1openvpn(8)                  System Manager's Manual                 openvpn(8)
2
3
4

NAME

6       openvpn - secure IP tunnel daemon.
7

SYNOPSIS

9       openvpn [ options ... ]
10

INTRODUCTION

12       OpenVPN  is  an open source VPN daemon by James Yonan.  Because OpenVPN
13       tries to be a universal VPN tool offering a great deal of  flexibility,
14       there are a lot of options on this manual page.  If you're new to Open‐
15       VPN, you might want to skip ahead to the  examples  section  where  you
16       will  see how to construct simple VPNs on the command line without even
17       needing a configuration file.
18
19       Also note that there's more documentation and examples on  the  OpenVPN
20       web site: http://openvpn.net/
21
22       And  if you would like to see a shorter version of this manual, see the
23       openvpn usage message which can be obtained by running openvpn  without
24       any parameters.
25

DESCRIPTION

27       OpenVPN  is  a robust and highly flexible VPN daemon.  OpenVPN supports
28       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
29       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
30       scalability to hundreds or thousands of users, and portability to  most
31       major OS platforms.
32
33       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
34       its crypto capabilities from it.
35
36       OpenVPN supports conventional encryption using a pre-shared secret  key
37       (Static  Key mode) or public key security (SSL/TLS mode) using client &
38       server certificates.  OpenVPN also supports non-encrypted TCP/UDP  tun‐
39       nels.
40
41       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
42       face that exists on most platforms.
43
44       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
45       with a relatively lightweight footprint.
46

