1openvpn(8)                  System Manager's Manual                 openvpn(8)
2
3
4

NAME

6       openvpn - secure IP tunnel daemon.
7

SYNOPSIS

9       openvpn [ options ... ]
10

INTRODUCTION

12       OpenVPN  is  an open source VPN daemon by James Yonan.  Because OpenVPN
13       tries to be a universal VPN tool offering a great deal of  flexibility,
14       there are a lot of options on this manual page.  If you're new to Open‐
15       VPN, you might want to skip ahead to the  examples  section  where  you
16       will  see how to construct simple VPNs on the command line without even
17       needing a configuration file.
18
19       Also note that there's more documentation and examples on  the  OpenVPN
20       web site: http://openvpn.net/
21
22       And  if you would like to see a shorter version of this manual, see the
23       openvpn usage message which can be obtained by running openvpn  without
24       any parameters.
25

DESCRIPTION

27       OpenVPN  is  a robust and highly flexible VPN daemon.  OpenVPN supports
28       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
29       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
30       scalability to hundreds or thousands of users, and portability to  most
31       major OS platforms.
32
33       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
34       its crypto capabilities from it.
35
36       OpenVPN supports conventional encryption using a pre-shared secret  key
37       (Static  Key mode) or public key security (SSL/TLS mode) using client &
38       server certificates.  OpenVPN also supports non-encrypted TCP/UDP  tun‐
39       nels.
40
41       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
42       face that exists on most platforms.
43
44       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
45       with a relatively lightweight footprint.
46

OPTIONS

48       OpenVPN allows any option to be placed either on the command line or in
49       a configuration file.  Though all command line options are preceded  by
50       a double-leading-dash ("--"), this prefix can be removed when an option
51       is placed in a configuration file.
52
53       --help Show options.
54
55       --config file
56              Load additional config options from file where each line  corre‐
57              sponds  to  one  command  line option, but with the leading '--'
58              removed.
59
60              If --config file is the only option to the openvpn command,  the
61              --config can be removed, and the command can be given as openvpn
62              file
63
64              Note that configuration files can  be  nested  to  a  reasonable
65              depth.
66
67              Double  quotation or single quotation characters ("", '') can be
68              used to enclose single parameters containing whitespace, and "#"
69              or ";" characters in the first column can be used to denote com‐
70              ments.
71
72              Note that OpenVPN 2.0 and higher performs backslash-based  shell
73              escaping for characters not in single quotations, so the follow‐
74              ing mappings should be observed:
75
76                  \\       Maps to a single backslash character (\).
77                  \"       Pass a literal doublequote character ("), don't
78                           interpret it as enclosing a parameter.
79                  \[SPACE] Pass a literal space or tab character, don't
80                           interpret it as a parameter delimiter.
81
82              For example on Windows,  use  double  backslashes  to  represent
83              pathnames:
84
85                  secret "c:\\OpenVPN\\secret.key"
86
87              For   examples   of   configuration   files,   see  http://open
88              vpn.net/examples.html
89
90              Here is an example configuration file:
91
92                  #
93                  # Sample OpenVPN configuration file for
94                  # using a pre-shared static key.
95                  #
96                  # '#' or ';' may be used to delimit comments.
97
98                  # Use a dynamic tun device.
99                  dev tun
100
101                  # Our remote peer
102                  remote mypeer.mydomain
103
104                  # 10.1.0.1 is our local VPN endpoint
105                  # 10.1.0.2 is our remote VPN endpoint
106                  ifconfig 10.1.0.1 10.1.0.2
107
108                  # Our pre-shared static key
109                  secret static.key
110
111   Tunnel Options:
112       --mode m
113              Set  OpenVPN  major  mode.   By   default,   OpenVPN   runs   in
114              point-to-point  mode ("p2p").  OpenVPN 2.0 introduces a new mode
115              ("server") which implements a multi-client server capability.
116
117       --local host
118              Local host name or IP address for bind.  If  specified,  OpenVPN
119              will  bind  to  this address only.  If unspecified, OpenVPN will
120              bind to all interfaces.
121
122       --remote host [port] [proto]
123              Remote host  name  or  IP  address.   On  the  client,  multiple
124              --remote options may be specified for redundancy, each referring
125              to a different OpenVPN  server.   Specifying  multiple  --remote
126              options  for  this purpose is a special case of the more general
127              connection-profile feature.  See the <connection>  documentation
128              below.
129
130              The  OpenVPN client will try to connect to a server at host:port
131              in the order specified by the list of --remote options.
132
133              proto indicates the protocol to use  when  connecting  with  the
134              remote, and may be "tcp" or "udp".
135
136              For  forcing  IPv4 or IPv6 connection suffix tcp or udp with 4/6
137              like udp4/udp6/tcp4/tcp6.
138
139              The client will move on to the next host in  the  list,  in  the
140              event  of  connection failure.  Note that at any given time, the
141              OpenVPN client will at most be connected to one server.
142
143              Note that since UDP is  connectionless,  connection  failure  is
144              defined by the --ping and --ping-restart options.
145
146              Note  the  following  corner case:  If you use multiple --remote
147              options, AND you are dropping root privileges on the client with
148              --user  and/or  --group, AND the client is running a non-Windows
149              OS, if the client needs to switch to  a  different  server,  and
150              that server pushes back different TUN/TAP or route settings, the
151              client may lack the necessary privileges to close and reopen the
152              TUN/TAP  interface.   This could cause the client to exit with a
153              fatal error.
154
155              If --remote is unspecified, OpenVPN will listen for packets from
156              any  IP  address,  but will not act on those packets unless they
157              pass all authentication tests.  This requirement for authentica‐
158              tion  is  binding  on all potential peers, even those from known
159              and supposedly trusted IP addresses (it is very easy to forge  a
160              source IP address on a UDP packet).
161
162              When  used in TCP mode, --remote will act as a filter, rejecting
163              connections from any host which does not match host.
164
165              If host is a DNS name which resolves to multiple  IP  addresses,
166              OpenVPN will try them in the order that the system getaddrinfo()
167              presents them, so priorization and DNS randomization is done  by
168              the  system library.  Unless an IP version is forced by the pro‐
169              tocol specification (4/6 suffix), OpenVPN will try both IPv4 and
170              IPv6 addresses, in the order getaddrinfo() returns them.
171
172       --remote-random-hostname
173              Prepend a random string (6 bytes, 12 hex characters) to hostname
174              to prevent DNS caching.  For  example,  "foo.bar.gov"  would  be
175              modified to "<random-chars>.foo.bar.gov".
176
177       <connection>
178              Define  a client connection profile.  Client connection profiles
179              are groups of OpenVPN options that describe how to connect to  a
180              given  OpenVPN server.  Client connection profiles are specified
181              within an OpenVPN configuration file, and each profile is brack‐
182              eted by <connection> and </connection>.
183
184              An  OpenVPN client will try each connection profile sequentially
185              until it achieves a successful connection.
186
187              --remote-random can be used to initially "scramble" the  connec‐
188              tion list.
189
190              Here is an example of connection profile usage:
191
192                  client
193                  dev tun
194
195                  <connection>
196                  remote 198.19.34.56 1194 udp
197                  </connection>
198
199                  <connection>
200                  remote 198.19.34.56 443 tcp
201                  </connection>
202
203                  <connection>
204                  remote 198.19.34.56 443 tcp
205                  http-proxy 192.168.0.8 8080
206                  </connection>
207
208                  <connection>
209                  remote 198.19.36.99 443 tcp
210                  http-proxy 192.168.0.8 8080
211                  </connection>
212
213                  persist-key
214                  persist-tun
215                  pkcs12 client.p12
216                  remote-cert-tls server
217                  verb 3
218
219              First  we  try to connect to a server at 198.19.34.56:1194 using
220              UDP.  If that fails, we then try to connect to  198.19.34.56:443
221              using  TCP.   If that also fails, then try connecting through an
222              HTTP proxy at 192.168.0.8:8080 to  198.19.34.56:443  using  TCP.
223              Finally,  try  to  connect through the same proxy to a server at
224              198.19.36.99:443 using TCP.
225
226              The following OpenVPN options may be used inside of  a  <connec‐
227              tion> block:
228
229              bind,    connect-retry,    connect-retry-max,   connect-timeout,
230              explicit-exit-notify,     float,      fragment,      http-proxy,
231              http-proxy-option,  link-mtu,  local,  lport,  mssfix, mtu-disc,
232              nobind, port, proto, remote,  rport,  socks-proxy,  tun-mtu  and
233              tun-mtu-extra.
234
235              A defaulting mechanism exists for specifying options to apply to
236              all <connection> profiles.  If any of the  above  options  (with
237              the  exception  of  remote  )  appear  outside of a <connection>
238              block, but in a configuration file which has one or  more  <con‐
239              nection>  blocks,  the  option setting will be used as a default
240              for <connection> blocks which follow  it  in  the  configuration
241              file.
242
243              For example, suppose the nobind option were placed in the sample
244              configuration file above, near the top of the file,  before  the
245              first <connection> block.  The effect would be as if nobind were
246              declared in all <connection> blocks below it.
247
248       --proto-force p
249              When iterating through connection profiles, only  consider  pro‐
250              files using protocol p ('tcp'|'udp').
251
252       --remote-random
253              When  multiple  --remote address/ports are specified, or if con‐
254              nection profiles are being used, initially randomize  the  order
255              of the list as a kind of basic load-balancing measure.
256
257       --proto p
258              Use  protocol  p  for  communicating with remote host.  p can be
259              udp, tcp-client, or tcp-server.
260
261              The default protocol is udp when --proto is not specified.
262
263              For UDP operation, --proto  udp  should  be  specified  on  both
264              peers.
265
266              For  TCP operation, one peer must use --proto tcp-server and the
267              other  must  use  --proto  tcp-client.   A  peer  started   with
268              tcp-server will wait indefinitely for an incoming connection.  A
269              peer started with tcp-client will attempt  to  connect,  and  if
270              that  fails, will sleep for 5 seconds (adjustable via the --con‐
271              nect-retry option) and try again infinite or  up  to  N  retries
272              (adjustable  via  the  --connect-retry-max  option).   Both  TCP
273              client and server will simulate  a  SIGUSR1  restart  signal  if
274              either side resets the connection.
275
276              OpenVPN is designed to operate optimally over UDP, but TCP capa‐
277              bility is provided for situations where UDP cannot be used.   In
278              comparison with UDP, TCP will usually be somewhat less efficient
279              and less robust when used over unreliable or congested networks.
280
281              This article outlines some of problems with  tunneling  IP  over
282              TCP:
283
284              http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
285
286              There  are certain cases, however, where using TCP may be advan‐
287              tageous from a security and robustness perspective, such as tun‐
288              neling  non-IP  or application-level UDP protocols, or tunneling
289              protocols which don't possess a built-in reliability layer.
290
291       --connect-retry n [max]
292              Wait  n  seconds   between  connection   attempts   (default=5).
293              Repeated  reconnection  attempts are slowed down after 5 retries
294              per remote by doubling the wait  time  after  each  unsuccessful
295              attempt.  The  optional argument max specifies the maximum value
296              of wait time in seconds at which it gets capped (default=300).
297
298       --connect-retry-max n
299              n specifies the number of times each  --remote  or  <connection>
300              entry is tried. Specifying n as one would try each entry exactly
301              once.   A   successful   connection    resets    the    counter.
302              (default=unlimited).
303
304       --show-proxy-settings
305              Show  sensed  HTTP or SOCKS proxy settings. Currently, only Win‐
306              dows clients support this option.
307
308       --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
309              Connect to remote host through an HTTP proxy at  address  server
310              and port port.  If HTTP Proxy-Authenticate is required, authfile
311              is a file containing a username and  password  on  2  lines,  or
312              "stdin"  to  prompt from console. Its content can also be speci‐
313              fied in the config file with the --http-proxy-user-pass  option.
314              (See section on inline files)
315
316              auth-method should be one of "none", "basic", or "ntlm".
317
318              HTTP  Digest  authentication  is supported as well, but only via
319              the auto or auto-nct flags (below).
320
321              The auto flag causes  OpenVPN  to  automatically  determine  the
322              auth-method  and  query  stdin  or  the management interface for
323              username/password credentials, if required.  This flag exists on
324              OpenVPN 2.1 or higher.
325
326              The  auto-nct  flag  (no  clear-text  auth) instructs OpenVPN to
327              automatically determine the authentication method, but to reject
328              weak authentication protocols such as HTTP Basic Authentication.
329
330       --http-proxy-option type [parm]
331              Set  extended  HTTP  proxy  options.   Repeat  to  set  multiple
332              options.
333
334              VERSION  version  --  Set  HTTP  version   number   to   version
335              (default=1.0).
336
337              AGENT user-agent -- Set HTTP "User-Agent" string to user-agent.
338
339              CUSTOM-HEADER  name  content -- Adds the custom Header with name
340              as name and content as the content of the custom HTTP header.
341
342       --socks-proxy server [port] [authfile]
343              Connect to remote host through a Socks5 proxy at address  server
344              and  port  port  (default=1080).   authfile (optional) is a file
345              containing a username and password on 2  lines,  or  "stdin"  to
346              prompt from console.
347
348       --resolv-retry n
349              If hostname resolve fails for --remote, retry resolve for n sec‐
350              onds before failing.
351
352              Set n to "infinite" to retry indefinitely.
353
354              By default, --resolv-retry infinite is enabled.  You can disable
355              by setting n=0.
356
357       --float
358              Allow  remote  peer to change its IP address and/or port number,
359              such as due to DHCP (this is the  default  if  --remote  is  not
360              used).   --float  when specified with --remote allows an OpenVPN
361              session to initially connect to a peer at a known address,  how‐
362              ever if packets arrive from a new address and pass all authenti‐
363              cation tests, the new address will take control of the  session.
364              This  is  useful when you are connecting to a peer which holds a
365              dynamic address such as a dial-in user or DHCP client.
366
367              Essentially, --float tells OpenVPN to accept authenticated pack‐
368              ets  from  any address, not only the address which was specified
369              in the --remote option.
370
371       --ipchange cmd
372              Run command cmd when our remote ip-address is initially  authen‐
373              ticated or changes.
374
375              cmd  consists  of  a  path  to  script  (or executable program),
376              optionally followed by arguments. The path and arguments may  be
377              single-  or  double-quoted and/or escaped using a backslash, and
378              should be separated by one or more spaces.
379
380              When cmd is executed two arguments are appended after any  argu‐
381              ments specified in cmd , as follows:
382
383              cmd ip_address port_number
384
385              Don't use --ipchange in --mode server mode.  Use a --client-con‐
386              nect script instead.
387
388              See the "Environmental Variables" section below  for  additional
389              parameters passed as environmental variables.
390
391              If you are running in a dynamic IP address environment where the
392              IP addresses of either peer could change without notice, you can
393              use  this  script, for example, to edit the /etc/hosts file with
394              the current address of the peer.  The script will be  run  every
395              time the remote peer changes its IP address.
396
397              Similarly  if our IP address changes due to DHCP, we should con‐
398              figure our IP address change script (see man page for  dhcpcd(8)
399              )  to  deliver  a  SIGHUP or SIGUSR1 signal to OpenVPN.  OpenVPN
400              will then  reestablish  a  connection  with  its  most  recently
401              authenticated peer on its new IP address.
402
403       --port port
404              TCP/UDP port number or port name for both local and remote (sets
405              both --lport and --rport options to given  port).   The  current
406              default of 1194 represents the official IANA port number assign‐
407              ment for OpenVPN and has been  used  since  version  2.0-beta17.
408              Previous versions used port 5000 as the default.
409
410       --lport port
411              Set  local TCP/UDP port number or name.  Cannot be used together
412              with --nobind option.
413
414       --rport port
415              Set TCP/UDP port number or name used by the --remote option. The
416              port can also be set directly using the --remote option.
417
418       --bind [ipv6only]
419              Bind  to  local address and port. This is the default unless any
420              of --proto tcp-client , --http-proxy or --socks-proxy are used.
421
422              If the ipv6only keyword is present OpenVPN  will  bind  only  to
423              IPv6 (as oposed to IPv6 and IPv4) when a IPv6 socket is opened.
424
425
426       --nobind
427              Do  not bind to local address and port.  The IP stack will allo‐
428              cate a dynamic port for returning packets.  Since the  value  of
429              the  dynamic  port could not be known in advance by a peer, this
430              option is only suitable for peers which will be initiating  con‐
431              nections by using the --remote option.
432
433       --dev tunX | tapX | null
434              TUN/TAP  virtual network device ( X can be omitted for a dynamic
435              device.)
436
437              See examples section below for an example on setting  up  a  TUN
438              device.
439
440              You  must  use either tun devices on both ends of the connection
441              or tap devices on both ends.  You cannot mix them, as they  rep‐
442              resent different underlying network layers.
443
444              tun  devices  encapsulate  IPv4  or IPv6 (OSI Layer 3) while tap
445              devices encapsulate Ethernet 802.3 (OSI Layer 2).
446
447       --dev-type device-type
448              Which device type are we using?  device-type should be tun  (OSI
449              Layer  3)  or  tap  (OSI  Layer 2).  Use this option only if the
450              TUN/TAP device used with --dev does not begin with tun or tap.
451
452       --topology mode
453              Configure virtual addressing topology when running in --dev  tun
454              mode.   This  directive  has no meaning in --dev tap mode, which
455              always uses a subnet topology.
456
457              If you set this  directive  on  the  server,  the  --server  and
458              --server-bridge  directives  will automatically push your chosen
459              topology setting to clients as well.  This directive can also be
460              manually  pushed  to  clients.   Like  the --dev directive, this
461              directive must always be compatible between client and server.
462
463              mode can be one of:
464
465              net30 -- Use a point-to-point topology, by  allocating  one  /30
466              subnet  per  client.   This  is designed to allow point-to-point
467              semantics when some or all of the connecting  clients  might  be
468              Windows systems.  This is the default on OpenVPN 2.0.
469
470              p2p  --  Use a point-to-point topology where the remote endpoint
471              of the client's tun interface always points to  the  local  end‐
472              point of the server's tun interface.  This mode allocates a sin‐
473              gle IP address per connecting client.  Only use when none of the
474              connecting  clients are Windows systems.  This mode is function‐
475              ally equivalent to the --ifconfig-pool-linear directive which is
476              available  in  OpenVPN 2.0, is deprecated and will be removed in
477              OpenVPN 2.5
478
479              subnet -- Use a subnet rather than a point-to-point topology  by
480              configuring the tun interface with a local IP address and subnet
481              mask, similar to the topology used in  --dev  tap  and  ethernet
482              bridging mode.  This mode allocates a single IP address per con‐
483              necting client and works on Windows  as  well.   Only  available
484              when  server  and  clients are OpenVPN 2.1 or higher, or OpenVPN
485              2.0.x which has been manually patched with the --topology direc‐
486              tive code.  When used on Windows, requires version 8.2 or higher
487              of the TAP-Win32 driver.  When used on *nix, requires  that  the
488              tun  driver  supports an ifconfig(8) command which sets a subnet
489              instead of a remote endpoint IP address.
490
491              This option exists in OpenVPN 2.1 or higher.
492
493              Note: Using --topology subnet changes the interpretation of  the
494              arguments  of  --ifconfig  to  mean "address netmask", no longer
495              "local remote".
496
497       --dev-node node
498              Explicitly set the device node rather than  using  /dev/net/tun,
499              /dev/tun,  /dev/tap,  etc.  If OpenVPN cannot figure out whether
500              node is a TUN or TAP device based on the name, you  should  also
501              specify --dev-type tun or --dev-type tap.
502
503              Under  Mac  OS  X this option can be used to specify the default
504              tun implementation. Using --dev-node utun forces  usage  of  the
505              native Darwin tun kernel support. Use --dev-node utunN to select
506              a  specific  utun  instance.  To  force   using   the   tun.kext
507              (/dev/tunX)   use   --dev-node   tun.   When  not  specifying  a
508              --dev-node option openvpn will first try to open utun, and  fall
509              back to tun.kext.
510
511              On  Windows systems, select the TAP-Win32 adapter which is named
512              node in the Network Connections Control Panel or the raw GUID of
513              the  adapter  enclosed  by  braces.   The --show-adapters option
514              under Windows can  also  be  used  to  enumerate  all  available
515              TAP-Win32  adapters  and  will show both the network connections
516              control panel name and the GUID for each TAP-Win32 adapter.
517
518       --lladdr address
519              Specify the link layer address, more commonly known as  the  MAC
520              address.  Only applied to TAP devices.
521
522       --iproute cmd
523              Set  alternate  command  to  execute instead of default iproute2
524              command.  May be used in order to execute  OpenVPN  in  unprivi‐
525              leged environment.
526
527       --ifconfig l rn
528              Set  TUN/TAP  adapter  parameters.   l  is the IP address of the
529              local VPN endpoint.  For TUN devices in point-to-point mode,  rn
530              is  the IP address of the remote VPN endpoint.  For TAP devices,
531              or TUN devices used with --topology subnet,  rn  is  the  subnet
532              mask  of  the  virtual network segment which is being created or
533              connected to.
534
535              For TUN devices, which facilitate virtual point-to-point IP con‐
536              nections (when used in --topology net30 or p2p mode), the proper
537              usage of --ifconfig is to use two private IP addresses which are
538              not  a  member  of  any existing subnet which is in use.  The IP
539              addresses  may  be  consecutive  and  should  have  their  order
540              reversed  on  the remote peer.  After the VPN is established, by
541              pinging rn, you will be pinging across the VPN.
542
543              For TAP devices, which provide the  ability  to  create  virtual
544              ethernet  segments,  or  TUN  devices  in --topology subnet mode
545              (which create virtual "multipoint networks"), --ifconfig is used
546              to set an IP address and subnet mask just as a physical ethernet
547              adapter would be similarly configured.  If you are attempting to
548              connect  to  a remote ethernet bridge, the IP address and subnet
549              should be set to values which would be valid on the the  bridged
550              ethernet  segment  (note also that DHCP can be used for the same
551              purpose).
552
553              This option, while primarily a proxy for  the  ifconfig(8)  com‐
554              mand,  is  designed  to simplify TUN/TAP tunnel configuration by
555              providing a standard interface to the different ifconfig  imple‐
556              mentations on different platforms.
557
558              --ifconfig  parameters which are IP addresses can also be speci‐
559              fied as a DNS or /etc/hosts file resolvable name.
560
561              For TAP devices, --ifconfig should not be used if the TAP inter‐
562              face will be getting an IP address lease from a DHCP server.
563
564       --ifconfig-noexec
565              Don't  actually  execute  ifconfig/netsh  commands, instead pass
566              --ifconfig parameters to scripts using environmental variables.
567
568       --ifconfig-nowarn
569              Don't  output  an  options  consistency  check  warning  if  the
570              --ifconfig  option  on this side of the connection doesn't match
571              the remote side.  This is useful when you  want  to  retain  the
572              overall  benefits  of  the  options  consistency check (also see
573              --disable-occ option) while only disabling the  ifconfig  compo‐
574              nent of the check.
