_handshake: unknown SOCKS auth method socks.c establish_socks_proxy_passthru: TCP port write failed on send() q s av r q * 3 = \ { ] j     % B g [ , 4 N r 4 X k ) R j ' K N o D | " H N q 2 O v 4 M t 8 S | " G ^ ~ 9 S { ? Y % O n 8 Y m & L a B W z ! L f / J o 8 ] t ' Q j - P e O & K c " + @ ^ q e / H n ' ? d | S_??? P_??? [key#%d state=%s id=%d sid=%s] %s pre_master: %s %s random1: %s %s random2: %s TLS Error: cannot locate HMAC in incoming packet from %s TLS Error: incoming packet authentication failed from %s ERROR: Random number generator cannot obtain entropy for key generation [SSL] SSL TLS: tls_session_init: entry TLS_AUTH TLS: tls_session_init: new session object, sid=%s TM_??? TLS: move_session: dest=%s src=%s reinit_src=%d TLS: move_session: exit Private Key tls1_P_hash sec: %s tls1_P_hash seed: %s tls1_P_hash out: %s tls1_PRF out[%d]: %s Server OpenVPN master secret OpenVPN key expansion Master Encrypt Master Decrypt Data Channel Encrypt Data Channel Decrypt TLS Error: Bad dynamic key generated TLS: soft reset sec=%d bytes=%llu/%d pkts=%llu/%d TLS: tls_process: killed expiring key TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d TLS: Initial Handshake, sid=%s TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity) STATE S_NORMAL_OP STATE S_START STATE S_ACTIVE Control Channel: Reliable -> TCP/UDP TLS Error: Incoming Ciphertext -> TLS object write error Incoming Ciphertext -> TLS TLS Error: TLS object -> incoming plaintext read error TLS -> Incoming Plaintext TLS Error: Bad encrypting key generated TLS Error: write_key failed TLS Error: KM1 write options failed IV_VER=%s IV_PLAT=linux IV_HWADDR=%s UV_ TLS Error: server generate_key_expansion failed TLS Error: Key Method #2 write failed STATE S_SENT_KEY TLS Error: Certificate verification failed (key-method 1) TLS Error: Error reading data channel key from plaintext buffer TLS Error: Bad decrypting key received from peer TLS Error: Missing options string TLS ERROR: Unknown key_method/flags=%d received from remote host TLS Error: Error reading remote data channel key source entropy from plaintext buffer TLS Error: Failed to read required OCC options string TLS Error: Auth Username/Password was not provided by peer TLS Error: Certificate verification failed (key-method 2) Option inconsistency warnings triggering disconnect due to --opt-verify TLS Error: client generate_key_expansion failed STATE S_GOT_KEY TLS ERROR: Outgoing Plaintext -> TLS object write error Outgoing Plaintext -> TLS TLS Error: Ciphertext -> reliable TCP/UDP transport read error Outgoing Ciphertext -> Reliable Dedicated ACK -> TCP/UDP TLS: tls_process: timeout set to %d TLS Error: TLS handshake failed [OpenVPN, connection fail]IP address:%s semi- TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s TLS: tls_multi_process: killed expiring key TLS: tls_multi_process: untrusted session promoted to %strusted TLS: tls_pre_decrypt, key_id=%d, IP=%s TLS Error: local/remote TLS keys are out of sync: %s [%d] TLS Error: unknown opcode received from %s op=%d TLS Error: client->client or server->server connection attempted from %s TLS: control channel, op=%s, IP=%s TLS Error: session-id not found in packet from %s TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s TLS ERROR: received control packet with stale session-id=%s TLS: found match, session[%d], sid=%s TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1] TLS: Initial packet from %s, sid=%s TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2] TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s TLS: new session incoming connection from %s TLS Error: Unroutable control packet received from %s (si=%d op=%s) TLS Error: Received control packet from unexpected IP addr: %s TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s TLS: received control channel packet s#=%d sid=%s TLS Error: Existing session control channel packet from unknown IP address: %s TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s TLS Error: reading acknowledgement record from packet TLS State Error: No TLS state for client %s, opcode=%d TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected TLS: tls_pre_encrypt: key_id=%d TLS