OPTIONS

48       OpenVPN allows any option to be placed either on the command line or in
49       a configuration file.  Though all command line options are preceded  by
50       a double-leading-dash ("--"), this prefix can be removed when an option
51       is placed in a configuration file.
52
53       --help Show options.
54
55       --config file
56              Load additional config options from file where each line  corre‐
57              sponds  to  one  command  line option, but with the leading '--'
58              removed.
59
60              If --config file is the only option to the openvpn command,  the
61              --config can be removed, and the command can be given as openvpn
62              file
63
64              Note that configuration files can  be  nested  to  a  reasonable
65              depth.
66
67              Double  quotation or single quotation characters ("", '') can be
68              used to enclose single parameters containing whitespace, and "#"
69              or ";" characters in the first column can be used to denote com‐
70              ments.
71
72              Note that OpenVPN 2.0 and higher performs backslash-based  shell
73              escaping for characters not in single quotations, so the follow‐
74              ing mappings should be observed:
75
76                  \\       Maps to a single backslash character (\).
77                  \"       Pass a literal doublequote character ("), don't
78                           interpret it as enclosing a parameter.
79                  \[SPACE] Pass a literal space or tab character, don't
80                           interpret it as a parameter delimiter.
81
82              For example on Windows,  use  double  backslashes  to  represent
83              pathnames:
84
85                  secret "c:\\OpenVPN\\secret.key"
86
87              For   examples   of   configuration   files,   see  http://open
88              vpn.net/examples.html
89
90              Here is an example configuration file:
91
92                  #
93                  # Sample OpenVPN configuration file for
94                  # using a pre-shared static key.
95                  #
96                  # '#' or ';' may be used to delimit comments.
97
98                  # Use a dynamic tun device.
99                  dev tun
100
101                  # Our remote peer
102                  remote mypeer.mydomain
103
104                  # 10.1.0.1 is our local VPN endpoint
105                  # 10.1.0.2 is our remote VPN endpoint
106                  ifconfig 10.1.0.1 10.1.0.2
107
108                  # Our pre-shared static key
109                  secret static.key
110
111   Tunnel Options:
112       --mode m
113              Set  OpenVPN  major  mode.   By   default,   OpenVPN   runs   in
114              point-to-point  mode ("p2p").  OpenVPN 2.0 introduces a new mode
115              ("server") which implements a multi-client server capability.
116
117       --local host
118              Local host name or IP address for bind.  If  specified,  OpenVPN
119              will  bind  to  this address only.  If unspecified, OpenVPN will
120              bind to all interfaces.
121
122       --remote host [port] [proto]
123              Remote host  name  or  IP  address.   On  the  client,  multiple
124              --remote options may be specified for redundancy, each referring
125              to a different OpenVPN  server.   Specifying  multiple  --remote
126              options  for  this purpose is a special case of the more general
127              connection-profile feature.  See the <connection>  documentation
128              below.
129
130              The  OpenVPN client will try to connect to a server at host:port
131              in the order specified by the list of --remote options.
132
133              proto indicates the protocol to use  when  connecting  with  the
134              remote, and may be "tcp" or "udp".
135
136              For  forcing  IPv4 or IPv6 connection suffix tcp or udp with 4/6
137              like udp4/udp6/tcp4/tcp6.
138
139              The client will move on to the next host in  the  list,  in  the
140              event  of  connection failure.  Note that at any given time, the
141              OpenVPN client will at most be connected to one server.
142
143              Note that since UDP is  connectionless,  connection  failure  is
144              defined by the --ping and --ping-restart options.
145
146              Note  the  following  corner case:  If you use multiple --remote
147              options, AND you are dropping root privileges on the client with
148              --user  and/or  --group, AND the client is running a non-Windows
149              OS, if the client needs to switch to  a  different  server,  and
150              that server pushes back different TUN/TAP or route settings, the
151              client may lack the necessary privileges to close and reopen the
152              TUN/TAP  interface.   This could cause the client to exit with a
153              fatal error.
154
155              If --remote is unspecified, OpenVPN will listen for packets from
156              any  IP  address,  but will not act on those packets unless they
157              pass all authentication tests.  This requirement for authentica‐
158              tion  is  binding  on all potential peers, even those from known
159              and supposedly trusted IP addresses (it is very easy to forge  a
160              source IP address on a UDP packet).
161
162              When  used in TCP mode, --remote will act as a filter, rejecting
163              connections from any host which does not match host.
164
165              If host is a DNS name which resolves to multiple  IP  addresses,
166              OpenVPN will try them in the order that the system getaddrinfo()
167              presents them, so priorization and DNS randomization is done  by
168              the  system library.  Unless an IP version is forced by the pro‐
169              tocol specification (4/6 suffix), OpenVPN will try both IPv4 and
170              IPv6 addresses, in the order getaddrinfo() returns them.
171
172       --remote-random-hostname
173              Prepend a random string (6 bytes, 12 hex characters) to hostname
174              to prevent DNS caching.  For  example,  "foo.bar.gov"  would  be
175              modified to "<random-chars>.foo.bar.gov".
176
177       <connection>
178              Define  a client connection profile.  Client connection profiles
179              are groups of OpenVPN options that describe how to connect to  a
180              given  OpenVPN server.  Client connection profiles are specified
181              within an OpenVPN configuration file, and each profile is brack‐
182              eted by <connection> and </connection>.
183
184              An  OpenVPN client will try each connection profile sequentially
185              until it achieves a successful connection.
186
187              --remote-random can be used to initially "scramble" the  connec‐
188              tion list.
189
190              Here is an example of connection profile usage:
191
192                  client
193                  dev tun
194
195                  <connection>
196                  remote 198.19.34.56 1194 udp
197                  </connection>
198
199                  <connection>
200                  remote 198.19.34.56 443 tcp
201                  </connection>
202
203                  <connection>
204                  remote 198.19.34.56 443 tcp
205                  http-proxy 192.168.0.8 8080
206                  </connection>
207
208                  <connection>
209                  remote 198.19.36.99 443 tcp
210                  http-proxy 192.168.0.8 8080
211                  </connection>
212
213                  persist-key
214                  persist-tun
215                  pkcs12 client.p12
216                  remote-cert-tls server
217                  verb 3
218
219              First  we  try to connect to a server at 198.19.34.56:1194 using
220              UDP.  If that fails, we then try to connect to  198.19.34.56:443
221              using  TCP.   If that also fails, then try connecting through an
222              HTTP proxy at 192.168.0.8:8080 to  198.19.34.56:443  using  TCP.
223              Finally,  try  to  connect through the same proxy to a server at
224              198.19.36.99:443 using TCP.
225
226              The following OpenVPN options may be used inside of  a  <connec‐
227              tion> block:
228
229              bind,    connect-retry,    connect-retry-max,   connect-timeout,
230              explicit-exit-notify,     float,      fragment,      http-proxy,
231              http-proxy-option,  link-mtu,  local,  lport,  mssfix, mtu-disc,
232              nobind, port, proto, remote,  rport,  socks-proxy,  tun-mtu  and
233              tun-mtu-extra.
234
235              A defaulting mechanism exists for specifying options to apply to
236              all <connection> profiles.  If any of the  above  options  (with
237              the  exception  of  remote  )  appear  outside of a <connection>
238              block, but in a configuration file which has one or  more  <con‐
239              nection>  blocks,  the  option setting will be used as a default
240              for <connection> blocks which follow  it  in  the  configuration
241              file.
242
243              For example, suppose the nobind option were placed in the sample
244              configuration file above, near the top of the file,  before  the
245              first <connection> block.  The effect would be as if nobind were
246              declared in all <connection> blocks below it.
247
248       --proto-force p
249              When iterating through connection profiles, only  consider  pro‐
250              files using protocol p ('tcp'|'udp').
251
252       --remote-random
253              When  multiple  --remote address/ports are specified, or if con‐
254              nection profiles are being used, initially randomize  the  order
255              of the list as a kind of basic load-balancing measure.
256
257       --proto p
258              Use  protocol  p  for  communicating with remote host.  p can be
259              udp, tcp-client, or tcp-server.
260
261              The default protocol is udp when --proto is not specified.
262
263              For UDP operation, --proto  udp  should  be  specified  on  both
264              peers.
265
266              For  TCP operation, one peer must use --proto tcp-server and the
267              other  must  use  --proto  tcp-client.   A  peer  started   with
268              tcp-server will wait indefinitely for an incoming connection.  A
269              peer started with tcp-client will attempt  to  connect,  and  if
270              that  fails, will sleep for 5 seconds (adjustable via the --con‐
271              nect-retry option) and try again infinite or  up  to  N  retries
272              (adjustable  via  the  --connect-retry-max  option).   Both  TCP
273              client and server will simulate  a  SIGUSR1  restart  signal  if
274              either side resets the connection.
275
276              OpenVPN is designed to operate optimally over UDP, but TCP capa‐
277              bility is provided for situations where UDP cannot be used.   In
278              comparison with UDP, TCP will usually be somewhat less efficient
279              and less robust when used over unreliable or congested networks.
280
281              This article outlines some of problems with  tunneling  IP  over
282              TCP:
283
284              http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
285
286              There  are certain cases, however, where using TCP may be advan‐
287              tageous from a security and robustness perspective, such as tun‐
288              neling  non-IP  or application-level UDP protocols, or tunneling
289              protocols which don't possess a built-in reliability layer.
290
291       --connect-retry n [max]
292              Wait  n  seconds   between  connection   attempts   (default=5).
293              Repeated  reconnection  attempts are slowed down after 5 retries
294              per remote by doubling the wait  time  after  each  unsuccessful
295              attempt.  The  optional argument max specifies the maximum value
296              of wait time in seconds at which it gets capped (default=300).
297
298       --connect-retry-max n
299              n specifies the number of times each  --remote  or  <connection>
300              entry is tried. Specifying n as one would try each entry exactly
301              once.   A   successful   connection    resets    the    counter.
302              (default=unlimited).
303
304       --show-proxy-settings
305              Show  sensed  HTTP or SOCKS proxy settings. Currently, only Win‐
306              dows clients support this option.
307
308       --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
309              Connect to remote host through an HTTP proxy at  address  server
310              and port port.  If HTTP Proxy-Authenticate is required, authfile
311              is a file containing a username and  password  on  2  lines,  or
312              "stdin"  to  prompt from console. Its content can also be speci‐
313              fied in the config file with the --http-proxy-user-pass  option.
314              (See section on inline files)
315
316              auth-method should be one of "none", "basic", or "ntlm".
317
318              HTTP  Digest  authentication  is supported as well, but only via
319              the auto or auto-nct flags (below).
320
321              The auto flag causes  OpenVPN  to  automatically  determine  the
322              auth-method  and  query  stdin  or  the management interface for
323              username/password credentials, if required.  This flag exists on
324              OpenVPN 2.1 or higher.
325
326              The  auto-nct  flag  (no  clear-text  auth) instructs OpenVPN to
327              automatically determine the authentication method, but to reject
328              weak authentication protocols such as HTTP Basic Authentication.
329
330       --http-proxy-option type [parm]
331              Set  extended  HTTP  proxy  options.   Repeat  to  set  multiple
332              options.
333
334              VERSION  version  --  Set  HTTP  version   number   to   version
335              (default=1.0).
336
337              AGENT user-agent -- Set HTTP "User-Agent" string to user-agent.
338
339              CUSTOM-HEADER  name  content -- Adds the custom Header with name
340              as name and content as the content of the custom HTTP header.
341
342       --socks-proxy server [port] [authfile]
343              Connect to remote host through a Socks5 proxy at address  server
344              and  port  port  (default=1080).   authfile (optional) is a file
345              containing a username and password on 2  lines,  or  "stdin"  to
346              prompt from console.
347
348       --resolv-retry n
349              If hostname resolve fails for --remote, retry resolve for n sec‐
350              onds before failing.
351
352              Set n to "infinite" to retry indefinitely.
353
354              By default, --resolv-retry infinite is enabled.  You can disable
355              by setting n=0.
356
357       --float
358              Allow  remote  peer to change its IP address and/or port number,
359              such as due to DHCP (this is the  default  if  --remote  is  not
360              used).   --float  when specified with --remote allows an OpenVPN
361              session to initially connect to a peer at a known address,  how‐
362              ever if packets arrive from a new address and pass all authenti‐
363              cation tests, the new address will take control of the  session.
364              This  is  useful when you are connecting to a peer which holds a
365              dynamic address such as a dial-in user or DHCP client.
366
367              Essentially, --float tells OpenVPN to accept authenticated pack‐
368              ets  from  any address, not only the address which was specified
369              in the --remote option.
370
371       --ipchange cmd
372              Run command cmd when our remote ip-address is initially  authen‐
373              ticated or changes.
374
375              cmd  consists  of  a  path  to  script  (or executable program),
376              optionally followed by arguments. The path and arguments may  be
377              single-  or  double-quoted and/or escaped using a backslash, and
378              should be separated by one or more spaces.
379
380              When cmd is executed two arguments are appended after any  argu‐
381              ments specified in cmd , as follows:
382
383              cmd ip_address port_number
384
385              Don't use --ipchange in --mode server mode.  Use a --client-con‐
386              nect script instead.
387
388              See the "Environmental Variables" section below  for  additional
389              parameters passed as environmental variables.
390
391              If you are running in a dynamic IP address environment where the
392              IP addresses of either peer could change without notice, you can
393              use  this  script, for example, to edit the /etc/hosts file with
394              the current address of the peer.  The script will be  run  every
395              time the remote peer changes its IP address.
396
397              Similarly  if our IP address changes due to DHCP, we should con‐
398              figure our IP address change script (see man page for  dhcpcd(8)
399              )  to  deliver  a  SIGHUP or SIGUSR1 signal to OpenVPN.  OpenVPN
400              will then  reestablish  a  connection  with  its  most  recently
401              authenticated peer on its new IP address.
402
403       --port port
404              TCP/UDP port number or port name for both local and remote (sets
405              both --lport and --rport options to given  port).   The  current
406              default of 1194 represents the official IANA port number assign‐
407              ment for OpenVPN and has been  used  since  version  2.0-beta17.
408              Previous versions used port 5000 as the default.
409
410       --lport port
411              Set  local TCP/UDP port number or name.  Cannot be used together
412              with --nobind option.
413
414       --rport port
415              Set TCP/UDP port number or name used by the --remote option. The
416              port can also be set directly using the --remote option.
417
418       --bind [ipv6only]
419              Bind  to  local address and port. This is the default unless any
420              of --proto tcp-client , --http-proxy or --socks-proxy are used.
421
422              If the ipv6only keyword is present OpenVPN  will  bind  only  to
423              IPv6 (as oposed to IPv6 and IPv4) when a IPv6 socket is opened.
424
425
426       --nobind
427              Do  not bind to local address and port.  The IP stack will allo‐
428              cate a dynamic port for returning packets.  Since the  value  of
429              the  dynamic  port could not be known in advance by a peer, this
430              option is only suitable for peers which will be initiating  con‐
431              nections by using the --remote option.
432
433       --dev tunX | tapX | null
434              TUN/TAP  virtual network device ( X can be omitted for a dynamic
435              device.)
436
437              See examples section below for an example on setting  up  a  TUN
438              device.
439
440              You  must  use either tun devices on both ends of the connection
441              or tap devices on both ends.  You cannot mix them, as they  rep‐
442              resent different underlying network layers.
443
444              tun  devices  encapsulate  IPv4  or IPv6 (OSI Layer 3) while tap
445              devices encapsulate Ethernet 802.3 (OSI Layer 2).
446
447       --dev-type device-type
448              Which device type are we using?  device-type should be tun  (OSI
449              Layer  3)  or  tap  (OSI  Layer 2).  Use this option only if the
450              TUN/TAP device used with --dev does not begin with tun or tap.
451
452       --topology mode
453              Configure virtual addressing topology when running in --dev  tun
454              mode.   This  directive  has no meaning in --dev tap mode, which
455              always uses a subnet topology.
456
457              If you set this  directive  on  the  server,  the  --server  and
458              --server-bridge  directives  will automatically push your chosen
459              topology setting to clients as well.  This directive can also be
460              manually  pushed  to  clients.   Like  the --dev directive, this
461              directive must always be compatible between client and server.
462
463              mode can be one of:
464
465              net30 -- Use a point-to-point topology, by  allocating  one  /30
466              subnet  per  client.   This  is designed to allow point-to-point
467              semantics when some or all of the connecting  clients  might  be
468              Windows systems.  This is the default on OpenVPN 2.0.
469
470              p2p  --  Use a point-to-point topology where the remote endpoint
471              of the client's tun interface always points to  the  local  end‐
472              point of the server's tun interface.  This mode allocates a sin‐
473              gle IP address per connecting client.  Only use when none of the
474              connecting  clients are Windows systems.  This mode is function‐
475              ally equivalent to the --ifconfig-pool-linear directive which is
476              available  in  OpenVPN 2.0, is deprecated and will be removed in
477              OpenVPN 2.5
478
479              subnet -- Use a subnet rather than a point-to-point topology  by
480              configuring the tun interface with a local IP address and subnet
481              mask, similar to the topology used in  --dev  tap  and  ethernet
482              bridging mode.  This mode allocates a single IP address per con‐
483              necting client and works on Windows  as  well.   Only  available
484              when  server  and  clients are OpenVPN 2.1 or higher, or OpenVPN
485              2.0.x which has been manually patched with the --topology direc‐
486              tive code.  When used on Windows, requires version 8.2 or higher
487              of the TAP-Win32 driver.  When used on *nix, requires  that  the
488              tun  driver  supports an ifconfig(8) command which sets a subnet
489              instead of a remote endpoint IP address.
490
491              This option exists in OpenVPN 2.1 or higher.
492
493              Note: Using --topology subnet changes the interpretation of  the
494              arguments  of  --ifconfig  to  mean "address netmask", no longer
495              "local remote".
496
497       --dev-node node
498              Explicitly set the device node rather than  using  /dev/net/tun,
499              /dev/tun,  /dev/tap,  etc.  If OpenVPN cannot figure out whether
500              node is a TUN or TAP device based on the name, you  should  also
501              specify --dev-type tun or --dev-type tap.
502
503              Under  Mac  OS  X this option can be used to specify the default
504              tun implementation. Using --dev-node utun forces  usage  of  the
505              native Darwin tun kernel support. Use --dev-node utunN to select
506              a  specific  utun  instance.  To  force   using   the   tun.kext
507              (/dev/tunX)   use   --dev-node   tun.   When  not  specifying  a
508              --dev-node option openvpn will first try to open utun, and  fall
509              back to tun.kext.
510
511              On  Windows systems, select the TAP-Win32 adapter which is named
512              node in the Network Connections Control Panel or the raw GUID of
513              the  adapter  enclosed  by  braces.   The --show-adapters option
514              under Windows can  also  be  used  to  enumerate  all  available
515              TAP-Win32  adapters  and  will show both the network connections
516              control panel name and the GUID for each TAP-Win32 adapter.
517
518       --lladdr address
519              Specify the link layer address, more commonly known as  the  MAC
520              address.  Only applied to TAP devices.
521
522       --iproute cmd
523              Set  alternate  command  to  execute instead of default iproute2
524              command.  May be used in order to execute  OpenVPN  in  unprivi‐
525              leged environment.
526
527       --ifconfig l rn
528              Set  TUN/TAP  adapter  parameters.   l  is the IP address of the
529              local VPN endpoint.  For TUN devices in point-to-point mode,  rn
530              is  the IP address of the remote VPN endpoint.  For TAP devices,
531              or TUN devices used with --topology subnet,  rn  is  the  subnet
532              mask  of  the  virtual network segment which is being created or
533              connected to.
534
535              For TUN devices, which facilitate virtual point-to-point IP con‐
536              nections (when used in --topology net30 or p2p mode), the proper
537              usage of --ifconfig is to use two private IP addresses which are
538              not  a  member  of  any existing subnet which is in use.  The IP
539              addresses  may  be  consecutive  and  should  have  their  order
540              reversed  on  the remote peer.  After the VPN is established, by
541              pinging rn, you will be pinging across the VPN.
542
543              For TAP devices, which provide the  ability  to  create  virtual
544              ethernet  segments,  or  TUN  devices  in --topology subnet mode
545              (which create virtual "multipoint networks"), --ifconfig is used
546              to set an IP address and subnet mask just as a physical ethernet
547              adapter would be similarly configured.  If you are attempting to
548              connect  to  a remote ethernet bridge, the IP address and subnet
549              should be set to values which would be valid on the the  bridged
550              ethernet  segment  (note also that DHCP can be used for the same
551              purpose).
552
553              This option, while primarily a proxy for  the  ifconfig(8)  com‐
554              mand,  is  designed  to simplify TUN/TAP tunnel configuration by
555              providing a standard interface to the different ifconfig  imple‐
556              mentations on different platforms.
557
558              --ifconfig  parameters which are IP addresses can also be speci‐
559              fied as a DNS or /etc/hosts file resolvable name.
560
561              For TAP devices, --ifconfig should not be used if the TAP inter‐
562              face will be getting an IP address lease from a DHCP server.
563
564       --ifconfig-noexec
565              Don't  actually  execute  ifconfig/netsh  commands, instead pass
566              --ifconfig parameters to scripts using environmental variables.
567
568       --ifconfig-nowarn
569              Don't  output  an  options  consistency  check  warning  if  the
570              --ifconfig  option  on this side of the connection doesn't match
571              the remote side.  This is useful when you  want  to  retain  the
572              overall  benefits  of  the  options  consistency check (also see
573              --disable-occ option) while only disabling the  ifconfig  compo‐
574              nent of the check.
575
576              For  example,  if  you have a configuration where the local host
577              uses --ifconfig but the  remote  host  does  not,  use  --ifcon‐
578              fig-nowarn on the local host.
579
580              This  option  will also silence warnings about potential address
581              conflicts which occasionally annoy  more  experienced  users  by
582              triggering "false positive" warnings.
583
584       --route network/IP [netmask] [gateway] [metric]
585              Add  route  to  routing  table  after connection is established.
586              Multiple routes can be specified.  Routes will be  automatically
587              torn down in reverse order prior to TUN/TAP device close.
588
589              This  option is intended as a convenience proxy for the route(8)
590              shell command, while at the same time providing portable  seman‐
591              tics across OpenVPN's platform space.
592
593              netmask default -- 255.255.255.255
594
595              gateway  default  --  taken  from  --route-gateway or the second
596              parameter to --ifconfig when --dev tun is specified.
597
598              metric default -- taken from --route-metric otherwise 0.
599
600              The default can be specified by leaving an option blank or  set‐
601              ting it to "default".
602
603              The  network  and  gateway parameters can also be specified as a
604              DNS or /etc/hosts file resolvable name, or as one of three  spe‐
605              cial keywords:
606
607              vpn_gateway  --  The remote VPN endpoint address (derived either
608              from --route-gateway or the second parameter to --ifconfig  when
609              --dev tun is specified).
610
611              net_gateway  --  The  pre-existing IP default gateway, read from
612              the routing table (not supported on all OSes).
613
614              remote_host -- The --remote address if OpenVPN is being  run  in
615              client mode, and is undefined in server mode.
616
617       --route-gateway gw|'dhcp'
618              Specify a default gateway gw for use with --route.
619
620              If  dhcp is specified as the parameter, the gateway address will
621              be  extracted  from  a  DHCP  negotiation   with   the   OpenVPN
622              server-side LAN.
623
624       --route-metric m
625              Specify a default metric m for use with --route.
626
627       --route-delay [n] [w]
628              Delay  n  seconds  (default=0)  after  connection establishment,
629              before adding routes. If n is 0, routes will  be  added  immedi‐
630              ately  upon connection establishment.  If --route-delay is omit‐
631              ted, routes will be added immediately after TUN/TAP device  open
632              and  --up  script execution, before any --user or --group privi‐
633              lege downgrade (or --chroot execution.)
634
635              This option is designed to be useful in scenarios where DHCP  is
636              used to set tap adapter addresses.  The delay will give the DHCP
637              handshake time to complete before routes are added.
638
639              On Windows, --route-delay tries to be more intelligent by  wait‐
640              ing  w  seconds  (w=30  by default) for the TAP-Win32 adapter to
641              come up before adding routes.
642
643       --route-up cmd
644              Run  command  cmd   after   routes   are   added,   subject   to
645              --route-delay.
646
647              cmd  consists  of  a  path  to  script  (or executable program),
648              optionally followed by arguments. The path and arguments may  be
649              single-  or  double-quoted and/or escaped using a backslash, and
650              should be separated by one or more spaces.
651
652              See the "Environmental Variables" section below  for  additional
653              parameters passed as environmental variables.
654
655       --route-pre-down cmd
656              Run command cmd before routes are removed upon disconnection.
657
658              cmd  consists  of  a  path  to  script  (or executable program),
659              optionally followed by arguments. The path and arguments may  be
660              single-  or  double-quoted and/or escaped using a backslash, and
661              should be separated by one or more spaces.
662
663              See the "Environmental Variables" section below  for  additional
664              parameters passed as environmental variables.
665
666       --route-noexec
667              Don't  add  or remove routes automatically.  Instead pass routes
668              to --route-up script using environmental variables.
669
670       --route-nopull
671              When used with --client or  --pull,  accept  options  pushed  by
672              server  EXCEPT  for  routes,  block-outside-dns and dhcp options
673              like DNS servers.
674
675              When used on the client, this option effectively bars the server
676              from  adding  routes to the client's routing table, however note
677              that this option still allows the server to set the TCP/IP prop‐
678              erties of the client's TUN/TAP interface.
679
680       --allow-pull-fqdn
681              Allow  client  to  pull DNS names from server (rather than being
682              limited  to   IP   address)   for   --ifconfig,   --route,   and
683              --route-gateway.
684
685       --client-nat snat|dnat network netmask alias
686              This  pushable  client option sets up a stateless one-to-one NAT
687              rule on packet addresses (not ports), and  is  useful  in  cases
688              where  routes  or  ifconfig  settings pushed to the client would
689              create an IP numbering conflict.
690
691              network/netmask (for  example  192.168.0.0/255.255.0.0)  defines
692              the  local view of a resource from the client perspective, while
693              alias/netmask (for example  10.64.0.0/255.255.0.0)  defines  the
694              remote view from the server perspective.
695
696              Use snat (source NAT) for resources owned by the client and dnat
697              (destination NAT) for remote resources.
698
699              Set --verb 6 for debugging info showing  the  transformation  of
700              src/dest addresses in packets.
701
702       --redirect-gateway flags...
703              Automatically  execute routing commands to cause all outgoing IP
704              traffic to be redirected over the VPN.  This  is  a  client-side
705              option.
706
707              This option performs three steps:
708
709              (1)  Create  a  static route for the --remote address which for‐
710              wards to the pre-existing default gateway.  This is done so that
711              (3) will not create a routing loop.
712
713              (2) Delete the default gateway route.
714
715              (3)  Set  the new default gateway to be the VPN endpoint address
716              (derived either from --route-gateway or the second parameter  to
717              --ifconfig when --dev tun is specified).
718
719              When  the  tunnel  is  torn  down,  all  of  the above steps are
720              reversed so that the original default route is restored.
721
722              Option flags:
723
724              local -- Add the local flag if both OpenVPN peers  are  directly
725              connected via a common subnet, such as with wireless.  The local
726              flag will cause step 1 above to be omitted.
727
728              autolocal -- Try to automatically determine  whether  to  enable
729              local flag above.
730
731              def1  --  Use this flag to override the default gateway by using
732              0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.  This  has  the
733              benefit  of  overriding  but not wiping out the original default
734              gateway.
735
736              bypass-dhcp -- Add a direct route to the DHCP server (if  it  is
737              non-local)  which  bypasses  the  tunnel  (Available  on Windows
738              clients, may not be available on non-Windows clients).
739
740              bypass-dns -- Add a direct route to the DNS server(s)  (if  they
741              are  non-local)  which bypasses the tunnel (Available on Windows
742              clients, may not be available on non-Windows clients).
743
744              block-local -- Block access to local  LAN  when  the  tunnel  is
745              active, except for the LAN gateway itself.  This is accomplished
746              by routing the local LAN (except for the  LAN  gateway  address)
747              into the tunnel.
748
749              ipv6 -- Redirect IPv6 routing into the tunnel.  This works simi‐
750              lar to the def1 flag, that is, more  specific  IPv6  routes  are
751              added  (2000::/4,  3000::/4),  covering  the  whole IPv6 unicast
752              space.
753
754              !ipv4 -- Do not redirect IPv4 traffic - typically  used  in  the
755              flag pair ipv6 !ipv4 to redirect IPv6-only.
756
757       --link-mtu n
758              Sets  an  upper  bound on the size of UDP packets which are sent
759              between OpenVPN peers.  It's best  not  to  set  this  parameter
760              unless you know what you're doing.
761
762       --redirect-private [flags]
763              Like  --redirect-gateway, but omit actually changing the default
764              gateway.  Useful when pushing private subnets.
765
766       --tun-mtu n
767              Take the TUN device MTU to be n and derive the link MTU from  it
768              (default=1500).   In most cases, you will probably want to leave
769              this parameter set to its default value.
770
771              The MTU (Maximum Transmission Units)  is  the  maximum  datagram
772              size  in  bytes  that can be sent unfragmented over a particular
773              network path.  OpenVPN requires that packets on the  control  or
774              data channels be sent unfragmented.
775
776              MTU problems often manifest themselves as connections which hang
777              during periods of active usage.
778
779              It's best to use the --fragment and/or --mssfix options to  deal
780              with MTU sizing issues.
781
782       --tun-mtu-extra n
783              Assume  that  the TUN/TAP device might return as many as n bytes
784              more than the --tun-mtu size on read.  This  parameter  defaults
785              to 0, which is sufficient for most TUN devices.  TAP devices may