575
576              For  example,  if  you have a configuration where the local host
577              uses --ifconfig but the  remote  host  does  not,  use  --ifcon‐
578              fig-nowarn on the local host.
579
580              This  option  will also silence warnings about potential address
581              conflicts which occasionally annoy  more  experienced  users  by
582              triggering "false positive" warnings.
583
584       --route network/IP [netmask] [gateway] [metric]
585              Add  route  to  routing  table  after connection is established.
586              Multiple routes can be specified.  Routes will be  automatically
587              torn down in reverse order prior to TUN/TAP device close.
588
589              This  option is intended as a convenience proxy for the route(8)
590              shell command, while at the same time providing portable  seman‐
591              tics across OpenVPN's platform space.
592
593              netmask default -- 255.255.255.255
594
595              gateway  default  --  taken  from  --route-gateway or the second
596              parameter to --ifconfig when --dev tun is specified.
597
598              metric default -- taken from --route-metric otherwise 0.
599
600              The default can be specified by leaving an option blank or  set‐
601              ting it to "default".
602
603              The  network  and  gateway parameters can also be specified as a
604              DNS or /etc/hosts file resolvable name, or as one of three  spe‐
605              cial keywords:
606
607              vpn_gateway  --  The remote VPN endpoint address (derived either
608              from --route-gateway or the second parameter to --ifconfig  when
609              --dev tun is specified).
610
611              net_gateway  --  The  pre-existing IP default gateway, read from
612              the routing table (not supported on all OSes).
613
614              remote_host -- The --remote address if OpenVPN is being  run  in
615              client mode, and is undefined in server mode.
616
617       --route-gateway gw|'dhcp'
618              Specify a default gateway gw for use with --route.
619
620              If  dhcp is specified as the parameter, the gateway address will
621              be  extracted  from  a  DHCP  negotiation   with   the   OpenVPN
622              server-side LAN.
623
624       --route-metric m
625              Specify a default metric m for use with --route.
626
627       --route-delay [n] [w]
628              Delay  n  seconds  (default=0)  after  connection establishment,
629              before adding routes. If n is 0, routes will  be  added  immedi‐
630              ately  upon connection establishment.  If --route-delay is omit‐
631              ted, routes will be added immediately after TUN/TAP device  open
632              and  --up  script execution, before any --user or --group privi‐
633              lege downgrade (or --chroot execution.)
634
635              This option is designed to be useful in scenarios where DHCP  is
636              used to set tap adapter addresses.  The delay will give the DHCP
637              handshake time to complete before routes are added.
638
639              On Windows, --route-delay tries to be more intelligent by  wait‐
640              ing  w  seconds  (w=30  by default) for the TAP-Win32 adapter to
641              come up before adding routes.
642
643       --route-up cmd
644              Run  command  cmd   after   routes   are   added,   subject   to
645              --route-delay.
646
647              cmd  consists  of  a  path  to  script  (or executable program),
648              optionally followed by arguments. The path and arguments may  be
649              single-  or  double-quoted and/or escaped using a backslash, and
650              should be separated by one or more spaces.
651
652              See the "Environmental Variables" section below  for  additional
653              parameters passed as environmental variables.
654
655       --route-pre-down cmd
656              Run command cmd before routes are removed upon disconnection.
657
658              cmd  consists  of  a  path  to  script  (or executable program),
659              optionally followed by arguments. The path and arguments may  be
660              single-  or  double-quoted and/or escaped using a backslash, and
661              should be separated by one or more spaces.
662
663              See the "Environmental Variables" section below  for  additional
664              parameters passed as environmental variables.
665
666       --route-noexec
667              Don't  add  or remove routes automatically.  Instead pass routes
668              to --route-up script using environmental variables.
669
670       --route-nopull
671              When used with --client or  --pull,  accept  options  pushed  by
672              server  EXCEPT  for  routes,  block-outside-dns and dhcp options
673              like DNS servers.
674
675              When used on the client, this option effectively bars the server
676              from  adding  routes to the client's routing table, however note
677              that this option still allows the server to set the TCP/IP prop‐
678              erties of the client's TUN/TAP interface.
679
680       --allow-pull-fqdn
681              Allow  client  to  pull DNS names from server (rather than being
682              limited  to   IP   address)   for   --ifconfig,   --route,   and
683              --route-gateway.
684
685       --client-nat snat|dnat network netmask alias
686              This  pushable  client option sets up a stateless one-to-one NAT
687              rule on packet addresses (not ports), and  is  useful  in  cases
688              where  routes  or  ifconfig  settings pushed to the client would
689              create an IP numbering conflict.
690
691              network/netmask (for  example  192.168.0.0/255.255.0.0)  defines
692              the  local view of a resource from the client perspective, while
693              alias/netmask (for example  10.64.0.0/255.255.0.0)  defines  the
694              remote view from the server perspective.
695
696              Use snat (source NAT) for resources owned by the client and dnat
697              (destination NAT) for remote resources.
698
699              Set --verb 6 for debugging info showing  the  transformation  of
700              src/dest addresses in packets.
701
702       --redirect-gateway flags...
703              Automatically  execute routing commands to cause all outgoing IP
704              traffic to be redirected over the VPN.  This  is  a  client-side
705              option.
706
707              This option performs three steps:
708
709              (1)  Create  a  static route for the --remote address which for‐
710              wards to the pre-existing default gateway.  This is done so that
711              (3) will not create a routing loop.
712
713              (2) Delete the default gateway route.
714
715              (3)  Set  the new default gateway to be the VPN endpoint address
716              (derived either from --route-gateway or the second parameter  to
717              --ifconfig when --dev tun is specified).
718
719              When  the  tunnel  is  torn  down,  all  of  the above steps are
720              reversed so that the original default route is restored.
721
722              Option flags:
723
724              local -- Add the local flag if both OpenVPN peers  are  directly
725              connected via a common subnet, such as with wireless.  The local
726              flag will cause step 1 above to be omitted.
727
728              autolocal -- Try to automatically determine  whether  to  enable
729              local flag above.
730
731              def1  --  Use this flag to override the default gateway by using
732              0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.  This  has  the
733              benefit  of  overriding  but not wiping out the original default
734              gateway.
735
736              bypass-dhcp -- Add a direct route to the DHCP server (if  it  is
737              non-local)  which  bypasses  the  tunnel  (Available  on Windows
738              clients, may not be available on non-Windows clients).
739
740              bypass-dns -- Add a direct route to the DNS server(s)  (if  they
741              are  non-local)  which bypasses the tunnel (Available on Windows
742              clients, may not be available on non-Windows clients).
743
744              block-local -- Block access to local  LAN  when  the  tunnel  is
745              active, except for the LAN gateway itself.  This is accomplished
746              by routing the local LAN (except for the  LAN  gateway  address)
747              into the tunnel.
748
749              ipv6 -- Redirect IPv6 routing into the tunnel.  This works simi‐
750              lar to the def1 flag, that is, more  specific  IPv6  routes  are
751              added  (2000::/4,  3000::/4),  covering  the  whole IPv6 unicast
752              space.
753
754              !ipv4 -- Do not redirect IPv4 traffic - typically  used  in  the
755              flag pair ipv6 !ipv4 to redirect IPv6-only.
756
757       --link-mtu n
758              Sets  an  upper  bound on the size of UDP packets which are sent
759              between OpenVPN peers.  It's best  not  to  set  this  parameter
760              unless you know what you're doing.
761
762       --redirect-private [flags]
763              Like  --redirect-gateway, but omit actually changing the default
764              gateway.  Useful when pushing private subnets.
765
766       --tun-mtu n
767              Take the TUN device MTU to be n and derive the link MTU from  it
768              (default=1500).   In most cases, you will probably want to leave
769              this parameter set to its default value.
770
771              The MTU (Maximum Transmission Units)  is  the  maximum  datagram
772              size  in  bytes  that can be sent unfragmented over a particular
773              network path.  OpenVPN requires that packets on the  control  or
774              data channels be sent unfragmented.
775
776              MTU problems often manifest themselves as connections which hang
777              during periods of active usage.
778
779              It's best to use the --fragment and/or --mssfix options to  deal
780              with MTU sizing issues.
781
782       --tun-mtu-extra n
783              Assume  that  the TUN/TAP device might return as many as n bytes
784              more than the --tun-mtu size on read.  This  parameter  defaults
785              to 0, which is sufficient for most TUN devices.  TAP devices may
786              introduce additional overhead in excess of the MTU size,  and  a
787              setting  of  32  is the default when TAP devices are used.  This
788              parameter only controls internal OpenVPN buffer sizing, so there
789              is  no  transmission  overhead  associated  with  using a larger
790              value.
791
792       --mtu-disc type
793              Should we do Path MTU discovery on TCP/UDP channel?   Only  sup‐
794              ported  on OSes such as Linux that supports the necessary system
795              call to set.
796
797              'no' -- Never send DF (Don't Fragment) frames
798              'maybe' -- Use per-route hints
799              'yes' -- Always DF (Don't Fragment)
800
801       --mtu-test
802              To empirically  measure  MTU  on  connection  startup,  add  the
803              --mtu-test option to your configuration.  OpenVPN will send ping
804              packets of various sizes to the  remote  peer  and  measure  the
805              largest   packets   which   were   successfully  received.   The
806              --mtu-test process normally takes about 3 minutes to complete.
807
808       --fragment max
809              Enable internal datagram fragmentation so that no UDP  datagrams
810              are sent which are larger than max bytes.
811
812              The  max  parameter  is  interpreted  in  the  same  way  as the
813              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
814              tion  overhead  has  been  added  in,  but not including the UDP
815              header itself.
816
817              The --fragment option only makes sense when you  are  using  the
818              UDP protocol ( --proto udp ).
819
820              --fragment adds 4 bytes of overhead per datagram.
821
822              See the --mssfix option below for an important related option to
823              --fragment.
824
825              It should also be noted that this option is not meant to replace
826              UDP  fragmentation at the IP stack level.  It is only meant as a
827              last resort when path  MTU  discovery  is  broken.   Using  this
828              option is less efficient than fixing path MTU discovery for your
829              IP link and using native IP fragmentation instead.
830
831              Having said that, there are circumstances where using  OpenVPN's
832              internal  fragmentation capability may be your only option, such
833              as tunneling a UDP multicast stream  which  requires  fragmenta‐
834              tion.
835
836       --mssfix max
837              Announce  to  TCP  sessions  running  over  the tunnel that they
838              should limit their send packet sizes such that after OpenVPN has
839              encapsulated  them,  the  resulting UDP packet size that OpenVPN
840              sends to its peer will not exceed max bytes. The  default  value
841              is 1450.
842
843              The  max  parameter  is  interpreted  in  the  same  way  as the
844              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
845              tion  overhead  has  been  added  in,  but not including the UDP
846              header itself. Resulting packet would be at most 28 bytes larger
847              for  IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and 8
848              bytes for UDP header). Default value of 1450 allows IPv4 packets
849              to be transmitted over a link with MTU 1473 or higher without IP
850              level fragmentation.
851
852              The --mssfix option only makes sense when you are using the  UDP
853              protocol  for  OpenVPN peer-to-peer communication, i.e.  --proto
854              udp.
855
856              --mssfix and --fragment can  be  ideally  used  together,  where
857              --mssfix  will try to keep TCP from needing packet fragmentation
858              in the first place, and if big packets come through anyhow (from
859              protocols  other  than TCP), --fragment will internally fragment
860              them.
861
862              Both --fragment and --mssfix are designed to work  around  cases
863              where  Path  MTU discovery is broken on the network path between
864              OpenVPN peers.
865
866              The usual symptom of such a breakdown is an  OpenVPN  connection
867              which successfully starts, but then stalls during active usage.
868
869              If --fragment and --mssfix are used together, --mssfix will take
870              its default max parameter from the --fragment max option.
871
872              Therefore, one could lower the maximum UDP packet size  to  1300
873              (a  good  first try for solving MTU-related connection problems)
874              with the following options:
875
876              --tun-mtu 1500 --fragment 1300 --mssfix
877
878       --sndbuf size
879              Set the TCP/UDP socket send buffer size.  Defaults to  operation
880              system default.
881
882       --rcvbuf size
883              Set  the TCP/UDP socket receive buffer size.  Defaults to opera‐
884              tion system default.
885
886       --mark value
887              Mark encrypted packets being sent with value. The mark value can
888              be matched in policy routing and packetfilter rules. This option
889              is only supported in Linux and does nothing on  other  operating
890              systems.
891
892       --socket-flags flags...
893              Apply  the  given  flags  to the OpenVPN transport socket.  Cur‐
894              rently, only TCP_NODELAY is supported.
895
896              The TCP_NODELAY socket flag is useful in TCP  mode,  and  causes
897              the  kernel to send tunnel packets immediately over the TCP con‐
898              nection without trying to group several smaller packets  into  a
899              larger packet.  This can result in a considerably improvement in
900              latency.
901
902              This option is pushable from server to  client,  and  should  be
903              used on both client and server for maximum effect.
904
905       --txqueuelen n
906              (Linux  only)  Set the TX queue length on the TUN/TAP interface.
907              Currently defaults to 100.
908
909       --shaper n
910              Limit bandwidth of outgoing tunnel data to n bytes per second on
911              the  TCP/UDP port.  Note that this will only work if mode is set
912              to p2p.  If you want to limit the bandwidth in both  directions,
913              use this option on both peers.
914
915              OpenVPN  uses the following algorithm to implement traffic shap‐
916              ing: Given a shaper rate of n bytes per second, after a datagram
917              write  of  b bytes is queued on the TCP/UDP port, wait a minimum
918              of (b / n) seconds before queuing the next write.
919
920              It should  be  noted  that  OpenVPN  supports  multiple  tunnels
921              between the same two peers, allowing you to construct full-speed
922              and reduced bandwidth tunnels at the same time, routing low-pri‐
923              ority  data  such as off-site backups over the reduced bandwidth
924              tunnel, and other data over the full-speed tunnel.
925
926              Also note that for low bandwidth tunnels (under 1000  bytes  per
927              second),  you  should probably use lower MTU values as well (see
928              above), otherwise the packet latency will grow so  large  as  to
929              trigger  timeouts  in  the TLS layer and TCP connections running
930              over the tunnel.
931
932              OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.
933
934       --inactive n [bytes]
935              Causes OpenVPN to exit after n  seconds  of  inactivity  on  the
936              TUN/TAP  device. The time length of inactivity is measured since
937              the last incoming or outgoing tunnel packet.  The default  value
938              is 0 seconds, which disables this feature.
939
940              If  the  optional bytes parameter is included, exit if less than
941              bytes of combined in/out traffic are  produced  on  the  tun/tap
942              device in n seconds.
943
944              In  any  case,  OpenVPN's  internal ping packets (which are just
945              keepalives) and TLS control packets are not  considered  "activ‐
946              ity",  nor  are they counted as traffic, as they are used inter‐
947              nally by OpenVPN and are not an indication of actual user activ‐
948              ity.
949
950       --ping n
951              Ping  remote over the TCP/UDP control channel if no packets have
952              been sent for at least n seconds (specify --ping on  both  peers
953              to  cause ping packets to be sent in both directions since Open‐
954              VPN ping packets are not echoed like  IP  ping  packets).   When
955              used   in   one  of  OpenVPN's  secure  modes  (where  --secret,
956              --tls-server, or --tls-client is  specified),  the  ping  packet
957              will be cryptographically secure.
958
959              This option has two intended uses:
960
961              (1)  Compatibility  with  stateful firewalls.  The periodic ping
962              will ensure that a stateful firewall rule which  allows  OpenVPN
963              UDP packets to pass will not time out.
964
965              (2)  To  provide a basis for the remote to test the existence of
966              its peer using the --ping-exit option.
967
968       --ping-exit n
969              Causes OpenVPN to exit after n seconds pass without reception of
970              a ping or other packet from remote.  This option can be combined
971              with --inactive, --ping, and --ping-exit to create a  two-tiered
972              inactivity disconnect.
973
974              For example,
975
976              openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
977
978              when  used  on  both  peers will cause OpenVPN to exit within 60
979              seconds if its peer disconnects, but will exit after one hour if
980              no actual tunnel data is exchanged.
981
982       --ping-restart n
983              Similar  to  --ping-exit,  but trigger a SIGUSR1 restart after n
984              seconds pass without reception of a ping or  other  packet  from
985              remote.
986
987              This  option  is  useful  in  cases  where the remote peer has a
988              dynamic IP address and a low-TTL DNS name is used to  track  the
989              IP  address  using  a  service  such  as  http://dyndns.org/ + a
990              dynamic DNS client such as ddclient.
991
992              If the peer cannot be reached,  a  restart  will  be  triggered,
993              causing  the  hostname  used with --remote to be re-resolved (if
994              --resolv-retry is also specified).
995
996              In server mode, --ping-restart, --inactive, or any other type of
997              internally generated signal will always be applied to individual
998              client instance objects, never to  whole  server  itself.   Note
999              also  in  server mode that any internally generated signal which
1000              would normally cause a restart, will cause the deletion  of  the
1001              client instance object instead.
1002
1003              In  client mode, the --ping-restart parameter is set to 120 sec‐
1004              onds by default.  This default will hold until the client  pulls
1005              a  replacement  value  from the server, based on the --keepalive
1006              setting in the server configuration.  To disable the 120  second
1007              default, set --ping-restart 0 on the client.
1008
1009              See the signals section below for more information on SIGUSR1.
1010
1011              Note  that the behavior of SIGUSR1 can be modified by the --per‐
1012              sist-tun,   --persist-key,   --persist-local-ip,   and    --per‐
1013              sist-remote-ip options.
1014
1015              Also  note  that  --ping-exit  and  --ping-restart  are mutually
1016              exclusive and cannot be used together.
1017
1018       --keepalive interval timeout
1019              A helper directive designed to simplify the expression of --ping
1020              and --ping-restart.
1021
1022              This  option  can be used on both client and server side, but it
1023              is enough to add this on the server side as it will push  appro‐
1024              priate --ping and --ping-restart options to the client.  If used
1025              on both server and client, the values pushed  from  server  will
1026              override the client local values.
1027
1028              The  timeout  argument will be twice as long on the server side.
1029              This ensures that a timeout is detected on  client  side  before
1030              the server side drops the connection.
1031
1032              For example, --keepalive 10 60 expands as follows:
1033
1034                   if mode server:
1035                     ping 10                    # Argument: interval
1036                     ping-restart 120           # Argument: timeout*2
1037                     push "ping 10"             # Argument: interval
1038                     push "ping-restart 60"     # Argument: timeout
1039                   else
1040                     ping 10                    # Argument: interval
1041                     ping-restart 60            # Argument: timeout
1042
1043       --ping-timer-rem
1044              Run  the  --ping-exit  /  --ping-restart timer only if we have a
1045              remote address.  Use this option if you are starting the  daemon
1046              in listen mode (i.e. without an explicit --remote peer), and you
1047              don't want to start clocking timeouts until a remote  peer  con‐
1048              nects.
1049
1050       --persist-tun
1051              Don't  close  and  reopen  TUN/TAP device or run up/down scripts
1052              across SIGUSR1 or --ping-restart restarts.
1053
1054              SIGUSR1 is a restart signal similar to SIGHUP, but which  offers
1055              finer-grained control over reset options.
1056
1057       --persist-key
1058              Don't re-read key files across SIGUSR1 or --ping-restart.
1059
1060              This option can be combined with --user nobody to allow restarts
1061              triggered by the SIGUSR1 signal.   Normally  if  you  drop  root
1062              privileges  in  OpenVPN, the daemon cannot be restarted since it
1063              will now be unable to re-read protected key files.
1064
1065              This option solves the problem by persisting keys across SIGUSR1
1066              resets, so they don't need to be re-read.
1067
1068       --persist-local-ip
1069              Preserve  initially  resolved  local  IP address and port number
1070              across SIGUSR1 or --ping-restart restarts.
1071
1072       --persist-remote-ip
1073              Preserve most recently authenticated remote IP address and  port
1074              number across SIGUSR1 or --ping-restart restarts.
1075
1076       --mlock
1077              Disable paging by calling the POSIX mlockall function.  Requires
1078              that OpenVPN be initially run as root (though OpenVPN can subse‐
1079              quently downgrade its UID using the --user option).
1080
1081              Using  this option ensures that key material and tunnel data are
1082              never written to disk due to virtual  memory  paging  operations
1083              which  occur  under  most  modern operating systems.  It ensures
1084              that even if an attacker was able to crack the box running Open‐
1085              VPN,  he  would  not  be  able  to  scan the system swap file to
1086              recover previously used ephemeral keys, which  are  used  for  a
1087              period of time governed by the --reneg options (see below), then
1088              are discarded.
1089
1090              The downside of using --mlock is that it will reduce the  amount
1091              of physical memory available to other applications.
1092
1093       --up cmd
1094              Run command cmd after successful TUN/TAP device open (pre --user
1095              UID change).
1096
1097              cmd consists of  a  path  to  script  (or  executable  program),
1098              optionally  followed by arguments. The path and arguments may be
1099              single- or double-quoted and/or escaped using a  backslash,  and
1100              should be separated by one or more spaces.
1101
1102              The  up  command  is  useful for specifying route commands which
1103              route IP traffic destined for private subnets which exist at the
1104              other end of the VPN connection into the tunnel.
1105
1106              For --dev tun execute as:
1107
1108              cmd    tun_dev   tun_mtu   link_mtu   ifconfig_local_ip   ifcon‐
1109              fig_remote_ip [ init | restart ]
1110
1111              For --dev tap execute as:
1112
1113              cmd tap_dev tap_mtu link_mtu ifconfig_local_ip  ifconfig_netmask
1114              [ init | restart ]
1115
1116              See  the  "Environmental Variables" section below for additional
1117              parameters passed as environmental variables.
1118
1119              Note that if cmd includes arguments, all OpenVPN-generated argu‐
1120              ments  will  be  appended to them to build an argument list with
1121              which the executable will be called.
1122
1123              Typically, cmd will run a script to add routes to the tunnel.
1124
1125              Normally the up script is called after  the  TUN/TAP  device  is
1126              opened.  In this context, the last command line parameter passed
1127              to the script will be init.  If the --up-restart option is  also
1128              used,  the  up  script  will  be called for restarts as well.  A
1129              restart is considered to be a partial reinitialization of  Open‐
1130              VPN  where  the TUN/TAP instance is preserved (the --persist-tun
1131              option will enable such preservation).  A restart can be  gener‐
1132              ated by a SIGUSR1 signal, a --ping-restart timeout, or a connec‐
1133              tion reset when the TCP protocol is  enabled  with  the  --proto
1134              option.   If  a restart occurs, and --up-restart has been speci‐
1135              fied, the up script will be called  with  restart  as  the  last
1136              parameter.