Warning: no data channel send key available: %s DATA UNDEF len=%d %s kid=%d tls_hmac=%s pid=%s pid=%u DATA %s DATA len=%d ADH-SEED-SHA TLS-DH-anon-WITH-SEED-CBC-SHA TLS-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-AES-256-GCM-SHA384 TLS-RSA-WITH-AES-256-CBC-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA TLS-RSA-WITH-DES-CBC-SHA DH-DSS-SEED-SHA TLS-DH-DSS-WITH-SEED-CBC-SHA DHE-DSS-AES128-GCM-SHA256 TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 DHE-DSS-AES128-SHA256 TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 DHE-DSS-AES128-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA DHE-DSS-AES256-GCM-SHA384 TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 DHE-DSS-AES256-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 DHE-DSS-AES256-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA DHE-DSS-CAMELLIA128-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 DHE-DSS-CAMELLIA128-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA DHE-DSS-CAMELLIA256-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 DHE-DSS-CAMELLIA256-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA DHE-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA DHE-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA DHE-DSS-SEED-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA DHE-RSA-SEED-SHA TLS-DHE-RSA-WITH-SEED-CBC-SHA DH-RSA-SEED-SHA TLS-DH-RSA-WITH-SEED-CBC-SHA ECDH-ECDSA-AES128-GCM-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 ECDH-ECDSA-AES128-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 ECDH-ECDSA-AES128-SHA TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA ECDH-ECDSA-AES256-GCM-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 ECDH-ECDSA-AES256-SHA256 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256 ECDH-ECDSA-AES256-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 ECDH-ECDSA-AES256-SHA TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA ECDH-ECDSA-CAMELLIA128-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 ECDH-ECDSA-CAMELLIA128-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA ECDH-ECDSA-CAMELLIA256-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256 ECDH-ECDSA-CAMELLIA256-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA ECDH-ECDSA-DES-CBC3-SHA TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA ECDH-ECDSA-DES-CBC-SHA TLS-ECDH-ECDSA-WITH-DES-CBC-SHA ECDH-ECDSA-RC4-SHA TLS-ECDH-ECDSA-WITH-RC4-128-SHA ECDHE-ECDSA-AES128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ECDHE-ECDSA-AES128-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384 ECDHE-ECDSA-AES128-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA ECDHE-ECDSA-AES256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256 ECDHE-ECDSA-AES256-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 ECDHE-ECDSA-AES256-SHA TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA ECDHE-ECDSA-CAMELLIA128-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA ECDHE-ECDSA-CAMELLIA256-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA ECDHE-ECDSA-DES-CBC3-SHA TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA ECDHE-ECDSA-DES-CBC-SHA TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA ECDHE-ECDSA-RC4-SHA TLS-ECDHE-ECDSA-WITH-RC4-128-SHA ECDHE-RSA-AES128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 ECDHE-RSA-AES128-SHA384 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384 ECDHE-RSA-AES128-SHA TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA ECDHE-RSA-AES256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 ECDHE-RSA-AES256-SHA256 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256 ECDHE-RSA-AES256-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 ECDHE-RSA-AES256-SHA TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA ECDHE-RSA-CAMELLIA128-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 ECDHE-RSA-CAMELLIA128-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA ECDHE-RSA-CAMELLIA256-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 ECDHE-RSA-CAMELLIA256-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA ECDHE-RSA-DES-CBC3-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA ECDHE-RSA-DES-CBC-SHA TLS-ECDHE-RSA-WITH-DES-CBC-SHA ECDHE-RSA-RC4-SHA TLS-ECDHE-RSA-WITH-RC4-128-SHA ECDH-RSA-AES128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256 ECDH-RSA-AES128-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256 ECDH-RSA-AES128-SHA384 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384 ECDH-RSA-AES128-SHA TLS-ECDH-RSA-WITH-AES-128-CBC-SHA ECDH-RSA-AES256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 ECDH-RSA-AES256-SHA256 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256 ECDH-RSA-AES256-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384 ECDH-RSA-AES256-SHA TLS-ECDH-RSA-WITH-AES-256-CBC-SHA ECDH-RSA-CAMELLIA128-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256 ECDH-RSA-CAMELLIA128-SHA TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA ECDH-RSA-CAMELLIA256-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256 ECDH-RSA-CAMELLIA256-SHA TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA ECDH-RSA-DES-CBC3-SHA TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA ECDH-RSA-DES-CBC-SHA TLS-ECDH-RSA-WITH-DES-CBC-SHA ECDH-RSA-RC4-SHA TLS-ECDH-RSA-WITH-RC4-128-SHA EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EXP-DES-CBC-SHA TLS-RSA-EXPORT-WITH-DES40-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA EXP-RC2-CBC-MD5 TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5 EXP-RC4-MD5 TLS-RSA-EXPORT-WITH-RC4-40-MD5 TLS-RSA-WITH-NULL-MD5 TLS-RSA-WITH-NULL-SHA256 TLS-RSA-WITH-NULL-SHA PSK-3DES-EDE-CBC-SHA TLS-PSK-WITH-3DES-EDE-CBC-SHA PSK-AES128-CBC-SHA TLS-PSK-WITH-AES-128-CBC-SHA PSK-AES256-CBC-SHA TLS-PSK-WITH-AES-256-CBC-SHA PSK-RC4-SHA TLS-PSK-WITH-RC4-128-SHA TLS-RSA-WITH-RC4-128-MD5 TLS-RSA-WITH-RC4-128-SHA TLS-RSA-WITH-SEED-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA SRP-DSS-AES-128-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA SRP-DSS-AES-256-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA SRP-RSA-AES-128-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA SRP-RSA-AES-256-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA S_ERROR S_UNDEF S_INITIAL S_PRE_START P_CONTROL_HARD_RESET_CLIENT_V1 P_CONTROL_HARD_RESET_SERVER_V1 P_CONTROL_SOFT_RESET_V1 P_CONTROL_V1 P_ACK_V1 P_DATA_V1 P_CONTROL_HARD_RESET_CLIENT_V2 P_CONTROL_HARD_RESET_SERVER_V2 TM_ACTIVE TM_UNTRUSTED TM_LAME_DUCK ssl_openssl.c TLS_ERROR: BIO read %s error BIO read %s %d bytes TLS ERROR: BIO write %s error TLS ERROR: BIO write %s incomplete %d/%d BIO write %s %d bytes Error creating %s BIO Error reading extra certificate Error adding extra certificate accept SSL state (%s): %s SSL alert (%s): %s: %s Generating temp (%d bit) RSA key struct session * SSL_CTX_new TLSv1_server_method SSL_CTX_new TLSv1_client_method WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate No valid translation found for TLS cipher '%.*s' Deprecated TLS cipher name '%s', please use IANA name '%s' Failed to set restricted TLS cipher list, too long (>%zu). Failed to set restricted TLS cipher list: %s Cannot open memory BIO for inline DH parameters Cannot open %s for DH parameters Cannot load DH parameters from %s SSL_CTX_set_tmp_dh Diffie-Hellman initialized with %d bit key Error reading inline PKCS#12 file Error opening file %s Error reading PKCS#12 file %s Cannot use certificate Cannot use private key Private key does not match the certificate Cannot add certificate to certificate chain (X509_STORE_add_cert) Cannot add certificate to client CA list (SSL_CTX_add_client_CA) Cannot load inline certificate file Cannot load certificate file %s Cannot load private key file %s OpenVPN external private key RSA Method Cannot enable SSL external private key capability Cannot get certificate store (SSL_CTX_get_cert_store) Cannot load CA certificate file %s WARNING: experimental option --capath %s Cannot add lookup at --capath %s Cannot load extra-certs file: %s SSL_new failed ssl_bio ct_in ct_out tls_write_plaintext tls_write_plaintext_const tls_read_ciphertext tls_write_ciphertext tls_read_plaintext %s %s, cipher %s %s , %d bit RSA , %d bit DSA Cannot create SSL_CTX object Cannot create SSL object Available TLS Ciphers, listed in order of preference: %s (No