786              introduce additional overhead in excess of the MTU size,  and  a
787              setting  of  32  is the default when TAP devices are used.  This
788              parameter only controls internal OpenVPN buffer sizing, so there
789              is  no  transmission  overhead  associated  with  using a larger
790              value.
791
792       --mtu-disc type
793              Should we do Path MTU discovery on TCP/UDP channel?   Only  sup‐
794              ported  on OSes such as Linux that supports the necessary system
795              call to set.
796
797              'no' -- Never send DF (Don't Fragment) frames
798              'maybe' -- Use per-route hints
799              'yes' -- Always DF (Don't Fragment)
800
801       --mtu-test
802              To empirically  measure  MTU  on  connection  startup,  add  the
803              --mtu-test option to your configuration.  OpenVPN will send ping
804              packets of various sizes to the  remote  peer  and  measure  the
805              largest   packets   which   were   successfully  received.   The
806              --mtu-test process normally takes about 3 minutes to complete.
807
808       --fragment max
809              Enable internal datagram fragmentation so that no UDP  datagrams
810              are sent which are larger than max bytes.
811
812              The  max  parameter  is  interpreted  in  the  same  way  as the
813              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
814              tion  overhead  has  been  added  in,  but not including the UDP
815              header itself.
816
817              The --fragment option only makes sense when you  are  using  the
818              UDP protocol ( --proto udp ).
819
820              --fragment adds 4 bytes of overhead per datagram.
821
822              See the --mssfix option below for an important related option to
823              --fragment.
824
825              It should also be noted that this option is not meant to replace
826              UDP  fragmentation at the IP stack level.  It is only meant as a
827              last resort when path  MTU  discovery  is  broken.   Using  this
828              option is less efficient than fixing path MTU discovery for your
829              IP link and using native IP fragmentation instead.
830
831              Having said that, there are circumstances where using  OpenVPN's
832              internal  fragmentation capability may be your only option, such
833              as tunneling a UDP multicast stream  which  requires  fragmenta‐
834              tion.
835
836       --mssfix max
837              Announce  to  TCP  sessions  running  over  the tunnel that they
838              should limit their send packet sizes such that after OpenVPN has
839              encapsulated  them,  the  resulting UDP packet size that OpenVPN
840              sends to its peer will not exceed max bytes. The  default  value
841              is 1450.
842
843              The  max  parameter  is  interpreted  in  the  same  way  as the
844              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
845              tion  overhead  has  been  added  in,  but not including the UDP
846              header itself. Resulting packet would be at most 28 bytes larger
847              for  IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and 8
848              bytes for UDP header). Default value of 1450 allows IPv4 packets
849              to be transmitted over a link with MTU 1473 or higher without IP
850              level fragmentation.
851
852              The --mssfix option only makes sense when you are using the  UDP
853              protocol  for  OpenVPN peer-to-peer communication, i.e.  --proto
854              udp.
855
856              --mssfix and --fragment can  be  ideally  used  together,  where
857              --mssfix  will try to keep TCP from needing packet fragmentation
858              in the first place, and if big packets come through anyhow (from
859              protocols  other  than TCP), --fragment will internally fragment
860              them.
861
862              Both --fragment and --mssfix are designed to work  around  cases
863              where  Path  MTU discovery is broken on the network path between
864              OpenVPN peers.
865
866              The usual symptom of such a breakdown is an  OpenVPN  connection
867              which successfully starts, but then stalls during active usage.
868
869              If --fragment and --mssfix are used together, --mssfix will take
870              its default max parameter from the --fragment max option.
871
872              Therefore, one could lower the maximum UDP packet size  to  1300
873              (a  good  first try for solving MTU-related connection problems)
874              with the following options:
875
876              --tun-mtu 1500 --fragment 1300 --mssfix
877
878       --sndbuf size
879              Set the TCP/UDP socket send buffer size.  Defaults to  operation
880              system default.
881
882       --rcvbuf size
883              Set  the TCP/UDP socket receive buffer size.  Defaults to opera‐
884              tion system default.
885
886       --mark value
887              Mark encrypted packets being sent with value. The mark value can
888              be matched in policy routing and packetfilter rules. This option
889              is only supported in Linux and does nothing on  other  operating
890              systems.
891
892       --socket-flags flags...
893              Apply  the  given  flags  to the OpenVPN transport socket.  Cur‐
894              rently, only TCP_NODELAY is supported.
895
896              The TCP_NODELAY socket flag is useful in TCP  mode,  and  causes
897              the  kernel to send tunnel packets immediately over the TCP con‐
898              nection without trying to group several smaller packets  into  a
899              larger packet.  This can result in a considerably improvement in
900              latency.
901
902              This option is pushable from server to  client,  and  should  be
903              used on both client and server for maximum effect.
904
905       --txqueuelen n
906              (Linux  only)  Set the TX queue length on the TUN/TAP interface.
907              Currently defaults to 100.
908
909       --shaper n
910              Limit bandwidth of outgoing tunnel data to n bytes per second on
911              the  TCP/UDP port.  Note that this will only work if mode is set
912              to p2p.  If you want to limit the bandwidth in both  directions,
913              use this option on both peers.
914
915              OpenVPN  uses the following algorithm to implement traffic shap‐
916              ing: Given a shaper rate of n bytes per second, after a datagram
917              write  of  b bytes is queued on the TCP/UDP port, wait a minimum
918              of (b / n) seconds before queuing the next write.
919
920              It should  be  noted  that  OpenVPN  supports  multiple  tunnels
921              between the same two peers, allowing you to construct full-speed
922              and reduced bandwidth tunnels at the same time, routing low-pri‐
923              ority  data  such as off-site backups over the reduced bandwidth
924              tunnel, and other data over the full-speed tunnel.
925
926              Also note that for low bandwidth tunnels (under 1000  bytes  per
927              second),  you  should probably use lower MTU values as well (see
928              above), otherwise the packet latency will grow so  large  as  to
929              trigger  timeouts  in  the TLS layer and TCP connections running
930              over the tunnel.
931
932              OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.
933
934       --inactive n [bytes]
935              Causes OpenVPN to exit after n  seconds  of  inactivity  on  the
936              TUN/TAP  device. The time length of inactivity is measured since
937              the last incoming or outgoing tunnel packet.  The default  value
938              is 0 seconds, which disables this feature.
939
940              If  the  optional bytes parameter is included, exit if less than
941              bytes of combined in/out traffic are  produced  on  the  tun/tap
942              device in n seconds.
943
944              In  any  case,  OpenVPN's  internal ping packets (which are just
945              keepalives) and TLS control packets are not  considered  "activ‐
946              ity",  nor  are they counted as traffic, as they are used inter‐
947              nally by OpenVPN and are not an indication of actual user activ‐
948              ity.
949
950       --ping n
951              Ping  remote over the TCP/UDP control channel if no packets have
952              been sent for at least n seconds (specify --ping on  both  peers
953              to  cause ping packets to be sent in both directions since Open‐
954              VPN ping packets are not echoed like  IP  ping  packets).   When
955              used   in   one  of  OpenVPN's  secure  modes  (where  --secret,
956              --tls-server, or --tls-client is  specified),  the  ping  packet
957              will be cryptographically secure.
958
959              This option has two intended uses:
960
961              (1)  Compatibility  with  stateful firewalls.  The periodic ping
962              will ensure that a stateful firewall rule which  allows  OpenVPN
963              UDP packets to pass will not time out.
964
965              (2)  To  provide a basis for the remote to test the existence of
966              its peer using the --ping-exit option.
967
968       --ping-exit n
969              Causes OpenVPN to exit after n seconds pass without reception of
970              a ping or other packet from remote.  This option can be combined
971              with --inactive, --ping, and --ping-exit to create a  two-tiered
972              inactivity disconnect.
973
974              For example,
975
976              openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
977
978              when  used  on  both  peers will cause OpenVPN to exit within 60
979              seconds if its peer disconnects, but will exit after one hour if
980              no actual tunnel data is exchanged.
981
982       --ping-restart n
983              Similar  to  --ping-exit,  but trigger a SIGUSR1 restart after n
984              seconds pass without reception of a ping or  other  packet  from
985              remote.
986
987              This  option  is  useful  in  cases  where the remote peer has a
988              dynamic IP address and a low-TTL DNS name is used to  track  the
989              IP  address  using  a  service  such  as  http://dyndns.org/ + a
990              dynamic DNS client such as ddclient.
991
992              If the peer cannot be reached,  a  restart  will  be  triggered,
993              causing  the  hostname  used with --remote to be re-resolved (if
994              --resolv-retry is also specified).
995
996              In server mode, --ping-restart, --inactive, or any other type of
997              internally generated signal will always be applied to individual
998              client instance objects, never to  whole  server  itself.   Note
999              also  in  server mode that any internally generated signal which
1000              would normally cause a restart, will cause the deletion  of  the
1001              client instance object instead.
1002
1003              In  client mode, the --ping-restart parameter is set to 120 sec‐
1004              onds by default.  This default will hold until the client  pulls
1005              a  replacement  value  from the server, based on the --keepalive
1006              setting in the server configuration.  To disable the 120  second
1007              default, set --ping-restart 0 on the client.
1008
1009              See the signals section below for more information on SIGUSR1.
1010
1011              Note  that the behavior of SIGUSR1 can be modified by the --per‐
1012              sist-tun,   --persist-key,   --persist-local-ip,   and    --per‐
1013              sist-remote-ip options.
1014
1015              Also  note  that  --ping-exit  and  --ping-restart  are mutually
1016              exclusive and cannot be used together.
1017
1018       --keepalive interval timeout
1019              A helper directive designed to simplify the expression of --ping
1020              and --ping-restart.
1021
1022              This  option  can be used on both client and server side, but it
1023              is enough to add this on the server side as it will push  appro‐
1024              priate --ping and --ping-restart options to the client.  If used
1025              on both server and client, the values pushed  from  server  will
1026              override the client local values.
1027
1028              The  timeout  argument will be twice as long on the server side.
1029              This ensures that a timeout is detected on  client  side  before
1030              the server side drops the connection.
1031
1032              For example, --keepalive 10 60 expands as follows:
1033
1034                   if mode server:
1035                     ping 10                    # Argument: interval
1036                     ping-restart 120           # Argument: timeout*2
1037                     push "ping 10"             # Argument: interval
1038                     push "ping-restart 60"     # Argument: timeout
1039                   else
1040                     ping 10                    # Argument: interval
1041                     ping-restart 60            # Argument: timeout
1042
1043       --ping-timer-rem
1044              Run  the  --ping-exit  /  --ping-restart timer only if we have a
1045              remote address.  Use this option if you are starting the  daemon
1046              in listen mode (i.e. without an explicit --remote peer), and you
1047              don't want to start clocking timeouts until a remote  peer  con‐
1048              nects.
1049
1050       --persist-tun
1051              Don't  close  and  reopen  TUN/TAP device or run up/down scripts
1052              across SIGUSR1 or --ping-restart restarts.
1053
1054              SIGUSR1 is a restart signal similar to SIGHUP, but which  offers
1055              finer-grained control over reset options.
1056
1057       --persist-key
1058              Don't re-read key files across SIGUSR1 or --ping-restart.
1059
1060              This option can be combined with --user nobody to allow restarts
1061              triggered by the SIGUSR1 signal.   Normally  if  you  drop  root
1062              privileges  in  OpenVPN, the daemon cannot be restarted since it
1063              will now be unable to re-read protected key files.
1064
1065              This option solves the problem by persisting keys across SIGUSR1
1066              resets, so they don't need to be re-read.
1067
1068       --persist-local-ip
1069              Preserve  initially  resolved  local  IP address and port number
1070              across SIGUSR1 or --ping-restart restarts.
1071
1072       --persist-remote-ip
1073              Preserve most recently authenticated remote IP address and  port
1074              number across SIGUSR1 or --ping-restart restarts.
1075
1076       --mlock
1077              Disable paging by calling the POSIX mlockall function.  Requires
1078              that OpenVPN be initially run as root (though OpenVPN can subse‐
1079              quently downgrade its UID using the --user option).
1080
1081              Using  this option ensures that key material and tunnel data are
1082              never written to disk due to virtual  memory  paging  operations
1083              which  occur  under  most  modern operating systems.  It ensures
1084              that even if an attacker was able to crack the box running Open‐
1085              VPN,  he  would  not  be  able  to  scan the system swap file to
1086              recover previously used ephemeral keys, which  are  used  for  a
1087              period of time governed by the --reneg options (see below), then
1088              are discarded.
1089
1090              The downside of using --mlock is that it will reduce the  amount
1091              of physical memory available to other applications.
1092
1093       --up cmd
1094              Run command cmd after successful TUN/TAP device open (pre --user
1095              UID change).
1096
1097              cmd consists of  a  path  to  script  (or  executable  program),
1098              optionally  followed by arguments. The path and arguments may be
1099              single- or double-quoted and/or escaped using a  backslash,  and
1100              should be separated by one or more spaces.
1101
1102              The  up  command  is  useful for specifying route commands which
1103              route IP traffic destined for private subnets which exist at the
1104              other end of the VPN connection into the tunnel.
1105
1106              For --dev tun execute as:
1107
1108              cmd    tun_dev   tun_mtu   link_mtu   ifconfig_local_ip   ifcon‐
1109              fig_remote_ip [ init | restart ]
1110
1111              For --dev tap execute as:
1112
1113              cmd tap_dev tap_mtu link_mtu ifconfig_local_ip  ifconfig_netmask
1114              [ init | restart ]
1115
1116              See  the  "Environmental Variables" section below for additional
1117              parameters passed as environmental variables.
1118
1119              Note that if cmd includes arguments, all OpenVPN-generated argu‐
1120              ments  will  be  appended to them to build an argument list with
1121              which the executable will be called.
1122
1123              Typically, cmd will run a script to add routes to the tunnel.
1124
1125              Normally the up script is called after  the  TUN/TAP  device  is
1126              opened.  In this context, the last command line parameter passed
1127              to the script will be init.  If the --up-restart option is  also
1128              used,  the  up  script  will  be called for restarts as well.  A
1129              restart is considered to be a partial reinitialization of  Open‐
1130              VPN  where  the TUN/TAP instance is preserved (the --persist-tun
1131              option will enable such preservation).  A restart can be  gener‐
1132              ated by a SIGUSR1 signal, a --ping-restart timeout, or a connec‐
1133              tion reset when the TCP protocol is  enabled  with  the  --proto
1134              option.   If  a restart occurs, and --up-restart has been speci‐
1135              fied, the up script will be called  with  restart  as  the  last
1136              parameter.
1137
1138              NOTE: on restart, OpenVPN will not pass the full set of environ‐
1139              ment variables to the script.   Namely,  everything  related  to
1140              routing  and gateways will not be passed, as nothing needs to be
1141              done anyway - all the routing setup is already in place.   Addi‐
1142              tionally,  the  up-restart  script  will run with the downgraded
1143              UID/GID settings (if configured).
1144
1145              The following standalone example shows how the --up  script  can
1146              be called in both an initialization and restart context.  (NOTE:
1147              for security reasons, don't run the following example unless UDP
1148              port  9999  is blocked by your firewall.  Also, the example will
1149              run indefinitely, so you should abort with control-c).
1150
1151              openvpn --dev tun --port 9999 --verb 4  --ping-restart  10  --up
1152              'echo up' --down 'echo down' --persist-tun --up-restart
1153
1154              Note  that  OpenVPN also provides the --ifconfig option to auto‐
1155              matically ifconfig the  TUN  device,  eliminating  the  need  to
1156              define  an --up script, unless you also want to configure routes
1157              in the --up script.
1158
1159              If --ifconfig is also specified, OpenVPN will pass the  ifconfig
1160              local  and  remote  endpoints  on  the  command line to the --up
1161              script so that they can be used to configure routes such as:
1162
1163              route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1164
1165       --up-delay
1166              Delay TUN/TAP open and  possible  --up  script  execution  until
1167              after TCP/UDP connection establishment with peer.
1168
1169              In  --proto  udp  mode, this option normally requires the use of
1170              --ping to allow  connection  initiation  to  be  sensed  in  the
1171              absence  of  tunnel data, since UDP is a "connectionless" proto‐
1172              col.
1173
1174              On Windows, this option will delay  the  TAP-Win32  media  state
1175              transitioning  to  "connected"  until  connection establishment,
1176              i.e. the receipt of the  first  authenticated  packet  from  the
1177              peer.
1178
1179       --down cmd
1180              Run  command  cmd  after  TUN/TAP  device close (post --user UID
1181              change and/or --chroot ).  cmd consists of a path to script  (or
1182              executable  program), optionally followed by arguments. The path
1183              and arguments may be single-  or  double-quoted  and/or  escaped
1184              using  a  backslash, and should be separated by one or more spa‐
1185              ces.
1186
1187              Called with the same parameters and environmental  variables  as
1188              the --up option above.
1189
1190              Note  that  if  you  reduce  privileges  by  using --user and/or
1191              --group, your --down script will also run at reduced privilege.
1192
1193       --down-pre
1194              Call --down cmd/script before, rather than after, TUN/TAP close.
1195
1196       --up-restart
1197              Enable the --up and --down scripts to be called for restarts  as
1198              well  as  initial  program start.  This option is described more
1199              fully above in the --up option documentation.
1200
1201       --setenv name value
1202              Set a  custom  environmental  variable  name=value  to  pass  to
1203              script.
1204
1205       --setenv FORWARD_COMPATIBLE 1
1206              Relax  config  file  syntax  checking so that unknown directives
1207              will trigger a warning but not a fatal error, on the  assumption
1208              that  a given unknown directive might be valid in future OpenVPN
1209              versions.
1210
1211              This option should be used with caution, as there are good secu‐
1212              rity reasons for having OpenVPN fail if it detects problems in a
1213              config file.  Having said that,  there  are  valid  reasons  for
1214              wanting new software features to gracefully degrade when encoun‐
1215              tered by older software versions.
1216
1217              It is also possible to tag a single directive so as not to trig‐
1218              ger  a  fatal  error  if  the directive isn't recognized.  To do
1219              this, prepend the following before the directive: setenv opt
1220
1221              Versions prior to OpenVPN 2.3.3 will always ignore  options  set
1222              with the setenv opt directive.
1223
1224              See also --ignore-unknown-option
1225
1226       --setenv-safe name value
1227              Set  a  custom environmental variable OPENVPN_name=value to pass
1228              to script.
1229
1230              This directive is  designed  to  be  pushed  by  the  server  to
1231              clients,  and  the prepending of "OPENVPN_" to the environmental
1232              variable is a safety precaution to prevent  a  LD_PRELOAD  style
1233              attack from a malicious or compromised server.
1234
1235       --ignore-unknown-option opt1 opt2 opt3 ... optN
1236              When one of options opt1 ... optN is encountered in the configu‐
1237              ration file the configuration file parsing does not fail if this
1238              OpenVPN   version   does   not   support  the  option.  Multiple
1239              --ignore-unknown-option options can be given to support a larger
1240              number of options to ignore.
1241
1242              This option should be used with caution, as there are good secu‐
1243              rity reasons for having OpenVPN fail if it detects problems in a
1244              config file. Having said that, there are valid reasons for want‐
1245              ing new software features to gracefully degrade when encountered
1246              by older software versions.
1247
1248              --ignore-unknown-option is available since OpenVPN 2.3.3.
1249
1250       --script-security level
1251              This  directive offers policy-level control over OpenVPN's usage
1252              of external programs and scripts.  Lower level values  are  more
1253              restrictive,  higher  values  are more permissive.  Settings for
1254              level:
1255
1256              0 -- Strictly no calling of external programs.
1257              1 -- (Default) Only call built-in executables such as  ifconfig,
1258              ip, route, or netsh.
1259              2  --  Allow  calling  of  built-in executables and user-defined
1260              scripts.
1261              3 -- Allow passwords to be passed to scripts  via  environmental
1262              variables (potentially unsafe).
1263
1264              OpenVPN  releases before v2.3 also supported a method flag which
1265              indicated how OpenVPN should call external commands and scripts.
1266              This  could be either execve or system.  As of OpenVPN 2.3, this
1267              flag is no longer  accepted.   In  most  *nix  environments  the
1268              execve() approach has been used without any issues.
1269
1270              Some  directives  such as --up allow options to be passed to the
1271              external script. In these cases make sure the script  name  does
1272              not  contain  any  spaces or the configuration parser will choke
1273              because it can't determine where the script name ends and script
1274              options start.
1275
1276              To run scripts in Windows in earlier OpenVPN versions you needed
1277              to either add a full path to the script  interpreter  which  can
1278              parse  the  script  or use the system flag to run these scripts.
1279              As of OpenVPN 2.3 it is now a strict requirement  to  have  full
1280              path  to  the  script  interpreter  when running non-executables
1281              files.  This is not needed for executable files, such  as  .exe,
1282              .com,  .bat  or  .cmd  files.  For example, if you have a Visual
1283              Basic script, you must use this syntax now:
1284
1285                  --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
1286
1287              Please note the single quote marks and the escaping of the back‐
1288              slashes (\) and the space character.
1289
1290              The reason the support for the system flag was removed is due to
1291              the security implications with shell expansions  when  executing
1292              scripts via the system() call.
1293
1294       --disable-occ
1295              Don't  output  a  warning  message if option inconsistencies are
1296              detected between peers.  An example of an  option  inconsistency
1297              would be where one peer uses --dev tun while the other peer uses
1298              --dev tap.
1299
1300              Use of this option is discouraged, but is provided as  a  tempo‐
1301              rary  fix  in  situations where a recent version of OpenVPN must
1302              connect to an old version.
1303
1304       --user user
1305              Change the user ID of the OpenVPN process to user after initial‐
1306              ization,  dropping  privileges  in  the process.  This option is
1307              useful to protect the system in  the  event  that  some  hostile
1308              party  was  able  to gain control of an OpenVPN session.  Though
1309              OpenVPN's security features make this unlikely, it  is  provided
1310              as a second line of defense.
1311
1312              By  setting  user  to nobody or somebody similarly unprivileged,
1313              the hostile party would be limited in  what  damage  they  could
1314              cause.   Of  course  once  you  take away privileges, you cannot
1315              return them to an OpenVPN session.   This  means,  for  example,
1316              that  if you want to reset an OpenVPN daemon with a SIGUSR1 sig‐
1317              nal (for example in response to a DHCP reset), you  should  make
1318              use of one or more of the --persist options to ensure that Open‐
1319              VPN doesn't need to execute any privileged operations  in  order
1320              to  restart (such as re-reading key files or running ifconfig on
1321              the TUN device).
1322
1323       --group group
1324              Similar to the --user option, this option changes the  group  ID
1325              of the OpenVPN process to group after initialization.
1326
1327       --cd dir
1328              Change  directory to dir prior to reading any files such as con‐
1329              figuration files, key files, scripts, etc.   dir  should  be  an
1330              absolute path, with a leading "/", and without any references to
1331              the current directory such as "." or "..".
1332
1333              This option is useful when you are running OpenVPN  in  --daemon
1334              mode,  and  you  want to consolidate all of your OpenVPN control
1335              files in one location.
1336
1337       --chroot dir
1338              Chroot to dir after initialization.  --chroot essentially  rede‐
1339              fines  dir  as  being the top level directory tree (/).  OpenVPN
1340              will therefore be unable to access any files outside this  tree.
1341              This can be desirable from a security standpoint.
1342
1343              Since  the  chroot  operation is delayed until after initializa‐
1344              tion, most OpenVPN options that reference files will operate  in
1345              a pre-chroot context.
1346
1347              In  many  cases,  the dir parameter can point to an empty direc‐
1348              tory, however complications can result when scripts or  restarts
1349              are executed after the chroot operation.
1350
1351              Note:  The  SSL  library  will  probably need /dev/urandom to be
1352              available inside the chroot directory dir.  This is because  SSL
1353              libraries  occasionally  need  to  collect  fresh random.  Newer
1354              linux kernels and some BSDs implement a  getrandom()  or  geten‐
1355              tropy()  syscall  that  removes  the need for /dev/urandom to be
1356              available.
1357
1358       --setcon context
1359              Apply SELinux context  after  initialization.  This  essentially
1360              provides  the  ability to restrict OpenVPN's rights to only net‐
1361              work I/O operations, thanks to SELinux. This goes  further  than
1362              --user  and  --chroot in that those two, while being great secu‐
1363              rity features, unfortunately do not  protect  against  privilege
1364              escalation  by exploitation of a vulnerable system call. You can
1365              of course combine all three, but please note that  since  setcon
1366              requires  access to /proc you will have to provide it inside the
1367              chroot directory (e.g. with mount --bind).
1368
1369              Since the setcon operation is delayed  until  after  initializa‐
1370              tion,  OpenVPN  can be restricted to just network-related system
1371              calls, whereas by applying the context before startup  (such  as
1372              the  OpenVPN one provided in the SELinux Reference Policies) you
1373              will have to allow many things required only during  initializa‐
1374              tion.
1375
1376              Like  with  chroot,  complications  can  result  when scripts or
1377              restarts are executed after the setcon operation, which  is  why
1378              you  should  really  consider using the --persist-key and --per‐
1379              sist-tun options.
1380
1381       --daemon [progname]
1382              Become a daemon after  all  initialization  functions  are  com‐
1383              pleted.   This option will cause all message and error output to
1384              be sent to the syslog file (such as  /var/log/messages),  except
1385              for  the  output of scripts and ifconfig commands, which will go
1386              to /dev/null unless otherwise redirected.  The syslog  redirect‐
1387              ion  occurs  immediately at the point that --daemon is parsed on
1388              the command line even  though  the  daemonization  point  occurs
1389              later.   If  one  of  the  --log  options  is  present,  it will
1390              supercede syslog redirection.
1391
1392              The optional progname parameter will cause OpenVPN to report its
1393              program name to the system logger as progname.  This can be use‐
1394              ful in linking OpenVPN messages in the syslog file with specific
1395              tunnels.  When unspecified, progname defaults to "openvpn".
1396
1397              When  OpenVPN  is  run  with the --daemon option, it will try to
1398              delay daemonization until the majority of  initialization  func‐
1399              tions which are capable of generating fatal errors are complete.
1400              This means that initialization scripts can test the return  sta‐
1401              tus  of  the openvpn command for a fairly reliable indication of
1402              whether the command has correctly initialized  and  entered  the
1403              packet forwarding event loop.
1404
1405              In  OpenVPN,  the vast majority of errors which occur after ini‐
1406              tialization are non-fatal.
1407
1408              Note: as soon as OpenVPN has daemonized,  it  can  not  ask  for
1409              usernames,  passwords,  or  key  pass phrases anymore.  This has
1410              certain consequences, namely  that  using  a  password-protected
1411              private  key  will  fail  unless the --askpass option is used to
1412              tell OpenVPN to ask for the pass phrase (this requirement is new
1413              in  v2.3.7, and is a consequence of calling daemon() before ini‐
1414              tializing the crypto layer).
1415
1416              Further, using --daemon together with --auth-user-pass  (entered
1417              on  console) and --auth-nocache will fail as soon as key renego‐
1418              tiation (and reauthentication) occurs.
1419
1420       --syslog [progname]
1421              Direct log output to system logger, but do not become a  daemon.
1422              See --daemon directive above for description of progname parame‐
1423              ter.
1424
1425       --errors-to-stderr
1426              Output errors to stderr instead of stdout unless log  output  is
1427              redirected by one of the --log options.
1428
1429       --passtos
1430              Set the TOS field of the tunnel packet to what the payload's TOS
1431              is.
1432
1433       --inetd [wait|nowait] [progname]
1434              Use this option when OpenVPN is being  run  from  the  inetd  or
1435              xinetd(8) server.
1436
1437              The  wait/nowait  option  must  match  what  is specified in the
1438              inetd/xinetd config file.  The nowait mode can only be used with
1439              --proto  tcp-server.   The default is wait.  The nowait mode can
1440              be used to instantiate the  OpenVPN  daemon  as  a  classic  TCP
1441              server,  where client connection requests are serviced on a sin‐
1442              gle port number.  For additional information  on  this  kind  of
1443              configuration,     see    the    OpenVPN    FAQ:    http://open
1444              vpn.net/faq.html#oneport
1445
1446              This option precludes the use of --daemon, --local, or --remote.
1447              Note that this option causes message and error output to be han‐
1448              dled in the same way as the --daemon option.  The optional prog‐
1449              name parameter is also handled exactly as in --daemon.
1450
1451              Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1452              arate TCP/UDP port and a separate inetd or  xinetd  entry.   See
1453              the  OpenVPN  1.x  HOWTO  for  an  example on using OpenVPN with
1454              xinetd: http://openvpn.net/1xhowto.html
1455
1456       --log file
1457              Output logging  messages  to  file,  including  output  to  std‐
1458              out/stderr  which  is  generated  by  called  scripts.   If file
1459              already exists it will be truncated.  This option  takes  effect
1460              immediately  when  it  is  parsed  in  the command line and will
1461              supercede syslog output if --daemon or --inetd  is  also  speci‐
1462              fied.   This  option  is persistent over the entire course of an
1463              OpenVPN instantiation and will not be reset by SIGHUP,  SIGUSR1,
1464              or --ping-restart.
1465
1466              Note that on Windows, when OpenVPN is started as a service, log‐
1467              ging occurs by default without the need to specify this option.
1468
1469       --log-append file
1470              Append logging messages to file.  If file  does  not  exist,  it
1471              will  be created.  This option behaves exactly like --log except
1472              that it appends to rather than truncating the log file.
1473
1474       --suppress-timestamps
1475              Avoid writing timestamps to log messages, even when they  other‐
1476              wise would be prepended. In particular, this applies to log mes‐
1477              sages sent to stdout.
1478
1479       --machine-readable-output
1480              Always write timestamps and message flags to log messages,  even