1137
1138              NOTE: on restart, OpenVPN will not pass the full set of environ‐
1139              ment variables to the script.   Namely,  everything  related  to
1140              routing  and gateways will not be passed, as nothing needs to be
1141              done anyway - all the routing setup is already in place.   Addi‐
1142              tionally,  the  up-restart  script  will run with the downgraded
1143              UID/GID settings (if configured).
1144
1145              The following standalone example shows how the --up  script  can
1146              be called in both an initialization and restart context.  (NOTE:
1147              for security reasons, don't run the following example unless UDP
1148              port  9999  is blocked by your firewall.  Also, the example will
1149              run indefinitely, so you should abort with control-c).
1150
1151              openvpn --dev tun --port 9999 --verb 4  --ping-restart  10  --up
1152              'echo up' --down 'echo down' --persist-tun --up-restart
1153
1154              Note  that  OpenVPN also provides the --ifconfig option to auto‐
1155              matically ifconfig the  TUN  device,  eliminating  the  need  to
1156              define  an --up script, unless you also want to configure routes
1157              in the --up script.
1158
1159              If --ifconfig is also specified, OpenVPN will pass the  ifconfig
1160              local  and  remote  endpoints  on  the  command line to the --up
1161              script so that they can be used to configure routes such as:
1162
1163              route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1164
1165       --up-delay
1166              Delay TUN/TAP open and  possible  --up  script  execution  until
1167              after TCP/UDP connection establishment with peer.
1168
1169              In  --proto  udp  mode, this option normally requires the use of
1170              --ping to allow  connection  initiation  to  be  sensed  in  the
1171              absence  of  tunnel data, since UDP is a "connectionless" proto‐
1172              col.
1173
1174              On Windows, this option will delay  the  TAP-Win32  media  state
1175              transitioning  to  "connected"  until  connection establishment,
1176              i.e. the receipt of the  first  authenticated  packet  from  the
1177              peer.
1178
1179       --down cmd
1180              Run  command  cmd  after  TUN/TAP  device close (post --user UID
1181              change and/or --chroot ).  cmd consists of a path to script  (or
1182              executable  program), optionally followed by arguments. The path
1183              and arguments may be single-  or  double-quoted  and/or  escaped
1184              using  a  backslash, and should be separated by one or more spa‐
1185              ces.
1186
1187              Called with the same parameters and environmental  variables  as
1188              the --up option above.
1189
1190              Note  that  if  you  reduce  privileges  by  using --user and/or
1191              --group, your --down script will also run at reduced privilege.
1192
1193       --down-pre
1194              Call --down cmd/script before, rather than after, TUN/TAP close.
1195
1196       --up-restart
1197              Enable the --up and --down scripts to be called for restarts  as
1198              well  as  initial  program start.  This option is described more
1199              fully above in the --up option documentation.
1200
1201       --setenv name value
1202              Set a  custom  environmental  variable  name=value  to  pass  to
1203              script.
1204
1205       --setenv FORWARD_COMPATIBLE 1
1206              Relax  config  file  syntax  checking so that unknown directives
1207              will trigger a warning but not a fatal error, on the  assumption
1208              that  a given unknown directive might be valid in future OpenVPN
1209              versions.
1210
1211              This option should be used with caution, as there are good secu‐
1212              rity reasons for having OpenVPN fail if it detects problems in a
1213              config file.  Having said that,  there  are  valid  reasons  for
1214              wanting new software features to gracefully degrade when encoun‐
1215              tered by older software versions.
1216
1217              It is also possible to tag a single directive so as not to trig‐
1218              ger  a  fatal  error  if  the directive isn't recognized.  To do
1219              this, prepend the following before the directive: setenv opt
1220
1221              Versions prior to OpenVPN 2.3.3 will always ignore  options  set
1222              with the setenv opt directive.
1223
1224              See also --ignore-unknown-option
1225
1226       --setenv-safe name value
1227              Set  a  custom environmental variable OPENVPN_name=value to pass
1228              to script.
1229
1230              This directive is  designed  to  be  pushed  by  the  server  to
1231              clients,  and  the prepending of "OPENVPN_" to the environmental
1232              variable is a safety precaution to prevent  a  LD_PRELOAD  style
1233              attack from a malicious or compromised server.
1234
1235       --ignore-unknown-option opt1 opt2 opt3 ... optN
1236              When one of options opt1 ... optN is encountered in the configu‐
1237              ration file the configuration file parsing does not fail if this
1238              OpenVPN   version   does   not   support  the  option.  Multiple
1239              --ignore-unknown-option options can be given to support a larger
1240              number of options to ignore.
1241
1242              This option should be used with caution, as there are good secu‐
1243              rity reasons for having OpenVPN fail if it detects problems in a
1244              config file. Having said that, there are valid reasons for want‐
1245              ing new software features to gracefully degrade when encountered
1246              by older software versions.
1247
1248              --ignore-unknown-option is available since OpenVPN 2.3.3.
1249
1250       --script-security level
1251              This  directive offers policy-level control over OpenVPN's usage
1252              of external programs and scripts.  Lower level values  are  more
1253              restrictive,  higher  values  are more permissive.  Settings for
1254              level:
1255
1256              0 -- Strictly no calling of external programs.
1257              1 -- (Default) Only call built-in executables such as  ifconfig,
1258              ip, route, or netsh.
1259              2  --  Allow  calling  of  built-in executables and user-defined
1260              scripts.
1261              3 -- Allow passwords to be passed to scripts  via  environmental
1262              variables (potentially unsafe).
1263
1264              OpenVPN  releases before v2.3 also supported a method flag which
1265              indicated how OpenVPN should call external commands and scripts.
1266              This  could be either execve or system.  As of OpenVPN 2.3, this
1267              flag is no longer  accepted.   In  most  *nix  environments  the
1268              execve() approach has been used without any issues.
1269
1270              Some  directives  such as --up allow options to be passed to the
1271              external script. In these cases make sure the script  name  does
1272              not  contain  any  spaces or the configuration parser will choke
1273              because it can't determine where the script name ends and script
1274              options start.
1275
1276              To run scripts in Windows in earlier OpenVPN versions you needed
1277              to either add a full path to the script  interpreter  which  can
1278              parse  the  script  or use the system flag to run these scripts.
1279              As of OpenVPN 2.3 it is now a strict requirement  to  have  full
1280              path  to  the  script  interpreter  when running non-executables
1281              files.  This is not needed for executable files, such  as  .exe,
1282              .com,  .bat  or  .cmd  files.  For example, if you have a Visual
1283              Basic script, you must use this syntax now:
1284
1285                  --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
1286
1287              Please note the single quote marks and the escaping of the back‐
1288              slashes (\) and the space character.
1289
1290              The reason the support for the system flag was removed is due to
1291              the security implications with shell expansions  when  executing
1292              scripts via the system() call.
1293
1294       --disable-occ
1295              Don't  output  a  warning  message if option inconsistencies are
1296              detected between peers.  An example of an  option  inconsistency
1297              would be where one peer uses --dev tun while the other peer uses
1298              --dev tap.
1299
1300              Use of this option is discouraged, but is provided as  a  tempo‐
1301              rary  fix  in  situations where a recent version of OpenVPN must
1302              connect to an old version.
1303
1304       --user user
1305              Change the user ID of the OpenVPN process to user after initial‐
1306              ization,  dropping  privileges  in  the process.  This option is
1307              useful to protect the system in  the  event  that  some  hostile
1308              party  was  able  to gain control of an OpenVPN session.  Though
1309              OpenVPN's security features make this unlikely, it  is  provided
1310              as a second line of defense.
1311
1312              By  setting  user  to nobody or somebody similarly unprivileged,
1313              the hostile party would be limited in  what  damage  they  could
1314              cause.   Of  course  once  you  take away privileges, you cannot
1315              return them to an OpenVPN session.   This  means,  for  example,
1316              that  if you want to reset an OpenVPN daemon with a SIGUSR1 sig‐
1317              nal (for example in response to a DHCP reset), you  should  make
1318              use of one or more of the --persist options to ensure that Open‐
1319              VPN doesn't need to execute any privileged operations  in  order
1320              to  restart (such as re-reading key files or running ifconfig on
1321              the TUN device).
1322
1323       --group group
1324              Similar to the --user option, this option changes the  group  ID
1325              of the OpenVPN process to group after initialization.
1326
1327       --cd dir
1328              Change  directory to dir prior to reading any files such as con‐
1329              figuration files, key files, scripts, etc.   dir  should  be  an
1330              absolute path, with a leading "/", and without any references to
1331              the current directory such as "." or "..".
1332
1333              This option is useful when you are running OpenVPN  in  --daemon
1334              mode,  and  you  want to consolidate all of your OpenVPN control
1335              files in one location.
1336
1337       --chroot dir
1338              Chroot to dir after initialization.  --chroot essentially  rede‐
1339              fines  dir  as  being the top level directory tree (/).  OpenVPN
1340              will therefore be unable to access any files outside this  tree.
1341              This can be desirable from a security standpoint.
1342
1343              Since  the  chroot  operation is delayed until after initializa‐
1344              tion, most OpenVPN options that reference files will operate  in
1345              a pre-chroot context.
1346
1347              In  many  cases,  the dir parameter can point to an empty direc‐
1348              tory, however complications can result when scripts or  restarts
1349              are executed after the chroot operation.
1350
1351              Note:  The  SSL  library  will  probably need /dev/urandom to be
1352              available inside the chroot directory dir.  This is because  SSL
1353              libraries  occasionally  need  to  collect  fresh random.  Newer
1354              linux kernels and some BSDs implement a  getrandom()  or  geten‐
1355              tropy()  syscall  that  removes  the need for /dev/urandom to be
1356              available.
1357
1358       --setcon context
1359              Apply SELinux context  after  initialization.  This  essentially
1360              provides  the  ability to restrict OpenVPN's rights to only net‐
1361              work I/O operations, thanks to SELinux. This goes  further  than
1362              --user  and  --chroot in that those two, while being great secu‐
1363              rity features, unfortunately do not  protect  against  privilege
1364              escalation  by exploitation of a vulnerable system call. You can
1365              of course combine all three, but please note that  since  setcon
1366              requires  access to /proc you will have to provide it inside the
1367              chroot directory (e.g. with mount --bind).
1368
1369              Since the setcon operation is delayed  until  after  initializa‐
1370              tion,  OpenVPN  can be restricted to just network-related system
1371              calls, whereas by applying the context before startup  (such  as
1372              the  OpenVPN one provided in the SELinux Reference Policies) you
1373              will have to allow many things required only during  initializa‐
1374              tion.
1375
1376              Like  with  chroot,  complications  can  result  when scripts or
1377              restarts are executed after the setcon operation, which  is  why
1378              you  should  really  consider using the --persist-key and --per‐
1379              sist-tun options.
1380
1381       --daemon [progname]
1382              Become a daemon after  all  initialization  functions  are  com‐
1383              pleted.   This option will cause all message and error output to
1384              be sent to the syslog file (such as  /var/log/messages),  except
1385              for  the  output of scripts and ifconfig commands, which will go
1386              to /dev/null unless otherwise redirected.  The syslog  redirect‐
1387              ion  occurs  immediately at the point that --daemon is parsed on
1388              the command line even  though  the  daemonization  point  occurs
1389              later.   If  one  of  the  --log  options  is  present,  it will
1390              supercede syslog redirection.
1391
1392              The optional progname parameter will cause OpenVPN to report its
1393              program name to the system logger as progname.  This can be use‐
1394              ful in linking OpenVPN messages in the syslog file with specific
1395              tunnels.  When unspecified, progname defaults to "openvpn".
1396
1397              When  OpenVPN  is  run  with the --daemon option, it will try to
1398              delay daemonization until the majority of  initialization  func‐
1399              tions which are capable of generating fatal errors are complete.
1400              This means that initialization scripts can test the return  sta‐
1401              tus  of  the openvpn command for a fairly reliable indication of
1402              whether the command has correctly initialized  and  entered  the
1403              packet forwarding event loop.
1404
1405              In  OpenVPN,  the vast majority of errors which occur after ini‐
1406              tialization are non-fatal.
1407
1408              Note: as soon as OpenVPN has daemonized,  it  can  not  ask  for
1409              usernames,  passwords,  or  key  pass phrases anymore.  This has
1410              certain consequences, namely  that  using  a  password-protected
1411              private  key  will  fail  unless the --askpass option is used to
1412              tell OpenVPN to ask for the pass phrase (this requirement is new
1413              in  v2.3.7, and is a consequence of calling daemon() before ini‐
1414              tializing the crypto layer).
1415
1416              Further, using --daemon together with --auth-user-pass  (entered
1417              on  console) and --auth-nocache will fail as soon as key renego‐
1418              tiation (and reauthentication) occurs.
1419
1420       --syslog [progname]
1421              Direct log output to system logger, but do not become a  daemon.
1422              See --daemon directive above for description of progname parame‐
1423              ter.
1424
1425       --errors-to-stderr
1426              Output errors to stderr instead of stdout unless log  output  is
1427              redirected by one of the --log options.
1428
1429       --passtos
1430              Set the TOS field of the tunnel packet to what the payload's TOS
1431              is.
1432
1433       --inetd [wait|nowait] [progname]
1434              Use this option when OpenVPN is being  run  from  the  inetd  or
1435              xinetd(8) server.
1436
1437              The  wait/nowait  option  must  match  what  is specified in the
1438              inetd/xinetd config file.  The nowait mode can only be used with
1439              --proto  tcp-server.   The default is wait.  The nowait mode can
1440              be used to instantiate the  OpenVPN  daemon  as  a  classic  TCP
1441              server,  where client connection requests are serviced on a sin‐
1442              gle port number.  For additional information  on  this  kind  of
1443              configuration,     see    the    OpenVPN    FAQ:    http://open
1444              vpn.net/faq.html#oneport
1445
1446              This option precludes the use of --daemon, --local, or --remote.
1447              Note that this option causes message and error output to be han‐
1448              dled in the same way as the --daemon option.  The optional prog‐
1449              name parameter is also handled exactly as in --daemon.
1450
1451              Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1452              arate TCP/UDP port and a separate inetd or  xinetd  entry.   See
1453              the  OpenVPN  1.x  HOWTO  for  an  example on using OpenVPN with
1454              xinetd: http://openvpn.net/1xhowto.html
1455
1456       --log file
1457              Output logging  messages  to  file,  including  output  to  std‐
1458              out/stderr  which  is  generated  by  called  scripts.   If file
1459              already exists it will be truncated.  This option  takes  effect
1460              immediately  when  it  is  parsed  in  the command line and will
1461              supercede syslog output if --daemon or --inetd  is  also  speci‐
1462              fied.   This  option  is persistent over the entire course of an
1463              OpenVPN instantiation and will not be reset by SIGHUP,  SIGUSR1,
1464              or --ping-restart.
1465
1466              Note that on Windows, when OpenVPN is started as a service, log‐
1467              ging occurs by default without the need to specify this option.
1468
1469       --log-append file
1470              Append logging messages to file.  If file  does  not  exist,  it
1471              will  be created.  This option behaves exactly like --log except
1472              that it appends to rather than truncating the log file.
1473
1474       --suppress-timestamps
1475              Avoid writing timestamps to log messages, even when they  other‐
1476              wise would be prepended. In particular, this applies to log mes‐
1477              sages sent to stdout.
1478
1479       --machine-readable-output
1480              Always write timestamps and message flags to log messages,  even
1481              when  they  otherwise would not be prefixed. In particular, this
1482              applies to log messages sent to stdout.
1483
1484       --writepid file
1485              Write OpenVPN's main process ID to file.
1486
1487       --nice n
1488              Change process priority after initialization ( n greater than  0
1489              is lower priority, n less than zero is higher priority).
1490
1491       --fast-io
1492              (Experimental)  Optimize  TUN/TAP/UDP  I/O  writes by avoiding a
1493              call to poll/epoll/select prior to  the  write  operation.   The
1494              purpose  of  such  a  call  would normally be to block until the
1495              device or socket is ready to accept the write.  Such blocking is
1496              unnecessary on some platforms which don't support write blocking
1497              on UDP sockets or TUN/TAP devices.  In such cases, one can opti‐
1498              mize  the  event  loop  by  avoiding the poll/epoll/select call,
1499              improving CPU efficiency by 5% to 10%.
1500
1501              This option can  only  be  used  on  non-Windows  systems,  when
1502              --proto udp is specified, and when --shaper is NOT specified.
1503
1504       --multihome
1505              Configure  a  multi-homed  UDP  server.  This option needs to be
1506              used when a server has more than one IP address  (e.g.  multiple
1507              interfaces, or secondary IP addresses), and is not using --local
1508              to force binding to one specific address only.  This option will
1509              add some extra lookups to the packet path to ensure that the UDP
1510              reply packets are always sent from the address that  the  client
1511              is  talking  to.  This is not supported on all platforms, and it
1512              adds more processing, so it's not enabled by default.
1513
1514              Note: this option is only relevant for UDP servers.
1515
1516              Note 2: if you do  an  IPv6+IPv4  dual-stack  bind  on  a  Linux
1517              machine   with   multiple  IPv4  address,  connections  to  IPv4
1518              addresses will not work right on kernels  before  3.15,  due  to
1519              missing  kernel support for the IPv4-mapped case (some distribu‐
1520              tions have ported this to earlier kernel versions, though).
1521
1522       --echo [parms...]
1523              Echo parms to log output.
1524
1525              Designed to be used to send messages to a  controlling  applica‐
1526              tion which is receiving the OpenVPN log output.
1527
1528       --remap-usr1 signal
1529              Control  whether internally or externally generated SIGUSR1 sig‐
1530              nals are remapped to SIGHUP (restart without  persisting  state)
1531              or SIGTERM (exit).
1532
1533              signal  can  be  set  to  "SIGHUP" or "SIGTERM".  By default, no
1534              remapping occurs.
1535
1536       --verb n
1537              Set output verbosity to n (default=1).   Each  level  shows  all
1538              info  from  the  previous levels.  Level 3 is recommended if you
1539              want a good summary of what's happening without being swamped by
1540              output.
1541
1542              0 -- No output except fatal errors.
1543              1 to 4 -- Normal usage range.
1544              5  --  Output  R and W characters to the console for each packet
1545              read and write, uppercase is used for TCP/UDP packets and lower‐
1546              case is used for TUN/TAP packets.
1547              6  to  11  --  Debug  info  range (see errlevel.h for additional
1548              information on debug levels).
1549
1550       --status file [n]
1551              Write operational status to file every n seconds.
1552
1553              Status can also be written to the syslog by  sending  a  SIGUSR2
1554              signal.
1555
1556              With  multi-client  capability  enabled  on a server, the status
1557              file includes a list of clients and a routing table. The  output
1558              format  can be controlled by the --status-version option in that
1559              case.
1560
1561              For clients or instances running in point-to-point mode, it will
1562              contain the traffic statistics.
1563
1564       --status-version [n]
1565              Set the status file format version number to n.
1566
1567              This  only  affects the status file on servers with multi-client
1568              capability enabled.
1569
1570              1 -- traditional format (default). The client list contains  the
1571              following  fields  comma-separated:  Common  Name, Real Address,
1572              Bytes Received, Bytes Sent, Connected Since.
1573              2 -- a more reliable format for external processing. Compared to
1574              version 1, the client list contains some additional fields: Vir‐
1575              tual Address, Virtual IPv6 Address, Username,  Client  ID,  Peer
1576              ID.  Future versions may extend the number of fields.
1577              3 -- identical to 2, but fields are tab-separated.
1578
1579
1580       --mute n
1581              Log  at  most n consecutive messages in the same category.  This
1582              is useful to limit repetitive logging of similar message types.
1583
1584       --compress [algorithm]
1585              Enable a compression algorithm.
1586
1587              The algorithm parameter may be "lzo", "lz4", or empty.  LZO  and
1588              LZ4  are  different  compression  algorithms, with LZ4 generally
1589              offering the best performance with least CPU usage.   For  back‐
1590              wards compatibility with OpenVPN versions before v2.4, use "lzo"
1591              (which is identical to the older option "--comp-lzo yes").
1592
1593              If the algorithm parameter is empty, compression will be  turned
1594              off,  but  the  packet  framing  for  compression  will still be
1595              enabled, allowing a different setting to be pushed later.
1596
1597              Security Considerations
1598
1599              Compression and encryption  is  a  tricky  combination.   If  an
1600              attacker knows or is able to control (parts of) the plaintext of
1601              packets that contain secrets, the  attacker  might  be  able  to
1602              extract  the  secret  if  compression  is enabled.  See e.g. the
1603              CRIME and BREACH attacks on TLS which also leverage  compression
1604              to  break  encryption.   If  you  are not entirely sure that the
1605              above does not apply to your traffic, you are advised  to  *not*
1606              enable compression.
1607
1608
1609       --comp-lzo [mode]
1610              DEPRECATED  This  option  will  be  removed  in a future OpenVPN
1611              release.  Use the newer --compress instead.
1612
1613              Use LZO compression -- may add up  to  1  byte  per  packet  for
1614              incompressible  data.   mode  may  be "yes", "no", or "adaptive"
1615              (default).
1616
1617              In a server mode setup, it is possible to selectively turn  com‐
1618              pression on or off for individual clients.
1619
1620              First,  make  sure the client-side config file enables selective
1621              compression by having at least one --comp-lzo directive, such as
1622              --comp-lzo  no.   This will turn off compression by default, but
1623              allow a future directive push from  the  server  to  dynamically
1624              change the on/off/adaptive setting.
1625
1626              Next in a --client-config-dir file, specify the compression set‐
1627              ting for the client, for example:
1628
1629                  comp-lzo yes
1630                  push "comp-lzo yes"
1631
1632              The first line sets the comp-lzo setting for the server side  of
1633              the link, the second sets the client side.
1634
1635       --comp-noadapt
1636              When  used in conjunction with --comp-lzo, this option will dis‐
1637              able OpenVPN's adaptive compression algorithm.  Normally,  adap‐
1638              tive compression is enabled with --comp-lzo.
1639
1640              Adaptive  compression  tries to optimize the case where you have
1641              compression enabled, but you are  sending  predominantly  incom‐
1642              pressible  (or  pre-compressed) packets over the tunnel, such as
1643              an FTP or rsync transfer of  a  large,  compressed  file.   With
1644              adaptive  compression, OpenVPN will periodically sample the com‐
1645              pression process to measure its efficiency.  If the  data  being
1646              sent  over  the  tunnel  is  already compressed, the compression
1647              efficiency will be very low, triggering openvpn to disable  com‐
1648              pression for a period of time until the next re-sample test.
1649
1650       --management socket-name unix [pw-file]      (recommended)
1651       --management IP port [pw-file]
1652              Enable a management server on a socket-name Unix socket on those
1653              platforms supporting it, or on a designated TCP port.
1654
1655              pw-file , if specified, is a password file  where  the  password
1656              must  be  on  first  line.  Instead of a filename it can use the
1657              keyword stdin which will prompt the user for a password  to  use
1658              when OpenVPN is starting.