IANA name known to OpenVPN, use OpenSSL name.) d e untrusted ssl_verify.c VERIFY ERROR: depth=%d, could not extract X509 subject string from certificate VERIFY ERROR: could not extract %s from X509 subject string ('%s') -- note that the username length is limited to %d characters TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d TLS Error: level-1 certificate hash verification failed tls_id_%d tls_digest_%d tls_serial_%d VERIFY OK: nsCertType=%s VERIFY nsCertType ERROR: %s, require nsCertType=%s VERIFY KU OK VERIFY KU ERROR VERIFY EKU OK VERIFY EKU ERROR VERIFY X509NAME OK: %s VERIFY X509NAME ERROR: %s, must be %s VERIFY PLUGIN OK: depth=%d, %s VERIFY PLUGIN ERROR: depth=%d, %s pcf w+ Failed to open temporary file : %s Error writing PEM file containing certificate peer_cert %sc %d %s TLS: executing verify command VERIFY SCRIPT OK: depth=%d, %s VERIFY SCRIPT ERROR: depth=%d, %s VERIFY CRL: filename overflow VERIFY CRL: certificate serial number %s is revoked VERIFY OK: depth=%d, %s deferred [CN SET] TLS Auth Error (verify_user_pass_management): peer provided a blank username acf auth_control_file TLS Auth Error (verify_user_pass_plugin): peer provided a blank username TLS Auth Error: could not write username/password to file: %s TLS Auth Error: could not create write username/password to temp file --auth-user-pass-verify TLS Auth Error: peer provided a blank username TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled TLS: Username/Password authentication %s for username '%s' %s TLS Auth Error: Auth Username/Password verification failed for peer TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s' X509 ATTRIBUTE name='%s' value='%s' depth=%d X509_%d_%s ssl_verify_openssl.c VERIFY ERROR: depth=%d, error=%s: %s x509_track: no such attribute '%s' Certificate does not have key usage extension Validating certificate key usage ++ Certificate has key usage %04x, expects %04x Certificate does not have extended key usage extension Validating certificate extended key usage ++ Certificate has EKU (str) %s, expects %s ++ Certificate has EKU (oid) %s, expects %s Failed to write peer certificate in PEM format CRL: cannot read: %s CRL: cannot read CRL from file %s CRL: CRL %s is from a different issuer than the issuer of certificate %s CRL CHECK FAILED: %s is REVOKED CRL CHECK OK: %s 5O 5 0 status.c Note: cannot open %s for %s Failed to truncate status file: %s READ/WRITE (silence this warning with --ifconfig-nowarn) @ WARNING: --%s address [%s] conflicts with --ifconfig address pair [%s, %s]. %s WARNING: potential conflict between --%s address [%s] and --ifconfig address pair [%s, %s] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. %s WARNING: --%s address [%s] conflicts with --ifconfig subnet [%s, %s] -- local and remote addresses cannot be inside of the --ifconfig subnet. %s tun.c [unknown-dev-type] NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. T%s T? Error: problem with tun vs. tap setting WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s ifconfig_local ifconfig_remote ifconfig_netmask ifconfig_broadcast init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary ifconfig_ipv6_local ifconfig_ipv6_netbits ifconfig_ipv6_remote do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d %s %s %s pointopoint %s mtu %d %s %s %s netmask %s mtu %d broadcast %s Linux ifconfig failed %s %s add %s/%d Linux ifconfig inet6 failed /dev/net/tun ERROR: Cannot open TUN/TAP dev %s I don't recognize device %s as a tun or tap device ERROR: Cannot ioctl TUNSETIFF %s TUN/TAP device %s opened TUN/TAP TX queue length set to %d Note: Cannot set tx queue length on %s Note: Cannot open control socket on %s %s %s 0.0.0.0 Linux ip addr del failed Cannot ioctl TUNSETPERSIST(%d) %s Cannot get user entry for %s Cannot ioctl TUNSETOWNER(%s) %s Cannot get group entry for %s Persist state set to: %s
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ T$ 4# PUSH_REPLY
GCC: (GNU) 3.3.2 20031005 (Debian prerelease) GCC: (Buildroot 2012.02) 4.5.3
.shstrtab .interp .hash .dynsym .dynstr .rel.dyn .rel.plt .init .text .fini .rodata .eh_frame .init_array .fini_array .jcr .dynamic .got .data .bss .comment .ARM.attributes