1481              when  they  otherwise would not be prefixed. In particular, this
1482              applies to log messages sent to stdout.
1483
1484       --writepid file
1485              Write OpenVPN's main process ID to file.
1486
1487       --nice n
1488              Change process priority after initialization ( n greater than  0
1489              is lower priority, n less than zero is higher priority).
1490
1491       --fast-io
1492              (Experimental)  Optimize  TUN/TAP/UDP  I/O  writes by avoiding a
1493              call to poll/epoll/select prior to  the  write  operation.   The
1494              purpose  of  such  a  call  would normally be to block until the
1495              device or socket is ready to accept the write.  Such blocking is
1496              unnecessary on some platforms which don't support write blocking
1497              on UDP sockets or TUN/TAP devices.  In such cases, one can opti‐
1498              mize  the  event  loop  by  avoiding the poll/epoll/select call,
1499              improving CPU efficiency by 5% to 10%.
1500
1501              This option can  only  be  used  on  non-Windows  systems,  when
1502              --proto udp is specified, and when --shaper is NOT specified.
1503
1504       --multihome
1505              Configure  a  multi-homed  UDP  server.  This option needs to be
1506              used when a server has more than one IP address  (e.g.  multiple
1507              interfaces, or secondary IP addresses), and is not using --local
1508              to force binding to one specific address only.  This option will
1509              add some extra lookups to the packet path to ensure that the UDP
1510              reply packets are always sent from the address that  the  client
1511              is  talking  to.  This is not supported on all platforms, and it
1512              adds more processing, so it's not enabled by default.
1513
1514              Note: this option is only relevant for UDP servers.
1515
1516              Note 2: if you do  an  IPv6+IPv4  dual-stack  bind  on  a  Linux
1517              machine   with   multiple  IPv4  address,  connections  to  IPv4
1518              addresses will not work right on kernels  before  3.15,  due  to
1519              missing  kernel support for the IPv4-mapped case (some distribu‐
1520              tions have ported this to earlier kernel versions, though).
1521
1522       --echo [parms...]
1523              Echo parms to log output.
1524
1525              Designed to be used to send messages to a  controlling  applica‐
1526              tion which is receiving the OpenVPN log output.
1527
1528       --remap-usr1 signal
1529              Control  whether internally or externally generated SIGUSR1 sig‐
1530              nals are remapped to SIGHUP (restart without  persisting  state)
1531              or SIGTERM (exit).
1532
1533              signal  can  be  set  to  "SIGHUP" or "SIGTERM".  By default, no
1534              remapping occurs.
1535
1536       --verb n
1537              Set output verbosity to n (default=1).   Each  level  shows  all
1538              info  from  the  previous levels.  Level 3 is recommended if you
1539              want a good summary of what's happening without being swamped by
1540              output.
1541
1542              0 -- No output except fatal errors.
1543              1 to 4 -- Normal usage range.
1544              5  --  Output  R and W characters to the console for each packet
1545              read and write, uppercase is used for TCP/UDP packets and lower‐
1546              case is used for TUN/TAP packets.
1547              6  to  11  --  Debug  info  range (see errlevel.h for additional
1548              information on debug levels).
1549
1550       --status file [n]
1551              Write operational status to file every n seconds.
1552
1553              Status can also be written to the syslog by  sending  a  SIGUSR2
1554              signal.
1555
1556              With  multi-client  capability  enabled  on a server, the status
1557              file includes a list of clients and a routing table. The  output
1558              format  can be controlled by the --status-version option in that
1559              case.
1560
1561              For clients or instances running in point-to-point mode, it will
1562              contain the traffic statistics.
1563
1564       --status-version [n]
1565              Set the status file format version number to n.
1566
1567              This  only  affects the status file on servers with multi-client
1568              capability enabled.
1569
1570              1 -- traditional format (default). The client list contains  the
1571              following  fields  comma-separated:  Common  Name, Real Address,
1572              Bytes Received, Bytes Sent, Connected Since.
1573              2 -- a more reliable format for external processing. Compared to
1574              version 1, the client list contains some additional fields: Vir‐
1575              tual Address, Virtual IPv6 Address, Username,  Client  ID,  Peer
1576              ID.  Future versions may extend the number of fields.
1577              3 -- identical to 2, but fields are tab-separated.
1578
1579
1580       --mute n
1581              Log  at  most n consecutive messages in the same category.  This
1582              is useful to limit repetitive logging of similar message types.
1583
1584       --compress [algorithm]
1585              Enable a compression algorithm.
1586
1587              The algorithm parameter may be "lzo", "lz4", or empty.  LZO  and
1588              LZ4  are  different  compression  algorithms, with LZ4 generally
1589              offering the best performance with least CPU usage.   For  back‐
1590              wards compatibility with OpenVPN versions before v2.4, use "lzo"
1591              (which is identical to the older option "--comp-lzo yes").
1592
1593              If the algorithm parameter is empty, compression will be  turned
1594              off,  but  the  packet  framing  for  compression  will still be
1595              enabled, allowing a different setting to be pushed later.
1596
1597              Security Considerations
1598
1599              Compression and encryption  is  a  tricky  combination.   If  an
1600              attacker knows or is able to control (parts of) the plaintext of
1601              packets that contain secrets, the  attacker  might  be  able  to
1602              extract  the  secret  if  compression  is enabled.  See e.g. the
1603              CRIME and BREACH attacks on TLS which also leverage  compression
1604              to  break  encryption.   If  you  are not entirely sure that the
1605              above does not apply to your traffic, you are advised  to  *not*
1606              enable compression.
1607
1608
1609       --comp-lzo [mode]
1610              DEPRECATED  This  option  will  be  removed  in a future OpenVPN
1611              release.  Use the newer --compress instead.
1612
1613              Use LZO compression -- may add up  to  1  byte  per  packet  for
1614              incompressible  data.   mode  may  be "yes", "no", or "adaptive"
1615              (default).
1616
1617              In a server mode setup, it is possible to selectively turn  com‐
1618              pression on or off for individual clients.
1619
1620              First,  make  sure the client-side config file enables selective
1621              compression by having at least one --comp-lzo directive, such as
1622              --comp-lzo  no.   This will turn off compression by default, but
1623              allow a future directive push from  the  server  to  dynamically
1624              change the on/off/adaptive setting.
1625
1626              Next in a --client-config-dir file, specify the compression set‐
1627              ting for the client, for example:
1628
1629                  comp-lzo yes
1630                  push "comp-lzo yes"
1631
1632              The first line sets the comp-lzo setting for the server side  of
1633              the link, the second sets the client side.
1634
1635       --comp-noadapt
1636              When  used in conjunction with --comp-lzo, this option will dis‐
1637              able OpenVPN's adaptive compression algorithm.  Normally,  adap‐
1638              tive compression is enabled with --comp-lzo.
1639
1640              Adaptive  compression  tries to optimize the case where you have
1641              compression enabled, but you are  sending  predominantly  incom‐
1642              pressible  (or  pre-compressed) packets over the tunnel, such as
1643              an FTP or rsync transfer of  a  large,  compressed  file.   With
1644              adaptive  compression, OpenVPN will periodically sample the com‐
1645              pression process to measure its efficiency.  If the  data  being
1646              sent  over  the  tunnel  is  already compressed, the compression
1647              efficiency will be very low, triggering openvpn to disable  com‐
1648              pression for a period of time until the next re-sample test.
1649
1650       --management socket-name unix [pw-file]      (recommended)
1651       --management IP port [pw-file]
1652              Enable a management server on a socket-name Unix socket on those
1653              platforms supporting it, or on a designated TCP port.
1654
1655              pw-file , if specified, is a password file  where  the  password
1656              must  be  on  first  line.  Instead of a filename it can use the
1657              keyword stdin which will prompt the user for a password  to  use
1658              when OpenVPN is starting.
1659
1660              For  unix  sockets, the  default  behaviour  is to create a unix
1661              domain socket that may be connected to by any process.  Use  the
1662              --management-client-user  and  --management-client-group  direc‐
1663              tives to restrict access.
1664
1665              The management interface provides a special mode where  the  TCP
1666              management  link  can operate over the tunnel itself.  To enable
1667              this mode, set IP to tunnel.  Tunnel mode will cause  the   man‐
1668              agement  interface  to  listen for a TCP connection on the local
1669              VPN address of the TUN/TAP interface.
1670
1671              BEWARE of enabling the management interface over TCP.  In  these
1672              cases  you should ALWAYS make use of pw-file to password protect
1673              the management interface.  Any user who can connect to this  TCP
1674              IP:port  will be able to manage and control (and interfere with)
1675              the OpenVPN process.  It is also strongly recommended to set  IP
1676              to  127.0.0.1  (localhost) to restrict accessibility of the man‐
1677              agement server to local clients.
1678
1679              While the management port is designed for  programmatic  control
1680              of  OpenVPN  by  other applications, it is possible to telnet to
1681              the port, using a telnet client in "raw" mode.  Once  connected,
1682              type "help" for a list of commands.
1683
1684              For  detailed documentation on the management interface, see the
1685              management-notes.txt file in the management folder of the  Open‐
1686              VPN source distribution.
1687
1688
1689       --management-client
1690              Management interface will connect as a TCP/unix domain client to
1691              IP:port specified by --management rather than listen  as  a  TCP
1692              server or on a unix domain socket.
1693
1694              If  the client connection fails to connect or is disconnected, a
1695              SIGTERM signal will be generated causing OpenVPN to quit.
1696
1697       --management-query-passwords
1698              Query  management  channel  for   private   key   password   and
1699              --auth-user-pass  username/password.   Only query the management
1700              channel for inputs which ordinarily would have been queried from
1701              the console.
1702
1703       --management-query-proxy
1704              Query management channel for proxy server information for a spe‐
1705              cific --remote (client-only).
1706
1707       --management-query-remote
1708              Allow  management  interface  to  override  --remote  directives
1709              (client-only).
1710
1711       --management-external-key
1712              Allows  usage  for  external  private  key file instead of --key
1713              option (client-only).
1714
1715       --management-external-cert certificate-hint
1716              Allows usage for external certificate instead of  --cert  option
1717              (client-only).  certificate-hint is an arbitrary string which is
1718              passed to a  management  interface  client  as  an  argument  of
1719              NEED-CERTIFICATE   notification.   Requires  --management-exter‐
1720              nal-key.
1721
1722       --management-forget-disconnect
1723              Make OpenVPN forget passwords when  management  session  discon‐
1724              nects.
1725
1726              This  directive  does not affect the --http-proxy username/pass‐
1727              word.  It is always cached.
1728
1729       --management-hold
1730              Start OpenVPN in a hibernating state, until a client of the man‐
1731              agement  interface  explicitly  starts  it with the hold release
1732              command.
1733
1734       --management-signal
1735              Send SIGUSR1 signal to OpenVPN  if  management  session  discon‐
1736              nects.   This  is  useful when you wish to disconnect an OpenVPN
1737              session on user logoff. For --management-client this  option  is
1738              not needed since a disconnect will always generate a SIGTERM.
1739
1740       --management-log-cache n
1741              Cache  the  most recent n lines of log file history for usage by
1742              the management channel.
1743
1744       --management-up-down
1745              Report tunnel up/down events to management interface.
1746
1747       --management-client-auth
1748              Gives management interface client the responsibility to  authen‐
1749              ticate clients after their client certificate has been verified.
1750              See management-notes.txt in OpenVPN  distribution  for  detailed
1751              notes.
1752
1753       --management-client-pf
1754              Management  interface  clients must specify a packet filter file
1755              for each connecting client.  See management-notes.txt in OpenVPN
1756              distribution for detailed notes.
1757
1758       --management-client-user u
1759              When  the  management  interface  is  listening on a unix domain
1760              socket, only allow connections from user u.
1761
1762       --management-client-group g
1763              When the management interface is  listening  on  a  unix  domain
1764              socket, only allow connections from group g.
1765
1766       --plugin module-pathname [init-string]
1767              Load  plug-in  module  from  the  file  module-pathname, passing
1768              init-string as an argument to the  module  initialization  func‐
1769              tion.   Multiple  plugin  modules may be loaded into one OpenVPN
1770              process.
1771
1772              The module-pathname argument can be just a filename or  a  file‐
1773              name  with a relative or absolute path.  The format of the file‐
1774              name and path defines if the  plug-in  will  be  loaded  from  a
1775              default plug-in directory or outside this directory.
1776
1777                  --plugin path        Effective directory used
1778                  ====================================================
1779                   myplug.so            DEFAULT_DIR/myplug.so
1780                   subdir/myplug.so     DEFAULT_DIR/subdir/myplug.so
1781                   ./subdir/myplug.so   CWD/subdir/myplug.so
1782                   /usr/lib/my/plug.so  /usr/lib/my/plug.so
1783
1784              DEFAULT_DIR  is replaced by the default plug-in directory, which
1785              is configured at the build time of OpenVPN.  CWD is the  current
1786              directory  where  OpenVPN  was  started or the directory OpenVPN
1787              have swithed into  via  the  --cd  option  before  the  --plugin
1788              option.
1789
1790              For  more  information  and  examples  on  how  to build OpenVPN
1791              plug-in modules, see the README file in the plugin folder of the
1792              OpenVPN source distribution.
1793
1794              If you are using an RPM install of OpenVPN, see /usr/lib64/open‐
1795              vpn/plugin.  The documentation is in doc and the  actual  plugin
1796              modules are in lib.
1797
1798              Multiple plugin modules can be cascaded, and modules can be used
1799              in tandem with scripts.  The modules will be called  by  OpenVPN
1800              in the order that they are declared in the config file.  If both
1801              a plugin and script are configured for the  same  callback,  the
1802              script  will  be  called  last.   If the return code of the mod‐
1803              ule/script controls an authentication function (such as tls-ver‐
1804              ify,  auth-user-pass-verify, or client-connect), then every mod‐
1805              ule and script must return success (0) in order for the  connec‐
1806              tion to be authenticated.
1807
1808       --keying-material-exporter label len
1809              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
1810              between  16  and  4095  bytes)  using   label   in   environment
1811              (exported_keying_material)  for  use by plugins in OPENVPN_PLUG‐
1812              IN_TLS_FINAL callback.
1813
1814              Note that exporter labels have the  potential  to  collide  with
1815              existing PRF labels. In order to prevent this, labels MUST begin
1816              with "EXPORTER".
1817
1818              This option requires OpenSSL 1.0.1 or newer.
1819
1820   Server Mode
1821       Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode  is  sup‐
1822       ported,  and  can  be enabled with the --mode server option.  In server
1823       mode, OpenVPN will listen on a single port for incoming client  connec‐
1824       tions.   All  client connections will be routed through a single tun or
1825       tap interface.  This mode is designed for  scalability  and  should  be
1826       able  to  support hundreds or even thousands of clients on sufficiently
1827       fast hardware.  SSL/TLS authentication must be used in this mode.
1828
1829       --server network netmask ['nopool']
1830              A helper directive designed to  simplify  the  configuration  of
1831              OpenVPN's  server  mode.   This directive will set up an OpenVPN
1832              server which will allocate addresses to clients out of the given
1833              network/netmask.   The  server itself will take the ".1" address
1834              of the given network for use as the server-side endpoint of  the
1835              local TUN/TAP interface.
1836
1837              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1838
1839                   mode server
1840                   tls-server
1841                   push "topology [topology]"
1842
1843                   if dev tun AND (topology == net30 OR topology == p2p):
1844                     ifconfig 10.8.0.1 10.8.0.2
1845                     if !nopool:
1846                       ifconfig-pool 10.8.0.4 10.8.0.251
1847                     route 10.8.0.0 255.255.255.0
1848                     if client-to-client:
1849                       push "route 10.8.0.0 255.255.255.0"
1850                     else if topology == net30:
1851                       push "route 10.8.0.1"
1852
1853                   if dev tap OR (dev tun AND topology == subnet):
1854                     ifconfig 10.8.0.1 255.255.255.0
1855                     if !nopool:
1856                       ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1857                     push "route-gateway 10.8.0.1"
1858                     if route-gateway unset:
1859                       route-gateway 10.8.0.2
1860
1861
1862              Don't   use   --server   if  you  are  ethernet  bridging.   Use
1863              --server-bridge instead.
1864
1865       --server-bridge gateway netmask pool-start-IP pool-end-IP
1866
1867       --server-bridge ['nogw']
1868
1869              A helper directive similar to --server which is designed to sim‐
1870              plify  the  configuration  of  OpenVPN's server mode in ethernet
1871              bridging configurations.
1872
1873              If --server-bridge is  used  without  any  parameters,  it  will
1874              enable  a DHCP-proxy mode, where connecting OpenVPN clients will
1875              receive an IP address for their TAP adapter from the DHCP server
1876              running  on the OpenVPN server-side LAN.  Note that only clients
1877              that support the binding of a DHCP client with the  TAP  adapter
1878              (such as Windows) can support this mode.  The optional nogw flag
1879              (advanced) indicates that  gateway  information  should  not  be
1880              pushed to the client.
1881
1882              To  configure  ethernet  bridging,  you must first use your OS's
1883              bridging capability to bridge the TAP interface with the  ether‐
1884              net  NIC interface.  For example, on Linux this is done with the
1885              brctl tool, and with Windows XP it is done in the  Network  Con‐
1886              nections  Panel  by  selecting the ethernet and TAP adapters and
1887              right-clicking on "Bridge Connections".
1888
1889              Next you you must manually set  the  IP/netmask  on  the  bridge
1890              interface.     The    gateway    and   netmask   parameters   to
1891              --server-bridge can be set  to  either  the  IP/netmask  of  the
1892              bridge  interface,  or  the  IP/netmask  of  the  default  gate‐
1893              way/router on the bridged subnet.
1894
1895              Finally, set aside a IP range in the bridged subnet, denoted  by
1896              pool-start-IP  and  pool-end-IP, for OpenVPN to allocate to con‐
1897              necting clients.
1898
1899              For example,  server-bridge  10.8.0.4  255.255.255.0  10.8.0.128
1900              10.8.0.254 expands as follows:
1901
1902                  mode server
1903                  tls-server
1904
1905                  ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1906                  push "route-gateway 10.8.0.4"
1907
1908              In another example, --server-bridge (without parameters) expands
1909              as follows:
1910
1911                  mode server
1912                  tls-server
1913
1914                  push "route-gateway dhcp"
1915
1916              Or --server-bridge nogw expands as follows:
1917
1918                  mode server
1919                  tls-server
1920
1921       --push option
1922              Push a config file option back to the client for  remote  execu‐
1923              tion.   Note that option must be enclosed in double quotes ("").
1924              The client must specify --pull in its config file.  The  set  of
1925              options  which  can be pushed is limited by both feasibility and
1926              security.  Some  options  such  as  those  which  would  execute
1927              scripts are banned, since they would effectively allow a compro‐
1928              mised server to execute arbitrary code  on  the  client.   Other
1929              options  such  as TLS or MTU parameters cannot be pushed because
1930              the client needs to know  them  before  the  connection  to  the
1931              server can be initiated.
1932
1933              This is a partial list of options which can currently be pushed:
1934              --route,  --route-gateway,  --route-delay,   --redirect-gateway,
1935              --ip-win32,   --dhcp-option,  --inactive,  --ping,  --ping-exit,
1936              --ping-restart, --setenv,  --auth-token,  --persist-key,  --per‐
1937              sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1938
1939       --push-reset
1940              Don't  inherit  the  global  push  list  for  a  specific client
1941              instance.  Specify this option in a client-specific context such
1942              as  with  a --client-config-dir configuration file.  This option
1943              will ignore --push options at the global config file level.
1944
1945       --push-remove opt
1946              selectively remove all --push options matching  "opt"  from  the
1947              option  list  for  a  client.   "opt"  is matched as a substring
1948              against the whole option string to-be-pushed to the  client,  so
1949              --push-remove  route  would  remove  all  --push  route ...  and
1950              --push   route-ipv6   ...    statements,   while   --push-remove
1951              'route-ipv6  2001:'  would  only remove IPv6 routes for 2001:...
1952              networks.
1953
1954              --push-remove can only be used  in  a  client-specific  context,
1955              like  in  a --client-config-dir file, or --client-connect script
1956              or plugin -- similar to --push-reset, just more selective.
1957
1958              NOTE: to change an option, --push-remove can be  used  to  first
1959              remove  the old value, and then add a new --push option with the
1960              new value.
1961
1962       --push-peer-info
1963              Push additional information about the  client  to  server.   The
1964              following data is always pushed to the server:
1965
1966              IV_VER=<version> -- the client OpenVPN version
1967
1968              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]   --  the
1969              client OS platform
1970
1971              IV_LZO_STUB=1 -- if client was built with LZO stub capability
1972
1973              IV_LZ4=1 -- if the client supports LZ4 compressions.
1974
1975              IV_PROTO=2 -- if the client supports peer-id floating mechansim
1976
1977              IV_NCP=2 -- negotiable ciphers, client supports --cipher  pushed
1978              by the server, a value of 2 or greater indicates client supports
1979              AES-GCM-128 and AES-GCM-256.
1980
1981              IV_GUI_VER=<gui_id> <version> -- the UI version of a UI  if  one
1982              is  running,  for  example  "de.blinkt.openvpn  0.5.47"  for the
1983              Android app.
1984
1985              When --push-peer-info is enabled the additional information con‐
1986              sists of the following data:
1987
1988              IV_HWADDR=<mac  address>  --  the MAC address of clients default
1989              gateway
1990
1991              IV_SSL=<version string> -- the ssl version used by  the  client,
1992              e.g. "OpenSSL 1.0.2f 28 Jan 2016".
1993
1994              IV_PLAT_VER=x.y  - the version of the operating system, e.g. 6.1
1995              for Windows 7.
1996
1997              UV_<name>=<value> -- client environment  variables  whose  names
1998              start with "UV_"
1999
2000       --disable
2001              Disable a particular client (based on the common name) from con‐
2002              necting.  Don't use this option to disable a client due  to  key
2003              or password compromise.  Use a CRL (certificate revocation list)
2004              instead (see the --crl-verify option).
2005
2006              This option must be associated with a specific client  instance,
2007              which  means  that  it  must  be  specified  either  in a client
2008              instance config file using  --client-config-dir  or  dynamically
2009              generated using a --client-connect script.
2010
2011       --ifconfig-pool start-IP end-IP [netmask]
2012              Set  aside a pool of subnets to be dynamically allocated to con‐
2013              necting clients, similar to a DHCP server.  For  tun-style  tun‐
2014              nels, each client will be given a /30 subnet (for interoperabil‐
2015              ity with Windows clients).  For  tap-style  tunnels,  individual
2016              addresses  will be allocated, and the optional netmask parameter
2017              will also be pushed to clients.
2018
2019
2020       --ifconfig-pool-persist file [seconds]
2021              Persist/unpersist ifconfig-pool data to file, at seconds  inter‐
2022              vals (default=600), as well as on program startup and shutdown.
2023
2024              The  goal  of  this option is to provide a long-term association
2025              between clients (denoted by their common name) and  the  virtual
2026              IP address assigned to them from the ifconfig-pool.  Maintaining
2027              a long-term association is good for clients  because  it  allows
2028              them to effectively use the --persist-tun option.
2029
2030              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
2031              mon-Name>,<IP-address>.
2032
2033              If seconds = 0, file will be treated as read-only.  This is use‐
2034              ful if you would like to treat file as a configuration file.
2035
2036              Note  that  the  entries  in this file are treated by OpenVPN as
2037              suggestions only, based on past associations  between  a  common
2038              name  and IP address.  They do not guarantee that the given com‐
2039              mon name will always receive the given IP address.  If you  want
2040              guaranteed assignment, use --ifconfig-push
2041
2042
2043       --ifconfig-pool-linear
2044              DEPRECATED This option will be removed in OpenVPN 2.5
2045
2046              Modifies  the  --ifconfig-pool  directive to allocate individual
2047              TUN interface addresses for clients  rather  than  /30  subnets.
2048              NOTE:  This option is incompatible with Windows clients.
2049
2050              This  option is deprecated, and should be replaced with --topol‐
2051              ogy p2p which is functionally equivalent.
2052
2053       --ifconfig-push local remote-netmask [alias]
2054              Push virtual IP endpoints  for  client  tunnel,  overriding  the
2055              --ifconfig-pool dynamic allocation.
2056
2057              The parameters local and remote-netmask are set according to the
2058              --ifconfig directive which you want to  execute  on  the  client
2059              machine  to  configure  the remote end of the tunnel.  Note that
2060              the parameters local and remote-netmask are from the perspective
2061              of  the  client,  not  the server.  They may be DNS names rather
2062              than IP addresses, in which case they will be  resolved  on  the
2063              server at the time of client connection.
2064
2065              The  optional  alias  parameter  may  be used in cases where NAT
2066              causes the client view of its local endpoint to differ from  the
2067              server  view.   In  this case local/remote-netmask will refer to
2068              the server view while alias/remote-netmask  will  refer  to  the
2069              client view.
2070
2071              This  option must be associated with a specific client instance,
2072              which means that  it  must  be  specified  either  in  a  client
2073              instance  config  file  using --client-config-dir or dynamically
2074              generated using a --client-connect script.
2075
2076              Remember also to include a --route directive in the main OpenVPN
2077              config  file  which encloses local, so that the kernel will know
2078              to route it to the server's TUN/TAP interface.
2079
2080              OpenVPN's internal client IP address selection  algorithm  works
2081              as follows:
2082
2083              1  --  Use  --client-connect script generated file for static IP
2084              (first choice).
2085              2 -- Use --client-config-dir file for static IP (next choice).
2086              3  --  Use  --ifconfig-pool  allocation  for  dynamic  IP  (last
2087              choice).
2088
2089       --iroute network [netmask]
2090              Generate  an  internal  route  to a specific client. The netmask
2091              parameter, if omitted, defaults to 255.255.255.255.
2092
2093              This directive can be used to route  a  fixed  subnet  from  the
2094              server to a particular client, regardless of where the client is
2095              connecting from.  Remember that you must also add the  route  to
2096              the  system  routing table as well (such as by using the --route
2097              directive).  The reason why two routes are needed  is  that  the
2098              --route  directive routes the packet from the kernel to OpenVPN.
2099              Once in OpenVPN, the --iroute directive routes to  the  specific
2100              client.
2101
2102              This option must be specified either in a client instance config
2103              file using --client-config-dir or dynamically generated using  a
2104              --client-connect script.
2105
2106              The  --iroute  directive  also has an important interaction with
2107              --push "route ...".  --iroute essentially defines a subnet which
2108              is  owned  by  a particular client (we will call this client A).
2109              If you would like other clients to be able to reach A's  subnet,
2110              you can use --push "route ..."  together with --client-to-client
2111              to effect this.  In order for all clients  to  see  A's  subnet,
2112              OpenVPN  must push this route to all clients EXCEPT for A, since
2113              the subnet is already owned by A.  OpenVPN accomplishes this  by
2114              not  not  pushing  a  route to a client if it matches one of the
2115              client's iroutes.
2116
2117       --client-to-client
2118              Because the OpenVPN server mode handles multiple clients through
2119              a  single tun or tap interface, it is effectively a router.  The
2120              --client-to-client  flag  tells  OpenVPN  to  internally   route
2121              client-to-client  traffic  rather than pushing all client-origi‐
2122              nating traffic to the TUN/TAP interface.
2123
2124              When this option is used,  each  client  will  "see"  the  other
2125              clients  which  are currently connected.  Otherwise, each client
2126              will only see the server.  Don't use this option if you want  to
2127              firewall tunnel traffic using custom, per-client rules.
2128
2129       --duplicate-cn
2130              Allow multiple clients with the same common name to concurrently
2131              connect.  In the absence of this option, OpenVPN will disconnect
2132              a  client  instance  upon  connection of a new client having the
2133              same common name.
2134
2135       --client-connect cmd
2136              Run command cmd on client connection.
2137
2138              cmd consists of  a  path  to  script  (or  executable  program),
2139              optionally  followed by arguments. The path and arguments may be
2140              single- or double-quoted and/or escaped using a  backslash,  and
2141              should be separated by one or more spaces.
2142
2143              The  command  is  passed  the  common name and IP address of the
2144              just-authenticated client as environmental variables (see  envi‐
2145              ronmental  variable  section below).  The command is also passed
2146              the pathname of a freshly created temporary  file  as  the  last
2147              argument  (after any arguments specified in cmd ), to be used by
2148              the command to pass dynamically generated config file directives
2149              back to OpenVPN.
2150
2151              If  the  script  wants  to  generate a dynamic config file to be
2152              applied on the server when the client connects, it should  write
2153              it to the file named by the last argument.
2154
2155              See  the  --client-config-dir option below for options which can
2156              be legally used in a dynamically generated config file.
2157
2158              Note that the return value of script is significant.  If  script
2159              returns  a non-zero error status, it will cause the client to be
2160              disconnected.
2161
2162       --client-disconnect cmd
2163              Like --client-connect but called on  client  instance  shutdown.
2164              Will  not be called unless the --client-connect script and plug‐
2165              ins (if defined) were previously called on  this  instance  with
2166              successful (0) status returns.
2167
2168              The exception to this rule is if the --client-disconnect command
2169              or plugins are cascaded, and at least one  client-connect  func‐
2170              tion  succeeded, then ALL of the client-disconnect functions for
2171              scripts and plugins will be called  on  client  instance  object
2172              deletion, even in cases where some of the related client-connect
2173              functions returned an error status.
2174
2175              The --client-disconnect command is passed the same  pathname  as
2176              the corresponding --client-connect command as its last argument.
2177              (after any arguments specified in cmd ).
2178
2179       --client-config-dir dir
2180              Specify a directory dir for custom client config files.  After a
2181              connecting  client  has been authenticated, OpenVPN will look in
2182              this directory for a file having the same name as  the  client's
2183              X509  common name.  If a matching file exists, it will be opened
2184              and parsed for client-specific  configuration  options.   If  no
2185              matching  file  is  found,  OpenVPN will instead try to open and
2186              parse a default file called "DEFAULT", which may be provided but