1659
1660              For  unix  sockets, the  default  behaviour  is to create a unix
1661              domain socket that may be connected to by any process.  Use  the
1662              --management-client-user  and  --management-client-group  direc‐
1663              tives to restrict access.
1664
1665              The management interface provides a special mode where  the  TCP
1666              management  link  can operate over the tunnel itself.  To enable
1667              this mode, set IP to tunnel.  Tunnel mode will cause  the   man‐
1668              agement  interface  to  listen for a TCP connection on the local
1669              VPN address of the TUN/TAP interface.
1670
1671              BEWARE of enabling the management interface over TCP.  In  these
1672              cases  you should ALWAYS make use of pw-file to password protect
1673              the management interface.  Any user who can connect to this  TCP
1674              IP:port  will be able to manage and control (and interfere with)
1675              the OpenVPN process.  It is also strongly recommended to set  IP
1676              to  127.0.0.1  (localhost) to restrict accessibility of the man‐
1677              agement server to local clients.
1678
1679              While the management port is designed for  programmatic  control
1680              of  OpenVPN  by  other applications, it is possible to telnet to
1681              the port, using a telnet client in "raw" mode.  Once  connected,
1682              type "help" for a list of commands.
1683
1684              For  detailed documentation on the management interface, see the
1685              management-notes.txt file in the management folder of the  Open‐
1686              VPN source distribution.
1687
1688
1689       --management-client
1690              Management interface will connect as a TCP/unix domain client to
1691              IP:port specified by --management rather than listen  as  a  TCP
1692              server or on a unix domain socket.
1693
1694              If  the client connection fails to connect or is disconnected, a
1695              SIGTERM signal will be generated causing OpenVPN to quit.
1696
1697       --management-query-passwords
1698              Query  management  channel  for   private   key   password   and
1699              --auth-user-pass  username/password.   Only query the management
1700              channel for inputs which ordinarily would have been queried from
1701              the console.
1702
1703       --management-query-proxy
1704              Query management channel for proxy server information for a spe‐
1705              cific --remote (client-only).
1706
1707       --management-query-remote
1708              Allow  management  interface  to  override  --remote  directives
1709              (client-only).
1710
1711       --management-external-key
1712              Allows  usage  for  external  private  key file instead of --key
1713              option (client-only).
1714
1715       --management-external-cert certificate-hint
1716              Allows usage for external certificate instead of  --cert  option
1717              (client-only).  certificate-hint is an arbitrary string which is
1718              passed to a  management  interface  client  as  an  argument  of
1719              NEED-CERTIFICATE   notification.   Requires  --management-exter‐
1720              nal-key.
1721
1722       --management-forget-disconnect
1723              Make OpenVPN forget passwords when  management  session  discon‐
1724              nects.
1725
1726              This  directive  does not affect the --http-proxy username/pass‐
1727              word.  It is always cached.
1728
1729       --management-hold
1730              Start OpenVPN in a hibernating state, until a client of the man‐
1731              agement  interface  explicitly  starts  it with the hold release
1732              command.
1733
1734       --management-signal
1735              Send SIGUSR1 signal to OpenVPN  if  management  session  discon‐
1736              nects.   This  is  useful when you wish to disconnect an OpenVPN
1737              session on user logoff. For --management-client this  option  is
1738              not needed since a disconnect will always generate a SIGTERM.
1739
1740       --management-log-cache n
1741              Cache  the  most recent n lines of log file history for usage by
1742              the management channel.
1743
1744       --management-up-down
1745              Report tunnel up/down events to management interface.
1746
1747       --management-client-auth
1748              Gives management interface client the responsibility to  authen‐
1749              ticate clients after their client certificate has been verified.
1750              See management-notes.txt in OpenVPN  distribution  for  detailed
1751              notes.
1752
1753       --management-client-pf
1754              Management  interface  clients must specify a packet filter file
1755              for each connecting client.  See management-notes.txt in OpenVPN
1756              distribution for detailed notes.
1757
1758       --management-client-user u
1759              When  the  management  interface  is  listening on a unix domain
1760              socket, only allow connections from user u.
1761
1762       --management-client-group g
1763              When the management interface is  listening  on  a  unix  domain
1764              socket, only allow connections from group g.
1765
1766       --plugin module-pathname [init-string]
1767              Load  plug-in  module  from  the  file  module-pathname, passing
1768              init-string as an argument to the  module  initialization  func‐
1769              tion.   Multiple  plugin  modules may be loaded into one OpenVPN
1770              process.
1771
1772              The module-pathname argument can be just a filename or  a  file‐
1773              name  with a relative or absolute path.  The format of the file‐
1774              name and path defines if the  plug-in  will  be  loaded  from  a
1775              default plug-in directory or outside this directory.
1776
1777                  --plugin path        Effective directory used
1778                  ====================================================
1779                   myplug.so            DEFAULT_DIR/myplug.so
1780                   subdir/myplug.so     DEFAULT_DIR/subdir/myplug.so
1781                   ./subdir/myplug.so   CWD/subdir/myplug.so
1782                   /usr/lib/my/plug.so  /usr/lib/my/plug.so
1783
1784              DEFAULT_DIR  is replaced by the default plug-in directory, which
1785              is configured at the build time of OpenVPN.  CWD is the  current
1786              directory  where  OpenVPN  was  started or the directory OpenVPN
1787              have swithed into  via  the  --cd  option  before  the  --plugin
1788              option.
1789
1790              For  more  information  and  examples  on  how  to build OpenVPN
1791              plug-in modules, see the README file in the plugin folder of the
1792              OpenVPN source distribution.
1793
1794              If you are using an RPM install of OpenVPN, see /usr/lib64/open‐
1795              vpn/plugin.  The documentation is in doc and the  actual  plugin
1796              modules are in lib.
1797
1798              Multiple plugin modules can be cascaded, and modules can be used
1799              in tandem with scripts.  The modules will be called  by  OpenVPN
1800              in the order that they are declared in the config file.  If both
1801              a plugin and script are configured for the  same  callback,  the
1802              script  will  be  called  last.   If the return code of the mod‐
1803              ule/script controls an authentication function (such as tls-ver‐
1804              ify,  auth-user-pass-verify, or client-connect), then every mod‐
1805              ule and script must return success (0) in order for the  connec‐
1806              tion to be authenticated.
1807
1808       --keying-material-exporter label len
1809              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
1810              between  16  and  4095  bytes)  using   label   in   environment
1811              (exported_keying_material)  for  use by plugins in OPENVPN_PLUG‐
1812              IN_TLS_FINAL callback.
1813
1814              Note that exporter labels have the  potential  to  collide  with
1815              existing PRF labels. In order to prevent this, labels MUST begin
1816              with "EXPORTER".
1817
1818              This option requires OpenSSL 1.0.1 or newer.
1819
1820   Server Mode
1821       Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode  is  sup‐
1822       ported,  and  can  be enabled with the --mode server option.  In server
1823       mode, OpenVPN will listen on a single port for incoming client  connec‐
1824       tions.   All  client connections will be routed through a single tun or
1825       tap interface.  This mode is designed for  scalability  and  should  be
1826       able  to  support hundreds or even thousands of clients on sufficiently
1827       fast hardware.  SSL/TLS authentication must be used in this mode.
1828
1829       --server network netmask ['nopool']
1830              A helper directive designed to  simplify  the  configuration  of
1831              OpenVPN's  server  mode.   This directive will set up an OpenVPN
1832              server which will allocate addresses to clients out of the given
1833              network/netmask.   The  server itself will take the ".1" address
1834              of the given network for use as the server-side endpoint of  the
1835              local TUN/TAP interface.
1836
1837              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1838
1839                   mode server
1840                   tls-server
1841                   push "topology [topology]"
1842
1843                   if dev tun AND (topology == net30 OR topology == p2p):
1844                     ifconfig 10.8.0.1 10.8.0.2
1845                     if !nopool:
1846                       ifconfig-pool 10.8.0.4 10.8.0.251
1847                     route 10.8.0.0 255.255.255.0
1848                     if client-to-client:
1849                       push "route 10.8.0.0 255.255.255.0"
1850                     else if topology == net30:
1851                       push "route 10.8.0.1"
1852
1853                   if dev tap OR (dev tun AND topology == subnet):
1854                     ifconfig 10.8.0.1 255.255.255.0
1855                     if !nopool:
1856                       ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1857                     push "route-gateway 10.8.0.1"
1858                     if route-gateway unset:
1859                       route-gateway 10.8.0.2
1860
1861
1862              Don't   use   --server   if  you  are  ethernet  bridging.   Use
1863              --server-bridge instead.
1864
1865       --server-bridge gateway netmask pool-start-IP pool-end-IP
1866
1867       --server-bridge ['nogw']
1868
1869              A helper directive similar to --server which is designed to sim‐
1870              plify  the  configuration  of  OpenVPN's server mode in ethernet
1871              bridging configurations.
1872
1873              If --server-bridge is  used  without  any  parameters,  it  will
1874              enable  a DHCP-proxy mode, where connecting OpenVPN clients will
1875              receive an IP address for their TAP adapter from the DHCP server
1876              running  on the OpenVPN server-side LAN.  Note that only clients
1877              that support the binding of a DHCP client with the  TAP  adapter
1878              (such as Windows) can support this mode.  The optional nogw flag
1879              (advanced) indicates that  gateway  information  should  not  be
1880              pushed to the client.
1881
1882              To  configure  ethernet  bridging,  you must first use your OS's
1883              bridging capability to bridge the TAP interface with the  ether‐
1884              net  NIC interface.  For example, on Linux this is done with the
1885              brctl tool, and with Windows XP it is done in the  Network  Con‐
1886              nections  Panel  by  selecting the ethernet and TAP adapters and
1887              right-clicking on "Bridge Connections".
1888
1889              Next you you must manually set  the  IP/netmask  on  the  bridge
1890              interface.     The    gateway    and   netmask   parameters   to
1891              --server-bridge can be set  to  either  the  IP/netmask  of  the
1892              bridge  interface,  or  the  IP/netmask  of  the  default  gate‐
1893              way/router on the bridged subnet.
1894
1895              Finally, set aside a IP range in the bridged subnet, denoted  by
1896              pool-start-IP  and  pool-end-IP, for OpenVPN to allocate to con‐
1897              necting clients.
1898
1899              For example,  server-bridge  10.8.0.4  255.255.255.0  10.8.0.128
1900              10.8.0.254 expands as follows:
1901
1902                  mode server
1903                  tls-server
1904
1905                  ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1906                  push "route-gateway 10.8.0.4"
1907
1908              In another example, --server-bridge (without parameters) expands
1909              as follows:
1910
1911                  mode server
1912                  tls-server
1913
1914                  push "route-gateway dhcp"
1915
1916              Or --server-bridge nogw expands as follows:
1917
1918                  mode server
1919                  tls-server
1920
1921       --push option
1922              Push a config file option back to the client for  remote  execu‐
1923              tion.   Note that option must be enclosed in double quotes ("").
1924              The client must specify --pull in its config file.  The  set  of
1925              options  which  can be pushed is limited by both feasibility and
1926              security.  Some  options  such  as  those  which  would  execute
1927              scripts are banned, since they would effectively allow a compro‐
1928              mised server to execute arbitrary code  on  the  client.   Other
1929              options  such  as TLS or MTU parameters cannot be pushed because
1930              the client needs to know  them  before  the  connection  to  the
1931              server can be initiated.
1932
1933              This is a partial list of options which can currently be pushed:
1934              --route,  --route-gateway,  --route-delay,   --redirect-gateway,
1935              --ip-win32,   --dhcp-option,  --inactive,  --ping,  --ping-exit,
1936              --ping-restart, --setenv,  --auth-token,  --persist-key,  --per‐
1937              sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1938
1939       --push-reset
1940              Don't  inherit  the  global  push  list  for  a  specific client
1941              instance.  Specify this option in a client-specific context such
1942              as  with  a --client-config-dir configuration file.  This option
1943              will ignore --push options at the global config file level.
1944
1945              NOTE: --push-reset is very thorough: it will remove  almost  all
1946              options  from  the list of to-be-pushed options.  In many cases,
1947              some of these options will need to be re-configured afterwards -
1948              specifically,  --topology  subnet  and  --route-gateway will get
1949              lost and this will break client configs in  many  cases.   Thus,
1950              for most purposes, --push-remove is better suited to selectively
1951              remove push options for individual clients.
1952
1953       --push-remove opt
1954              selectively remove all --push options matching  "opt"  from  the
1955              option  list  for  a  client.   "opt"  is matched as a substring
1956              against the whole option string to-be-pushed to the  client,  so
1957              --push-remove  route  would  remove  all  --push  route ...  and
1958              --push   route-ipv6   ...    statements,   while   --push-remove
1959              'route-ipv6  2001:'  would  only remove IPv6 routes for 2001:...
1960              networks.
1961
1962              --push-remove can only be used  in  a  client-specific  context,
1963              like  in  a --client-config-dir file, or --client-connect script
1964              or plugin -- similar to --push-reset, just more selective.
1965
1966              NOTE: to change an option, --push-remove can be  used  to  first
1967              remove  the old value, and then add a new --push option with the
1968              new value.
1969
1970       --push-peer-info
1971              Push additional information about the  client  to  server.   The
1972              following data is always pushed to the server:
1973
1974              IV_VER=<version> -- the client OpenVPN version
1975
1976              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]   --  the
1977              client OS platform
1978
1979              IV_LZO_STUB=1 -- if client was built with LZO stub capability
1980
1981              IV_LZ4=1 -- if the client supports LZ4 compressions.
1982
1983              IV_PROTO=2 -- if the client supports peer-id floating mechansim
1984
1985              IV_NCP=2 -- negotiable ciphers, client supports --cipher  pushed
1986              by the server, a value of 2 or greater indicates client supports
1987              AES-GCM-128 and AES-GCM-256.
1988
1989              IV_GUI_VER=<gui_id> <version> -- the UI version of a UI  if  one
1990              is  running,  for  example  "de.blinkt.openvpn  0.5.47"  for the
1991              Android app.
1992
1993              When --push-peer-info is enabled the additional information con‐
1994              sists of the following data:
1995
1996              IV_HWADDR=<mac  address>  --  the MAC address of clients default
1997              gateway
1998
1999              IV_SSL=<version string> -- the ssl version used by  the  client,
2000              e.g. "OpenSSL 1.0.2f 28 Jan 2016".
2001
2002              IV_PLAT_VER=x.y  - the version of the operating system, e.g. 6.1
2003              for Windows 7.
2004
2005              UV_<name>=<value> -- client environment  variables  whose  names
2006              start with "UV_"
2007
2008       --disable
2009              Disable a particular client (based on the common name) from con‐
2010              necting.  Don't use this option to disable a client due  to  key
2011              or password compromise.  Use a CRL (certificate revocation list)
2012              instead (see the --crl-verify option).
2013
2014              This option must be associated with a specific client  instance,
2015              which  means  that  it  must  be  specified  either  in a client
2016              instance config file using  --client-config-dir  or  dynamically
2017              generated using a --client-connect script.
2018
2019       --ifconfig-pool start-IP end-IP [netmask]
2020              Set  aside a pool of subnets to be dynamically allocated to con‐
2021              necting clients, similar to a DHCP server.  For  tun-style  tun‐
2022              nels, each client will be given a /30 subnet (for interoperabil‐
2023              ity with Windows clients).  For  tap-style  tunnels,  individual
2024              addresses  will be allocated, and the optional netmask parameter
2025              will also be pushed to clients.
2026
2027
2028       --ifconfig-pool-persist file [seconds]
2029              Persist/unpersist ifconfig-pool data to file, at seconds  inter‐
2030              vals (default=600), as well as on program startup and shutdown.
2031
2032              The  goal  of  this option is to provide a long-term association
2033              between clients (denoted by their common name) and  the  virtual
2034              IP address assigned to them from the ifconfig-pool.  Maintaining
2035              a long-term association is good for clients  because  it  allows
2036              them to effectively use the --persist-tun option.
2037
2038              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
2039              mon-Name>,<IP-address>.
2040
2041              If seconds = 0, file will be treated as read-only.  This is use‐
2042              ful if you would like to treat file as a configuration file.
2043
2044              Note  that  the  entries  in this file are treated by OpenVPN as
2045              suggestions only, based on past associations  between  a  common
2046              name  and IP address.  They do not guarantee that the given com‐
2047              mon name will always receive the given IP address.  If you  want
2048              guaranteed assignment, use --ifconfig-push
2049
2050
2051       --ifconfig-pool-linear
2052              DEPRECATED This option will be removed in OpenVPN 2.5
2053
2054              Modifies  the  --ifconfig-pool  directive to allocate individual
2055              TUN interface addresses for clients  rather  than  /30  subnets.
2056              NOTE:  This option is incompatible with Windows clients.
2057
2058              This  option is deprecated, and should be replaced with --topol‐
2059              ogy p2p which is functionally equivalent.
2060
2061       --ifconfig-push local remote-netmask [alias]
2062              Push virtual IP endpoints  for  client  tunnel,  overriding  the
2063              --ifconfig-pool dynamic allocation.
2064
2065              The parameters local and remote-netmask are set according to the
2066              --ifconfig directive which you want to  execute  on  the  client
2067              machine  to  configure  the remote end of the tunnel.  Note that
2068              the parameters local and remote-netmask are from the perspective
2069              of  the  client,  not  the server.  They may be DNS names rather
2070              than IP addresses, in which case they will be  resolved  on  the
2071              server at the time of client connection.
2072
2073              The  optional  alias  parameter  may  be used in cases where NAT
2074              causes the client view of its local endpoint to differ from  the
2075              server  view.   In  this case local/remote-netmask will refer to
2076              the server view while alias/remote-netmask  will  refer  to  the
2077              client view.
2078
2079              This  option must be associated with a specific client instance,
2080              which means that  it  must  be  specified  either  in  a  client
2081              instance  config  file  using --client-config-dir or dynamically
2082              generated using a --client-connect script.
2083
2084              Remember also to include a --route directive in the main OpenVPN
2085              config  file  which encloses local, so that the kernel will know
2086              to route it to the server's TUN/TAP interface.
2087
2088              OpenVPN's internal client IP address selection  algorithm  works
2089              as follows:
2090
2091              1  --  Use  --client-connect script generated file for static IP
2092              (first choice).
2093              2 -- Use --client-config-dir file for static IP (next choice).
2094              3  --  Use  --ifconfig-pool  allocation  for  dynamic  IP  (last
2095              choice).
2096
2097       --iroute network [netmask]
2098              Generate  an  internal  route  to a specific client. The netmask
2099              parameter, if omitted, defaults to 255.255.255.255.
2100
2101              This directive can be used to route  a  fixed  subnet  from  the
2102              server to a particular client, regardless of where the client is
2103              connecting from.  Remember that you must also add the  route  to
2104              the  system  routing table as well (such as by using the --route
2105              directive).  The reason why two routes are needed  is  that  the
2106              --route  directive routes the packet from the kernel to OpenVPN.
2107              Once in OpenVPN, the --iroute directive routes to  the  specific
2108              client.
2109
2110              This option must be specified either in a client instance config
2111              file using --client-config-dir or dynamically generated using  a
2112              --client-connect script.
2113
2114              The  --iroute  directive  also has an important interaction with
2115              --push "route ...".  --iroute essentially defines a subnet which
2116              is  owned  by  a particular client (we will call this client A).
2117              If you would like other clients to be able to reach A's  subnet,
2118              you can use --push "route ..."  together with --client-to-client
2119              to effect this.  In order for all clients  to  see  A's  subnet,
2120              OpenVPN  must push this route to all clients EXCEPT for A, since
2121              the subnet is already owned by A.  OpenVPN accomplishes this  by
2122              not  not  pushing  a  route to a client if it matches one of the
2123              client's iroutes.
2124
2125       --client-to-client
2126              Because the OpenVPN server mode handles multiple clients through
2127              a  single tun or tap interface, it is effectively a router.  The
2128              --client-to-client  flag  tells  OpenVPN  to  internally   route
2129              client-to-client  traffic  rather than pushing all client-origi‐
2130              nating traffic to the TUN/TAP interface.
2131
2132              When this option is used,  each  client  will  "see"  the  other
2133              clients  which  are currently connected.  Otherwise, each client
2134              will only see the server.  Don't use this option if you want  to
2135              firewall tunnel traffic using custom, per-client rules.
2136
2137       --duplicate-cn
2138              Allow multiple clients with the same common name to concurrently
2139              connect.  In the absence of this option, OpenVPN will disconnect
2140              a  client  instance  upon  connection of a new client having the
2141              same common name.
2142
2143       --client-connect cmd
2144              Run command cmd on client connection.
2145
2146              cmd consists of  a  path  to  script  (or  executable  program),
2147              optionally  followed by arguments. The path and arguments may be
2148              single- or double-quoted and/or escaped using a  backslash,  and
2149              should be separated by one or more spaces.
2150
2151              The  command  is  passed  the  common name and IP address of the
2152              just-authenticated client as environmental variables (see  envi‐
2153              ronmental  variable  section below).  The command is also passed
2154              the pathname of a freshly created temporary  file  as  the  last
2155              argument  (after any arguments specified in cmd ), to be used by
2156              the command to pass dynamically generated config file directives
2157              back to OpenVPN.
2158
2159              If  the  script  wants  to  generate a dynamic config file to be
2160              applied on the server when the client connects, it should  write
2161              it to the file named by the last argument.
2162
2163              See  the  --client-config-dir option below for options which can
2164              be legally used in a dynamically generated config file.
2165
2166              Note that the return value of script is significant.  If  script
2167              returns  a non-zero error status, it will cause the client to be
2168              disconnected.
2169
2170       --client-disconnect cmd
2171              Like --client-connect but called on  client  instance  shutdown.
2172              Will  not be called unless the --client-connect script and plug‐
2173              ins (if defined) were previously called on  this  instance  with
2174              successful (0) status returns.
2175
2176              The exception to this rule is if the --client-disconnect command
2177              or plugins are cascaded, and at least one  client-connect  func‐
2178              tion  succeeded, then ALL of the client-disconnect functions for
2179              scripts and plugins will be called  on  client  instance  object
2180              deletion, even in cases where some of the related client-connect
2181              functions returned an error status.
2182
2183              The --client-disconnect command is not passed  any  extra  argu‐
2184              ments (only those arguments specified in cmd if any).
2185
2186       --client-config-dir dir
2187              Specify a directory dir for custom client config files.  After a
2188              connecting client has been authenticated, OpenVPN will  look  in
2189              this  directory  for a file having the same name as the client's
2190              X509 common name.  If a matching file exists, it will be  opened
2191              and  parsed  for  client-specific  configuration options.  If no
2192              matching file is found, OpenVPN will instead  try  to  open  and
2193              parse a default file called "DEFAULT", which may be provided but
2194              is not required. Note that the configuration files must be read‐
2195              able by the OpenVPN process after it has dropped it's root priv‐
2196              ileges.