2187              is not required. Note that the configuration files must be read‐
2188              able by the OpenVPN process after it has dropped it's root priv‐
2189              ileges.
2190
2191              This  file  can  specify  a  fixed IP address for a given client
2192              using --ifconfig-push, as well as fixed  subnets  owned  by  the
2193              client using --iroute.
2194
2195              One  of  the  useful properties of this option is that it allows
2196              client configuration files to be conveniently  created,  edited,
2197              or  removed while the server is live, without needing to restart
2198              the server.
2199
2200              The following options are legal in  a  client-specific  context:
2201              --push,  --push-reset, --push-remove, --iroute, --ifconfig-push,
2202              and --config.
2203
2204       --ccd-exclusive
2205              Require, as a condition of  authentication,  that  a  connecting
2206              client has a --client-config-dir file.
2207
2208       --tmp-dir dir
2209              Specify  a  directory  dir  for temporary files.  This directory
2210              will be used by openvpn processes and script to communicate tem‐
2211              porary  data  with openvpn main process. Note that the directory
2212              must be writable by the OpenVPN process  after  it  has  dropped
2213              it's root privileges.
2214
2215              This directory will be used by in the following cases:
2216
2217              *  --client-connect  scripts to dynamically generate client-spe‐
2218              cific configuration files.
2219
2220              * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  plugin  hook  to  return
2221              success/failure  via  auth_control_file when using deferred auth
2222              method
2223
2224              * OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass  filtering  rules
2225              via pf_file
2226
2227       --hash-size r v
2228              Set the size of the real address hash table to r and the virtual
2229              address table to v.  By default, both tables are  sized  at  256
2230              buckets.
2231
2232       --bcast-buffers n
2233              Allocate n buffers for broadcast datagrams (default=256).
2234
2235       --tcp-queue-limit n
2236              Maximum number of output packets queued before TCP (default=64).
2237
2238              When OpenVPN is tunneling data from a TUN/TAP device to a remote
2239              client over a TCP connection, it is possible  that  the  TUN/TAP
2240              device  might produce data at a faster rate than the TCP connec‐
2241              tion can support.  When the  number  of  output  packets  queued
2242              before  sending to the TCP socket reaches this limit for a given
2243              client connection, OpenVPN will start to drop  outgoing  packets
2244              directed at this client.
2245
2246       --tcp-nodelay
2247              This  macro  sets  the  TCP_NODELAY socket flag on the server as
2248              well as pushes it to connecting clients.  The  TCP_NODELAY  flag
2249              disables  the  Nagle algorithm on TCP sockets causing packets to
2250              be transmitted immediately with low latency, rather than waiting
2251              a  short  period  of  time in order to aggregate several packets
2252              into a larger containing packet.  In VPN applications over  TCP,
2253              TCP_NODELAY is generally a good latency optimization.
2254
2255              The macro expands as follows:
2256
2257                   if mode server:
2258                     socket-flags TCP_NODELAY
2259                     push "socket-flags TCP_NODELAY"
2260
2261       --max-clients n
2262              Limit server to a maximum of n concurrent clients.
2263
2264       --max-routes-per-client n
2265              Allow  a  maximum of n internal routes per client (default=256).
2266              This is designed to help contain DoS attacks where an  authenti‐
2267              cated  client  floods  the server with packets appearing to come
2268              from many unique MAC addresses, forcing the  server  to  deplete
2269              virtual  memory  as  its  internal  routing table expands.  This
2270              directive can be used in a --client-config-dir file or auto-gen‐
2271              erated by a --client-connect script to override the global value
2272              for a particular client.
2273
2274              Note that this directive affects OpenVPN's internal routing  ta‐
2275              ble, not the kernel routing table.
2276
2277       --stale-routes-check n [t]
2278              Remove  routes haven't had activity for n seconds (i.e. the age‐
2279              ing time).
2280
2281              This check is ran every t seconds (i.e. check interval).
2282
2283              If t is not present it defaults to n
2284
2285              This option helps to keep the dynamic routing table small.   See
2286              also --max-routes-per-client
2287
2288       --connect-freq n sec
2289              Allow  a  maximum  of  n  new  connections  per sec seconds from
2290              clients.  This is designed to contain DoS  attacks  which  flood
2291              the  server  with  connection  requests using certificates which
2292              will ultimately fail to authenticate.
2293
2294              This is an imperfect solution however, because  in  a  real  DoS
2295              scenario, legitimate connections might also be refused.
2296
2297              For  the best protection against DoS attacks in server mode, use
2298              --proto udp and either --tls-auth or --tls-crypt.
2299
2300       --learn-address cmd
2301              Run command cmd to validate client virtual addresses or routes.
2302
2303              cmd consists of  a  path  to  script  (or  executable  program),
2304              optionally  followed by arguments. The path and arguments may be
2305              single- or double-quoted and/or escaped using a  backslash,  and
2306              should be separated by one or more spaces.
2307
2308              Three arguments will be appended to any arguments in cmd as fol‐
2309              lows:
2310
2311              [1] operation -- "add", "update", or "delete" based  on  whether
2312              or  not the address is being added to, modified, or deleted from
2313              OpenVPN's internal routing table.
2314              [2] address -- The address being learned or unlearned.  This can
2315              be  an IPv4 address such as "198.162.10.14", an IPv4 subnet such
2316              as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
2317              is being used) such as "00:FF:01:02:03:04".
2318              [3] common name -- The common name on the certificate associated
2319              with the client linked to this address.  Only present for  "add"
2320              or "update" operations, not "delete".
2321
2322              On  "add"  or  "update" methods, if the script returns a failure
2323              code (non-zero), OpenVPN will reject the address  and  will  not
2324              modify its internal routing table.
2325
2326              Normally, the cmd script will use the information provided above
2327              to set appropriate firewall entries on the  VPN  TUN/TAP  inter‐
2328              face.  Since OpenVPN provides the association between virtual IP
2329              or MAC address and the client's authenticated  common  name,  it
2330              allows  a user-defined script to configure firewall access poli‐
2331              cies with regard to the client's high-level common name,  rather
2332              than the low level client virtual addresses.
2333
2334       --auth-user-pass-verify cmd method
2335              Require  the  client to provide a username/password (possibly in
2336              addition to a client certificate) for authentication.
2337
2338              OpenVPN will run command cmd to validate  the  username/password
2339              provided by the client.
2340
2341              cmd  consists  of  a  path  to  script  (or executable program),
2342              optionally followed by arguments. The path and arguments may  be
2343              single-  or  double-quoted and/or escaped using a backslash, and
2344              should be separated by one or more spaces.
2345
2346              If method is set to "via-env", OpenVPN will call script with the
2347              environmental  variables  username and password set to the user‐
2348              name/password strings provided by the  client.   Be  aware  that
2349              this  method  is insecure on some platforms which make the envi‐
2350              ronment of a process publicly visible to other unprivileged pro‐
2351              cesses.
2352
2353              If  method is set to "via-file", OpenVPN will write the username
2354              and password to the first two lines of a  temporary  file.   The
2355              filename  will  be passed as an argument to script, and the file
2356              will be  automatically  deleted  by  OpenVPN  after  the  script
2357              returns.   The  location  of the temporary file is controlled by
2358              the --tmp-dir option, and will default to the current  directory
2359              if  unspecified.   For security, consider setting --tmp-dir to a
2360              volatile storage medium such as /dev/shm (if available) to  pre‐
2361              vent the username/password file from touching the hard drive.
2362
2363              The script should examine the username and password, returning a
2364              success exit code (0) if the client's authentication request  is
2365              to be accepted, or a failure code (1) to reject the client.
2366
2367              This  directive  is  designed to enable a plugin-style interface
2368              for extending OpenVPN's authentication capabilities.
2369
2370              To protect against a client passing a maliciously  formed  user‐
2371              name  or  password string, the username string must consist only
2372              of these characters: alphanumeric, underbar ('_'),  dash  ('-'),
2373              dot  ('.'), or at ('@').  The password string can consist of any
2374              printable characters except for CR or LF.  Any  illegal  charac‐
2375              ters in either the username or password string will be converted
2376              to underbar ('_').
2377
2378              Care must be taken by any user-defined scripts to avoid creating
2379              a  security vulnerability in the way that these strings are han‐
2380              dled.  Never use these strings in such a way that they might  be
2381              escaped or evaluated by a shell interpreter.
2382
2383              For  a  sample script that performs PAM authentication, see sam‐
2384              ple-scripts/auth-pam.pl in the OpenVPN source distribution.
2385
2386       --auth-gen-token [lifetime]
2387              After  successful  user/password  authentication,  the   OpenVPN
2388              server will with this option generate a temporary authentication
2389              token and push that to client.  On the following renegotiations,
2390              the  OpenVPN  client  will  pass this token instead of the users
2391              password.  On the server side  the  server  will  do  the  token
2392              authentication  internally  and  it  will  NOT do any additional
2393              authentications  against   configured   external   user/password
2394              authentication mechanisms.
2395
2396              The  lifetime  argument  defines how long the generated token is
2397              valid.  The lifetime is defined in seconds.  If lifetime is  not
2398              set or it is set to 0, the token will never expire.
2399
2400              This  feature  is useful for environments which is configured to
2401              use One Time  Passwords  (OTP)  as  part  of  the  user/password
2402              authentications  and  that  authentication  mechanism  does  not
2403              implement any auth-token support.
2404
2405       --opt-verify
2406              Clients that connect with options  that  are  incompatible  with
2407              those of the server will be disconnected.
2408
2409              Options   that   will  be  compared  for  compatibility  include
2410              dev-type, link-mtu, tun-mtu, proto,  ifconfig,  comp-lzo,  frag‐
2411              ment,  keydir,  cipher, auth, keysize, secret, no-replay, no-iv,
2412              tls-auth, key-method, tls-server, and tls-client.
2413
2414              This option requires that --disable-occ NOT be used.
2415
2416       --auth-user-pass-optional
2417              Allow connections  by  clients  that  do  not  specify  a  user‐
2418              name/password.  Normally, when --auth-user-pass-verify or --man‐
2419              agement-client-auth is specified (or  an  authentication  plugin
2420              module),  the  OpenVPN  server  daemon  will  require connecting
2421              clients to specify a username and password.  This  option  makes
2422              the submission of a username/password by clients optional, pass‐
2423              ing the responsibility to the user-defined  authentication  mod‐
2424              ule/script  to  accept or deny the client based on other factors
2425              (such as the setting of X509  certificate  fields).   When  this
2426              option  is used, and a connecting client does not submit a user‐
2427              name/password,  the  user-defined  authentication  module/script
2428              will see the username and password as being set to empty strings
2429              ("").  The  authentication  module/script  MUST  have  logic  to
2430              detect this condition and respond accordingly.
2431
2432       --client-cert-not-required
2433              DEPRECATED This option will be removed in OpenVPN 2.5
2434
2435              Don't require client certificate, client will authenticate using
2436              username/password only.  Be aware that using this  directive  is
2437              less secure than requiring certificates from all clients.
2438
2439              Please  note:  This  is  replaced  by --verify-client-cert which
2440              allows for more  flexibility.  The  option  --verify-client-cert
2441              none is functionally equivalent to --client-cert-not-required
2442
2443
2444       --verify-client-cert none|optional|require
2445              Specify  whether  the  client is required to supply a valid cer‐
2446              tificate.
2447
2448              Possible options are
2449
2450              none : a client certificate is not required. the client need  to
2451              authenticate  using username/password only.  Be aware that using
2452              this directive is less secure than requiring  certificates  from
2453              all clients.
2454
2455              If  you use this directive, the entire responsibility of authen‐
2456              tication will rest on your  --auth-user-pass-verify  script,  so
2457              keep  in mind that bugs in your script could potentially compro‐
2458              mise the security of your VPN.
2459
2460              --verify-client-cert  none   is   functionally   equivalent   to
2461              --client-cert-not-required.
2462
2463              optional  :  a  client  may  present a certificate but it is not
2464              required to do so.  When using this directive, you  should  also
2465              use  a --auth-user-pass-verify script to ensure that clients are
2466              authenticated using a certificate, a username and  password,  or
2467              possibly even both.
2468
2469              Again,  the entire responsibility of authentication will rest on
2470              your --auth-user-pass-verify script, so keep in mind  that  bugs
2471              in your script could potentially compromise the security of your
2472              VPN.
2473
2474              require : this is the default option. A client  is  required  to
2475              present a certificate, otherwise VPN access is refused.
2476
2477              If  you  don't  use  this directive (or use --verify-client-cert
2478              require  )  but  you  also  specify  an  --auth-user-pass-verify
2479              script,  then  OpenVPN  will perform double authentication.  The
2480              client certificate verification AND the  --auth-user-pass-verify
2481              script  will need to succeed in order for a client to be authen‐
2482              ticated and accepted onto the VPN.
2483
2484       --username-as-common-name
2485              For --auth-user-pass-verify authentication,  use  the  authenti‐
2486              cated  username  as the common name, rather than the common name
2487              from the client cert.
2488
2489       --compat-names [no-remapping]
2490              DEPRECATED This option will be removed in OpenVPN 2.5
2491
2492              Until OpenVPN v2.3 the format of the X.509  Subject  fields  was
2493              formatted like this:
2494
2495              /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
2496
2497              In  addition  the old behaviour was to remap any character other
2498              than alphanumeric, underscore ('_'), dash ('-'), dot ('.'),  and
2499              slash  ('/')  to  underscore ('_').  The X.509 Subject string as
2500              returned by the tls_id environmental variable,  could  addition‐
2501              ally contain colon (':') or equal ('=').
2502
2503              When  using  the  --compat-names option, this old formatting and
2504              remapping will be re-enabled again.  This is purely  implemented
2505              for  compatibility  reasons when using older plug-ins or scripts
2506              which does not handle the new formatting or UTF-8 characters.
2507
2508              In OpenVPN 2.3 the formatting of these  fields  changed  into  a
2509              more standardised format.  It now looks like:
2510
2511              C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
2512
2513              The new default format in OpenVPN 2.3 also does not do the char‐
2514              acter remapping which happened earlier.  This new format enables
2515              proper support for UTF-8 characters in the usernames, X.509 Sub‐
2516              ject fields and Common Name variables and it complies to the RFC
2517              2253, UTF-8 String Representation of Distinguished Names.
2518
2519              The  no-remapping  mode flag can be used with the --compat-names
2520              option to be compatible with the now deprecated --no-name-remap‐
2521              ping option.  It is only available at the server. When this mode
2522              flag is used, the Common Name, Subject, and username strings are
2523              allowed  to include any printable character including space, but
2524              excluding control characters such  as  tab,  newline,  and  car‐
2525              riage-return. no-remapping is only available on the server side.
2526
2527              Please  note: This option is immediately deprecated.  It is only
2528              implemented to make the transition to the  new  formatting  less
2529              intrusive.  It will be removed in OpenVPN 2.5.  So please update
2530              your scripts/plug-ins where necessary.
2531
2532       --no-name-remapping
2533              DEPRECATED This option will be removed in OpenVPN 2.5
2534
2535              The  --no-name-remapping  option  is   an   alias   for   --com‐
2536              pat-names no-remapping.   It  ensures  compatibility with server
2537              configurations using the --no-name-remapping option.
2538
2539              Please note: This option is now deprecated.  It will be  removed
2540              in  OpenVPN  2.5.  So please make sure you support the new X.509
2541              name formatting described with the --compat-names option as soon
2542              as possible.
2543
2544       --port-share host port [dir]
2545              When run in TCP server mode, share the OpenVPN port with another
2546              application, such as an HTTPS server.  If OpenVPN senses a  con‐
2547              nection  to  its  port which is using a non-OpenVPN protocol, it
2548              will proxy the connection to the server at host:port.  Currently
2549              only  designed to work with HTTP/HTTPS, though it would be theo‐
2550              retically possible to extend to other protocols such as ssh.
2551
2552              dir specifies an optional directory where a temporary file  with
2553              name  N  containing  content C will be dynamically generated for
2554              each proxy connection, where N is  the  source  IP:port  of  the
2555              client  connection and C is the source IP:port of the connection
2556              to the proxy receiver.  This directory can be used as a  dictio‐
2557              nary  by  the proxy receiver to determine the origin of the con‐
2558              nection.  Each generated file will be automatically deleted when
2559              the proxied connection is torn down.
2560
2561              Not implemented on Windows.
2562
2563   Client Mode
2564       Use  client  mode  when  connecting  to  an  OpenVPN  server  which has
2565       --server, --server-bridge, or --mode server in it's configuration.
2566
2567       --client
2568              A helper directive designed to  simplify  the  configuration  of
2569              OpenVPN's client mode.  This directive is equivalent to:
2570
2571                   pull
2572                   tls-client
2573
2574       --pull This  option  must  be used on a client which is connecting to a
2575              multi-client server.  It indicates to  OpenVPN  that  it  should
2576              accept  options  pushed by the server, provided they are part of
2577              the legal set of pushable options (note that the  --pull  option
2578              is implied by --client ).
2579
2580              In  particular,  --pull  allows the server to push routes to the
2581              client, so you should not use --pull or --client  in  situations
2582              where  you  don't  trust  the  server  to  have control over the
2583              client's routing table.
2584
2585       --pull-filter accept|ignore|reject text
2586              Filter options received from the server  if  the  option  starts
2587              with  text.   Runs  on client. The action flag accept allows the
2588              option, ignore removes it and reject flags an error and triggers
2589              a SIGUSR1 restart.  The filters may be specified multiple times,
2590              and each filter is applied in the order  it  is  specified.  The
2591              filtering  of  each  option  stops  as soon as a match is found.
2592              Unmatched options are accepted by default.
2593
2594              Prefix comparison is used to match  text  against  the  received
2595              option so that
2596
2597                  --pull-filter ignore "route"
2598
2599              would  remove all pushed options starting with route which would
2600              include, for example, route-gateway.  Enclose text in quotes  to
2601              embed spaces.
2602
2603                  --pull-filter accept "route 192.168.1."
2604                  --pull-filter ignore "route "
2605
2606              would remove all routes that do not start with 192.168.1.
2607
2608              This  option  may be used only on clients.  Note that reject may
2609              result in a repeated cycle of failure and reconnect, unless mul‐
2610              tiple  remotes  are  specified and connection to the next remote
2611              succeeds. To silently ignore an option pushed by the server, use
2612              ignore.
2613
2614       --auth-user-pass [up]
2615              Authenticate  with server using username/password.  up is a file
2616              containing username/password on 2 lines. If the password line is
2617              missing, OpenVPN will prompt for one.
2618
2619              If  up  is  omitted, username/password will be prompted from the
2620              console.
2621
2622              The server configuration must specify an --auth-user-pass-verify
2623              script to verify the username/password provided by the client.
2624
2625       --auth-retry type
2626              Controls  how OpenVPN responds to username/password verification
2627              errors such as the client-side response to an  AUTH_FAILED  mes‐
2628              sage  from the server or verification failure of the private key
2629              password.
2630
2631              Normally used to prevent auth errors from  being  fatal  on  the
2632              client  side,  and to permit username/password requeries in case
2633              of error.
2634
2635              An AUTH_FAILED message is generated by the server if the  client
2636              fails  --auth-user-pass  authentication,  or  if the server-side
2637              --client-connect script returns an error status when the  client
2638              tries to connect.
2639
2640              type can be one of:
2641
2642              none  --  Client  will  exit  with  a  fatal  error (this is the
2643              default).
2644              nointeract -- Client will retry the connection without  requery‐
2645              ing  for an --auth-user-pass username/password.  Use this option
2646              for unattended clients.
2647              interact -- Client will requery for  an  --auth-user-pass  user‐
2648              name/password  and/or  private  key password before attempting a
2649              reconnection.
2650
2651              Note that while this option cannot be pushed,  it  can  be  con‐
2652              trolled from the management interface.
2653
2654       --static-challenge t e
2655              Enable  static  challenge/response protocol using challenge text
2656              t, with echo flag given by e (0|1).
2657
2658              The echo flag indicates whether or not the  user's  response  to
2659              the challenge should be echoed.
2660
2661              See  management-notes.txt  in  the  OpenVPN  distribution  for a
2662              description of the OpenVPN challenge/response protocol.
2663
2664       --server-poll-timeout n, --connect-timeout n
2665              When connecting to a remote server do not wait for more  than  n
2666              seconds  waiting  for  a response before trying the next server.
2667              The default value is 120s. This timeout includes proxy  and  TCP
2668              connect timeouts.
2669
2670       --explicit-exit-notify [n]
2671              In  UDP  client mode or point-to-point mode, send server/peer an
2672              exit notification if tunnel is restarted or OpenVPN  process  is
2673              exited.   In client mode, on exit/restart, this option will tell
2674              the server to  immediately  close  its  client  instance  object
2675              rather  than waiting for a timeout.  The n parameter (default=1)
2676              controls the maximum number of attempts that the client will try
2677              to resend the exit notification message.
2678
2679              In UDP server mode, send RESTART control channel command to con‐
2680              nected clients. The  n  parameter  (default=1)  controls  client
2681              behavior.  With  n  =  1 client will attempt to reconnect to the
2682              same server, with n = 2 client will advance to the next server.
2683
2684              OpenVPN will not send any exit notifications unless this  option
2685              is enabled.
2686
2687       --allow-recursive-routing
2688              When  this  option  is  set,  OpenVPN will not drop incoming tun
2689              packets with same destination as host.
2690
2691   Data Channel Encryption Options:
2692       These options are meaningful for both Static & TLS-negotiated key modes
2693       (must be compatible between peers).
2694
2695       --secret file [direction]
2696              Enable  Static  Key  encryption  mode (non-TLS).  Use pre-shared
2697              secret file which was generated with --genkey.
2698
2699              The optional direction parameter enables the use of  4  distinct
2700              keys  (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt),
2701              so that each data flow direction has a different set of HMAC and
2702              cipher keys.  This has a number of desirable security properties
2703              including eliminating certain kinds of DoS  and  message  replay
2704              attacks.
2705
2706              When  the  direction parameter is omitted, 2 keys are used bidi‐
2707              rectionally, one for HMAC and the other  for  encryption/decryp‐
2708              tion.
2709
2710              The direction parameter should always be complementary on either
2711              side of the connection, i.e. one side should  use  "0"  and  the
2712              other should use "1", or both sides should omit it altogether.
2713
2714              The  direction  parameter requires that file contains a 2048 bit
2715              key.  While pre-1.5 versions of OpenVPN generate  1024  bit  key
2716              files,  any  version  of  OpenVPN  which  supports the direction
2717              parameter, will also support 2048 bit key file generation  using
2718              the --genkey option.
2719
2720              Static  key  encryption mode has certain advantages, the primary
2721              being ease of configuration.
2722
2723              There are no certificates or certificate authorities or  compli‐
2724              cated  negotiation  handshakes and protocols.  The only require‐
2725              ment is that you have a pre-existing secure  channel  with  your
2726              peer  (such  as  ssh ) to initially copy the key.  This require‐
2727              ment, along with the fact that your key never changes unless you
2728              manually  generate a new one, makes it somewhat less secure than
2729              TLS mode (see below).  If an attacker manages to steal your key,
2730              everything that was ever encrypted with it is compromised.  Con‐
2731              trast that to the perfect forward secrecy features of  TLS  mode
2732              (using  Diffie  Hellman key exchange), where even if an attacker
2733              was able to steal your private key, he would gain no information
2734              to help him decrypt past sessions.
2735
2736              Another  advantageous  aspect  of  Static Key encryption mode is
2737              that it is a handshake-free protocol without any  distinguishing
2738              signature  or  feature  (such  as a header or protocol handshake
2739              sequence) that would mark the ciphertext packets as being gener‐
2740              ated  by  OpenVPN.   Anyone  eavesdropping on the wire would see
2741              nothing but random-looking data.
2742
2743       --key-direction
2744              Alternative way of specifying the optional  direction  parameter
2745              for  the  --tls-auth  and  --secret  options.  Useful when using
2746              inline files (See section on inline files).
2747
2748       --auth alg
2749              Authenticate data channel packets and (if enabled) tls-auth con‐
2750              trol  channel  packets  with HMAC using message digest algorithm
2751              alg.  (The default is SHA1 ).  HMAC is a commonly  used  message
2752              authentication algorithm (MAC) that uses a data string, a secure
2753              hash algorithm, and a key, to produce a digital signature.
2754
2755              The OpenVPN data channel protocol  uses  encrypt-then-mac  (i.e.
2756              first  encrypt  a  packet,  then HMAC the resulting ciphertext),
2757              which prevents padding oracle attacks.
2758
2759              If an AEAD cipher mode  (e.g.  GCM)  is  chosen,  the  specified
2760              --auth  algorithm  is  ignored  for  the  data  channel, and the
2761              authentication method of the AEAD cipher is used instead.   Note
2762              that alg still specifies the digest used for tls-auth.
2763
2764              In  static-key  encryption mode, the HMAC key is included in the
2765              key file generated by --genkey.  In TLS mode, the  HMAC  key  is
2766              dynamically  generated and shared between peers via the TLS con‐
2767              trol channel.  If OpenVPN receives a packet with a bad  HMAC  it
2768              will  drop  the  packet.   HMAC  usually adds 16 or 20 bytes per
2769              packet.  Set alg=none to disable authentication.
2770
2771              For       more       information       on        HMAC        see
2772              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
2773
2774       --cipher alg
2775              Encrypt data channel packets with cipher algorithm alg.
2776
2777              The  default  is  BF-CBC, an abbreviation for Blowfish in Cipher
2778              Block Chaining mode.  When cipher negotiation (NCP) is  allowed,
2779              OpenVPN  2.4 and newer on both client and server side will auto‐
2780              matically  upgrade  to  AES-256-GCM.   See   --ncp-ciphers   and
2781              --ncp-disable for more details on NCP.
2782
2783              Using  BF-CBC  is  no  longer recommended, because of its 64-bit
2784              block size.  This small block size allows attacks based on  col‐
2785              lisions,   as   demonstrated  by  SWEET32.   See  https://commu
2786              nity.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to this,
2787              support  for  BF-CBC,  DES,  CAST5, IDEA and RC2 ciphers will be
2788              removed in OpenVPN 2.6.
2789
2790              To see other ciphers that are available with  OpenVPN,  use  the
2791              --show-ciphers option.
2792
2793              Set alg=none to disable encryption.
2794
2795
2796       --ncp-ciphers cipher_list
2797              Restrict  the allowed ciphers to be negotiated to the ciphers in
2798              cipher_list.  cipher_list is a colon-separated list of  ciphers,
2799              and defaults to "AES-256-GCM:AES-128-GCM".
2800
2801              For servers, the first cipher from cipher_list will be pushed to
2802              clients that support cipher negotiation.
2803
2804              Cipher negotiation is enabled in client-server mode only.   I.e.
2805              if  --mode  is  set to 'server' (server-side, implied by setting
2806              --server ), or if --pull is specified (client-side,  implied  by
2807              setting --client).
2808
2809              If  both  peers  support  and do not disable NCP, the negotiated
2810              cipher will override the cipher specified by --cipher.
2811
2812              Additionally, to allow for more smooth  transition,  if  NCP  is
2813              enabled,  OpenVPN  will  inherit  the cipher of the peer if that
2814              cipher is different from the local  --cipher  setting,  but  the
2815              peer  cipher  is  one of the ciphers specified in --ncp-ciphers.
2816              E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set)  con‐
2817              necting  to  a  NCP  server  (v2.4+)  with "--cipher BF-CBC" and
2818              "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can  either  specify
2819              "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.
2820
2821
2822       --ncp-disable
2823              Disable  "negotiable  crypto  parameters".  This completely dis‐
2824              ables cipher negotiation.
2825
2826       --keysize n
2827              DEPRECATED This option will be removed in OpenVPN 2.6.
2828
2829              Size of cipher key in bits (optional).  If unspecified, defaults
2830              to  cipher-specific  default.   The  --show-ciphers  option (see
2831              below) shows all available OpenSSL ciphers,  their  default  key
2832              sizes,  and  whether  the  key size can be changed.  Use care in
2833              changing a cipher's default key size.   Many  ciphers  have  not
2834              been  extensively  cryptanalyzed  with non-standard key lengths,
2835              and a larger key may offer no real guarantee  of  greater  secu‐
2836              rity, or may even reduce security.
2837
2838       --prng alg [nsl]
2839              (Advanced) For PRNG (Pseudo-random number generator), use digest
2840              algorithm alg (default=sha1), and set nsl  (default=16)  to  the
2841              size in bytes of the nonce secret length (between 16 and 64).
2842
2843              Set  alg=none to disable the PRNG and use the OpenSSL RAND_bytes
2844              function instead  for  all  of  OpenVPN's  pseudo-random  number
2845              needs.
2846
2847       --engine [engine-name]
2848              Enable OpenSSL hardware-based crypto engine functionality.
2849
2850              If  engine-name is specified, use a specific crypto engine.  Use
2851              the --show-engines standalone option to list the crypto  engines
2852              which are supported by OpenSSL.
2853
2854       --no-replay
2855              DEPRECATED This option will be removed in OpenVPN 2.5.
2856
2857              (Advanced)  Disable OpenVPN's protection against replay attacks.
2858              Don't use this option unless you are prepared to make a tradeoff
2859              of greater efficiency in exchange for less security.
2860
2861              OpenVPN provides datagram replay protection by default.
2862
2863              Replay protection is accomplished by tagging each outgoing data‐
2864              gram with an identifier that is guaranteed to be unique for  the
2865              key  being used.  The peer that receives the datagram will check
2866              for the uniqueness of the identifier.   If  the  identifier  was
2867              already  received  in a previous datagram, OpenVPN will drop the
2868              packet.  Replay protection is important to defeat  attacks  such
2869              as  a  SYN flood attack, where the attacker listens in the wire,