2197
2198              This file can specify a fixed IP  address  for  a  given  client
2199              using  --ifconfig-push,  as  well  as fixed subnets owned by the
2200              client using --iroute.
2201
2202              One of the useful properties of this option is  that  it  allows
2203              client  configuration  files to be conveniently created, edited,
2204              or removed while the server is live, without needing to  restart
2205              the server.
2206
2207              The  following  options  are legal in a client-specific context:
2208              --push, --push-reset, --push-remove, --iroute,  --ifconfig-push,
2209              and --config.
2210
2211       --ccd-exclusive
2212              Require,  as  a  condition  of authentication, that a connecting
2213              client has a --client-config-dir file.
2214
2215       --tmp-dir dir
2216              Specify a directory dir for  temporary  files.   This  directory
2217              will be used by openvpn processes and script to communicate tem‐
2218              porary data with openvpn main process. Note that  the  directory
2219              must  be  writable  by  the OpenVPN process after it has dropped
2220              it's root privileges.
2221
2222              This directory will be used by in the following cases:
2223
2224              * --client-connect scripts to dynamically  generate  client-spe‐
2225              cific configuration files.
2226
2227              *  OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  plugin  hook  to return
2228              success/failure via auth_control_file when using  deferred  auth
2229              method
2230
2231              *  OPENVPN_PLUGIN_ENABLE_PF  plugin hook to pass filtering rules
2232              via pf_file
2233
2234       --hash-size r v
2235              Set the size of the real address hash table to r and the virtual
2236              address  table  to  v.  By default, both tables are sized at 256
2237              buckets.
2238
2239       --bcast-buffers n
2240              Allocate n buffers for broadcast datagrams (default=256).
2241
2242       --tcp-queue-limit n
2243              Maximum number of output packets queued before TCP (default=64).
2244
2245              When OpenVPN is tunneling data from a TUN/TAP device to a remote
2246              client  over  a  TCP connection, it is possible that the TUN/TAP
2247              device might produce data at a faster rate than the TCP  connec‐
2248              tion  can  support.   When  the  number of output packets queued
2249              before sending to the TCP socket reaches this limit for a  given
2250              client  connection,  OpenVPN will start to drop outgoing packets
2251              directed at this client.
2252
2253       --tcp-nodelay
2254              This macro sets the TCP_NODELAY socket flag  on  the  server  as
2255              well  as  pushes it to connecting clients.  The TCP_NODELAY flag
2256              disables the Nagle algorithm on TCP sockets causing  packets  to
2257              be transmitted immediately with low latency, rather than waiting
2258              a short period of time in order  to  aggregate  several  packets
2259              into  a larger containing packet.  In VPN applications over TCP,
2260              TCP_NODELAY is generally a good latency optimization.
2261
2262              The macro expands as follows:
2263
2264                   if mode server:
2265                     socket-flags TCP_NODELAY
2266                     push "socket-flags TCP_NODELAY"
2267
2268       --max-clients n
2269              Limit server to a maximum of n concurrent clients.
2270
2271       --max-routes-per-client n
2272              Allow a maximum of n internal routes per  client  (default=256).
2273              This  is designed to help contain DoS attacks where an authenti‐
2274              cated client floods the server with packets  appearing  to  come
2275              from  many  unique  MAC addresses, forcing the server to deplete
2276              virtual memory as its  internal  routing  table  expands.   This
2277              directive can be used in a --client-config-dir file or auto-gen‐
2278              erated by a --client-connect script to override the global value
2279              for a particular client.
2280
2281              Note  that this directive affects OpenVPN's internal routing ta‐
2282              ble, not the kernel routing table.
2283
2284       --stale-routes-check n [t]
2285              Remove routes haven't had activity for n seconds (i.e. the  age‐
2286              ing time).
2287
2288              This check is ran every t seconds (i.e. check interval).
2289
2290              If t is not present it defaults to n
2291
2292              This  option helps to keep the dynamic routing table small.  See
2293              also --max-routes-per-client
2294
2295       --connect-freq n sec
2296              Allow a maximum of  n  new  connections  per  sec  seconds  from
2297              clients.   This  is  designed to contain DoS attacks which flood
2298              the server with connection  requests  using  certificates  which
2299              will ultimately fail to authenticate.
2300
2301              This  is  an  imperfect  solution however, because in a real DoS
2302              scenario, legitimate connections might also be refused.
2303
2304              For the best protection against DoS attacks in server mode,  use
2305              --proto udp and either --tls-auth or --tls-crypt.
2306
2307       --learn-address cmd
2308              Run command cmd to validate client virtual addresses or routes.
2309
2310              cmd  consists  of  a  path  to  script  (or executable program),
2311              optionally followed by arguments. The path and arguments may  be
2312              single-  or  double-quoted and/or escaped using a backslash, and
2313              should be separated by one or more spaces.
2314
2315              Three arguments will be appended to any arguments in cmd as fol‐
2316              lows:
2317
2318              [1]  operation  -- "add", "update", or "delete" based on whether
2319              or not the address is being added to, modified, or deleted  from
2320              OpenVPN's internal routing table.
2321              [2] address -- The address being learned or unlearned.  This can
2322              be an IPv4 address such as "198.162.10.14", an IPv4 subnet  such
2323              as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
2324              is being used) such as "00:FF:01:02:03:04".
2325              [3] common name -- The common name on the certificate associated
2326              with  the client linked to this address.  Only present for "add"
2327              or "update" operations, not "delete".
2328
2329              On "add" or "update" methods, if the script  returns  a  failure
2330              code  (non-zero),  OpenVPN  will reject the address and will not
2331              modify its internal routing table.
2332
2333              Normally, the cmd script will use the information provided above
2334              to  set  appropriate  firewall entries on the VPN TUN/TAP inter‐
2335              face.  Since OpenVPN provides the association between virtual IP
2336              or  MAC  address  and the client's authenticated common name, it
2337              allows a user-defined script to configure firewall access  poli‐
2338              cies  with regard to the client's high-level common name, rather
2339              than the low level client virtual addresses.
2340
2341       --auth-user-pass-verify cmd method
2342              Require the client to provide a username/password  (possibly  in
2343              addition to a client certificate) for authentication.
2344
2345              OpenVPN  will  run command cmd to validate the username/password
2346              provided by the client.
2347
2348              cmd consists of  a  path  to  script  (or  executable  program),
2349              optionally  followed by arguments. The path and arguments may be
2350              single- or double-quoted and/or escaped using a  backslash,  and
2351              should be separated by one or more spaces.
2352
2353              If method is set to "via-env", OpenVPN will call script with the
2354              environmental variables username and password set to  the  user‐
2355              name/password  strings  provided  by  the client.  Be aware that
2356              this method is insecure on some platforms which make  the  envi‐
2357              ronment of a process publicly visible to other unprivileged pro‐
2358              cesses.
2359
2360              If method is set to "via-file", OpenVPN will write the  username
2361              and  password  to  the first two lines of a temporary file.  The
2362              filename will be passed as an argument to script, and  the  file
2363              will  be  automatically  deleted  by  OpenVPN  after  the script
2364              returns.  The location of the temporary file  is  controlled  by
2365              the  --tmp-dir option, and will default to the current directory
2366              if unspecified.  For security, consider setting --tmp-dir  to  a
2367              volatile  storage medium such as /dev/shm (if available) to pre‐
2368              vent the username/password file from touching the hard drive.
2369
2370              The script should examine the username and password, returning a
2371              success  exit code (0) if the client's authentication request is
2372              to be accepted, or a failure code (1) to reject the client.
2373
2374              This directive is designed to enable  a  plugin-style  interface
2375              for extending OpenVPN's authentication capabilities.
2376
2377              To  protect  against a client passing a maliciously formed user‐
2378              name or password string, the username string must  consist  only
2379              of  these  characters: alphanumeric, underbar ('_'), dash ('-'),
2380              dot ('.'), or at ('@').  The password string can consist of  any
2381              printable  characters  except for CR or LF.  Any illegal charac‐
2382              ters in either the username or password string will be converted
2383              to underbar ('_').
2384
2385              Care must be taken by any user-defined scripts to avoid creating
2386              a security vulnerability in the way that these strings are  han‐
2387              dled.   Never use these strings in such a way that they might be
2388              escaped or evaluated by a shell interpreter.
2389
2390              For a sample script that performs PAM authentication,  see  sam‐
2391              ple-scripts/auth-pam.pl in the OpenVPN source distribution.
2392
2393       --auth-gen-token [lifetime]
2394              After   successful  user/password  authentication,  the  OpenVPN
2395              server will with this option generate a temporary authentication
2396              token and push that to client.  On the following renegotiations,
2397              the OpenVPN client will pass this token  instead  of  the  users
2398              password.   On  the  server  side  the  server will do the token
2399              authentication internally and it  will  NOT  do  any  additional
2400              authentications   against   configured   external  user/password
2401              authentication mechanisms.
2402
2403              The lifetime argument defines how long the  generated  token  is
2404              valid.   The lifetime is defined in seconds.  If lifetime is not
2405              set or it is set to 0, the token will never expire.
2406
2407              This feature is useful for environments which is  configured  to
2408              use  One  Time  Passwords  (OTP)  as  part  of the user/password
2409              authentications  and  that  authentication  mechanism  does  not
2410              implement any auth-token support.
2411
2412       --opt-verify
2413              Clients  that  connect  with  options that are incompatible with
2414              those of the server will be disconnected.
2415
2416              Options  that  will  be  compared  for   compatibility   include
2417              dev-type,  link-mtu,  tun-mtu,  proto, ifconfig, comp-lzo, frag‐
2418              ment, keydir, cipher, auth, keysize, secret,  no-replay,  no-iv,
2419              tls-auth, key-method, tls-server, and tls-client.
2420
2421              This option requires that --disable-occ NOT be used.
2422
2423       --auth-user-pass-optional
2424              Allow  connections  by  clients  that  do  not  specify  a user‐
2425              name/password.  Normally, when --auth-user-pass-verify or --man‐
2426              agement-client-auth  is  specified  (or an authentication plugin
2427              module), the  OpenVPN  server  daemon  will  require  connecting
2428              clients  to  specify a username and password.  This option makes
2429              the submission of a username/password by clients optional, pass‐
2430              ing  the  responsibility to the user-defined authentication mod‐
2431              ule/script to accept or deny the client based on  other  factors
2432              (such  as  the  setting  of X509 certificate fields).  When this
2433              option is used, and a connecting client does not submit a  user‐
2434              name/password,  the  user-defined  authentication  module/script
2435              will see the username and password as being set to empty strings
2436              ("").   The  authentication  module/script  MUST  have  logic to
2437              detect this condition and respond accordingly.
2438
2439       --client-cert-not-required
2440              DEPRECATED This option will be removed in OpenVPN 2.5
2441
2442              Don't require client certificate, client will authenticate using
2443              username/password  only.   Be aware that using this directive is
2444              less secure than requiring certificates from all clients.
2445
2446              Please note: This  is  replaced  by  --verify-client-cert  which
2447              allows  for  more  flexibility.  The option --verify-client-cert
2448              none is functionally equivalent to --client-cert-not-required
2449
2450
2451       --verify-client-cert none|optional|require
2452              Specify whether the client is required to supply  a  valid  cer‐
2453              tificate.
2454
2455              Possible options are
2456
2457              none  : a client certificate is not required. the client need to
2458              authenticate using username/password only.  Be aware that  using
2459              this  directive  is less secure than requiring certificates from
2460              all clients.
2461
2462              If you use this directive, the entire responsibility of  authen‐
2463              tication  will  rest  on your --auth-user-pass-verify script, so
2464              keep in mind that bugs in your script could potentially  compro‐
2465              mise the security of your VPN.
2466
2467              --verify-client-cert   none   is   functionally   equivalent  to
2468              --client-cert-not-required.
2469
2470              optional : a client may present a  certificate  but  it  is  not
2471              required  to  do so.  When using this directive, you should also
2472              use a --auth-user-pass-verify script to ensure that clients  are
2473              authenticated  using  a certificate, a username and password, or
2474              possibly even both.
2475
2476              Again, the entire responsibility of authentication will rest  on
2477              your  --auth-user-pass-verify  script, so keep in mind that bugs
2478              in your script could potentially compromise the security of your
2479              VPN.
2480
2481              require  :  this  is the default option. A client is required to
2482              present a certificate, otherwise VPN access is refused.
2483
2484              If you don't use this  directive  (or  use  --verify-client-cert
2485              require  )  but  you  also  specify  an  --auth-user-pass-verify
2486              script, then OpenVPN will perform  double  authentication.   The
2487              client  certificate verification AND the --auth-user-pass-verify
2488              script will need to succeed in order for a client to be  authen‐
2489              ticated and accepted onto the VPN.
2490
2491       --username-as-common-name
2492              For  --auth-user-pass-verify  authentication,  use the authenti‐
2493              cated username as the common name, rather than the  common  name
2494              from the client cert.
2495
2496       --compat-names [no-remapping]
2497              DEPRECATED This option will be removed in OpenVPN 2.5
2498
2499              Until  OpenVPN  v2.3  the format of the X.509 Subject fields was
2500              formatted like this:
2501
2502              /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
2503
2504              In addition the old behaviour was to remap any  character  other
2505              than  alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and
2506              slash ('/') to underscore ('_').  The X.509  Subject  string  as
2507              returned  by  the tls_id environmental variable, could addition‐
2508              ally contain colon (':') or equal ('=').
2509
2510              When using the --compat-names option, this  old  formatting  and
2511              remapping  will be re-enabled again.  This is purely implemented
2512              for compatibility reasons when using older plug-ins  or  scripts
2513              which does not handle the new formatting or UTF-8 characters.
2514
2515              In  OpenVPN  2.3  the  formatting of these fields changed into a
2516              more standardised format.  It now looks like:
2517
2518              C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
2519
2520              The new default format in OpenVPN 2.3 also does not do the char‐
2521              acter remapping which happened earlier.  This new format enables
2522              proper support for UTF-8 characters in the usernames, X.509 Sub‐
2523              ject fields and Common Name variables and it complies to the RFC
2524              2253, UTF-8 String Representation of Distinguished Names.
2525
2526              The no-remapping mode flag can be used with  the  --compat-names
2527              option to be compatible with the now deprecated --no-name-remap‐
2528              ping option.  It is only available at the server. When this mode
2529              flag is used, the Common Name, Subject, and username strings are
2530              allowed to include any printable character including space,  but
2531              excluding  control  characters  such  as  tab, newline, and car‐
2532              riage-return. no-remapping is only available on the server side.
2533
2534              Please note: This option is immediately deprecated.  It is  only
2535              implemented  to  make  the transition to the new formatting less
2536              intrusive.  It will be removed in OpenVPN 2.5.  So please update
2537              your scripts/plug-ins where necessary.
2538
2539       --no-name-remapping
2540              DEPRECATED This option will be removed in OpenVPN 2.5
2541
2542              The   --no-name-remapping   option   is   an  alias  for  --com‐
2543              pat-names no-remapping.  It ensures  compatibility  with  server
2544              configurations using the --no-name-remapping option.
2545
2546              Please  note: This option is now deprecated.  It will be removed
2547              in OpenVPN 2.5.  So please make sure you support the  new  X.509
2548              name formatting described with the --compat-names option as soon
2549              as possible.
2550
2551       --port-share host port [dir]
2552              When run in TCP server mode, share the OpenVPN port with another
2553              application,  such as an HTTPS server.  If OpenVPN senses a con‐
2554              nection to its port which is using a  non-OpenVPN  protocol,  it
2555              will proxy the connection to the server at host:port.  Currently
2556              only designed to work with HTTP/HTTPS, though it would be  theo‐
2557              retically possible to extend to other protocols such as ssh.
2558
2559              dir  specifies an optional directory where a temporary file with
2560              name N containing content C will be  dynamically  generated  for
2561              each  proxy  connection,  where  N  is the source IP:port of the
2562              client connection and C is the source IP:port of the  connection
2563              to  the proxy receiver.  This directory can be used as a dictio‐
2564              nary by the proxy receiver to determine the origin of  the  con‐
2565              nection.  Each generated file will be automatically deleted when
2566              the proxied connection is torn down.
2567
2568              Not implemented on Windows.
2569
2570   Client Mode
2571       Use client  mode  when  connecting  to  an  OpenVPN  server  which  has
2572       --server, --server-bridge, or --mode server in it's configuration.
2573
2574       --client
2575              A  helper  directive  designed  to simplify the configuration of
2576              OpenVPN's client mode.  This directive is equivalent to:
2577
2578                   pull
2579                   tls-client
2580
2581       --pull This option must be used on a client which is  connecting  to  a
2582              multi-client  server.   It  indicates  to OpenVPN that it should
2583              accept options pushed by the server, provided they are  part  of
2584              the  legal  set of pushable options (note that the --pull option
2585              is implied by --client ).
2586
2587              In particular, --pull allows the server to push  routes  to  the
2588              client,  so  you should not use --pull or --client in situations
2589              where you don't trust  the  server  to  have  control  over  the
2590              client's routing table.
2591
2592       --pull-filter accept|ignore|reject text
2593              Filter  options  received  from  the server if the option starts
2594              with text.  Runs on client. The action flag  accept  allows  the
2595              option, ignore removes it and reject flags an error and triggers
2596              a SIGUSR1 restart.  The filters may be specified multiple times,
2597              and  each  filter  is  applied in the order it is specified. The
2598              filtering of each option stops as soon  as  a  match  is  found.
2599              Unmatched options are accepted by default.
2600
2601              Prefix  comparison  is  used  to match text against the received
2602              option so that
2603
2604                  --pull-filter ignore "route"
2605
2606              would remove all pushed options starting with route which  would
2607              include,  for example, route-gateway.  Enclose text in quotes to
2608              embed spaces.
2609
2610                  --pull-filter accept "route 192.168.1."
2611                  --pull-filter ignore "route "
2612
2613              would remove all routes that do not start with 192.168.1.
2614
2615              This option may be used only on clients.  Note that  reject  may
2616              result in a repeated cycle of failure and reconnect, unless mul‐
2617              tiple remotes are specified and connection to  the  next  remote
2618              succeeds. To silently ignore an option pushed by the server, use
2619              ignore.
2620
2621       --auth-user-pass [up]
2622              Authenticate with server using username/password.  up is a  file
2623              containing username/password on 2 lines. If the password line is
2624              missing, OpenVPN will prompt for one.
2625
2626              If up is omitted, username/password will be  prompted  from  the
2627              console.
2628
2629              The server configuration must specify an --auth-user-pass-verify
2630              script to verify the username/password provided by the client.
2631
2632       --auth-retry type
2633              Controls how OpenVPN responds to username/password  verification
2634              errors  such  as the client-side response to an AUTH_FAILED mes‐
2635              sage from the server or verification failure of the private  key
2636              password.
2637
2638              Normally  used  to  prevent  auth errors from being fatal on the
2639              client side, and to permit username/password requeries  in  case
2640              of error.
2641
2642              An  AUTH_FAILED message is generated by the server if the client
2643              fails --auth-user-pass authentication,  or  if  the  server-side
2644              --client-connect  script returns an error status when the client
2645              tries to connect.
2646
2647              type can be one of:
2648
2649              none -- Client will  exit  with  a  fatal  error  (this  is  the
2650              default).
2651              nointeract  -- Client will retry the connection without requery‐
2652              ing for an --auth-user-pass username/password.  Use this  option
2653              for unattended clients.
2654              interact  --  Client  will requery for an --auth-user-pass user‐
2655              name/password and/or private key password  before  attempting  a
2656              reconnection.
2657
2658              Note  that  while  this  option cannot be pushed, it can be con‐
2659              trolled from the management interface.
2660
2661       --static-challenge t e
2662              Enable static challenge/response protocol using  challenge  text
2663              t, with echo flag given by e (0|1).
2664
2665              The  echo  flag  indicates whether or not the user's response to
2666              the challenge should be echoed.
2667
2668              See management-notes.txt  in  the  OpenVPN  distribution  for  a
2669              description of the OpenVPN challenge/response protocol.
2670
2671       --server-poll-timeout n, --connect-timeout n
2672              When  connecting  to a remote server do not wait for more than n
2673              seconds waiting for a response before trying  the  next  server.
2674              The  default  value is 120s. This timeout includes proxy and TCP
2675              connect timeouts.
2676
2677       --explicit-exit-notify [n]
2678              In UDP client mode or point-to-point mode, send  server/peer  an
2679              exit  notification  if tunnel is restarted or OpenVPN process is
2680              exited.  In client mode, on exit/restart, this option will  tell
2681              the  server  to  immediately  close  its  client instance object
2682              rather than waiting for a timeout.  The n parameter  (default=1)
2683              controls the maximum number of attempts that the client will try
2684              to resend the exit notification message.
2685
2686              In UDP server mode, send RESTART control channel command to con‐
2687              nected  clients.  The  n  parameter  (default=1) controls client
2688              behavior. With n = 1 client will attempt  to  reconnect  to  the
2689              same server, with n = 2 client will advance to the next server.
2690
2691              OpenVPN  will not send any exit notifications unless this option
2692              is enabled.
2693
2694       --allow-recursive-routing
2695              When this option is set, OpenVPN  will  not  drop  incoming  tun
2696              packets with same destination as host.
2697
2698   Data Channel Encryption Options:
2699       These options are meaningful for both Static & TLS-negotiated key modes
2700       (must be compatible between peers).
2701
2702       --secret file [direction]
2703              Enable Static Key encryption  mode  (non-TLS).   Use  pre-shared
2704              secret file which was generated with --genkey.
2705
2706              The  optional  direction parameter enables the use of 4 distinct
2707              keys (HMAC-send, cipher-encrypt, HMAC-receive,  cipher-decrypt),
2708              so that each data flow direction has a different set of HMAC and
2709              cipher keys.  This has a number of desirable security properties
2710              including  eliminating  certain  kinds of DoS and message replay
2711              attacks.
2712
2713              When the direction parameter is omitted, 2 keys are  used  bidi‐
2714              rectionally,  one  for HMAC and the other for encryption/decryp‐
2715              tion.
2716
2717              The direction parameter should always be complementary on either
2718              side  of  the  connection,  i.e. one side should use "0" and the
2719              other should use "1", or both sides should omit it altogether.
2720
2721              The direction parameter requires that file contains a  2048  bit
2722              key.   While  pre-1.5  versions of OpenVPN generate 1024 bit key
2723              files, any version  of  OpenVPN  which  supports  the  direction
2724              parameter,  will also support 2048 bit key file generation using
2725              the --genkey option.
2726
2727              Static key encryption mode has certain advantages,  the  primary
2728              being ease of configuration.