2870              intercepts a TCP SYN packet (identifying it by  the  context  in
2871              which  it  occurs in relation to other packets), then floods the
2872              receiving peer with copies of this packet.
2873
2874              OpenVPN's replay protection is implemented in slightly different
2875              ways, depending on the key management mode you have selected.
2876
2877              In  Static  Key  mode  or  when using an CFB or OFB mode cipher,
2878              OpenVPN uses a 64 bit unique identifier  that  combines  a  time
2879              stamp with an incrementing sequence number.
2880
2881              When  using  TLS  mode  for  key exchange and a CBC cipher mode,
2882              OpenVPN uses only a 32 bit sequence number without a time stamp,
2883              since  OpenVPN  can  guarantee  the uniqueness of this value for
2884              each key.  As in IPSec, if the sequence number is close to wrap‐
2885              ping back to zero, OpenVPN will trigger a new key exchange.
2886
2887              To  check for replays, OpenVPN uses the sliding window algorithm
2888              used by IPSec.
2889
2890       --replay-window n [t]
2891              Use a replay protection sliding-window of size n and a time win‐
2892              dow of t seconds.
2893
2894              By default n is 64 (the IPSec default) and t is 15 seconds.
2895
2896              This  option  is  only  relevant  in UDP mode, i.e.  when either
2897              --proto udp is specified, or no --proto option is specified.
2898
2899              When OpenVPN tunnels IP packets over UDP, there is the possibil‐
2900              ity  that  packets  might  be dropped or delivered out of order.
2901              Because OpenVPN, like IPSec, is emulating the  physical  network
2902              layer,  it will accept an out-of-order packet sequence, and will
2903              deliver such packets in the same order they were received to the
2904              TCP/IP  protocol  stack,  provided  they  satisfy  several  con‐
2905              straints.
2906
2907              (a) The packet cannot be a replay (unless --no-replay is  speci‐
2908              fied, which disables replay protection altogether).
2909
2910              (b)  If  a packet arrives out of order, it will only be accepted
2911              if the difference between its sequence number  and  the  highest
2912              sequence number received so far is less than n.
2913
2914              (c)  If  a packet arrives out of order, it will only be accepted
2915              if it arrives no later than t seconds after any packet  contain‐
2916              ing a higher sequence number.
2917
2918              If  you  are using a network link with a large pipeline (meaning
2919              that the product of bandwidth and latency is high), you may want
2920              to  use  a  larger  value  for n.  Satellite links in particular
2921              often require this.
2922
2923              If you run OpenVPN  at  --verb  4,  you  will  see  the  message
2924              "Replay-window  backtrack  occurred  [x]" every time the maximum
2925              sequence number backtrack seen thus far increases.  This can  be
2926              used to calibrate n.
2927
2928              There  is some controversy on the appropriate method of handling
2929              packet reordering at the security layer.
2930
2931              Namely, to what extent should the  security  layer  protect  the
2932              encapsulated protocol from attacks which masquerade as the kinds
2933              of normal packet loss and reordering that  occur  over  IP  net‐
2934              works?
2935
2936              The  IPSec  and  OpenVPN  approach is to allow packet reordering
2937              within a certain fixed sequence number window.
2938
2939              OpenVPN adds to the IPSec model by limiting the window  size  in
2940              time as well as sequence space.
2941
2942              OpenVPN  also  adds  TCP  transport as an option (not offered by
2943              IPSec) in which case OpenVPN can adopt a  very  strict  attitude
2944              towards message deletion and reordering:  Don't allow it.  Since
2945              TCP guarantees reliability, any packet loss or reordering  event
2946              can be assumed to be an attack.
2947
2948              In  this  sense, it could be argued that TCP tunnel transport is
2949              preferred when tunneling non-IP  or  UDP  application  protocols
2950              which  might  be  vulnerable to a message deletion or reordering
2951              attack which falls within the normal operational  parameters  of
2952              IP networks.
2953
2954              So  I  would  make  the statement that one should never tunnel a
2955              non-IP protocol or UDP application protocol  over  UDP,  if  the
2956              protocol might be vulnerable to a message deletion or reordering
2957              attack that falls within the normal operating parameters of what
2958              is  to  be  expected from the physical IP layer.  The problem is
2959              easily fixed by simply using TCP as the VPN transport layer.
2960
2961       --mute-replay-warnings
2962              Silence the output of replay warnings, which are a common  false
2963              alarm  on  WiFi networks.  This option preserves the security of
2964              the replay protection code without the verbosity associated with
2965              warnings about duplicate packets.
2966
2967       --replay-persist file
2968              Persist  replay-protection  state  across sessions using file to
2969              save and reload the state.
2970
2971              This option will strengthen protection against  replay  attacks,
2972              especially when you are using OpenVPN in a dynamic context (such
2973              as with --inetd) when OpenVPN sessions  are  frequently  started
2974              and stopped.
2975
2976              This  option will keep a disk copy of the current replay protec‐
2977              tion state (i.e. the most recent packet timestamp  and  sequence
2978              number  received  from  the  remote peer), so that if an OpenVPN
2979              session is stopped and restarted, it will reject any replays  of
2980              packets which were already received by the prior session.
2981
2982              This  option  only makes sense when replay protection is enabled
2983              (the default) and you are using either  --secret  (shared-secret
2984              key mode) or TLS mode with --tls-auth.
2985
2986       --no-iv
2987              DEPRECATED This option will be removed in OpenVPN 2.5.
2988
2989              (Advanced)  Disable  OpenVPN's  use of IV (cipher initialization
2990              vector).  Don't use this option unless you are prepared to  make
2991              a tradeoff of greater efficiency in exchange for less security.
2992
2993              OpenVPN  uses  an IV by default, and requires it for CFB and OFB
2994              cipher modes (which are totally insecure without it).  Using  an
2995              IV  is  important  for security when multiple messages are being
2996              encrypted/decrypted with the same key.
2997
2998              IV is implemented differently depending on the cipher mode used.
2999
3000              In CBC mode, OpenVPN uses a pseudo-random IV for each packet.
3001
3002              In CFB/OFB mode, OpenVPN uses a unique sequence number and  time
3003              stamp as the IV.  In fact, in CFB/OFB mode, OpenVPN uses a data‐
3004              gram space-saving optimization that uses the  unique  identifier
3005              for datagram replay protection as the IV.
3006
3007       --use-prediction-resistance
3008              Enable prediction resistance on mbed TLS's RNG.
3009
3010              Enabling  prediction resistance causes the RNG to reseed in each
3011              call for random. Reseeding this often can  quickly  deplete  the
3012              kernel entropy pool.
3013
3014              If  you  need this option, please consider running a daemon that
3015              adds entropy to the kernel pool.
3016
3017
3018       --test-crypto
3019              Do a self-test of OpenVPN's crypto  options  by  encrypting  and
3020              decrypting  test  packets  using  the  data  channel  encryption
3021              options specified above.  This option does not require a peer to
3022              function,  and  therefore  can  be  specified  without  --dev or
3023              --remote.
3024
3025              The typical usage of --test-crypto would be something like this:
3026
3027              openvpn --test-crypto --secret key
3028
3029              or
3030
3031              openvpn --test-crypto --secret key --verb 9
3032
3033              This option is very useful to test OpenVPN  after  it  has  been
3034              ported  to  a  new  platform, or to isolate problems in the com‐
3035              piler, OpenSSL crypto library, or OpenVPN's crypto code.   Since
3036              it is a self-test mode, problems with encryption and authentica‐
3037              tion can be debugged independently of network and tunnel issues.
3038
3039   TLS Mode Options:
3040       TLS mode is the most powerful crypto mode of OpenVPN in  both  security
3041       and flexibility.  TLS mode works by establishing control and data chan‐
3042       nels which are multiplexed over a single TCP/UDP port.  OpenVPN  initi‐
3043       ates  a  TLS  session  over the control channel and uses it to exchange
3044       cipher and HMAC keys to protect the data  channel.   TLS  mode  uses  a
3045       robust  reliability layer over the UDP connection for all control chan‐
3046       nel communication, while the data channel, over which encrypted  tunnel
3047       data  passes,  is  forwarded  without any mediation.  The result is the
3048       best of both worlds: a fast data channel that forwards  over  UDP  with
3049       only  the  overhead of encrypt, decrypt, and HMAC functions, and a con‐
3050       trol channel that provides all of the security features of TLS, includ‐
3051       ing   certificate-based   authentication  and  Diffie  Hellman  forward
3052       secrecy.
3053
3054       To use TLS mode, each peer that runs OpenVPN should have its own  local
3055       certificate/key  pair ( --cert and --key ), signed by the root certifi‐
3056       cate which is specified in --ca.
3057
3058       When two OpenVPN peers connect, each presents its local certificate  to
3059       the other.  Each peer will then check that its partner peer presented a
3060       certificate which was signed by the master root certificate  as  speci‐
3061       fied in --ca.
3062
3063       If  that  check  on  both peers succeeds, then the TLS negotiation will
3064       succeed, both OpenVPN peers will exchange temporary session  keys,  and
3065       the tunnel will begin passing data.
3066
3067       The OpenVPN project provides a set of scripts for managing RSA certifi‐
3068       cates & keys: https://github.com/OpenVPN/easy-rsa
3069
3070       --tls-server
3071              Enable TLS and assume server role during  TLS  handshake.   Note
3072              that  OpenVPN  is  designed  as a peer-to-peer application.  The
3073              designation of client or server is only for the purpose of nego‐
3074              tiating the TLS control channel.
3075
3076       --tls-client
3077              Enable TLS and assume client role during TLS handshake.
3078
3079       --ca file
3080              Certificate authority (CA) file in .pem format, also referred to
3081              as the root certificate.  This file can have  multiple  certifi‐
3082              cates  in .pem format, concatenated together.  You can construct
3083              your own certificate authority certificate and  private  key  by
3084              using a command such as:
3085
3086              openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
3087
3088              Then  edit  your openssl.cnf file and edit the certificate vari‐
3089              able to point to your new root certificate ca.crt.
3090
3091              For testing purposes only, the OpenVPN distribution  includes  a
3092              sample  CA certificate (ca.crt).  Of course you should never use
3093              the test certificates and test keys distributed with OpenVPN  in
3094              a  production environment, since by virtue of the fact that they
3095              are distributed with OpenVPN, they are totally insecure.
3096
3097       --capath dir
3098              Directory containing trusted certificates (CAs and  CRLs).   Not
3099              available with mbed TLS.
3100
3101              When using the --capath option, you are required to supply valid
3102              CRLs for the CAs too.  CAs in the capath directory are  expected
3103              to   be  named  <hash>.<n>.   CRLs  are  expected  to  be  named
3104              <hash>.r<n>.  See the -CApath option of openssl verify , and the
3105              -hash  option  of openssl x509 and openssl crl for more informa‐
3106              tion.
3107
3108       --dh file
3109              File  containing  Diffie  Hellman  parameters  in  .pem   format
3110              (required for --tls-server only).
3111
3112              Set  file=none  to  disable Diffie Hellman key exchange (and use
3113              ECDH only). Note that this requires peers to  be  using  an  SSL
3114              library  that  supports  ECDH  TLS  cipher  suites (e.g. OpenSSL
3115              1.0.1+, or mbed TLS 2.0+).
3116
3117              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
3118              parameters. Diffie Hellman parameters may be considered public.
3119
3120       --ecdh-curve name
3121              Specify  the  curve  to  use  for elliptic curve Diffie Hellman.
3122              Available curves can be listed with --show-curves.   The  speci‐
3123              fied curve will only be used for ECDH TLS-ciphers.
3124
3125              This option is not supported in mbed TLS builds of OpenVPN.
3126
3127       --cert file
3128              Local peer's signed certificate in .pem format -- must be signed
3129              by a certificate authority whose certificate is  in  --ca  file.
3130              Each peer in an OpenVPN link running in TLS mode should have its
3131              own certificate and private key file.  In  addition,  each  cer‐
3132              tificate  should  have  been  signed by the key of a certificate
3133              authority whose public  key  resides  in  the  --ca  certificate
3134              authority  file.   You  can  easily  make  your  own certificate
3135              authority (see above) or pay money to use a  commercial  service
3136              such as thawte.com (in which case you will be helping to finance
3137              the world's second space tourist :).  To generate a certificate,
3138              you can use a command such as:
3139
3140              openssl req -nodes -new -keyout mycert.key -out mycert.csr
3141
3142              If  your  certificate  authority  private  key  lives on another
3143              machine, copy the certificate signing  request  (mycert.csr)  to
3144              this  other  machine  (this can be done over an insecure channel
3145              such as email).  Now sign the certificate with  a  command  such
3146              as:
3147
3148              openssl ca -out mycert.crt -in mycert.csr
3149
3150              Now  copy  the  certificate  (mycert.crt) back to the peer which
3151              initially generated the .csr file (this can  be  over  a  public
3152              medium).  Note that the openssl ca command reads the location of
3153              the certificate authority key from its configuration  file  such
3154              as  /usr/share/ssl/openssl.cnf -- note also that for certificate
3155              authority functions, you must set up the files index.txt (may be
3156              empty) and serial (initialize to 01 ).
3157
3158       --extra-certs file
3159              Specify  a  file  containing one or more PEM certs (concatenated
3160              together) that complete the local certificate chain.
3161
3162              This option is useful for "split" CAs, where the CA  for  server
3163              certs  is different than the CA for client certs.  Putting certs
3164              in this file allows them to be used to complete the  local  cer‐
3165              tificate  chain without trusting them to verify the peer-submit‐
3166              ted certificate, as would be the case if the certs  were  placed
3167              in the ca file.
3168
3169       --key file
3170              Local  peer's  private  key in .pem format.  Use the private key
3171              which was generated when you built your peer's certificate  (see
3172              --cert file above).
3173
3174       --tls-version-min version ['or-highest']
3175              Sets  the  minimum  TLS  version  we  will  accept from the peer
3176              (default is "1.0").  Examples for version include "1.0",  "1.1",
3177              or  "1.2".  If 'or-highest' is specified and version is not rec‐
3178              ognized, we will only accept the highest TLS  version  supported
3179              by the local SSL implementation.
3180
3181       --tls-version-max version
3182              Set  the maximum TLS version we will use (default is the highest
3183              version supported).  Examples for version include "1.0",  "1.1",
3184              or "1.2".
3185
3186       --pkcs12 file
3187              Specify a PKCS #12 file containing local private key, local cer‐
3188              tificate, and root CA certificate.   This  option  can  be  used
3189              instead  of  --ca,  --cert,  and --key.  Not available with mbed
3190              TLS.
3191
3192       --verify-hash hash [algo]
3193              Specify SHA1  or  SHA256  fingerprint  for  level-1  cert.   The
3194              level-1  cert  is  the  CA (or intermediate cert) that signs the
3195              leaf certificate, and is one removed from the  leaf  certificate
3196              in  the direction of the root.  When accepting a connection from
3197              a peer, the level-1 cert fingerprint must match hash or certifi‐
3198              cate verification will fail.  Hash is specified as XX:XX:... For
3199              example:
3200
3201                  AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
3202
3203              The algo flag can be either SHA1 or SHA256.  If not provided, it
3204              defaults to SHA1.
3205
3206       --pkcs11-cert-private [0|1]...
3207              Set  if  access  to certificate object should be performed after
3208              login.  Every provider has its own setting.
3209
3210       --pkcs11-id name
3211              Specify the serialized certificate id to be used. The id can  be
3212              gotten by the standalone --show-pkcs11-ids option.
3213
3214       --pkcs11-id-management
3215              Acquire  PKCS#11  id  from  management interface. In this case a
3216              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
3217              gered,  application  may use pkcs11-id-count command to retrieve
3218              available number of certificates, and pkcs11-id-get  command  to
3219              retrieve certificate id and certificate body.
3220
3221       --pkcs11-pin-cache seconds
3222              Specify  how  many seconds the PIN can be cached, the default is
3223              until the token is removed.
3224
3225       --pkcs11-protected-authentication [0|1]...
3226              Use PKCS#11 protected authentication path, useful for  biometric
3227              and  external  keypad  devices.  Every provider has its own set‐
3228              ting.
3229
3230       --pkcs11-providers provider...
3231              Specify a RSA Security Inc. PKCS #11 Cryptographic Token  Inter‐
3232              face  (Cryptoki)  providers  to  load.   This option can be used
3233              instead of --cert, --key, and --pkcs12.
3234
3235              If p11-kit is present on the system, its p11-kit-proxy.so module
3236              will   be  loaded  by  default  if  either  the  --pkcs11-id  or
3237              --pkcs11-id-management    options    are    specified    without
3238              --pkcs11-provider being given.
3239
3240       --pkcs11-private-mode mode...
3241              Specify  which  method  to  use  in order to perform private key
3242              operations.   A  different  mode  can  be  specified  for   each
3243              provider.   Mode is encoded as hex number, and can be a mask one
3244              of the following:
3245
3246              0 (default) -- Try to determine automatically.
3247              1 -- Use sign.
3248              2 -- Use sign recover.
3249              4 -- Use decrypt.
3250              8 -- Use unwrap.
3251
3252       --cryptoapicert select-string
3253              Load the certificate and private key from the  Windows  Certifi‐
3254              cate System Store (Windows/OpenSSL Only).
3255
3256              Use this option instead of --cert and --key.
3257
3258              This  makes it possible to use any smart card, supported by Win‐
3259              dows, but also any kind of certificate,  residing  in  the  Cert
3260              Store,  where  you  have access to the private key.  This option
3261              has been tested with a couple of different smart cards (GemSAFE,
3262              Cryptoflex, and Swedish Post Office eID) on the client side, and
3263              also an imported PKCS12 software certificate on the server side.
3264
3265              To select a certificate, based on a substring search in the cer‐
3266              tificate's subject:
3267
3268              cryptoapicert "SUBJ:Peter Runestig"
3269
3270              To select a certificate, based on certificate's thumbprint:
3271
3272              cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
3273
3274              The thumbprint hex string can easily be copy-and-pasted from the
3275              Windows Certificate Store GUI.
3276
3277
3278       --key-method m
3279              DEPRECATED This option will be removed in OpenVPN 2.5
3280
3281              Use data channel key negotiation method m.  The key method  must
3282              match on both sides of the connection.
3283
3284              After  OpenVPN  negotiates  a TLS session, a new set of keys for
3285              protecting the tunnel data channel is  generated  and  exchanged
3286              over the TLS session.
3287
3288              In  method  1 (the default for OpenVPN 1.x), both sides generate
3289              random encrypt and HMAC-send keys which  are  forwarded  to  the
3290              other host over the TLS channel. Method 1 is deprecated in Open‐
3291              VPN 2.4 , and will be removed in OpenVPN 2.5.
3292
3293              In method 2, (the default for OpenVPN 2.0) the client  generates
3294              a  random key.  Both client and server also generate some random
3295              seed material.  All key source material is  exchanged  over  the
3296              TLS  channel.  The  actual  keys are generated using the TLS PRF
3297              function, taking source entropy from  both  client  and  server.
3298              Method  2  is  designed  to  closely parallel the key generation
3299              process used by TLS 1.0.
3300
3301              Note that in TLS mode, two separate levels of keying occur:
3302
3303              (1) The TLS connection is initially negotiated, with both  sides
3304              of  the connection producing certificates and verifying the cer‐
3305              tificate (or other authentication info provided)  of  the  other
3306              side.  The --key-method parameter has no effect on this process.
3307
3308              (2)  After the TLS connection is established, the tunnel session
3309              keys are separately negotiated  over  the  existing  secure  TLS
3310              channel.   Here,  --key-method  determines the derivation of the
3311              tunnel session keys.
3312
3313       --tls-cipher l
3314       --tls-ciphersuites l
3315              A list l of allowable TLS ciphers delimited by a colon (":").
3316
3317              These setting can be used to ensure that certain  cipher  suites
3318              are used (or not used) for the TLS connection.  OpenVPN uses TLS
3319              to secure the control channel, over which the keys that are used
3320              to protect the actual VPN traffic are exchanged.
3321
3322              The  supplied  list  of ciphers is (after potential OpenSSL/IANA
3323              name translation) simply supplied to the crypto library.  Please
3324              see the OpenSSL and/or mbed TLS documentation for details on the
3325              cipher list interpretation.
3326
3327              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below. For
3328              TLS 1.3 and up, the --tls-ciphersuites setting is used. mbed TLS
3329              has no TLS 1.3 support yet and only the --tls-cipher setting  is
3330              used.
3331
3332              Use  --show-tls  to  see a list of TLS ciphers supported by your
3333              crypto library.
3334
3335              Warning!  --tls-cipher and --tls-ciphersuites  are  expert  fea‐
3336              tures,  which  -  if used correcly - can improve the security of
3337              your VPN connection.  But it is also  easy  to  unwittingly  use
3338              them to carefully align a gun with your foot, or just break your
3339              connection.  Use with care!
3340
3341              The default for --tls-cipher is to use mbed TLS's default cipher
3342              list         when         using        mbed        TLS        or
3343              "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
3344              when using OpenSSL.
3345
3346              The   default  for  --tls-ciphersuites  is  to  use  the  crypto
3347              library's default.
3348
3349       --tls-cert-profile profile
3350              Set  the  allowed  cryptographic  algorithms  for   certificates
3351              according to profile.
3352
3353              The following profiles are supported:
3354
3355              legacy  (default):  SHA1  and newer, RSA 2048-bit+, any elliptic
3356              curve.
3357
3358              preferred : SHA2 and newer, RSA 2048-bit+, any elliptic curve.
3359
3360              suiteb : SHA256/SHA384, ECDSA with P-256 or P-384.
3361
3362              This option  is  only  fully  supported  for  mbed  TLS  builds.
3363              OpenSSL builds use the following approximation:
3364
3365              legacy (default): sets "security level 1"
3366
3367              preferred : sets "security level 2"
3368
3369              suiteb : sets "security level 3" and --tls-cipher "SUITEB128".
3370
3371              OpenVPN  will  migrate  to 'preferred' as default in the future.
3372              Please ensure that your keys already comply.
3373
3374       --tls-timeout n
3375              Packet retransmit timeout on TLS control channel if no  acknowl‐
3376              edgment  from remote within n seconds (default=2).  When OpenVPN
3377              sends a control packet to its peer, it will expect to receive an
3378              acknowledgement  within  n  seconds  or  it  will retransmit the
3379              packet, subject to a  TCP-like  exponential  backoff  algorithm.
3380              This  parameter  only  applies to control channel packets.  Data
3381              channel packets (which carry encrypted tunnel  data)  are  never
3382              acknowledged, sequenced, or retransmitted by OpenVPN because the
3383              higher level network protocols running on top of the tunnel such
3384              as TCP expect this role to be left to them.
3385
3386       --reneg-bytes n
3387              Renegotiate  data  channel  key  after  n bytes sent or received
3388              (disabled by default with an  exception,  see  below).   OpenVPN
3389              allows  the  lifetime  of  a  key to be expressed as a number of
3390              bytes encrypted/decrypted, a number of packets, or a  number  of
3391              seconds.   A  key  renegotiation  will be forced if any of these
3392              three criteria are met by either peer.
3393
3394              If using ciphers with cipher block  sizes  less  than  128-bits,
3395              --reneg-bytes is set to 64MB by default, unless it is explicitly
3396              disabled by setting the value to 0, but this is HIGHLY  DISCOUR‐
3397              AGED  as  this  is  designed  to add some protection against the
3398              SWEET32 attack vector.  For more information  see  the  --cipher
3399              option.
3400
3401       --reneg-pkts n
3402              Renegotiate  data  channel key after n packets sent and received
3403              (disabled by default).
3404
3405       --reneg-sec n
3406              Renegotiate data channel key after n seconds (default=3600).
3407
3408              When using dual-factor authentication, note  that  this  default
3409              value  may  cause  the  end user to be challenged to reauthorize
3410              once per hour.
3411
3412              Also, keep in mind that this option can  be  used  on  both  the
3413              client  and  server,  and whichever uses the lower value will be
3414              the one to trigger the renegotiation.  A common  mistake  is  to
3415              set  --reneg-sec  to  a  higher  value  on  either the client or
3416              server, while the other side of the connection  is  still  using
3417              the  default  value of 3600 seconds, meaning that the renegotia‐
3418              tion will still occur once per 3600 seconds.  The solution is to
3419              increase --reneg-sec on both the client and server, or set it to
3420              0 on one side of the connection (to disable), and to your chosen
3421              value on the other side.
3422
3423       --hand-window n
3424              Handshake  Window  --  the  TLS-based key exchange must finalize
3425              within n seconds of handshake initiation by any peer (default  =
3426              60  seconds).   If  the handshake fails we will attempt to reset
3427              our connection with our peer and try again.  Even in  the  event
3428              of  handshake  failure we will still use our expiring key for up
3429              to --tran-window seconds to maintain continuity of  transmission
3430              of tunnel data.
3431
3432       --tran-window n
3433              Transition  window  --  our  old  key can live this many seconds
3434              after a new a key renegotiation begins (default = 3600 seconds).
3435              This  feature  allows  for a graceful transition from old to new
3436              key, and removes the key renegotiation sequence from the  criti‐
3437              cal path of tunnel data forwarding.
3438
3439       --single-session
3440              After  initially  connecting  to a remote peer, disallow any new
3441              connections.  Using this option means that a remote peer  cannot
3442              connect, disconnect, and then reconnect.
3443
3444              If  the  daemon  is reset by a signal or --ping-restart, it will
3445              allow one new connection.
3446
3447              --single-session can be used with --ping-exit or  --inactive  to
3448              create a single dynamic session that will exit when finished.
3449
3450       --tls-exit
3451              Exit on TLS negotiation failure.
3452
3453       --tls-auth file [direction]
3454              Add an additional layer of HMAC authentication on top of the TLS
3455              control channel to mitigate DoS attacks and attacks on  the  TLS
3456              stack.
3457
3458              In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
3459              OpenVPN's TCP/UDP port, where TLS control channel packets  bear‐
3460              ing an incorrect HMAC signature can be dropped immediately with‐
3461              out response.
3462
3463              file (required) is a file in OpenVPN static key format which can
3464              be generated by --genkey
3465
3466              Older   versions  (up  to  OpenVPN  2.3)  supported  a  freeform
3467              passphrase file.  This is no longer supported in newer  versions
3468              (v2.4+).
3469
3470              See  the  --secret  option  for more information on the optional
3471              direction parameter.
3472
3473              --tls-auth is recommended when you are running OpenVPN in a mode
3474              where  it  is listening for packets from any IP address, such as
3475              when --remote is not specified, or --remote  is  specified  with
3476              --float.
3477
3478              The  rationale  for  this feature is as follows.  TLS requires a
3479              multi-packet exchange before it is able to authenticate a  peer.
3480              During  this  time  before authentication, OpenVPN is allocating
3481              resources (memory and CPU) to this potential peer.   The  poten‐
3482              tial peer is also exposing many parts of OpenVPN and the OpenSSL
3483              library to the packets it is sending.  Most  successful  network
3484              attacks  today  seek to either exploit bugs in programs (such as
3485              buffer overflow attacks) or force a program to consume  so  many
3486              resources that it becomes unusable.  Of course the first line of
3487              defense is always to produce clean, well-audited code.   OpenVPN
3488              has been written with buffer overflow attack prevention as a top
3489              priority.  But as history has shown, many  of  the  most  widely
3490              used  network  applications  have,  from time to time, fallen to
3491              buffer overflow attacks.
3492
3493              So as a second line of  defense,  OpenVPN  offers  this  special
3494              layer  of  authentication  on  top of the TLS control channel so
3495              that every packet on the control channel is authenticated by  an
3496              HMAC signature and a unique ID for replay protection.  This sig‐
3497              nature will also help protect against DoS  (Denial  of  Service)
3498              attacks.   An  important rule of thumb in reducing vulnerability
3499              to DoS attacks is to minimize the amount of resources  a  poten‐
3500              tial, but as yet unauthenticated, client is able to consume.
3501
3502              --tls-auth does this by signing every TLS control channel packet
3503              with an HMAC signature, including packets which are sent  before
3504              the  TLS  level  has had a chance to authenticate the peer.  The
3505              result is that packets without  the  correct  signature  can  be
3506              dropped immediately upon reception, before they have a chance to
3507              consume additional system resources such as by initiating a  TLS
3508              handshake.    --tls-auth  can  be  strengthened  by  adding  the
3509              --replay-persist option which will keep OpenVPN's replay protec‐
3510              tion state in a file so that it is not lost across restarts.
3511
3512              It  should  be emphasized that this feature is optional and that
3513              the key file used with --tls-auth gives a peer nothing more than
3514              the  power  to  initiate  a  TLS  handshake.   It is not used to
3515              encrypt or authenticate any tunnel data.
3516
3517              Use --tls-crypt instead if you want to use the key file  to  not
3518              only authenticate, but also encrypt the TLS control channel.
3519
3520       --tls-crypt keyfile
3521
3522              Encrypt  and  authenticate  all control channel packets with the
3523              key from keyfile.  (See --tls-auth for more background.)
3524
3525              Encrypting (and authenticating) control channel packets:
3526
3527              · provides more privacy by hiding the certificate used  for  the
3528                TLS connection,
3529
3530              · makes it harder to identify OpenVPN traffic as such,
3531
3532              · provides "poor-man's" post-quantum security, against attackers
3533                who will never  know  the  pre-shared  key  (i.e.  no  forward
3534                secrecy).
3535
3536
3537              In  contrast  to  --tls-auth, --tls-crypt does *not* require the
3538              user to set --key-direction.
3539
3540              Security Considerations
3541
3542              All peers use the  same  --tls-crypt  pre-shared  group  key  to
3543              authenticate  and  encrypt  control channel messages.  To ensure
3544              that IV collisions remain unlikely, this key should not be  used
3545              to   encrypt   more   than   2^48   client-to-server   or   2^48
3546              server-to-client control channel messages.   A  typical  initial
3547              negotiation  is  about  10  packets in each direction.  Assuming
3548              both initial negotiation and renegotiations  are  at  most  2^16
3549              (65536)  packets (to be conservative), and (re)negotiations hap‐
3550              pen each minute for each user (24/7), this limits the  tls-crypt
3551              key lifetime to 8171 years divided by the number of users.  So a
3552              setup with 1000 users should rotate the key at least  once  each
3553              eight years.  (And a setup with 8000 users each year.)
3554
3555              If  IV  collisions were to occur, this could result in the secu‐
3556              rity of --tls-crypt degrading to  the  same  security  as  using
3557              --tls-auth.   That  is,  the control channel still benefits from
3558              the extra protection  against  active  man-in-the-middle-attacks
3559              and  DoS  attacks,  but  may  no  longer offer extra privacy and
3560              post-quantum security on top of what TLS itself offers.
3561
3562       --askpass [file]
3563              Get certificate password from console or file before  we  daemo‐
3564              nize.
3565
3566              For  the extremely security conscious, it is possible to protect
3567              your private key with a password.  Of  course  this  means  that
3568              every  time  the  OpenVPN daemon is started you must be there to
3569              type the password.  The --askpass option  allows  you  to  start
3570              OpenVPN from the command line.  It will query you for a password
3571              before it daemonizes.  To protect a private key with a  password
3572              you  should omit the -nodes option when you use the openssl com‐
3573              mand line tool to manage certificates and private keys.
3574
3575              If file is specified, read the password from the first  line  of
3576              file.   Keep  in  mind that storing your password in a file to a
3577              certain extent invalidates the extra security provided by  using
3578              an encrypted key.
3579
3580       --auth-nocache
3581              Don't  cache --askpass or --auth-user-pass username/passwords in
3582              virtual memory.
3583
3584              If specified, this directive will cause OpenVPN  to  immediately
3585              forget  username/password  inputs  after  they  are  used.  As a
3586              result, when OpenVPN needs a username/password, it  will  prompt
3587              for  input  from  stdin,  which may be multiple times during the
3588              duration of an OpenVPN session.
3589
3590              When using --auth-nocache in combination  with  a  user/password
3591              file  and  --chroot  or  --daemon,  make sure to use an absolute
3592              path.
3593
3594              This directive does not affect the  --http-proxy  username/pass‐
3595              word.  It is always cached.
3596
3597       --auth-token token
3598              This  is  not an option to be used directly in any configuration
3599              files, but rather  push  this  option  from  a  --client-connect
3600              script   or  a  --plugin  which  hooks  into  the  OPENVPN_PLUG‐
3601              IN_CLIENT_CONNECT  or  OPENVPN_PLUGIN_CLIENT_CONNECT_V2   calls.
3602              This  option provides a possibility to replace the clients pass‐
3603              word with an authentication token during  the  lifetime  of  the
3604              OpenVPN client.
3605
3606              Whenever    the    connection    is    renegotiated    and   the
3607              --auth-user-pass-verify script or --plugin  making  use  of  the
3608              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  hook is triggered, it will
3609              pass over this token as the password instead of the password the
3610              user  provided.  The authentication token can only be reset by a
3611              full reconnect where the server can  push  new  options  to  the
3612              client.   The  password the user entered is never preserved once
3613              an authentication token have been set.  If  the  OpenVPN  server
3614              side  rejects  the authentication token, the client will receive
3615              an AUTH_FAIL and disconnect.
3616
3617              The purpose of this is to enable two factor authentication meth‐
3618              ods,  such  as  HOTP  or  TOTP,  to  be  used without needing to
3619              retrieve a new OTP code each time the  connection  is  renegoti‐
3620              ated.   Another  use case is to cache authentication data on the
3621              client without needing to have the users password cached in mem‐
3622              ory during the life time of the session.
3623
3624              To  make  use  of  this  feature, the --client-connect script or
3625              --plugin needs to put
3626
3627                  push "auth-token UNIQUE_TOKEN_VALUE"
3628
3629              into the file/buffer for dynamic configuration data.  This  will
3630              then  make  the OpenVPN server to push this value to the client,
3631              which replaces the local password with the UNIQUE_TOKEN_VALUE.
3632
3633              Newer clients (2.4.7+) will fall back to the  original  password
3634              method  after  a  failed auth. Older clients will keep using the
3635              token value and react acording to --auth-retry
3636
3637       --tls-verify cmd
3638              Run command cmd to verify the X509 name of a pending TLS connec‐
3639              tion  that has otherwise passed all other tests of certification
3640              (except for revocation via --crl-verify directive;  the  revoca‐
3641              tion test occurs after the --tls-verify test).
3642
3643              cmd  should return 0 to allow the TLS handshake to proceed, or 1
3644              to fail.
3645
3646              cmd consists of  a  path  to  script  (or  executable  program),
3647              optionally  followed by arguments. The path and arguments may be
3648              single- or double-quoted and/or escaped using a  backslash,  and
3649              should be separated by one or more spaces.
3650
3651              When  cmd is executed two arguments are appended after any argu‐
3652              ments specified in cmd , as follows:
3653
3654              cmd certificate_depth subject
3655
3656              These arguments are, respectively, the current certificate depth
3657              and the X509 common name (cn) of the peer.
3658
3659              This  feature is useful if the peer you want to trust has a cer‐
3660              tificate which was signed by a certificate  authority  who  also
3661              signed many other certificates, where you don't necessarily want
3662              to trust all of them, but rather be selective about  which  peer
3663              certificate you will accept.  This feature allows you to write a
3664              script which will test the X509 name on a certificate and decide
3665              whether  or not it should be accepted.  For a simple perl script
3666              which will test the common name field on  the  certificate,  see
3667              the file verify-cn in the OpenVPN distribution.
3668
3669              See  the  "Environmental Variables" section below for additional
3670              parameters passed as environmental variables.
3671
3672       --tls-export-cert directory
3673              Store the certificates the clients uses upon connection to  this
3674              directory. This will be done before --tls-verify is called.  The
3675              certificates will use a temporary name and will be deleted  when
3676              the  tls-verify script returns.  The file name used for the cer‐
3677              tificate is available via the peer_cert environment variable.
3678
3679       --x509-username-field [ext:]fieldname
3680              Field in the X.509 certificate subject to be used as  the  user‐
3681              name  (default=CN).   Typically,  this  option is specified with
3682              fieldname as either of the following:
3683
3684              --x509-username-field emailAddress
3685              --x509-username-field ext:subjectAltName
3686
3687              The first example uses the value of the "emailAddress" attribute
3688              in  the certificate's Subject field as the username.  The second
3689              example uses the ext: prefix to signify that the X.509 extension
3690              fieldname "subjectAltName" be searched for an rfc822Name (email)
3691              field to be used as the username.  In cases where there are mul‐
3692              tiple  email  addresses in ext:fieldname, the last occurrence is
3693              chosen.
3694
3695              When this option is used,  the  --verify-x509-name  option  will
3696              match against the chosen fieldname instead of the Common Name.
3697
3698              Only  the  subjectAltName and issuerAltName X.509 extensions are
3699              supported.
3700
3701              Please note: This option has a feature  which  will  convert  an
3702              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
3703              A mixed-case fieldname or one having the  ext:  prefix  will  be
3704              left  as-is.   This automatic upcasing feature is deprecated and
3705              will be removed in a future release.
3706
3707       --verify-x509-name name type
3708              Accept connections only if a host's X.509 name is equal to name.
3709              The remote host must also pass all other tests of verification.
3710
3711              Which  X.509  name is compared to name depends on the setting of
3712              type.  type can be "subject" to match the  complete  subject  DN
3713              (default),  "name"  to  match  a subject RDN or "name-prefix" to
3714              match a subject RDN prefix.   Which  RDN  is  verified  as  name
3715              depends  on the --x509-username-field option. But it defaults to
3716              the common name (CN), e.g.  a  certificate  with  a  subject  DN
3717              "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
3718
3719              --verify-x509-name  'C=KG,  ST=NA,  L=Bishkek,  CN=Server-1' and
3720              --verify-x509-name  Server-1  name  or  you  could  use   --ver‐
3721              ify-x509-name  Server-  name-prefix if you want a client to only
3722              accept connections to "Server-1", "Server-2", etc.
3723
3724              --verify-x509-name is a useful replacement for the  --tls-verify
3725              option  to  verify  the  remote host, because --verify-x509-name
3726              works in a --chroot environment without any dependencies.
3727
3728              Using a name prefix is a useful alternative to  managing  a  CRL
3729              (Certificate Revocation List) on the client, since it allows the
3730              client to refuse all certificates except  for  those  associated
3731              with designated servers.
3732
3733              NOTE: Test against a name prefix only when you are using OpenVPN
3734              with a custom CA certificate that is under your control.   Never
3735              use  this  option  with type "name-prefix" when your client cer‐
3736              tificates are signed by a third party, such as a commercial  web
3737              CA.
3738
3739       --x509-track attribute
3740              Save peer X509 attribute value in environment for use by plugins
3741              and management interface.  Prepend a '+' to  attribute  to  save
3742              values  from  full  cert  chain.   Values  will  be  encoded  as
3743              X509_<depth>_<attribute>=<value>.  Multiple --x509-track options
3744              can be defined to track multiple attributes.
3745
3746       --ns-cert-type client|server
3747              DEPRECATED  This option will be removed in OpenVPN 2.5.  Use the
3748              more modern equivalent --remote-cert-tls instead.   This  option
3749              will be removed in OpenVPN 2.5.
3750
3751              Require  that  peer  certificate  was  signed  with  an explicit
3752              nsCertType designation of "client" or "server".
3753
3754              This is a useful security option for clients, to ensure that the
3755              host they connect with is a designated server.
3756
3757              See  the  easy-rsa/build-key-server script for an example of how
3758              to generate a certificate  with  the  nsCertType  field  set  to
3759              "server".
3760
3761              If the server certificate's nsCertType field is set to "server",
3762              then the clients can verify this with --ns-cert-type server.
3763
3764              This is an important security precaution to  protect  against  a
3765              man-in-the-middle  attack where an authorized client attempts to
3766              connect to another client  by  impersonating  the  server.   The
3767              attack  is  easily prevented by having clients verify the server
3768              certificate using any one of --ns-cert-type, --verify-x509-name,
3769              or --tls-verify.
3770
3771       --remote-cert-ku [v...]
3772              Require  that  peer  certificate was signed with an explicit key
3773              usage.
3774
3775              If present in the certificate, the keyUsage value  is  validated
3776              by  the  TLS  library during the TLS handshake.  Specifying this
3777              option without arguments requires this extension to  be  present
3778              (so the TLS library will verify it).
3779
3780              If the list v...  is also supplied, the keyUsage field must have
3781              at least the same bits set as the bits in one of the values sup‐
3782              plied in the list v...
3783
3784              The  key  usage  values in the list must be encoded in hex, e.g.
3785              "--remote-cert-ku a0"
3786
3787       --remote-cert-eku oid
3788              Require that  peer  certificate  was  signed  with  an  explicit
3789              extended key usage.
3790
3791              This is a useful security option for clients, to ensure that the
3792              host they connect to is a designated server.
3793
3794              The extended key usage should be encoded  in  oid  notation,  or
3795              OpenSSL symbolic representation.
3796
3797       --remote-cert-tls client|server
3798              Require  that  peer  certificate was signed with an explicit key
3799              usage and extended key usage based on RFC3280 TLS rules.
3800
3801              This is a useful security option for clients, to ensure that the
3802              host  they  connect to is a designated server.  Or the other way
3803              around; for a server to verify that only  hosts  with  a  client
3804              certificate can connect.
3805
3806              The   --remote-cert-tls   client   option   is   equivalent   to
3807              --remote-cert-ku --remote-cert-eku "TLS Web  Client  Authentica‐
3808              tion"
3809
3810              The   --remote-cert-tls   server   option   is   equivalent   to
3811              --remote-cert-ku --remote-cert-eku "TLS Web  Server  Authentica‐
3812              tion"
3813
3814              This  is  an  important security precaution to protect against a
3815              man-in-the-middle attack where an authorized client attempts  to
3816              connect  to  another  client  by  impersonating the server.  The
3817              attack is easily prevented by having clients verify  the  server
3818              certificate   using   any   one   of  --remote-cert-tls,  --ver‐
3819              ify-x509-name, or --tls-verify.
3820
3821       --crl-verify crl ['dir']
3822              Check peer certificate against the file crl in PEM format.
3823
3824              A CRL (certificate revocation list) is used  when  a  particular
3825              key is compromised but when the overall PKI is still intact.
3826
3827              Suppose  you had a PKI consisting of a CA, root certificate, and
3828              a number of client certificates.  Suppose a laptop computer con‐
3829              taining  a client key and certificate was stolen.  By adding the
3830              stolen certificate to the CRL file, you could reject any connec‐
3831              tion  which  attempts  to  use  it, while preserving the overall
3832              integrity of the PKI.
3833
3834              The only time when it would be necessary to rebuild  the  entire
3835              PKI from scratch would be if the root certificate key itself was
3836              compromised.
3837
3838              If the optional dir flag is specified, enable a  different  mode
3839              where  crl  is  a  directory  containing  files named as revoked
3840              serial numbers (the files may be empty, the contents  are  never
3841              read).  If a client requests a connection, where the client cer‐
3842              tificate serial number (decimal string) is the name  of  a  file
3843              present in the directory, it will be rejected.
3844
3845              Note:  As  the crl file (or directory) is read every time a peer
3846              connects, if you are dropping root privileges with --user,  make
3847              sure that this user has sufficient privileges to read the file.
3848
3849   SSL Library information:
3850       --show-ciphers
3851              (Standalone) Show all cipher algorithms to use with the --cipher
3852              option.
3853
3854       --show-digests
3855              (Standalone) Show all message digest algorithms to use with  the
3856              --auth option.
3857
3858       --show-tls
3859              (Standalone)  Show  all  TLS  ciphers  supported  by  the crypto
3860              library.  OpenVPN uses TLS to secure the control  channel,  over
3861              which  the  keys that are used to protect the actual VPN traffic
3862              are exchanged.  The TLS ciphers  will  be  sorted  from  highest
3863              preference (most secure) to lowest.
3864
3865              Be  aware  that whether a cipher suite in this list can actually
3866              work depends on the specific setup  of  both  peers  (e.g.  both
3867              peers  must  support  the cipher, and an ECDSA cipher suite will
3868              not work if you are using an RSA certificate, etc.).
3869
3870       --show-engines
3871              (Standalone)  Show  currently  available  hardware-based  crypto
3872              acceleration engines supported by the OpenSSL library.
3873
3874       --show-curves
3875              (Standalone)  Show all available elliptic curves to use with the
3876              --ecdh-curve option.
3877
3878   Generate a random key:
3879       Used only for non-TLS static key encryption mode.
3880
3881       --genkey
3882              (Standalone) Generate a random  key  to  be  used  as  a  shared
3883              secret,  for  use  with  the --secret option.  This file must be
3884              shared with the peer over a pre-existing secure channel such  as
3885              scp(1)
3886
3887       --secret file
3888              Write key to file.
3889
3890   TUN/TAP persistent tunnel config mode:
3891       Available  with Linux 2.4.7+.  These options comprise a standalone mode
3892       of OpenVPN which can be used to create and delete persistent tunnels.
3893
3894       --mktun
3895              (Standalone) Create a persistent tunnel on platforms which  sup‐
3896              port  them  such  as Linux.  Normally TUN/TAP tunnels exist only
3897              for the period of time that an application has them open.   This
3898              option  takes advantage of the TUN/TAP driver's ability to build
3899              persistent tunnels that live through multiple instantiations  of
3900              OpenVPN  and  die  only  when they are deleted or the machine is
3901              rebooted.
3902
3903              One of the advantages of persistent tunnels is that they  elimi‐
3904              nate  the  need  for separate --up and --down scripts to run the
3905              appropriate ifconfig(8) and route(8) commands.   These  commands
3906              can  be placed in the the same shell script which starts or ter‐
3907              minates an OpenVPN session.
3908
3909              Another  advantage  is  that  open   connections   through   the
3910              TUN/TAP-based  tunnel  will  not  be  reset  if the OpenVPN peer
3911              restarts.  This can be useful to provide  uninterrupted  connec‐
3912              tivity  through  the  tunnel in the event of a DHCP reset of the
3913              peer's public IP address (see the --ipchange option above).
3914
3915              One disadvantage of persistent tunnels is that it is  harder  to
3916              automatically  configure  their  MTU  value  (see --link-mtu and
3917              --tun-mtu above).
3918
3919              On some platforms such as Windows, TAP-Win32 tunnels are persis‐
3920              tent by default.
3921
3922       --rmtun
3923              (Standalone) Remove a persistent tunnel.
3924
3925       --dev tunX | tapX
3926              TUN/TAP device
3927
3928       --user user
3929              Optional user to be owner of this tunnel.
3930
3931       --group group
3932              Optional group to be owner of this tunnel.
3933
3934   Windows-Specific Options:
3935       --win-sys path
3936              Set  the  Windows  system directory pathname to use when looking
3937              for system executables such  as  route.exe  and  netsh.exe.   By
3938              default,  if  this  directive is not specified, OpenVPN will use
3939              the SystemRoot environment variable.
3940
3941              This option have changed behaviour in OpenVPN 2.3.  Earlier  you
3942              had  to  define  --win-sys env to use the SystemRoot environment
3943              variable, otherwise it  defaulted  to  C:\WINDOWS.   It  is  not
3944              needed  to  use  the  env  keyword any more, and it will just be
3945              ignored. A warning is logged when this is found in the  configu‐
3946              ration file.
3947
3948       --ip-win32 method
3949              When  using  --ifconfig on Windows, set the TAP-Win32 adapter IP
3950              address and netmask using method.  Don't use this option  unless
3951              you are also using --ifconfig.
3952
3953              manual  --  Don't  set  the IP address or netmask automatically.
3954              Instead output a message to the console telling the user to con‐
3955              figure  the adapter manually and indicating the IP/netmask which
3956              OpenVPN expects the adapter to be set to.
3957
3958              dynamic  [offset]  [lease-time]  --  Automatically  set  the  IP
3959              address and netmask by replying to DHCP query messages generated
3960              by the kernel.  This mode is probably  the  "cleanest"  solution
3961              for  setting  the TCP/IP properties since it uses the well-known
3962              DHCP protocol.  There are, however, two prerequisites for  using
3963              this  mode:  (1) The TCP/IP properties for the TAP-Win32 adapter
3964              must be set to "Obtain an IP  address  automatically,"  and  (2)
3965              OpenVPN  needs  to  claim an IP address in the subnet for use as
3966              the virtual DHCP server address.  By default in --dev tap  mode,
3967              OpenVPN  will take the normally unused first address in the sub‐
3968              net.   For  example,  if  your  subnet  is  192.168.4.0  netmask
3969              255.255.255.0, then OpenVPN will take the IP address 192.168.4.0
3970              to use as the virtual DHCP server address.  In --dev  tun  mode,
3971              OpenVPN  will  cause the DHCP server to masquerade as if it were
3972              coming from the remote endpoint.  The optional offset  parameter
3973              is  an  integer  which is > -256 and < 256 and which defaults to
3974              -1.  If offset is positive, the DHCP server will  masquerade  as
3975              the  IP address at network address + offset.  If offset is nega‐
3976              tive, the DHCP server will  masquerade  as  the  IP  address  at
3977              broadcast  address  + offset.  The Windows ipconfig /all command
3978              can be used to show what Windows thinks the DHCP server  address
3979              is.   OpenVPN  will  "claim" this address, so make sure to use a
3980              free address.  Having said that,  different  OpenVPN  instantia‐
3981              tions,  including  different  ends  of  the same connection, can
3982              share the same virtual  DHCP  server  address.   The  lease-time
3983              parameter  controls  the lease time of the DHCP assignment given
3984              to the TAP-Win32 adapter, and is denoted in seconds.  Normally a
3985              very  long  lease  time  is preferred because it prevents routes
3986              involving the TAP-Win32 adapter from being lost when the  system
3987              goes to sleep.  The default lease time is one year.
3988
3989              netsh  -- Automatically set the IP address and netmask using the
3990              Windows command-line "netsh" command.  This  method  appears  to
3991              work correctly on Windows XP but not Windows 2000.
3992
3993              ipapi  -- Automatically set the IP address and netmask using the
3994              Windows IP Helper API.  This approach does not have ideal seman‐
3995              tics,  though  testing has indicated that it works okay in prac‐
3996              tice.  If you use this option, it is best to  leave  the  TCP/IP
3997              properties  for  the  TAP-Win32  adapter in their default state,
3998              i.e. "Obtain an IP address automatically."
3999
4000              adaptive -- (Default) Try dynamic method initially and fail over
4001              to netsh if the DHCP negotiation with the TAP-Win32 adapter does
4002              not succeed in 20 seconds.  Such failures  have  been  known  to
4003              occur  when  certain  third-party firewall packages installed on
4004              the client machine  block  the  DHCP  negotiation  used  by  the
4005              TAP-Win32  adapter.  Note that if the netsh failover occurs, the
4006              TAP-Win32 adapter TCP/IP properties will be reset from  DHCP  to
4007              static,  and  this  will cause future OpenVPN startups using the
4008              adaptive mode to  use  netsh  immediately,  rather  than  trying
4009              dynamic first.  To "unstick" the adaptive mode from using netsh,
4010              run OpenVPN at least once using the dynamic mode to restore  the
4011              TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
4012
4013       --route-method m
4014              Which method m to use for adding routes on Windows?
4015
4016              adaptive  (default)  -- Try IP helper API first.  If that fails,
4017              fall back to the route.exe shell command.
4018              ipapi -- Use IP helper API.
4019              exe -- Call the route.exe shell command.
4020
4021       --dhcp-option type [parm]
4022              Set extended TAP-Win32 TCP/IP  properties,  must  be  used  with
4023              --ip-win32  dynamic  or --ip-win32 adaptive.  This option can be
4024              used to  set  additional  TCP/IP  properties  on  the  TAP-Win32
4025              adapter,  and  is particularly useful for configuring an OpenVPN
4026              client to access a Samba server across the VPN.
4027
4028              DOMAIN name -- Set Connection-specific DNS Suffix.
4029
4030              DNS addr -- Set primary domain name server IPv4 or IPv6 address.
4031              Repeat this option to set secondary DNS server addresses.
4032
4033              Note: DNS IPv6 servers are currently set using netsh (the exist‐
4034              ing DHCP code can only do IPv4 DHCP, and that protocol only per‐
4035              mits  IPv4 addresses anywhere).  The option will be put into the
4036              environment, so an --up script could act upon it if needed.
4037
4038              WINS addr -- Set  primary  WINS  server  address  (NetBIOS  over
4039              TCP/IP  Name  Server).  Repeat this option to set secondary WINS
4040              server addresses.
4041
4042              NBDD addr -- Set  primary  NBDD  server  address  (NetBIOS  over
4043              TCP/IP  Datagram  Distribution Server) Repeat this option to set
4044              secondary NBDD server addresses.
4045
4046              NTP addr -- Set primary NTP server address (Network Time  Proto‐
4047              col).  Repeat this option to set secondary NTP server addresses.
4048
4049              NBT  type  --  Set  NetBIOS  over  TCP/IP  Node  type.  Possible
4050              options: 1 = b-node (broadcasts),  2  =  p-node  (point-to-point
4051              name queries to a WINS server), 4 = m-node (broadcast then query
4052              name server), and 8 = h-node (query  name  server,  then  broad‐
4053              cast).
4054
4055              NBS  scope-id  -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope
4056              ID provides an extended naming  service  for  the  NetBIOS  over
4057              TCP/IP  (Known  as NBT) module. The primary purpose of a NetBIOS
4058              scope ID is to isolate NetBIOS traffic on a  single  network  to
4059              only  those  nodes  with the same NetBIOS scope ID.  The NetBIOS
4060              scope ID is a character string that is appended to  the  NetBIOS
4061              name.  The  NetBIOS scope ID on two hosts must match, or the two
4062              hosts will not be able to communicate. The NetBIOS Scope ID also
4063              allows  computers  to  use  the same computer name, as they have
4064              different scope IDs. The Scope ID becomes a part of the  NetBIOS
4065              name,  making  the  name  unique.   (This description of NetBIOS
4066              scopes courtesy of NeonSurge@abyss.com)
4067
4068              DISABLE-NBT -- Disable Netbios-over-TCP/IP.
4069
4070              Note that if --dhcp-option is pushed via --push to a non-windows
4071              client,  the  option  will  be saved in the client's environment
4072              before  the  up  script  is  called,  under   the   name   "for‐
4073              eign_option_{n}".
4074
4075       --tap-sleep n
4076              Cause  OpenVPN  to  sleep  for  n  seconds immediately after the
4077              TAP-Win32 adapter state is set to "connected".
4078
4079              This option is intended to be used to troubleshoot problems with
4080              the  --ifconfig  and --ip-win32 options, and is used to give the
4081              TAP-Win32 adapter time to come up before Windows IP  Helper  API
4082              operations are applied to it.
4083
4084       --show-net-up
4085              Output  OpenVPN's  view  of the system routing table and network
4086              adapter list to the syslog or log file after the TUN/TAP adapter
4087              has been brought up and any routes have been added.
4088
4089       --block-outside-dns
4090              Block  DNS  servers  on  other  network  adapters to prevent DNS
4091              leaks. This option prevents any application from  accessing  TCP
4092              or  UDP  port  53  except one inside the tunnel. It uses Windows
4093              Filtering Platform (WFP) and works on Windows Vista or later.
4094
4095              This option is considered unknown on non-Windows  platforms  and
4096              unsupported  on  Windows  XP, resulting in fatal error.  You may
4097              want to use --setenv opt or --ignore-unknown-option  (not  suit‐
4098              able  for  Windows  XP) to ignore said error.  Note that pushing
4099              unknown options from server does not trigger fatal errors.
4100
4101       --dhcp-renew
4102              Ask Windows to renew the TAP adapter  lease  on  startup.   This
4103              option  is  normally unnecessary, as Windows automatically trig‐
4104              gers a DHCP renegotiation on the TAP adapter when it  comes  up,
4105              however  if  you set the TAP-Win32 adapter Media Status property
4106              to "Always Connected", you may need this flag.
4107
4108       --dhcp-release
4109              Ask Windows to release the TAP adapter lease on shutdown.   This
4110              option  has  no effect now, as it is enabled by default starting
4111              with OpenVPN 2.4.1.
4112
4113       --register-dns
4114              Run ipconfig /flushdns and ipconfig /registerdns  on  connection
4115              initiation.   This  is  known  to  kick Windows into recognizing
4116              pushed DNS servers.
4117
4118       --pause-exit
4119              Put up a "press any key to  continue"  message  on  the  console
4120              prior  to  OpenVPN  program  exit.  This option is automatically
4121              used by the Windows explorer when OpenVPN is run on a configura‐
4122              tion file using the right-click explorer menu.
4123
4124       --service exit-event [0|1]
4125              Should  be  used when OpenVPN is being automatically executed by
4126              another program in such a context that no interaction  with  the
4127              user via display or keyboard is possible.  In general, end-users
4128              should never need to explicitly use this option, as it is  auto‐
4129              matically  added  by  the  OpenVPN  service wrapper when a given
4130              OpenVPN configuration is being run as a service.
4131
4132              exit-event is the name of a Windows  global  event  object,  and
4133              OpenVPN will continuously monitor the state of this event object
4134              and exit when it becomes signaled.
4135
4136              The second parameter indicates the initial state  of  exit-event
4137              and normally defaults to 0.
4138
4139              Multiple  OpenVPN  processes can be simultaneously executed with
4140              the same exit-event parameter.  In  any  case,  the  controlling
4141              process  can  signal  exit-event,  causing all such OpenVPN pro‐
4142              cesses to exit.
4143
4144              When executing an OpenVPN process using the --service directive,
4145              OpenVPN  will  probably not have a console window to output sta‐
4146              tus/error messages, therefore it  is  useful  to  use  --log  or
4147              --log-append to write these messages to a file.
4148
4149       --show-adapters
4150              (Standalone)  Show  available  TAP-Win32  adapters  which can be
4151              selected using the --dev-node option.  On  non-Windows  systems,
4152              the ifconfig(8) command provides similar functionality.
4153
4154       --allow-nonadmin [TAP-adapter]
4155              (Standalone)  Set  TAP-adapter to allow access from non-adminis‐
4156              trative accounts.  If TAP-adapter is omitted, all  TAP  adapters
4157              on the system will be configured to allow non-admin access.  The
4158              non-admin access setting will only persist  for  the  length  of
4159              time  that the TAP-Win32 device object and driver remain loaded,
4160              and will need to be re-enabled after a reboot, or if the  driver
4161              is unloaded and reloaded.  This directive can only be used by an
4162              administrator.
4163
4164       --show-valid-subnets
4165              (Standalone) Show valid subnets for --dev tun emulation.   Since
4166              the  TAP-Win32  driver exports an ethernet interface to Windows,
4167              and since TUN devices are point-to-point in nature, it is neces‐
4168              sary  for  the TAP-Win32 driver to impose certain constraints on
4169              TUN endpoint address selection.
4170
4171              Namely, the point-to-point endpoints used in TUN  device  emula‐
4172              tion  must  be the middle two addresses of a /30 subnet (netmask
4173              255.255.255.252).
4174
4175       --show-net
4176              (Standalone) Show OpenVPN's view of the system routing table and
4177              network adapter list.
4178
4179   PKCS#11 Standalone Options:
4180       --show-pkcs11-ids [provider] [cert_private]
4181              (Standalone)  Show  PKCS#11 token object list. Specify cert_pri‐
4182              vate as 1 if certificates are stored as private objects.
4183
4184              If p11-kit is present on the system, the  provider  argument  is
4185              optional; if omitted the default p11-kit-proxy.so module will be
4186              queried.
4187
4188              --verb option can be used BEFORE this option to  produce  debug‐
4189              ging information.
4190
4191   Standalone Debug Options:
4192       --show-gateway [v6target]
4193              (Standalone)  Show  current  IPv4  and  IPv6 default gateway and
4194              interface towards the gateway (if the protocol  in  question  is
4195              enabled).   If  an  IPv6 address is passed as argument, the IPv6
4196              route for this host is reported.
4197
4198   IPv6 Related Options
4199       The following options exist to support IPv6 tunneling  in  peer-to-peer
4200       and client-server mode.  All options are modeled after their IPv4 coun‐
4201       terparts, so more detailed explanations given there apply here as  well
4202       (except for --topology , which has no effect on IPv6).
4203
4204       --ifconfig-ipv6 ipv6addr/bits ipv6remote
4205              configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
4206              second parameter is used as route target for --route-ipv6 if  no
4207              gateway is specified.
4208
4209       --route-ipv6 ipv6addr/bits [gateway] [metric]
4210              setup IPv6 routing in the system to send the specified IPv6 net‐
4211              work into OpenVPN's ``tun''.  The gateway parameter is only used
4212              for  IPv6  routes  across  ``tap''  devices, and if missing, the
4213              ``ipv6remote'' field from --ifconfig-ipv6 is used.
4214
4215       --server-ipv6 ipv6addr/bits
4216              convenience-function to enable a number of IPv6 related  options
4217              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
4218              tun-ipv6 Is only accepted if ``--mode server''  or  ``--server''
4219              is  set.  Pushing  of the --tun-ipv6 directive is done for older
4220              clients which require an explicit ``--tun-ipv6'' in  their  con‐
4221              figuration.
4222
4223       --ifconfig-ipv6-pool ipv6addr/bits
4224              Specify  an IPv6 address pool for dynamic assignment to clients.
4225              The pool starts at ipv6addr and matches  the  offset  determined
4226              from the start of the IPv4 pool.
4227
4228       --ifconfig-ipv6-push ipv6addr/bits ipv6remote
4229              for  ccd/  per-client  static  IPv6 interface configuration, see
4230              --client-config-dir and --ifconfig-push for more details.
4231
4232       --iroute-ipv6 ipv6addr/bits
4233              for  ccd/  per-client  static  IPv6  route  configuration,   see
4234              --iroute  for  more  details  how to setup and use this, and how
4235              --iroute and --route interact.
4236
4237