2729
2730              There  are no certificates or certificate authorities or compli‐
2731              cated negotiation handshakes and protocols.  The  only  require‐
2732              ment  is  that  you have a pre-existing secure channel with your
2733              peer (such as ssh ) to initially copy the  key.   This  require‐
2734              ment, along with the fact that your key never changes unless you
2735              manually generate a new one, makes it somewhat less secure  than
2736              TLS mode (see below).  If an attacker manages to steal your key,
2737              everything that was ever encrypted with it is compromised.  Con‐
2738              trast  that  to the perfect forward secrecy features of TLS mode
2739              (using Diffie Hellman key exchange), where even if  an  attacker
2740              was able to steal your private key, he would gain no information
2741              to help him decrypt past sessions.
2742
2743              Another advantageous aspect of Static  Key  encryption  mode  is
2744              that  it is a handshake-free protocol without any distinguishing
2745              signature or feature (such as a  header  or  protocol  handshake
2746              sequence) that would mark the ciphertext packets as being gener‐
2747              ated by OpenVPN.  Anyone eavesdropping on  the  wire  would  see
2748              nothing but random-looking data.
2749
2750       --key-direction
2751              Alternative  way  of specifying the optional direction parameter
2752              for the --tls-auth  and  --secret  options.  Useful  when  using
2753              inline files (See section on inline files).
2754
2755       --auth alg
2756              Authenticate data channel packets and (if enabled) tls-auth con‐
2757              trol channel packets with HMAC using  message  digest  algorithm
2758              alg.   (The  default is SHA1 ).  HMAC is a commonly used message
2759              authentication algorithm (MAC) that uses a data string, a secure
2760              hash algorithm, and a key, to produce a digital signature.
2761
2762              The  OpenVPN  data  channel protocol uses encrypt-then-mac (i.e.
2763              first encrypt a packet, then  HMAC  the  resulting  ciphertext),
2764              which prevents padding oracle attacks.
2765
2766              If  an  AEAD  cipher  mode  (e.g.  GCM) is chosen, the specified
2767              --auth algorithm is  ignored  for  the  data  channel,  and  the
2768              authentication  method of the AEAD cipher is used instead.  Note
2769              that alg still specifies the digest used for tls-auth.
2770
2771              In static-key encryption mode, the HMAC key is included  in  the
2772              key  file  generated  by --genkey.  In TLS mode, the HMAC key is
2773              dynamically generated and shared between peers via the TLS  con‐
2774              trol  channel.   If OpenVPN receives a packet with a bad HMAC it
2775              will drop the packet.  HMAC usually adds  16  or  20  bytes  per
2776              packet.  Set alg=none to disable authentication.
2777
2778              For        more        information       on       HMAC       see
2779              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
2780
2781       --cipher alg
2782              Encrypt data channel packets with cipher algorithm alg.
2783
2784              The default is BF-CBC, an abbreviation for  Blowfish  in  Cipher
2785              Block  Chaining mode.  When cipher negotiation (NCP) is allowed,
2786              OpenVPN 2.4 and newer on both client and server side will  auto‐
2787              matically   upgrade   to  AES-256-GCM.   See  --ncp-ciphers  and
2788              --ncp-disable for more details on NCP.
2789
2790              Using BF-CBC is no longer recommended,  because  of  its  64-bit
2791              block  size.  This small block size allows attacks based on col‐
2792              lisions,  as  demonstrated  by  SWEET32.    See   https://commu
2793              nity.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to this,
2794              support for BF-CBC, DES, CAST5, IDEA and  RC2  ciphers  will  be
2795              removed in OpenVPN 2.6.
2796
2797              To  see  other  ciphers that are available with OpenVPN, use the
2798              --show-ciphers option.
2799
2800              Set alg=none to disable encryption.
2801
2802
2803       --ncp-ciphers cipher_list
2804              Restrict the allowed ciphers to be negotiated to the ciphers  in
2805              cipher_list.   cipher_list is a colon-separated list of ciphers,
2806              and defaults to "AES-256-GCM:AES-128-GCM".
2807
2808              For servers, the first cipher from cipher_list will be pushed to
2809              clients that support cipher negotiation.
2810
2811              Cipher  negotiation is enabled in client-server mode only.  I.e.
2812              if --mode is set to 'server' (server-side,  implied  by  setting
2813              --server  ),  or if --pull is specified (client-side, implied by
2814              setting --client).
2815
2816              If both peers support and do not  disable  NCP,  the  negotiated
2817              cipher will override the cipher specified by --cipher.
2818
2819              Additionally,  to  allow  for  more smooth transition, if NCP is
2820              enabled, OpenVPN will inherit the cipher of  the  peer  if  that
2821              cipher  is  different  from  the local --cipher setting, but the
2822              peer cipher is one of the ciphers  specified  in  --ncp-ciphers.
2823              E.g.  a non-NCP client (<=v2.3, or with --ncp-disabled set) con‐
2824              necting to a NCP  server  (v2.4+)  with  "--cipher  BF-CBC"  and
2825              "--ncp-ciphers  AES-256-GCM:AES-256-CBC"  set can either specify
2826              "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.
2827
2828              This list is restricted to be 127 chars long after conversion to
2829              OpenVPN ciphers.
2830
2831       --ncp-disable
2832              Disable  "negotiable  crypto  parameters".  This completely dis‐
2833              ables cipher negotiation.
2834
2835       --keysize n
2836              DEPRECATED This option will be removed in OpenVPN 2.6.
2837
2838              Size of cipher key in bits (optional).  If unspecified, defaults
2839              to  cipher-specific  default.   The  --show-ciphers  option (see
2840              below) shows all available OpenSSL ciphers,  their  default  key
2841              sizes,  and  whether  the  key size can be changed.  Use care in
2842              changing a cipher's default key size.   Many  ciphers  have  not
2843              been  extensively  cryptanalyzed  with non-standard key lengths,
2844              and a larger key may offer no real guarantee  of  greater  secu‐
2845              rity, or may even reduce security.
2846
2847       --prng alg [nsl]
2848              (Advanced) For PRNG (Pseudo-random number generator), use digest
2849              algorithm alg (default=sha1), and set nsl  (default=16)  to  the
2850              size in bytes of the nonce secret length (between 16 and 64).
2851
2852              Set  alg=none to disable the PRNG and use the OpenSSL RAND_bytes
2853              function instead  for  all  of  OpenVPN's  pseudo-random  number
2854              needs.
2855
2856       --engine [engine-name]
2857              Enable OpenSSL hardware-based crypto engine functionality.
2858
2859              If  engine-name is specified, use a specific crypto engine.  Use
2860              the --show-engines standalone option to list the crypto  engines
2861              which are supported by OpenSSL.
2862
2863       --no-replay
2864              DEPRECATED This option will be removed in OpenVPN 2.5.
2865
2866              (Advanced)  Disable OpenVPN's protection against replay attacks.
2867              Don't use this option unless you are prepared to make a tradeoff
2868              of greater efficiency in exchange for less security.
2869
2870              OpenVPN provides datagram replay protection by default.
2871
2872              Replay protection is accomplished by tagging each outgoing data‐
2873              gram with an identifier that is guaranteed to be unique for  the
2874              key  being used.  The peer that receives the datagram will check
2875              for the uniqueness of the identifier.   If  the  identifier  was
2876              already  received  in a previous datagram, OpenVPN will drop the
2877              packet.  Replay protection is important to defeat  attacks  such
2878              as  a  SYN flood attack, where the attacker listens in the wire,
2879              intercepts a TCP SYN packet (identifying it by  the  context  in
2880              which  it  occurs in relation to other packets), then floods the
2881              receiving peer with copies of this packet.
2882
2883              OpenVPN's replay protection is implemented in slightly different
2884              ways, depending on the key management mode you have selected.
2885
2886              In  Static  Key  mode  or  when using an CFB or OFB mode cipher,
2887              OpenVPN uses a 64 bit unique identifier  that  combines  a  time
2888              stamp with an incrementing sequence number.
2889
2890              When  using  TLS  mode  for  key exchange and a CBC cipher mode,
2891              OpenVPN uses only a 32 bit sequence number without a time stamp,
2892              since  OpenVPN  can  guarantee  the uniqueness of this value for
2893              each key.  As in IPSec, if the sequence number is close to wrap‐
2894              ping back to zero, OpenVPN will trigger a new key exchange.
2895
2896              To  check for replays, OpenVPN uses the sliding window algorithm
2897              used by IPSec.
2898
2899       --replay-window n [t]
2900              Use a replay protection sliding-window of size n and a time win‐
2901              dow of t seconds.
2902
2903              By default n is 64 (the IPSec default) and t is 15 seconds.
2904
2905              This  option  is  only  relevant  in UDP mode, i.e.  when either
2906              --proto udp is specified, or no --proto option is specified.
2907
2908              When OpenVPN tunnels IP packets over UDP, there is the possibil‐
2909              ity  that  packets  might  be dropped or delivered out of order.
2910              Because OpenVPN, like IPSec, is emulating the  physical  network
2911              layer,  it will accept an out-of-order packet sequence, and will
2912              deliver such packets in the same order they were received to the
2913              TCP/IP  protocol  stack,  provided  they  satisfy  several  con‐
2914              straints.
2915
2916              (a) The packet cannot be a replay (unless --no-replay is  speci‐
2917              fied, which disables replay protection altogether).
2918
2919              (b)  If  a packet arrives out of order, it will only be accepted
2920              if the difference between its sequence number  and  the  highest
2921              sequence number received so far is less than n.
2922
2923              (c)  If  a packet arrives out of order, it will only be accepted
2924              if it arrives no later than t seconds after any packet  contain‐
2925              ing a higher sequence number.
2926
2927              If  you  are using a network link with a large pipeline (meaning
2928              that the product of bandwidth and latency is high), you may want
2929              to  use  a  larger  value  for n.  Satellite links in particular
2930              often require this.
2931
2932              If you run OpenVPN  at  --verb  4,  you  will  see  the  message
2933              "Replay-window  backtrack  occurred  [x]" every time the maximum
2934              sequence number backtrack seen thus far increases.  This can  be
2935              used to calibrate n.
2936
2937              There  is some controversy on the appropriate method of handling
2938              packet reordering at the security layer.
2939
2940              Namely, to what extent should the  security  layer  protect  the
2941              encapsulated protocol from attacks which masquerade as the kinds
2942              of normal packet loss and reordering that  occur  over  IP  net‐
2943              works?
2944
2945              The  IPSec  and  OpenVPN  approach is to allow packet reordering
2946              within a certain fixed sequence number window.
2947
2948              OpenVPN adds to the IPSec model by limiting the window  size  in
2949              time as well as sequence space.
2950
2951              OpenVPN  also  adds  TCP  transport as an option (not offered by
2952              IPSec) in which case OpenVPN can adopt a  very  strict  attitude
2953              towards message deletion and reordering:  Don't allow it.  Since
2954              TCP guarantees reliability, any packet loss or reordering  event
2955              can be assumed to be an attack.
2956
2957              In  this  sense, it could be argued that TCP tunnel transport is
2958              preferred when tunneling non-IP  or  UDP  application  protocols
2959              which  might  be  vulnerable to a message deletion or reordering
2960              attack which falls within the normal operational  parameters  of
2961              IP networks.
2962
2963              So  I  would  make  the statement that one should never tunnel a
2964              non-IP protocol or UDP application protocol  over  UDP,  if  the
2965              protocol might be vulnerable to a message deletion or reordering
2966              attack that falls within the normal operating parameters of what
2967              is  to  be  expected from the physical IP layer.  The problem is
2968              easily fixed by simply using TCP as the VPN transport layer.
2969
2970       --mute-replay-warnings
2971              Silence the output of replay warnings, which are a common  false
2972              alarm  on  WiFi networks.  This option preserves the security of
2973              the replay protection code without the verbosity associated with
2974              warnings about duplicate packets.
2975
2976       --replay-persist file
2977              Persist  replay-protection  state  across sessions using file to
2978              save and reload the state.
2979
2980              This option will strengthen protection against  replay  attacks,
2981              especially when you are using OpenVPN in a dynamic context (such
2982              as with --inetd) when OpenVPN sessions  are  frequently  started
2983              and stopped.
2984
2985              This  option will keep a disk copy of the current replay protec‐
2986              tion state (i.e. the most recent packet timestamp  and  sequence
2987              number  received  from  the  remote peer), so that if an OpenVPN
2988              session is stopped and restarted, it will reject any replays  of
2989              packets which were already received by the prior session.
2990
2991              This  option  only makes sense when replay protection is enabled
2992              (the default) and you are using either  --secret  (shared-secret
2993              key mode) or TLS mode with --tls-auth.
2994
2995       --no-iv
2996              DEPRECATED This option will be removed in OpenVPN 2.5.
2997
2998              (Advanced)  Disable  OpenVPN's  use of IV (cipher initialization
2999              vector).  Don't use this option unless you are prepared to  make
3000              a tradeoff of greater efficiency in exchange for less security.
3001
3002              OpenVPN  uses  an IV by default, and requires it for CFB and OFB
3003              cipher modes (which are totally insecure without it).  Using  an
3004              IV  is  important  for security when multiple messages are being
3005              encrypted/decrypted with the same key.
3006
3007              IV is implemented differently depending on the cipher mode used.
3008
3009              In CBC mode, OpenVPN uses a pseudo-random IV for each packet.
3010
3011              In CFB/OFB mode, OpenVPN uses a unique sequence number and  time
3012              stamp as the IV.  In fact, in CFB/OFB mode, OpenVPN uses a data‐
3013              gram space-saving optimization that uses the  unique  identifier
3014              for datagram replay protection as the IV.
3015
3016       --use-prediction-resistance
3017              Enable prediction resistance on mbed TLS's RNG.
3018
3019              Enabling  prediction resistance causes the RNG to reseed in each
3020              call for random. Reseeding this often can  quickly  deplete  the
3021              kernel entropy pool.
3022
3023              If  you  need this option, please consider running a daemon that
3024              adds entropy to the kernel pool.
3025
3026
3027       --test-crypto
3028              Do a self-test of OpenVPN's crypto  options  by  encrypting  and
3029              decrypting  test  packets  using  the  data  channel  encryption
3030              options specified above.  This option does not require a peer to
3031              function,  and  therefore  can  be  specified  without  --dev or
3032              --remote.
3033
3034              The typical usage of --test-crypto would be something like this:
3035
3036              openvpn --test-crypto --secret key
3037
3038              or
3039
3040              openvpn --test-crypto --secret key --verb 9
3041
3042              This option is very useful to test OpenVPN  after  it  has  been
3043              ported  to  a  new  platform, or to isolate problems in the com‐
3044              piler, OpenSSL crypto library, or OpenVPN's crypto code.   Since
3045              it is a self-test mode, problems with encryption and authentica‐
3046              tion can be debugged independently of network and tunnel issues.
3047
3048   TLS Mode Options:
3049       TLS mode is the most powerful crypto mode of OpenVPN in  both  security
3050       and flexibility.  TLS mode works by establishing control and data chan‐
3051       nels which are multiplexed over a single TCP/UDP port.  OpenVPN  initi‐
3052       ates  a  TLS  session  over the control channel and uses it to exchange
3053       cipher and HMAC keys to protect the data  channel.   TLS  mode  uses  a
3054       robust  reliability layer over the UDP connection for all control chan‐
3055       nel communication, while the data channel, over which encrypted  tunnel
3056       data  passes,  is  forwarded  without any mediation.  The result is the
3057       best of both worlds: a fast data channel that forwards  over  UDP  with
3058       only  the  overhead of encrypt, decrypt, and HMAC functions, and a con‐
3059       trol channel that provides all of the security features of TLS, includ‐
3060       ing   certificate-based   authentication  and  Diffie  Hellman  forward
3061       secrecy.
3062
3063       To use TLS mode, each peer that runs OpenVPN should have its own  local
3064       certificate/key  pair ( --cert and --key ), signed by the root certifi‐
3065       cate which is specified in --ca.
3066
3067       When two OpenVPN peers connect, each presents its local certificate  to
3068       the other.  Each peer will then check that its partner peer presented a
3069       certificate which was signed by the master root certificate  as  speci‐
3070       fied in --ca.
3071
3072       If  that  check  on  both peers succeeds, then the TLS negotiation will
3073       succeed, both OpenVPN peers will exchange temporary session  keys,  and
3074       the tunnel will begin passing data.
3075
3076       The OpenVPN project provides a set of scripts for managing RSA certifi‐
3077       cates & keys: https://github.com/OpenVPN/easy-rsa
3078
3079       --tls-server
3080              Enable TLS and assume server role during  TLS  handshake.   Note
3081              that  OpenVPN  is  designed  as a peer-to-peer application.  The
3082              designation of client or server is only for the purpose of nego‐
3083              tiating the TLS control channel.
3084
3085       --tls-client
3086              Enable TLS and assume client role during TLS handshake.
3087
3088       --ca file
3089              Certificate authority (CA) file in .pem format, also referred to
3090              as the root certificate.  This file can have  multiple  certifi‐
3091              cates  in .pem format, concatenated together.  You can construct
3092              your own certificate authority certificate and  private  key  by
3093              using a command such as:
3094
3095              openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
3096
3097              Then  edit  your openssl.cnf file and edit the certificate vari‐
3098              able to point to your new root certificate ca.crt.
3099
3100              For testing purposes only, the OpenVPN distribution  includes  a
3101              sample  CA certificate (ca.crt).  Of course you should never use
3102              the test certificates and test keys distributed with OpenVPN  in
3103              a  production environment, since by virtue of the fact that they
3104              are distributed with OpenVPN, they are totally insecure.
3105
3106       --capath dir
3107              Directory containing trusted certificates (CAs and  CRLs).   Not
3108              available with mbed TLS.
3109
3110              CAs in the capath directory are expected to be named <hash>.<n>.
3111              CRLs are expected to  be  named  <hash>.r<n>.  See  the  -CApath
3112              option  of openssl verify , and the -hash option of openssl x509
3113              , openssl crl and X509_LOOKUP_hash_dir(3) for more information.
3114
3115              Similarly to the --crl-verify option CRLs are  not  mandatory  -
3116              OpenVPN  will  log the usual warning in the logs if the relevant
3117              CRL is missing, but the connection will be allowed.
3118
3119       --dh file
3120              File  containing  Diffie  Hellman  parameters  in  .pem   format
3121              (required for --tls-server only).
3122
3123              Set  file=none  to  disable Diffie Hellman key exchange (and use
3124              ECDH only). Note that this requires peers to  be  using  an  SSL
3125              library  that  supports  ECDH  TLS  cipher  suites (e.g. OpenSSL
3126              1.0.1+, or mbed TLS 2.0+).
3127
3128              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
3129              parameters. Diffie Hellman parameters may be considered public.
3130
3131       --ecdh-curve name
3132              Specify  the  curve  to  use  for elliptic curve Diffie Hellman.
3133              Available curves can be listed with --show-curves.   The  speci‐
3134              fied curve will only be used for ECDH TLS-ciphers.
3135
3136              This option is not supported in mbed TLS builds of OpenVPN.
3137
3138       --cert file
3139              Local peer's signed certificate in .pem format -- must be signed
3140              by a certificate authority whose certificate is  in  --ca  file.
3141              Each peer in an OpenVPN link running in TLS mode should have its
3142              own certificate and private key file.  In  addition,  each  cer‐
3143              tificate  should  have  been  signed by the key of a certificate
3144              authority whose public  key  resides  in  the  --ca  certificate
3145              authority  file.   You  can  easily  make  your  own certificate
3146              authority (see above) or pay money to use a  commercial  service
3147              such as thawte.com (in which case you will be helping to finance
3148              the world's second space tourist :).  To generate a certificate,
3149              you can use a command such as:
3150
3151              openssl req -nodes -new -keyout mycert.key -out mycert.csr
3152
3153              If  your  certificate  authority  private  key  lives on another
3154              machine, copy the certificate signing  request  (mycert.csr)  to
3155              this  other  machine  (this can be done over an insecure channel
3156              such as email).  Now sign the certificate with  a  command  such
3157              as:
3158
3159              openssl ca -out mycert.crt -in mycert.csr
3160
3161              Now  copy  the  certificate  (mycert.crt) back to the peer which
3162              initially generated the .csr file (this can  be  over  a  public
3163              medium).  Note that the openssl ca command reads the location of
3164              the certificate authority key from its configuration  file  such
3165              as  /usr/share/ssl/openssl.cnf -- note also that for certificate
3166              authority functions, you must set up the files index.txt (may be
3167              empty) and serial (initialize to 01 ).
3168
3169       --extra-certs file
3170              Specify  a  file  containing one or more PEM certs (concatenated
3171              together) that complete the local certificate chain.
3172
3173              This option is useful for "split" CAs, where the CA  for  server
3174              certs  is different than the CA for client certs.  Putting certs
3175              in this file allows them to be used to complete the  local  cer‐
3176              tificate  chain without trusting them to verify the peer-submit‐
3177              ted certificate, as would be the case if the certs  were  placed
3178              in the ca file.
3179
3180       --key file
3181              Local  peer's  private  key in .pem format.  Use the private key
3182              which was generated when you built your peer's certificate  (see
3183              --cert file above).
3184
3185       --tls-version-min version ['or-highest']
3186              Sets  the  minimum  TLS  version  we  will  accept from the peer
3187              (default is "1.0").  Examples for version include "1.0",  "1.1",
3188              or  "1.2".  If 'or-highest' is specified and version is not rec‐
3189              ognized, we will only accept the highest TLS  version  supported
3190              by the local SSL implementation.
3191
3192       --tls-version-max version
3193              Set  the maximum TLS version we will use (default is the highest
3194              version supported).  Examples for version include "1.0",  "1.1",
3195              or "1.2".
3196
3197       --pkcs12 file
3198              Specify a PKCS #12 file containing local private key, local cer‐
3199              tificate, and root CA certificate.   This  option  can  be  used
3200              instead  of  --ca,  --cert,  and --key.  Not available with mbed
3201              TLS.
3202
3203       --verify-hash hash [algo]
3204              Specify SHA1  or  SHA256  fingerprint  for  level-1  cert.   The
3205              level-1  cert  is  the  CA (or intermediate cert) that signs the
3206              leaf certificate, and is one removed from the  leaf  certificate
3207              in  the direction of the root.  When accepting a connection from
3208              a peer, the level-1 cert fingerprint must match hash or certifi‐
3209              cate verification will fail.  Hash is specified as XX:XX:... For
3210              example:
3211
3212                  AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
3213
3214              The algo flag can be either SHA1 or SHA256.  If not provided, it
3215              defaults to SHA1.
3216
3217       --pkcs11-cert-private [0|1]...
3218              Set  if  access  to certificate object should be performed after
3219              login.  Every provider has its own setting.
3220
3221       --pkcs11-id name
3222              Specify the serialized certificate id to be used. The id can  be
3223              gotten by the standalone --show-pkcs11-ids option.
3224
3225       --pkcs11-id-management
3226              Acquire  PKCS#11  id  from  management interface. In this case a
3227              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
3228              gered,  application  may use pkcs11-id-count command to retrieve
3229              available number of certificates, and pkcs11-id-get  command  to
3230              retrieve certificate id and certificate body.
3231
3232       --pkcs11-pin-cache seconds
3233              Specify  how  many seconds the PIN can be cached, the default is
3234              until the token is removed.
3235
3236       --pkcs11-protected-authentication [0|1]...
3237              Use PKCS#11 protected authentication path, useful for  biometric
3238              and  external  keypad  devices.  Every provider has its own set‐
3239              ting.
3240
3241       --pkcs11-providers provider...
3242              Specify a RSA Security Inc. PKCS #11 Cryptographic Token  Inter‐
3243              face  (Cryptoki)  providers  to  load.   This option can be used
3244              instead of --cert, --key, and --pkcs12.
3245
3246              If p11-kit is present on the system, its p11-kit-proxy.so module
3247              will   be  loaded  by  default  if  either  the  --pkcs11-id  or
3248              --pkcs11-id-management    options    are    specified    without
3249              --pkcs11-provider being given.
3250
3251       --pkcs11-private-mode mode...
3252              Specify  which  method  to  use  in order to perform private key
3253              operations.   A  different  mode  can  be  specified  for   each
3254              provider.   Mode is encoded as hex number, and can be a mask one
3255              of the following:
3256
3257              0 (default) -- Try to determine automatically.
3258              1 -- Use sign.
3259              2 -- Use sign recover.
3260              4 -- Use decrypt.
3261              8 -- Use unwrap.
3262
3263       --cryptoapicert select-string
3264              Load the certificate and private key from the  Windows  Certifi‐
3265              cate System Store (Windows/OpenSSL Only).
3266
3267              Use this option instead of --cert and --key.
3268
3269              This  makes it possible to use any smart card, supported by Win‐
3270              dows, but also any kind of certificate,  residing  in  the  Cert
3271              Store,  where  you  have access to the private key.  This option
3272              has been tested with a couple of different smart cards (GemSAFE,
3273              Cryptoflex, and Swedish Post Office eID) on the client side, and
3274              also an imported PKCS12 software certificate on the server side.
3275
3276              To select a certificate, based on a substring search in the cer‐
3277              tificate's subject:
3278
3279              cryptoapicert "SUBJ:Peter Runestig"
3280
3281              To select a certificate, based on certificate's thumbprint:
3282
3283              cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
3284
3285              The thumbprint hex string can easily be copy-and-pasted from the
3286              Windows Certificate Store GUI.
3287
3288
3289       --key-method m
3290              DEPRECATED This option will be removed in OpenVPN 2.5
3291
3292              Use data channel key negotiation method m.  The key method  must
3293              match on both sides of the connection.
3294
3295              After  OpenVPN  negotiates  a TLS session, a new set of keys for
3296              protecting the tunnel data channel is  generated  and  exchanged
3297              over the TLS session.
3298
3299              In  method  1 (the default for OpenVPN 1.x), both sides generate
3300              random encrypt and HMAC-send keys which  are  forwarded  to  the
3301              other host over the TLS channel. Method 1 is deprecated in Open‐
3302              VPN 2.4 , and will be removed in OpenVPN 2.5.
3303
3304              In method 2, (the default for OpenVPN 2.0) the client  generates
3305              a  random key.  Both client and server also generate some random
3306              seed material.  All key source material is  exchanged  over  the
3307              TLS  channel.  The  actual  keys are generated using the TLS PRF
3308              function, taking source entropy from  both  client  and  server.
3309              Method  2  is  designed  to  closely parallel the key generation
3310              process used by TLS 1.0.
3311
3312              Note that in TLS mode, two separate levels of keying occur:
3313
3314              (1) The TLS connection is initially negotiated, with both  sides
3315              of  the connection producing certificates and verifying the cer‐
3316              tificate (or other authentication info provided)  of  the  other
3317              side.  The --key-method parameter has no effect on this process.
3318
3319              (2)  After the TLS connection is established, the tunnel session
3320              keys are separately negotiated  over  the  existing  secure  TLS
3321              channel.   Here,  --key-method  determines the derivation of the
3322              tunnel session keys.
3323
3324       --tls-cipher l
3325       --tls-ciphersuites l
3326              A list l of allowable TLS ciphers delimited by a colon (":").
3327
3328              These setting can be used to ensure that certain  cipher  suites
3329              are used (or not used) for the TLS connection.  OpenVPN uses TLS
3330              to secure the control channel, over which the keys that are used
3331              to protect the actual VPN traffic are exchanged.
3332
3333              The  supplied  list  of ciphers is (after potential OpenSSL/IANA
3334              name translation) simply supplied to the crypto library.  Please
3335              see the OpenSSL and/or mbed TLS documentation for details on the
3336              cipher list interpretation.
3337
3338              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below. For
3339              TLS 1.3 and up, the --tls-ciphersuites setting is used. mbed TLS
3340              has no TLS 1.3 support yet and only the --tls-cipher setting  is
3341              used.
3342
3343              Use  --show-tls  to  see a list of TLS ciphers supported by your
3344              crypto library.
3345
3346              Warning!  --tls-cipher and --tls-ciphersuites  are  expert  fea‐
3347              tures,  which  -  if used correcly - can improve the security of
3348              your VPN connection.  But it is also  easy  to  unwittingly  use
3349              them to carefully align a gun with your foot, or just break your
3350              connection.  Use with care!
3351
3352              The default for --tls-cipher is to use mbed TLS's default cipher
3353              list         when         using        mbed        TLS        or
3354              "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
3355              when using OpenSSL.
3356
3357              The   default  for  --tls-ciphersuites  is  to  use  the  crypto
3358              library's default.
3359
3360       --tls-cert-profile profile
3361              Set  the  allowed  cryptographic  algorithms  for   certificates
3362              according to profile.
3363
3364              The following profiles are supported:
3365
3366              legacy  (default):  SHA1  and newer, RSA 2048-bit+, any elliptic
3367              curve.
3368
3369              preferred : SHA2 and newer, RSA 2048-bit+, any elliptic curve.
3370
3371              suiteb : SHA256/SHA384, ECDSA with P-256 or P-384.
3372
3373              This option  is  only  fully  supported  for  mbed  TLS  builds.
3374              OpenSSL builds use the following approximation:
3375
3376              legacy (default): sets "security level 1"
3377
3378              preferred : sets "security level 2"
3379
3380              suiteb : sets "security level 3" and --tls-cipher "SUITEB128".
3381
3382              OpenVPN  will  migrate  to 'preferred' as default in the future.
3383              Please ensure that your keys already comply.
3384
3385       --tls-timeout n
3386              Packet retransmit timeout on TLS control channel if no  acknowl‐
3387              edgment  from remote within n seconds (default=2).  When OpenVPN
3388              sends a control packet to its peer, it will expect to receive an
3389              acknowledgement  within  n  seconds  or  it  will retransmit the
3390              packet, subject to a  TCP-like  exponential  backoff  algorithm.
3391              This  parameter  only  applies to control channel packets.  Data
3392              channel packets (which carry encrypted tunnel  data)  are  never
3393              acknowledged, sequenced, or retransmitted by OpenVPN because the
3394              higher level network protocols running on top of the tunnel such
3395              as TCP expect this role to be left to them.
3396
3397       --reneg-bytes n
3398              Renegotiate  data  channel  key  after  n bytes sent or received
3399              (disabled by default with an  exception,  see  below).   OpenVPN
3400              allows  the  lifetime  of  a  key to be expressed as a number of
3401              bytes encrypted/decrypted, a number of packets, or a  number  of
3402              seconds.   A  key  renegotiation  will be forced if any of these
3403              three criteria are met by either peer.
3404
3405              If using ciphers with cipher block  sizes  less  than  128-bits,
3406              --reneg-bytes is set to 64MB by default, unless it is explicitly
3407              disabled by setting the value to 0, but this is HIGHLY  DISCOUR‐
3408              AGED  as  this  is  designed  to add some protection against the
3409              SWEET32 attack vector.  For more information  see  the  --cipher
3410              option.
3411
3412       --reneg-pkts n
3413              Renegotiate  data  channel key after n packets sent and received
3414              (disabled by default).
3415
3416       --reneg-sec n
3417              Renegotiate data channel key after n seconds (default=3600).
3418
3419              When using dual-factor authentication, note  that  this  default
3420              value  may  cause  the  end user to be challenged to reauthorize
3421              once per hour.
3422
3423              Also, keep in mind that this option can  be  used  on  both  the
3424              client  and  server,  and whichever uses the lower value will be
3425              the one to trigger the renegotiation.  A common  mistake  is  to
3426              set  --reneg-sec  to  a  higher  value  on  either the client or
3427              server, while the other side of the connection  is  still  using
3428              the  default  value of 3600 seconds, meaning that the renegotia‐
3429              tion will still occur once per 3600 seconds.  The solution is to
3430              increase --reneg-sec on both the client and server, or set it to
3431              0 on one side of the connection (to disable), and to your chosen
3432              value on the other side.
3433
3434       --hand-window n
3435              Handshake  Window  --  the  TLS-based key exchange must finalize
3436              within n seconds of handshake initiation by any peer (default  =
3437              60  seconds).   If  the handshake fails we will attempt to reset
3438              our connection with our peer and try again.  Even in  the  event
3439              of  handshake  failure we will still use our expiring key for up
3440              to --tran-window seconds to maintain continuity of  transmission
3441              of tunnel data.
3442
3443       --tran-window n
3444              Transition  window  --  our  old  key can live this many seconds
3445              after a new a key renegotiation begins (default = 3600 seconds).
3446              This  feature  allows  for a graceful transition from old to new
3447              key, and removes the key renegotiation sequence from the  criti‐
3448              cal path of tunnel data forwarding.
3449
3450       --single-session
3451              After  initially  connecting  to a remote peer, disallow any new
3452              connections.  Using this option means that a remote peer  cannot
3453              connect, disconnect, and then reconnect.
3454
3455              If  the  daemon  is reset by a signal or --ping-restart, it will
3456              allow one new connection.
3457
3458              --single-session can be used with --ping-exit or  --inactive  to
3459              create a single dynamic session that will exit when finished.
3460
3461       --tls-exit
3462              Exit on TLS negotiation failure.
3463
3464       --tls-auth file [direction]
3465              Add an additional layer of HMAC authentication on top of the TLS
3466              control channel to mitigate DoS attacks and attacks on  the  TLS
3467              stack.
3468
3469              In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
3470              OpenVPN's TCP/UDP port, where TLS control channel packets  bear‐
3471              ing an incorrect HMAC signature can be dropped immediately with‐
3472              out response.
3473
3474              file (required) is a file in OpenVPN static key format which can
3475              be generated by --genkey
3476
3477              Older   versions  (up  to  OpenVPN  2.3)  supported  a  freeform
3478              passphrase file.  This is no longer supported in newer  versions
3479              (v2.4+).
3480
3481              See  the  --secret  option  for more information on the optional
3482              direction parameter.
3483
3484              --tls-auth is recommended when you are running OpenVPN in a mode
3485              where  it  is listening for packets from any IP address, such as
3486              when --remote is not specified, or --remote  is  specified  with
3487              --float.
3488
3489              The  rationale  for  this feature is as follows.  TLS requires a
3490              multi-packet exchange before it is able to authenticate a  peer.
3491              During  this  time  before authentication, OpenVPN is allocating
3492              resources (memory and CPU) to this potential peer.   The  poten‐
3493              tial peer is also exposing many parts of OpenVPN and the OpenSSL
3494              library to the packets it is sending.  Most  successful  network
3495              attacks  today  seek to either exploit bugs in programs (such as
3496              buffer overflow attacks) or force a program to consume  so  many
3497              resources that it becomes unusable.  Of course the first line of
3498              defense is always to produce clean, well-audited code.   OpenVPN
3499              has been written with buffer overflow attack prevention as a top
3500              priority.  But as history has shown, many  of  the  most  widely
3501              used  network  applications  have,  from time to time, fallen to
3502              buffer overflow attacks.
3503
3504              So as a second line of  defense,  OpenVPN  offers  this  special
3505              layer  of  authentication  on  top of the TLS control channel so
3506              that every packet on the control channel is authenticated by  an
3507              HMAC signature and a unique ID for replay protection.  This sig‐
3508              nature will also help protect against DoS  (Denial  of  Service)
3509              attacks.   An  important rule of thumb in reducing vulnerability
3510              to DoS attacks is to minimize the amount of resources  a  poten‐
3511              tial, but as yet unauthenticated, client is able to consume.
3512
3513              --tls-auth does this by signing every TLS control channel packet
3514              with an HMAC signature, including packets which are sent  before
3515              the  TLS  level  has had a chance to authenticate the peer.  The
3516              result is that packets without  the  correct  signature  can  be
3517              dropped immediately upon reception, before they have a chance to
3518              consume additional system resources such as by initiating a  TLS
3519              handshake.    --tls-auth  can  be  strengthened  by  adding  the
3520              --replay-persist option which will keep OpenVPN's replay protec‐
3521              tion state in a file so that it is not lost across restarts.
3522
3523              It  should  be emphasized that this feature is optional and that
3524              the key file used with --tls-auth gives a peer nothing more than
3525              the  power  to  initiate  a  TLS  handshake.   It is not used to
3526              encrypt or authenticate any tunnel data.
3527
3528              Use --tls-crypt instead if you want to use the key file  to  not
3529              only authenticate, but also encrypt the TLS control channel.
3530
3531       --tls-crypt keyfile
3532
3533              Encrypt  and  authenticate  all control channel packets with the
3534              key from keyfile.  (See --tls-auth for more background.)
3535
3536              Encrypting (and authenticating) control channel packets:
3537
3538              · provides more privacy by hiding the certificate used  for  the
3539                TLS connection,
3540
3541              · makes it harder to identify OpenVPN traffic as such,
3542
3543              · provides "poor-man's" post-quantum security, against attackers
3544                who will never  know  the  pre-shared  key  (i.e.  no  forward
3545                secrecy).
3546
3547
3548              In  contrast  to  --tls-auth, --tls-crypt does *not* require the
3549              user to set --key-direction.
3550
3551              Security Considerations
3552
3553              All peers use the  same  --tls-crypt  pre-shared  group  key  to
3554              authenticate  and  encrypt  control channel messages.  To ensure
3555              that IV collisions remain unlikely, this key should not be  used
3556              to   encrypt   more   than   2^48   client-to-server   or   2^48
3557              server-to-client control channel messages.   A  typical  initial
3558              negotiation  is  about  10  packets in each direction.  Assuming
3559              both initial negotiation and renegotiations  are  at  most  2^16
3560              (65536)  packets (to be conservative), and (re)negotiations hap‐
3561              pen each minute for each user (24/7), this limits the  tls-crypt
3562              key lifetime to 8171 years divided by the number of users.  So a
3563              setup with 1000 users should rotate the key at least  once  each
3564              eight years.  (And a setup with 8000 users each year.)
3565
3566              If  IV  collisions were to occur, this could result in the secu‐
3567              rity of --tls-crypt degrading to  the  same  security  as  using
3568              --tls-auth.   That  is,  the control channel still benefits from
3569              the extra protection  against  active  man-in-the-middle-attacks
3570              and  DoS  attacks,  but  may  no  longer offer extra privacy and
3571              post-quantum security on top of what TLS itself offers.
3572
3573       --askpass [file]
3574              Get certificate password from console or file before  we  daemo‐
3575              nize.
3576
3577              For  the extremely security conscious, it is possible to protect
3578              your private key with a password.  Of  course  this  means  that
3579              every  time  the  OpenVPN daemon is started you must be there to
3580              type the password.  The --askpass option  allows  you  to  start
3581              OpenVPN from the command line.  It will query you for a password
3582              before it daemonizes.  To protect a private key with a  password
3583              you  should omit the -nodes option when you use the openssl com‐
3584              mand line tool to manage certificates and private keys.
3585
3586              If file is specified, read the password from the first  line  of
3587              file.   Keep  in  mind that storing your password in a file to a
3588              certain extent invalidates the extra security provided by  using
3589              an encrypted key.
3590
3591       --auth-nocache
3592              Don't  cache --askpass or --auth-user-pass username/passwords in
3593              virtual memory.
3594
3595              If specified, this directive will cause OpenVPN  to  immediately
3596              forget  username/password  inputs  after  they  are  used.  As a
3597              result, when OpenVPN needs a username/password, it  will  prompt
3598              for  input  from  stdin,  which may be multiple times during the
3599              duration of an OpenVPN session.
3600
3601              When using --auth-nocache in combination  with  a  user/password
3602              file  and  --chroot  or  --daemon,  make sure to use an absolute
3603              path.
3604
3605              This directive does not affect the  --http-proxy  username/pass‐
3606              word.  It is always cached.
3607
3608       --auth-token token
3609              This  is  not an option to be used directly in any configuration
3610              files, but rather  push  this  option  from  a  --client-connect
3611              script   or  a  --plugin  which  hooks  into  the  OPENVPN_PLUG‐
3612              IN_CLIENT_CONNECT  or  OPENVPN_PLUGIN_CLIENT_CONNECT_V2   calls.
3613              This  option provides a possibility to replace the clients pass‐
3614              word with an authentication token during  the  lifetime  of  the
3615              OpenVPN client.
3616
3617              Whenever    the    connection    is    renegotiated    and   the
3618              --auth-user-pass-verify script or --plugin  making  use  of  the
3619              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  hook is triggered, it will
3620              pass over this token as the password instead of the password the
3621              user  provided.  The authentication token can only be reset by a
3622              full reconnect where the server can  push  new  options  to  the
3623              client.   The  password the user entered is never preserved once
3624              an authentication token have been set.  If  the  OpenVPN  server
3625              side  rejects  the authentication token, the client will receive
3626              an AUTH_FAIL and disconnect.
3627
3628              The purpose of this is to enable two factor authentication meth‐
3629              ods,  such  as  HOTP  or  TOTP,  to  be  used without needing to
3630              retrieve a new OTP code each time the  connection  is  renegoti‐
3631              ated.   Another  use case is to cache authentication data on the
3632              client without needing to have the users password cached in mem‐
3633              ory during the life time of the session.
3634
3635              To  make  use  of  this  feature, the --client-connect script or
3636              --plugin needs to put
3637
3638                  push "auth-token UNIQUE_TOKEN_VALUE"
3639
3640              into the file/buffer for dynamic configuration data.  This  will
3641              then  make  the OpenVPN server to push this value to the client,
3642              which replaces the local password with the UNIQUE_TOKEN_VALUE.
3643
3644              Newer clients (2.4.7+) will fall back to the  original  password
3645              method  after  a  failed auth. Older clients will keep using the
3646              token value and react acording to --auth-retry
3647
3648       --tls-verify cmd
3649              Run command cmd to verify the X509 name of a pending TLS connec‐
3650              tion  that has otherwise passed all other tests of certification
3651              (except for revocation via --crl-verify directive;  the  revoca‐
3652              tion test occurs after the --tls-verify test).
3653
3654              cmd  should return 0 to allow the TLS handshake to proceed, or 1
3655              to fail.
3656
3657              cmd consists of  a  path  to  script  (or  executable  program),
3658              optionally  followed by arguments. The path and arguments may be
3659              single- or double-quoted and/or escaped using a  backslash,  and
3660              should be separated by one or more spaces.
3661
3662              When  cmd is executed two arguments are appended after any argu‐
3663              ments specified in cmd , as follows:
3664
3665              cmd certificate_depth subject
3666
3667              These arguments are, respectively, the current certificate depth
3668              and the X509 subject distinguished name (dn) of the peer.
3669
3670              This  feature is useful if the peer you want to trust has a cer‐
3671              tificate which was signed by a certificate  authority  who  also
3672              signed many other certificates, where you don't necessarily want
3673              to trust all of them, but rather be selective about  which  peer
3674              certificate you will accept.  This feature allows you to write a
3675              script which will test the X509 name on a certificate and decide
3676              whether  or not it should be accepted.  For a simple perl script
3677              which will test the common name field on  the  certificate,  see
3678              the file verify-cn in the OpenVPN distribution.
3679
3680              See  the  "Environmental Variables" section below for additional
3681              parameters passed as environmental variables.
3682
3683       --tls-export-cert directory
3684              Store the certificates the clients uses upon connection to  this
3685              directory. This will be done before --tls-verify is called.  The
3686              certificates will use a temporary name and will be deleted  when
3687              the  tls-verify script returns.  The file name used for the cer‐
3688              tificate is available via the peer_cert environment variable.
3689
3690       --x509-username-field [ext:]fieldname
3691              Field in the X.509 certificate subject to be used as  the  user‐
3692              name  (default=CN).   Typically,  this  option is specified with
3693              fieldname as either of the following:
3694
3695              --x509-username-field emailAddress
3696              --x509-username-field ext:subjectAltName
3697
3698              The first example uses the value of the "emailAddress" attribute
3699              in  the certificate's Subject field as the username.  The second
3700              example uses the ext: prefix to signify that the X.509 extension
3701              fieldname "subjectAltName" be searched for an rfc822Name (email)
3702              field to be used as the username.  In cases where there are mul‐
3703              tiple  email  addresses in ext:fieldname, the last occurrence is
3704              chosen.
3705
3706              When this option is used,  the  --verify-x509-name  option  will
3707              match against the chosen fieldname instead of the Common Name.
3708
3709              Only  the  subjectAltName and issuerAltName X.509 extensions are
3710              supported.
3711
3712              Please note: This option has a feature  which  will  convert  an
3713              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
3714              A mixed-case fieldname or one having the  ext:  prefix  will  be
3715              left  as-is.   This automatic upcasing feature is deprecated and
3716              will be removed in a future release.
3717
3718       --verify-x509-name name type
3719              Accept connections only if a host's X.509 name is equal to name.
3720              The remote host must also pass all other tests of verification.
3721
3722              Which  X.509  name is compared to name depends on the setting of
3723              type.  type can be "subject" to match the  complete  subject  DN
3724              (default),  "name"  to  match  a subject RDN or "name-prefix" to
3725              match a subject RDN prefix.   Which  RDN  is  verified  as  name
3726              depends  on the --x509-username-field option. But it defaults to
3727              the common name (CN), e.g.  a  certificate  with  a  subject  DN
3728              "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
3729
3730              --verify-x509-name  'C=KG,  ST=NA,  L=Bishkek,  CN=Server-1' and
3731              --verify-x509-name  Server-1  name  or  you  could  use   --ver‐
3732              ify-x509-name  Server-  name-prefix if you want a client to only
3733              accept connections to "Server-1", "Server-2", etc.
3734
3735              --verify-x509-name is a useful replacement for the  --tls-verify
3736              option  to  verify  the  remote host, because --verify-x509-name
3737              works in a --chroot environment without any dependencies.
3738
3739              Using a name prefix is a useful alternative to  managing  a  CRL
3740              (Certificate Revocation List) on the client, since it allows the
3741              client to refuse all certificates except  for  those  associated
3742              with designated servers.