SCRIPTING AND ENVIRONMENTAL VARIABLES

4239       OpenVPN  exports  a  series  of  environmental  variables  for  use  by
4240       user-defined scripts.
4241
4242   Script Order of Execution
4243       --up   Executed after TCP/UDP socket bind and TUN/TAP open.
4244
4245       --tls-verify
4246              Executed when we have a still untrusted remote peer.
4247
4248       --ipchange
4249              Executed  after  connection authentication, or remote IP address
4250              change.
4251
4252       --client-connect
4253              Executed in --mode server mode immediately after client  authen‐
4254              tication.
4255
4256       --route-up
4257              Executed  after  connection  authentication,  either immediately
4258              after, or some  number  of  seconds  after  as  defined  by  the
4259              --route-delay option.
4260
4261       --route-pre-down
4262              Executed right before the routes are removed.
4263
4264       --client-disconnect
4265              Executed in --mode server mode on client instance shutdown.
4266
4267       --down Executed after TCP/UDP and TUN/TAP close.
4268
4269       --learn-address
4270              Executed in --mode server mode whenever an IPv4 address/route or
4271              MAC address is added to OpenVPN's internal routing table.
4272
4273       --auth-user-pass-verify
4274              Executed in --mode server mode on new client  connections,  when
4275              the client is still untrusted.
4276
4277   String Types and Remapping
4278       In  certain  cases,  OpenVPN  will  perform  remapping of characters in
4279       strings.  Essentially, any characters  outside  the  set  of  permitted
4280       characters for each string type will be converted to underbar ('_').
4281
4282       Q: Why is string remapping necessary?
4283
4284       A:  It's  an important security feature to prevent the malicious coding
4285       of strings from  untrusted  sources  to  be  passed  as  parameters  to
4286       scripts, saved in the environment, used as a common name, translated to
4287       a filename, etc.
4288
4289       Q: Can string remapping be disabled?
4290
4291       A: Yes, by using the --no-name-remapping option, however this should be
4292       considered an advanced option.
4293
4294       Here  is a brief rundown of OpenVPN's current string types and the per‐
4295       mitted character class for each string:
4296
4297       X509 Names: Alphanumeric, underbar ('_'), dash  ('-'),  dot  ('.'),  at
4298       ('@'),  colon  (':'),  slash  ('/'),  and equal ('=').  Alphanumeric is
4299       defined as a character which will cause the C library  isalnum()  func‐
4300       tion to return true.
4301
4302       Common  Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and
4303       at ('@').
4304
4305       --auth-user-pass username: Same as Common  Name,  with  one  exception:
4306       starting  with  OpenVPN  2.0.1,  the  username  is  passed to the OPEN‐
4307       VPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string
4308       remapping.
4309
4310       --auth-user-pass  password:  Any "printable" character except CR or LF.
4311       Printable is defined to be a character which will cause the  C  library
4312       isprint() function to return true.
4313
4314       --client-config-dir  filename  as derived from common name or username:
4315       Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for  "."
4316       or  ".." as standalone strings.  As of v2.0.1-rc6, the at ('@') charac‐
4317       ter has been added as well for compatibility with the common name char‐
4318       acter class.
4319
4320       Environmental variable names: Alphanumeric or underbar ('_').
4321
4322       Environmental variable values: Any printable character.
4323
4324       For  all  cases,  characters  in  a string which are not members of the
4325       legal character class for that string type will be remapped to underbar
4326       ('_').
4327
4328   Environmental Variables
4329       Once  set,  a variable is persisted indefinitely until it is reset by a
4330       new value or a restart,
4331
4332       As of OpenVPN 2.0-beta12, in server mode, environmental  variables  set
4333       by  OpenVPN are scoped according to the client objects they are associ‐
4334       ated with, so there should not be any issues with scripts having access
4335       to  stale,  previously  set  variables  which refer to different client
4336       instances.
4337
4338       bytes_received
4339              Total number of bytes received from client during  VPN  session.
4340              Set prior to execution of the --client-disconnect script.
4341
4342       bytes_sent
4343              Total  number  of  bytes sent to client during VPN session.  Set
4344              prior to execution of the --client-disconnect script.
4345
4346       common_name
4347              The X509 common name of an authenticated client.  Set  prior  to
4348              execution    of   --client-connect,   --client-disconnect,   and
4349              --auth-user-pass-verify scripts.
4350
4351       config Name of first --config file.   Set  on  program  initiation  and
4352              reset on SIGHUP.
4353
4354       daemon Set to "1" if the --daemon directive is specified, or "0" other‐
4355              wise.  Set on program initiation and reset on SIGHUP.
4356
4357       daemon_log_redirect
4358              Set to "1" if the --log or --log-append  directives  are  speci‐
4359              fied,  or "0" otherwise.  Set on program initiation and reset on
4360              SIGHUP.
4361
4362       dev    The actual name of the TUN/TAP device, including a  unit  number
4363              if it exists.  Set prior to --up or --down script execution.
4364
4365       dev_idx
4366              On  Windows, the device index of the TUN/TAP adapter (to be used
4367              in netsh.exe calls which sometimes just do not work  right  with
4368              interface names).  Set prior to --up or --down script execution.
4369
4370       foreign_option_{n}
4371              An  option pushed via --push to a client which does not natively
4372              support it, such as --dhcp-option on a non-Windows system,  will
4373              be  recorded  to  this  environmental variable sequence prior to
4374              --up script execution.
4375
4376       ifconfig_broadcast
4377              The broadcast address for the virtual ethernet segment which  is
4378              derived  from the --ifconfig option when --dev tap is used.  Set
4379              prior to OpenVPN calling the ifconfig or netsh (windows  version
4380              of ifconfig) commands which normally occurs prior to --up script
4381              execution.
4382
4383       ifconfig_ipv6_local
4384              The local VPN endpoint IPv6 address specified  in  the  --ifcon‐
4385              fig-ipv6 option (first parameter).  Set prior to OpenVPN calling
4386              the ifconfig or netsh (windows  version  of  ifconfig)  commands
4387              which normally occurs prior to --up script execution.
4388
4389       ifconfig_ipv6_netbits
4390              The  prefix  length  of  the  IPv6 network on the VPN interface.
4391              Derived from the /nnn parameter  of  the  IPv6  address  in  the
4392              --ifconfig-ipv6  option (first parameter).  Set prior to OpenVPN
4393              calling the ifconfig or netsh (windows version of ifconfig) com‐
4394              mands which normally occurs prior to --up script execution.
4395
4396       ifconfig_ipv6_remote
4397              The  remote  VPN endpoint IPv6 address specified in the --ifcon‐
4398              fig-ipv6 option (second parameter).  Set prior to OpenVPN  call‐
4399              ing the ifconfig or netsh (windows version of ifconfig) commands
4400              which normally occurs prior to --up script execution.
4401
4402       ifconfig_local
4403              The local VPN endpoint IP address specified  in  the  --ifconfig
4404              option  (first  parameter).   Set  prior  to OpenVPN calling the
4405              ifconfig or netsh (windows version of ifconfig)  commands  which
4406              normally occurs prior to --up script execution.
4407
4408       ifconfig_remote
4409              The  remote  VPN endpoint IP address specified in the --ifconfig
4410              option (second parameter) when --dev tun is used.  Set prior  to
4411              OpenVPN calling the ifconfig or netsh (windows version of ifcon‐
4412              fig) commands which normally occurs prior to --up script  execu‐
4413              tion.
4414
4415       ifconfig_netmask
4416              The  subnet  mask of the virtual ethernet segment that is speci‐
4417              fied as the second parameter to --ifconfig  when  --dev  tap  is
4418              being  used.  Set prior to OpenVPN calling the ifconfig or netsh
4419              (windows version of ifconfig)  commands  which  normally  occurs
4420              prior to --up script execution.
4421
4422       ifconfig_pool_local_ip
4423              The  local  virtual IP address for the TUN/TAP tunnel taken from
4424              an --ifconfig-push directive if specified, or otherwise from the
4425              ifconfig  pool  (controlled  by  the --ifconfig-pool config file
4426              directive).  Only set for --dev tun tunnels.  This option is set
4427              on  the  server  prior  to execution of the --client-connect and
4428              --client-disconnect scripts.
4429
4430       ifconfig_pool_netmask
4431              The virtual IP netmask for the  TUN/TAP  tunnel  taken  from  an
4432              --ifconfig-push  directive  if  specified, or otherwise from the
4433              ifconfig pool (controlled by  the  --ifconfig-pool  config  file
4434              directive).  Only set for --dev tap tunnels.  This option is set
4435              on the server prior to execution  of  the  --client-connect  and
4436              --client-disconnect scripts.
4437
4438       ifconfig_pool_remote_ip
4439              The  remote virtual IP address for the TUN/TAP tunnel taken from
4440              an --ifconfig-push directive if specified, or otherwise from the
4441              ifconfig  pool  (controlled  by  the --ifconfig-pool config file
4442              directive).  This option is set on the server prior to execution
4443              of the --client-connect and --client-disconnect scripts.
4444
4445       link_mtu
4446              The  maximum packet size (not including the IP header) of tunnel
4447              data in UDP tunnel transport mode.  Set prior to --up or  --down
4448              script execution.
4449
4450       local  The  --local  parameter.  Set on program initiation and reset on
4451              SIGHUP.
4452
4453       local_port
4454              The local port number or name, specified by --port  or  --lport.
4455              Set on program initiation and reset on SIGHUP.
4456
4457       password
4458              The  password  provided  by  a  connecting client.  Set prior to
4459              --auth-user-pass-verify script execution only when  the  via-env
4460              modifier  is  specified,  and deleted from the environment after
4461              the script returns.
4462
4463       proto  The --proto parameter.  Set on program initiation and  reset  on
4464              SIGHUP.
4465
4466       remote_{n}
4467              The  --remote parameter.  Set on program initiation and reset on
4468              SIGHUP.
4469
4470       remote_port_{n}
4471              The remote port number, specified by --port or --rport.  Set  on
4472              program initiation and reset on SIGHUP.
4473
4474       route_net_gateway
4475              The pre-existing default IP gateway in the system routing table.
4476              Set prior to --up script execution.
4477
4478       route_vpn_gateway
4479              The default gateway used by --route  options,  as  specified  in
4480              either  the  --route-gateway  option  or the second parameter to
4481              --ifconfig when --dev tun  is  specified.   Set  prior  to  --up
4482              script execution.
4483
4484       route_{parm}_{n}
4485              A  set of variables which define each route to be added, and are
4486              set prior to --up script execution.
4487
4488              parm will be one of "network", "netmask",  "gateway",  or  "met‐
4489              ric".
4490
4491              n is the OpenVPN route number, starting from 1.
4492
4493              If  the  network  or  gateway are resolvable DNS names, their IP
4494              address translations will be recorded rather than their names as
4495              denoted on the command line or configuration file.
4496
4497       route_ipv6_{parm}_{n}
4498              A set of variables which define each IPv6 route to be added, and
4499              are set prior to --up script execution.
4500
4501              parm will be one of "network" or "gateway"  ("netmask"  is  con‐
4502              tained  as  "/nnn"  in  the  route_ipv6_network_{n}, unlike IPv4
4503              where it is passed in a separate environment variable).
4504
4505              n is the OpenVPN route number, starting from 1.
4506
4507              If the network or gateway are resolvable  DNS  names,  their  IP
4508              address translations will be recorded rather than their names as
4509              denoted on the command line or configuration file.
4510
4511       peer_cert
4512              Temporary file name containing the client certificate upon  con‐
4513              nection.  Useful in conjunction with --tls-verify
4514
4515       script_context
4516              Set  to  "init"  or "restart" prior to up/down script execution.
4517              For more information, see documentation for --up.
4518
4519       script_type
4520              Prior to execution of any script, this variable is  set  to  the
4521              type  of  script being run.  It can be one of the following: up,
4522              down,  ipchange,  route-up,  tls-verify,  auth-user-pass-verify,
4523              client-connect,  client-disconnect, or learn-address.  Set prior
4524              to execution of any script.
4525
4526       signal The reason for exit or restart.  Can be one of sigusr1,  sighup,
4527              sigterm,  sigint,  inactive  (controlled  by --inactive option),
4528              ping-exit (controlled by --ping-exit option), ping-restart (con‐
4529              trolled  by  --ping-restart option), connection-reset (triggered
4530              on TCP connection reset), error, or  unknown  (unknown  signal).
4531              This variable is set just prior to down script execution.
4532
4533       time_ascii
4534              Client  connection timestamp, formatted as a human-readable time
4535              string.  Set prior to execution of the --client-connect script.
4536
4537       time_duration
4538              The duration (in seconds) of the client  session  which  is  now
4539              disconnecting.   Set  prior to execution of the --client-discon‐
4540              nect script.
4541
4542       time_unix
4543              Client  connection  timestamp,  formatted  as  a  unix   integer
4544              date/time value.  Set prior to execution of the --client-connect
4545              script.
4546
4547       tls_digest_{n} / tls_digest_sha256_{n}
4548              Contains the certificate SHA1 / SHA256 fingerprint, where  n  is
4549              the  verification  level.   Only  set  for TLS connections.  Set
4550              prior to execution of --tls-verify script.
4551
4552       tls_id_{n}
4553              A series of certificate fields from the remote peer, where n  is
4554              the  verification  level.   Only  set  for TLS connections.  Set
4555              prior to execution of --tls-verify script.
4556
4557       tls_serial_{n}
4558              The serial number of the certificate from the remote peer, where
4559              n is the verification level.  Only set for TLS connections.  Set
4560              prior to execution of --tls-verify script. This is in  the  form
4561              of  a  decimal  string  like  "933971680", which is suitable for
4562              doing serial-based OCSP queries (with OpenSSL,  do  not  prepend
4563              "0x"  to  the  string) If something goes wrong while reading the
4564              value from the certificate it will be an empty string,  so  your
4565              code      should      check      that.      See     the     con‐
4566              trib/OCSP_check/OCSP_check.sh script for an example.
4567
4568       tls_serial_hex_{n}
4569              Like tls_serial_{n}, but in hex form (e.g. "12:34:56:78:9A").
4570
4571       tun_mtu
4572              The MTU of the TUN/TAP device.  Set  prior  to  --up  or  --down
4573              script execution.
4574
4575       trusted_ip (or trusted_ip6)
4576              Actual  IP  address  of connecting client or peer which has been
4577              authenticated.   Set   prior   to   execution   of   --ipchange,
4578              --client-connect,  and  --client-disconnect  scripts.   If using
4579              ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.
4580
4581       trusted_port
4582              Actual port number of connecting client or peer which  has  been
4583              authenticated.    Set   prior   to   execution   of  --ipchange,
4584              --client-connect, and --client-disconnect scripts.
4585
4586       untrusted_ip (or untrusted_ip6)
4587              Actual IP address of connecting client or  peer  which  has  not
4588              been  authenticated  yet.  Sometimes used to nmap the connecting
4589              host in a --tls-verify script to ensure it is  firewalled  prop‐
4590              erly.     Set   prior   to   execution   of   --tls-verify   and
4591              --auth-user-pass-verify scripts.  If using ipv6 endpoints (udp6,
4592              tcp6), untrusted_ip6 will be set instead.
4593
4594       untrusted_port
4595              Actual  port  number  of connecting client or peer which has not
4596              been authenticated yet.  Set prior to execution of  --tls-verify
4597              and --auth-user-pass-verify scripts.
4598
4599       username
4600              The  username  provided  by  a  connecting client.  Set prior to
4601              --auth-user-pass-verify script execution only when  the  via-env
4602              modifier is specified.
4603
4604       X509_{n}_{subject_field}
4605              An  X509 subject field from the remote peer certificate, where n
4606              is the verification level.  Only set for TLS  connections.   Set
4607              prior  to  execution  of  --tls-verify script.  This variable is
4608              similar to tls_id_{n} except the component X509  subject  fields
4609              are  broken  out,  and no string remapping occurs on these field
4610              values (except for remapping of control characters to "_").  For
4611              example,  the  following  variables  would be set on the OpenVPN
4612              server  using  the  sample  client  certificate  in  sample-keys
4613              (client.crt).   Note  that  the  verification level is 0 for the
4614              client certificate and 1 for the CA certificate.
4615
4616                  X509_0_emailAddress=me@myhost.mydomain
4617                  X509_0_CN=Test-Client
4618                  X509_0_O=OpenVPN-TEST
4619                  X509_0_ST=NA
4620                  X509_0_C=KG
4621                  X509_1_emailAddress=me@myhost.mydomain
4622                  X509_1_O=OpenVPN-TEST
4623                  X509_1_L=BISHKEK
4624                  X509_1_ST=NA
4625                  X509_1_C=KG
4626

INLINE FILE SUPPORT

4628       OpenVPN allows including files in the main configuration for the  --ca,
4629       --cert,  --dh,  --extra-certs, --key, --pkcs12, --secret, --crl-verify,
4630       --http-proxy-user-pass, --tls-auth and --tls-crypt options.
4631
4632       Each inline file started by the line <option> and  ended  by  the  line
4633       </option>
4634
4635       Here is an example of an inline file usage
4636
4637           <cert>
4638           -----BEGIN CERTIFICATE-----
4639           [...]
4640           -----END CERTIFICATE-----
4641           </cert>
4642
4643       When using the inline file feature with --pkcs12 the inline file has to
4644       be base64 encoded. Encoding of a .p12 file into base64 can be done  for
4645       example with OpenSSL by running openssl base64 -in input.p12
4646
4647

SIGNALS

4649       SIGHUP Cause  OpenVPN  to  close  all  TUN/TAP and network connections,
4650              restart, re-read the configuration file  (if  any),  and  reopen
4651              TUN/TAP and network connections.
4652
4653       SIGUSR1
4654              Like SIGHUP, except don't re-read configuration file, and possi‐
4655              bly don't close and reopen TUN/TAP device,  re-read  key  files,
4656              preserve  local  IP  address/port,  or  preserve  most  recently
4657              authenticated remote IP  address/port  based  on  --persist-tun,
4658              --persist-key,   --persist-local-ip,   and   --persist-remote-ip
4659              options respectively (see above).
4660
4661              This signal may also be internally generated by a timeout condi‐
4662              tion, governed by the --ping-restart option.
4663
4664              This signal, when combined with --persist-remote-ip, may be sent
4665              when the underlying parameters of the host's  network  interface
4666              change  such as when the host is a DHCP client and is assigned a
4667              new IP address.  See --ipchange above for more information.
4668
4669       SIGUSR2
4670              Causes OpenVPN to display its current statistics (to the  syslog
4671              file if --daemon is used, or stdout otherwise).
4672
4673       SIGINT, SIGTERM
4674              Causes OpenVPN to exit gracefully.
4675

TUN/TAP DRIVER SETUP

4677       If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP
4678       driver already installed.  If so, there are still a few things you need
4679       to do:
4680
4681       Make device: mknod /dev/net/tun c 10 200
4682
4683       Load driver: modprobe tun
4684

EXAMPLES

4686       Prior  to  running these examples, you should have OpenVPN installed on
4687       two machines with network connectivity between them.  If you  have  not
4688       yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
4689       distribution.
4690
4691   TUN/TAP Setup:
4692       If you are using Linux 2.4 or higher, make the tun device node and load
4693       the tun module:
4694
4695              mknod /dev/net/tun c 10 200
4696
4697              modprobe tun
4698
4699       If  you  installed from RPM, the mknod step may be omitted, because the
4700       RPM install does that for you.
4701
4702       Only Linux 2.4 and newer are supported.
4703
4704       For  other  platforms,  consult  the  INSTALL  file   at   http://open
4705       vpn.net/install.html for more information.
4706
4707   Firewall Setup:
4708       If firewalls exist between the two machines, they should be set to for‐
4709       ward UDP port 1194 in both directions.  If you do not have control over
4710       the  firewalls  between  the two machines, you may still be able to use
4711       OpenVPN by adding --ping 15 to each of the openvpn commands used  below
4712       in  the  examples  (this will cause each peer to send out a UDP ping to
4713       its remote peer once every 15 seconds which will  cause  many  stateful
4714       firewalls  to  forward  packets  in both directions without an explicit
4715       firewall rule).
4716
4717       If you are using a Linux iptables-based firewall, you may need to enter
4718       the following command to allow incoming packets on the TUN device:
4719
4720              iptables -A INPUT -i tun+ -j ACCEPT
4721
4722       See  the  firewalls  section  below for more information on configuring
4723       firewalls for use with OpenVPN.
4724
4725   VPN Address Setup:
4726       For purposes of our example, our two machines will be called  bob.exam‐
4727       ple.com  and alice.example.com.  If you are constructing a VPN over the
4728       internet, then replace bob.example.com and alice.example.com  with  the
4729       internet  hostname  or IP address that each machine will use to contact
4730       the other over the internet.
4731
4732       Now we will choose the tunnel endpoints.  Tunnel endpoints are  private
4733       IP  addresses  that  only have meaning in the context of the VPN.  Each
4734       machine will use the tunnel endpoint of the other machine to access  it
4735       over  the VPN.  In our example, the tunnel endpoint for bob.example.com
4736       will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
4737
4738       Once the VPN is established, you  have  essentially  created  a  secure
4739       alternate  path  between  the two hosts which is addressed by using the
4740       tunnel endpoints.  You can control which network traffic passes between
4741       the hosts (a) over the VPN or (b) independently of the VPN, by choosing
4742       whether to use (a) the VPN endpoint address or (b) the public  internet
4743       address, to access the remote host. For example if you are on bob.exam‐
4744       ple.com and you wish to connect to alice.example.com  via  ssh  without
4745       using  the  VPN (since ssh has its own built-in security) you would use
4746       the command ssh alice.example.com.  However in the same  scenario,  you
4747       could  also  use the command telnet 10.4.0.2 to create a telnet session
4748       with alice.example.com over the VPN, that would use the VPN  to  secure
4749       the session rather than ssh.
4750
4751       You can use any address you wish for the tunnel endpoints but make sure
4752       that they are private addresses (such as those that begin  with  10  or
4753       192.168)  and that they are not part of any existing subnet on the net‐
4754       works of either peer, unless you are bridging.  If you use  an  address
4755       that  is  part of your local subnet for either of the tunnel endpoints,
4756       you will get a weird feedback loop.
4757
4758   Example 1: A simple tunnel without security
4759       On bob:
4760
4761              openvpn  --remote  alice.example.com   --dev   tun1   --ifconfig
4762              10.4.0.1 10.4.0.2 --verb 9
4763
4764       On alice:
4765
4766              openvpn  --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4767              10.4.0.1 --verb 9
4768
4769       Now verify the tunnel is working by pinging across the tunnel.
4770
4771       On bob:
4772
4773              ping 10.4.0.2
4774
4775       On alice:
4776
4777              ping 10.4.0.1
4778
4779       The --verb 9 option will produce verbose output, similar  to  the  tcp‐
4780       dump(8) program.  Omit the --verb 9 option to have OpenVPN run quietly.
4781
4782   Example  2:  A  tunnel  with  static-key  security (i.e. using a pre-shared
4783       secret)
4784       First build a static key on bob.
4785
4786              openvpn --genkey --secret key
4787
4788       This command will build a random key file called key (in ascii format).
4789       Now  copy key to alice over a secure medium such as by using the scp(1)
4790       program.
4791
4792       On bob:
4793
4794              openvpn  --remote  alice.example.com   --dev   tun1   --ifconfig
4795              10.4.0.1 10.4.0.2 --verb 5 --secret key
4796
4797       On alice:
4798
4799              openvpn  --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4800              10.4.0.1 --verb 5 --secret key
4801
4802       Now verify the tunnel is working by pinging across the tunnel.
4803
4804       On bob:
4805
4806              ping 10.4.0.2
4807
4808       On alice:
4809
4810              ping 10.4.0.1
4811
4812   Example 3: A tunnel with full TLS-based security
4813       For this test, we will designate bob as the TLS client and alice as the
4814       TLS  server.   Note  that client or server designation only has meaning
4815       for the TLS subsystem. It has no  bearing  on  OpenVPN's  peer-to-peer,
4816       UDP-based communication model.
4817
4818       First,  build  a  separate  certificate/key pair for both bob and alice
4819       (see above where --cert is discussed for more  info).   Then  construct
4820       Diffie  Hellman  parameters (see above where --dh is discussed for more
4821       info).   You  can  also  use  the  included  test   files   client.crt,
4822       client.key, server.crt, server.key and ca.crt.  The .crt files are cer‐
4823       tificates/public-keys, the .key files are private keys, and ca.crt is a
4824       certification  authority who has signed both client.crt and server.crt.
4825       For Diffie Hellman parameters you can use the included file dh1024.pem.
4826       Note  that  all  client, server, and certificate authority certificates
4827       and keys included in the OpenVPN distribution are totally insecure  and
4828       should be used for testing only.
4829
4830       On bob:
4831
4832              openvpn   --remote   alice.example.com   --dev  tun1  --ifconfig
4833              10.4.0.1 10.4.0.2 --tls-client  --ca  ca.crt  --cert  client.crt
4834              --key client.key --reneg-sec 60 --verb 5
4835
4836       On alice:
4837
4838              openvpn  --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4839              10.4.0.1  --tls-server  --dh  dh1024.pem  --ca   ca.crt   --cert
4840              server.crt --key server.key --reneg-sec 60 --verb 5
4841
4842       Now verify the tunnel is working by pinging across the tunnel.
4843
4844       On bob:
4845
4846              ping 10.4.0.2
4847
4848       On alice:
4849
4850              ping 10.4.0.1
4851
4852       Notice  the --reneg-sec 60 option we used above.  That tells OpenVPN to
4853       renegotiate the data channel keys every minute.  Since we used --verb 5
4854       above, you will see status information on each new key negotiation.
4855
4856       For  production  operations, a key renegotiation interval of 60 seconds
4857       is probably too frequent.  Omit the --reneg-sec 60 option to use  Open‐
4858       VPN's default key renegotiation interval of one hour.
4859
4860   Routing:
4861       Assuming  you  can  ping across the tunnel, the next step is to route a
4862       real subnet over the secure tunnel.  Suppose that bob  and  alice  have
4863       two  network  interfaces  each,  one connected to the internet, and the
4864       other to a private network.  Our goal is to securely connect both  pri‐
4865       vate networks.  We will assume that bob's private subnet is 10.0.0.0/24
4866       and alice's is 10.0.1.0/24.
4867
4868       First, ensure that IP forwarding is enabled on both peers.   On  Linux,
4869       enable routing:
4870
4871              echo 1 > /proc/sys/net/ipv4/ip_forward
4872
4873       and enable TUN packet forwarding through the firewall:
4874
4875              iptables -A FORWARD -i tun+ -j ACCEPT
4876
4877       On bob:
4878
4879              route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
4880
4881       On alice:
4882
4883              route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
4884
4885       Now any machine on the 10.0.0.0/24 subnet can access any machine on the
4886       10.0.1.0/24 subnet over the secure tunnel (or vice versa).
4887
4888       In a production environment, you could put the route  command(s)  in  a
4889       script and execute with the --up option.
4890

FIREWALLS

4892       OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
4893       You should add an entry to your firewall rules to allow incoming  Open‐
4894       VPN packets.  On Linux 2.4+:
4895
4896              iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
4897
4898       This  will  allow  incoming packets on UDP port 1194 (OpenVPN's default
4899       UDP port) from an OpenVPN peer at 1.2.3.4.
4900
4901       If you are using HMAC-based packet authentication (the default  in  any
4902       of  OpenVPN's  secure  modes),  having  the  firewall  filter on source
4903       address can be considered optional, since HMAC packet authentication is
4904       a  much  more  secure  method of verifying the authenticity of a packet
4905       source.  In that case:
4906
4907              iptables -A INPUT -p udp --dport 1194 -j ACCEPT
4908
4909       would be adequate and would not render the host inflexible with respect
4910       to its peer having a dynamic IP address.
4911
4912       OpenVPN  also works well on stateful firewalls.  In some cases, you may
4913       not need to add any static rules to the firewall list if you are  using
4914       a  stateful  firewall  that knows how to track UDP connections.  If you
4915       specify --ping n, OpenVPN will be guaranteed to send a  packet  to  its
4916       peer  at  least  once  every n seconds.  If n is less than the stateful
4917       firewall connection timeout, you can  maintain  an  OpenVPN  connection
4918       indefinitely without explicit firewall rules.
4919
4920       You  should also add firewall rules to allow incoming IP traffic on TUN
4921       or TAP devices such as:
4922
4923              iptables -A INPUT -i tun+ -j ACCEPT
4924
4925       to allow input packets from tun devices,
4926
4927              iptables -A FORWARD -i tun+ -j ACCEPT
4928
4929       to allow input packets from tun devices to be forwarded to other  hosts
4930       on the local network,
4931
4932              iptables -A INPUT -i tap+ -j ACCEPT
4933
4934       to allow input packets from tap devices, and
4935
4936              iptables -A FORWARD -i tap+ -j ACCEPT
4937
4938       to  allow input packets from tap devices to be forwarded to other hosts
4939       on the local network.
4940
4941       These rules are secure if  you  use  packet  authentication,  since  no
4942       incoming packets will arrive on a TUN or TAP virtual device unless they
4943       first pass an HMAC authentication test.
4944

FAQ

4946       http://openvpn.net/faq.html
4947

HOWTO

4949       For a more comprehensive guide to setting up OpenVPN  in  a  production
4950       setting, see the OpenVPN HOWTO at http://openvpn.net/howto.html
4951

PROTOCOL

4953       For  a  description  of OpenVPN's underlying protocol, see http://open
4954       vpn.net/security.html
4955

WEB

4957       OpenVPN's web site is at http://openvpn.net/
4958
4959       Go here to download the latest version of  OpenVPN,  subscribe  to  the
4960       mailing lists, read the mailing list archives, or browse the SVN repos‐
4961       itory.
4962

BUGS

4964       Report all bugs to the OpenVPN team <info@openvpn.net>.
4965

SEE ALSO

4967       dhcpcd(8), ifconfig(8), openssl(1), route(8), scp(1) ssh(1)
4968

NOTES

4970       This product includes software  developed  by  the  OpenSSL  Project  (
4971       http://www.openssl.org/ )
4972
4973       For     more     information     on     the     TLS    protocol,    see
4974       http://www.ietf.org/rfc/rfc2246.txt
4975
4976       For more information on  the  LZO  real-time  compression  library  see
4977       http://www.oberhumer.com/opensource/lzo/
4978
4980       Copyright  (C) 2002-2018 OpenVPN Inc This program is free software; you
4981       can redistribute it and/or modify it under the terms of the GNU General
4982       Public License version 2 as published by the Free Software Foundation.
4983

AUTHORS

4985       James Yonan <jim@yonan.net>
4986
4987
4988
4989                               28 February 2018                     openvpn(8)
Impressum