3743
3744              NOTE: Test against a name prefix only when you are using OpenVPN
3745              with a custom CA certificate that is under your control.   Never
3746              use  this  option  with type "name-prefix" when your client cer‐
3747              tificates are signed by a third party, such as a commercial  web
3748              CA.
3749
3750       --x509-track attribute
3751              Save peer X509 attribute value in environment for use by plugins
3752              and management interface.  Prepend a '+' to  attribute  to  save
3753              values  from  full  cert  chain.   Values  will  be  encoded  as
3754              X509_<depth>_<attribute>=<value>.  Multiple --x509-track options
3755              can be defined to track multiple attributes.
3756
3757       --ns-cert-type client|server
3758              DEPRECATED  This option will be removed in OpenVPN 2.5.  Use the
3759              more modern equivalent --remote-cert-tls instead.   This  option
3760              will be removed in OpenVPN 2.5.
3761
3762              Require  that  peer  certificate  was  signed  with  an explicit
3763              nsCertType designation of "client" or "server".
3764
3765              This is a useful security option for clients, to ensure that the
3766              host they connect with is a designated server.
3767
3768              See  the  easy-rsa/build-key-server script for an example of how
3769              to generate a certificate  with  the  nsCertType  field  set  to
3770              "server".
3771
3772              If the server certificate's nsCertType field is set to "server",
3773              then the clients can verify this with --ns-cert-type server.
3774
3775              This is an important security precaution to  protect  against  a
3776              man-in-the-middle  attack where an authorized client attempts to
3777              connect to another client  by  impersonating  the  server.   The
3778              attack  is  easily prevented by having clients verify the server
3779              certificate using any one of --ns-cert-type, --verify-x509-name,
3780              or --tls-verify.
3781
3782       --remote-cert-ku [v...]
3783              Require  that  peer  certificate was signed with an explicit key
3784              usage.
3785
3786              If present in the certificate, the keyUsage value  is  validated
3787              by  the  TLS  library during the TLS handshake.  Specifying this
3788              option without arguments requires this extension to  be  present
3789              (so the TLS library will verify it).
3790
3791              If the list v...  is also supplied, the keyUsage field must have
3792              at least the same bits set as the bits in one of the values sup‐
3793              plied in the list v...
3794
3795              The  key  usage  values in the list must be encoded in hex, e.g.
3796              "--remote-cert-ku a0"
3797
3798       --remote-cert-eku oid
3799              Require that  peer  certificate  was  signed  with  an  explicit
3800              extended key usage.
3801
3802              This is a useful security option for clients, to ensure that the
3803              host they connect to is a designated server.
3804
3805              The extended key usage should be encoded  in  oid  notation,  or
3806              OpenSSL symbolic representation.
3807
3808       --remote-cert-tls client|server
3809              Require  that  peer  certificate was signed with an explicit key
3810              usage and extended key usage based on RFC3280 TLS rules.
3811
3812              This is a useful security option for clients, to ensure that the
3813              host  they  connect to is a designated server.  Or the other way
3814              around; for a server to verify that only  hosts  with  a  client
3815              certificate can connect.
3816
3817              The   --remote-cert-tls   client   option   is   equivalent   to
3818              --remote-cert-ku --remote-cert-eku "TLS Web  Client  Authentica‐
3819              tion"
3820
3821              The   --remote-cert-tls   server   option   is   equivalent   to
3822              --remote-cert-ku --remote-cert-eku "TLS Web  Server  Authentica‐
3823              tion"
3824
3825              This  is  an  important security precaution to protect against a
3826              man-in-the-middle attack where an authorized client attempts  to
3827              connect  to  another  client  by  impersonating the server.  The
3828              attack is easily prevented by having clients verify  the  server
3829              certificate   using   any   one   of  --remote-cert-tls,  --ver‐
3830              ify-x509-name, or --tls-verify.
3831
3832       --crl-verify crl ['dir']
3833              Check peer certificate against the file crl in PEM format.
3834
3835              A CRL (certificate revocation list) is used  when  a  particular
3836              key is compromised but when the overall PKI is still intact.
3837
3838              Suppose  you had a PKI consisting of a CA, root certificate, and
3839              a number of client certificates.  Suppose a laptop computer con‐
3840              taining  a client key and certificate was stolen.  By adding the
3841              stolen certificate to the CRL file, you could reject any connec‐
3842              tion  which  attempts  to  use  it, while preserving the overall
3843              integrity of the PKI.
3844
3845              The only time when it would be necessary to rebuild  the  entire
3846              PKI from scratch would be if the root certificate key itself was
3847              compromised.
3848
3849              The option is not mandatory - if the relevant  CRL  is  missing,
3850              OpenVPN  will  log a warning in the logs - e.g. "VERIFY WARNING:
3851              depth=0, unable to get certificate CRL"  -  but  the  connection
3852              will be allowed.
3853
3854              If  the  optional dir flag is specified, enable a different mode
3855              where crl is a  directory  containing  files  named  as  revoked
3856              serial  numbers  (the files may be empty, the contents are never
3857              read).  If a client requests a connection, where the client cer‐
3858              tificate  serial  number  (decimal string) is the name of a file
3859              present in the directory, it will be rejected.
3860
3861              Note: As the crl file (or directory) is read every time  a  peer
3862              connects,  if you are dropping root privileges with --user, make
3863              sure that this user has sufficient privileges to read the file.
3864
3865   SSL Library information:
3866       --show-ciphers
3867              (Standalone) Show all cipher algorithms to use with the --cipher
3868              option.
3869
3870       --show-digests
3871              (Standalone)  Show all message digest algorithms to use with the
3872              --auth option.
3873
3874       --show-tls
3875              (Standalone) Show  all  TLS  ciphers  supported  by  the  crypto
3876              library.   OpenVPN  uses TLS to secure the control channel, over
3877              which the keys that are used to protect the actual  VPN  traffic
3878              are  exchanged.   The  TLS  ciphers  will be sorted from highest
3879              preference (most secure) to lowest.
3880
3881              Be aware that whether a cipher suite in this list  can  actually
3882              work  depends  on  the  specific  setup of both peers (e.g. both
3883              peers must support the cipher, and an ECDSA  cipher  suite  will
3884              not work if you are using an RSA certificate, etc.).
3885
3886       --show-engines
3887              (Standalone)  Show  currently  available  hardware-based  crypto
3888              acceleration engines supported by the OpenSSL library.
3889
3890       --show-curves
3891              (Standalone) Show all available elliptic curves to use with  the
3892              --ecdh-curve option.
3893
3894   Generate a random key:
3895       Used only for non-TLS static key encryption mode.
3896
3897       --genkey
3898              (Standalone)  Generate  a  random  key  to  be  used as a shared
3899              secret, for use with the --secret option.   This  file  must  be
3900              shared  with the peer over a pre-existing secure channel such as
3901              scp(1)
3902
3903       --secret file
3904              Write key to file.
3905
3906   TUN/TAP persistent tunnel config mode:
3907       Available with Linux 2.4.7+.  These options comprise a standalone  mode
3908       of OpenVPN which can be used to create and delete persistent tunnels.
3909
3910       --mktun
3911              (Standalone)  Create a persistent tunnel on platforms which sup‐
3912              port them such as Linux.  Normally TUN/TAP  tunnels  exist  only
3913              for  the period of time that an application has them open.  This
3914              option takes advantage of the TUN/TAP driver's ability to  build
3915              persistent  tunnels that live through multiple instantiations of
3916              OpenVPN and die only when they are deleted  or  the  machine  is
3917              rebooted.
3918
3919              One  of the advantages of persistent tunnels is that they elimi‐
3920              nate the need for separate --up and --down scripts  to  run  the
3921              appropriate  ifconfig(8)  and route(8) commands.  These commands
3922              can be placed in the the same shell script which starts or  ter‐
3923              minates an OpenVPN session.
3924
3925              Another   advantage   is   that  open  connections  through  the
3926              TUN/TAP-based tunnel will not  be  reset  if  the  OpenVPN  peer
3927              restarts.   This  can be useful to provide uninterrupted connec‐
3928              tivity through the tunnel in the event of a DHCP  reset  of  the
3929              peer's public IP address (see the --ipchange option above).
3930
3931              One  disadvantage  of persistent tunnels is that it is harder to
3932              automatically configure their  MTU  value  (see  --link-mtu  and
3933              --tun-mtu above).
3934
3935              On some platforms such as Windows, TAP-Win32 tunnels are persis‐
3936              tent by default.
3937
3938       --rmtun
3939              (Standalone) Remove a persistent tunnel.
3940
3941       --dev tunX | tapX
3942              TUN/TAP device
3943
3944       --user user
3945              Optional user to be owner of this tunnel.
3946
3947       --group group
3948              Optional group to be owner of this tunnel.
3949
3950   Windows-Specific Options:
3951       --win-sys path
3952              Set the Windows system directory pathname to  use  when  looking
3953              for  system  executables  such  as  route.exe and netsh.exe.  By
3954              default, if this directive is not specified,  OpenVPN  will  use
3955              the SystemRoot environment variable.
3956
3957              This  option have changed behaviour in OpenVPN 2.3.  Earlier you
3958              had to define --win-sys env to use  the  SystemRoot  environment
3959              variable,  otherwise  it  defaulted  to  C:\WINDOWS.   It is not
3960              needed to use the env keyword any more,  and  it  will  just  be
3961              ignored.  A warning is logged when this is found in the configu‐
3962              ration file.
3963
3964       --ip-win32 method
3965              When using --ifconfig on Windows, set the TAP-Win32  adapter  IP
3966              address  and netmask using method.  Don't use this option unless
3967              you are also using --ifconfig.
3968
3969              manual -- Don't set the IP  address  or  netmask  automatically.
3970              Instead output a message to the console telling the user to con‐
3971              figure the adapter manually and indicating the IP/netmask  which
3972              OpenVPN expects the adapter to be set to.
3973
3974              dynamic  [offset]  [lease-time]  --  Automatically  set  the  IP
3975              address and netmask by replying to DHCP query messages generated
3976              by  the  kernel.   This mode is probably the "cleanest" solution
3977              for setting the TCP/IP properties since it uses  the  well-known
3978              DHCP  protocol.  There are, however, two prerequisites for using
3979              this mode: (1) The TCP/IP properties for the  TAP-Win32  adapter
3980              must  be  set  to  "Obtain an IP address automatically," and (2)
3981              OpenVPN needs to claim an IP address in the subnet  for  use  as
3982              the  virtual DHCP server address.  By default in --dev tap mode,
3983              OpenVPN will take the normally unused first address in the  sub‐
3984              net.   For  example,  if  your  subnet  is  192.168.4.0  netmask
3985              255.255.255.0, then OpenVPN will take the IP address 192.168.4.0
3986              to  use  as the virtual DHCP server address.  In --dev tun mode,
3987              OpenVPN will cause the DHCP server to masquerade as if  it  were
3988              coming  from the remote endpoint.  The optional offset parameter
3989              is an integer which is > -256 and < 256 and  which  defaults  to
3990              -1.   If  offset is positive, the DHCP server will masquerade as
3991              the IP address at network address + offset.  If offset is  nega‐
3992              tive,  the  DHCP  server  will  masquerade  as the IP address at
3993              broadcast address + offset.  The Windows ipconfig  /all  command
3994              can  be used to show what Windows thinks the DHCP server address
3995              is.  OpenVPN will "claim" this address, so make sure  to  use  a
3996              free  address.   Having  said that, different OpenVPN instantia‐
3997              tions, including different ends  of  the  same  connection,  can
3998              share  the  same  virtual  DHCP  server address.  The lease-time
3999              parameter controls the lease time of the DHCP  assignment  given
4000              to the TAP-Win32 adapter, and is denoted in seconds.  Normally a
4001              very long lease time is preferred  because  it  prevents  routes
4002              involving  the TAP-Win32 adapter from being lost when the system
4003              goes to sleep.  The default lease time is one year.
4004
4005              netsh -- Automatically set the IP address and netmask using  the
4006              Windows  command-line  "netsh"  command.  This method appears to
4007              work correctly on Windows XP but not Windows 2000.
4008
4009              ipapi -- Automatically set the IP address and netmask using  the
4010              Windows IP Helper API.  This approach does not have ideal seman‐
4011              tics, though testing has indicated that it works okay  in  prac‐
4012              tice.   If  you  use this option, it is best to leave the TCP/IP
4013              properties for the TAP-Win32 adapter  in  their  default  state,
4014              i.e. "Obtain an IP address automatically."
4015
4016              adaptive -- (Default) Try dynamic method initially and fail over
4017              to netsh if the DHCP negotiation with the TAP-Win32 adapter does
4018              not  succeed  in  20  seconds.  Such failures have been known to
4019              occur when certain third-party firewall  packages  installed  on
4020              the  client  machine  block  the  DHCP  negotiation  used by the
4021              TAP-Win32 adapter.  Note that if the netsh failover occurs,  the
4022              TAP-Win32  adapter  TCP/IP properties will be reset from DHCP to
4023              static, and this will cause future OpenVPN  startups  using  the
4024              adaptive  mode  to  use  netsh  immediately,  rather than trying
4025              dynamic first.  To "unstick" the adaptive mode from using netsh,
4026              run  OpenVPN at least once using the dynamic mode to restore the
4027              TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
4028
4029       --route-method m
4030              Which method m to use for adding routes on Windows?
4031
4032              adaptive (default) -- Try IP helper API first.  If  that  fails,
4033              fall back to the route.exe shell command.
4034              ipapi -- Use IP helper API.
4035              exe -- Call the route.exe shell command.
4036
4037       --dhcp-option type [parm]
4038              Set  extended  TAP-Win32  TCP/IP  properties,  must be used with
4039              --ip-win32 dynamic or --ip-win32 adaptive.  This option  can  be
4040              used  to  set  additional  TCP/IP  properties  on  the TAP-Win32
4041              adapter, and is particularly useful for configuring  an  OpenVPN
4042              client to access a Samba server across the VPN.
4043
4044              DOMAIN name -- Set Connection-specific DNS Suffix.
4045
4046              DNS addr -- Set primary domain name server IPv4 or IPv6 address.
4047              Repeat this option to set secondary DNS server addresses.
4048
4049              Note: DNS IPv6 servers are currently set using netsh (the exist‐
4050              ing DHCP code can only do IPv4 DHCP, and that protocol only per‐
4051              mits IPv4 addresses anywhere).  The option will be put into  the
4052              environment, so an --up script could act upon it if needed.
4053
4054              WINS  addr  --  Set  primary  WINS  server address (NetBIOS over
4055              TCP/IP Name Server).  Repeat this option to set  secondary  WINS
4056              server addresses.
4057
4058              NBDD  addr  --  Set  primary  NBDD  server address (NetBIOS over
4059              TCP/IP Datagram Distribution Server) Repeat this option  to  set
4060              secondary NBDD server addresses.
4061
4062              NTP  addr -- Set primary NTP server address (Network Time Proto‐
4063              col).  Repeat this option to set secondary NTP server addresses.
4064
4065              NBT type  --  Set  NetBIOS  over  TCP/IP  Node  type.   Possible
4066              options:  1  =  b-node  (broadcasts), 2 = p-node (point-to-point
4067              name queries to a WINS server), 4 = m-node (broadcast then query
4068              name  server),  and  8  = h-node (query name server, then broad‐
4069              cast).
4070
4071              NBS scope-id -- Set NetBIOS over TCP/IP Scope. A  NetBIOS  Scope
4072              ID  provides  an  extended  naming  service for the NetBIOS over
4073              TCP/IP (Known as NBT) module. The primary purpose of  a  NetBIOS
4074              scope  ID  is  to isolate NetBIOS traffic on a single network to
4075              only those nodes with the same NetBIOS scope  ID.   The  NetBIOS
4076              scope  ID  is a character string that is appended to the NetBIOS
4077              name. The NetBIOS scope ID on two hosts must match, or  the  two
4078              hosts will not be able to communicate. The NetBIOS Scope ID also
4079              allows computers to use the same computer  name,  as  they  have
4080              different  scope IDs. The Scope ID becomes a part of the NetBIOS
4081              name, making the name  unique.   (This  description  of  NetBIOS
4082              scopes courtesy of NeonSurge@abyss.com)
4083
4084              DISABLE-NBT -- Disable Netbios-over-TCP/IP.
4085
4086              Note that if --dhcp-option is pushed via --push to a non-windows
4087              client, the option will be saved  in  the  client's  environment
4088              before   the   up   script  is  called,  under  the  name  "for‐
4089              eign_option_{n}".
4090
4091       --tap-sleep n
4092              Cause OpenVPN to sleep  for  n  seconds  immediately  after  the
4093              TAP-Win32 adapter state is set to "connected".
4094
4095              This option is intended to be used to troubleshoot problems with
4096              the --ifconfig and --ip-win32 options, and is used to  give  the
4097              TAP-Win32  adapter  time to come up before Windows IP Helper API
4098              operations are applied to it.
4099
4100       --show-net-up
4101              Output OpenVPN's view of the system routing  table  and  network
4102              adapter list to the syslog or log file after the TUN/TAP adapter
4103              has been brought up and any routes have been added.
4104
4105       --block-outside-dns
4106              Block DNS servers on  other  network  adapters  to  prevent  DNS
4107              leaks.  This  option prevents any application from accessing TCP
4108              or UDP port 53 except one inside the  tunnel.  It  uses  Windows
4109              Filtering Platform (WFP) and works on Windows Vista or later.
4110
4111              This  option  is considered unknown on non-Windows platforms and
4112              unsupported on Windows XP, resulting in fatal  error.   You  may
4113              want  to  use --setenv opt or --ignore-unknown-option (not suit‐
4114              able for Windows XP) to ignore said error.   Note  that  pushing
4115              unknown options from server does not trigger fatal errors.
4116
4117       --dhcp-renew
4118              Ask  Windows  to  renew  the TAP adapter lease on startup.  This
4119              option is normally unnecessary, as Windows  automatically  trig‐
4120              gers  a  DHCP renegotiation on the TAP adapter when it comes up,
4121              however if you set the TAP-Win32 adapter Media  Status  property
4122              to "Always Connected", you may need this flag.
4123
4124       --dhcp-release
4125              Ask  Windows to release the TAP adapter lease on shutdown.  This
4126              option has no effect now, as it is enabled by  default  starting
4127              with OpenVPN 2.4.1.
4128
4129       --register-dns
4130              Run  ipconfig  /flushdns and ipconfig /registerdns on connection
4131              initiation.  This is known  to  kick  Windows  into  recognizing
4132              pushed DNS servers.
4133
4134       --pause-exit
4135              Put  up  a  "press  any  key to continue" message on the console
4136              prior to OpenVPN program exit.   This  option  is  automatically
4137              used by the Windows explorer when OpenVPN is run on a configura‐
4138              tion file using the right-click explorer menu.
4139
4140       --service exit-event [0|1]
4141              Should be used when OpenVPN is being automatically  executed  by
4142              another  program  in such a context that no interaction with the
4143              user via display or keyboard is possible.  In general, end-users
4144              should  never need to explicitly use this option, as it is auto‐
4145              matically added by the OpenVPN  service  wrapper  when  a  given
4146              OpenVPN configuration is being run as a service.
4147
4148              exit-event  is  the  name  of a Windows global event object, and
4149              OpenVPN will continuously monitor the state of this event object
4150              and exit when it becomes signaled.
4151
4152              The  second  parameter indicates the initial state of exit-event
4153              and normally defaults to 0.
4154
4155              Multiple OpenVPN processes can be simultaneously  executed  with
4156              the  same  exit-event  parameter.   In any case, the controlling
4157              process can signal exit-event, causing  all  such  OpenVPN  pro‐
4158              cesses to exit.
4159
4160              When executing an OpenVPN process using the --service directive,
4161              OpenVPN will probably not have a console window to  output  sta‐
4162              tus/error  messages,  therefore  it  is  useful  to use --log or
4163              --log-append to write these messages to a file.
4164
4165       --show-adapters
4166              (Standalone) Show available  TAP-Win32  adapters  which  can  be
4167              selected  using  the --dev-node option.  On non-Windows systems,
4168              the ifconfig(8) command provides similar functionality.
4169
4170       --allow-nonadmin [TAP-adapter]
4171              (Standalone) Set TAP-adapter to allow access  from  non-adminis‐
4172              trative  accounts.   If TAP-adapter is omitted, all TAP adapters
4173              on the system will be configured to allow non-admin access.  The
4174              non-admin  access  setting  will  only persist for the length of
4175              time that the TAP-Win32 device object and driver remain  loaded,
4176              and  will need to be re-enabled after a reboot, or if the driver
4177              is unloaded and reloaded.  This directive can only be used by an
4178              administrator.
4179
4180       --show-valid-subnets
4181              (Standalone)  Show valid subnets for --dev tun emulation.  Since
4182              the TAP-Win32 driver exports an ethernet interface  to  Windows,
4183              and since TUN devices are point-to-point in nature, it is neces‐
4184              sary for the TAP-Win32 driver to impose certain  constraints  on
4185              TUN endpoint address selection.
4186
4187              Namely,  the  point-to-point endpoints used in TUN device emula‐
4188              tion must be the middle two addresses of a /30  subnet  (netmask
4189              255.255.255.252).
4190
4191       --show-net
4192              (Standalone) Show OpenVPN's view of the system routing table and
4193              network adapter list.
4194
4195   PKCS#11 Standalone Options:
4196       --show-pkcs11-ids [provider] [cert_private]
4197              (Standalone) Show PKCS#11 token object list.  Specify  cert_pri‐
4198              vate as 1 if certificates are stored as private objects.
4199
4200              If  p11-kit  is  present on the system, the provider argument is
4201              optional; if omitted the default p11-kit-proxy.so module will be
4202              queried.
4203
4204              --verb  option  can be used BEFORE this option to produce debug‐
4205              ging information.
4206
4207   Standalone Debug Options:
4208       --show-gateway [v6target]
4209              (Standalone) Show current IPv4  and  IPv6  default  gateway  and
4210              interface  towards  the  gateway (if the protocol in question is
4211              enabled).  If an IPv6 address is passed as  argument,  the  IPv6
4212              route for this host is reported.
4213
4214   IPv6 Related Options
4215       The  following  options exist to support IPv6 tunneling in peer-to-peer
4216       and client-server mode.  All options are modeled after their IPv4 coun‐
4217       terparts,  so more detailed explanations given there apply here as well
4218       (except for --topology , which has no effect on IPv6).
4219
4220       --ifconfig-ipv6 ipv6addr/bits ipv6remote
4221              configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
4222              second  parameter is used as route target for --route-ipv6 if no
4223              gateway is specified.
4224
4225       --route-ipv6 ipv6addr/bits [gateway] [metric]
4226              setup IPv6 routing in the system to send the specified IPv6 net‐
4227              work into OpenVPN's ``tun''.  The gateway parameter is only used
4228              for IPv6 routes across ``tap''  devices,  and  if  missing,  the
4229              ``ipv6remote'' field from --ifconfig-ipv6 is used.
4230
4231       --server-ipv6 ipv6addr/bits
4232              convenience-function  to enable a number of IPv6 related options
4233              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
4234              tun-ipv6  Is  only accepted if ``--mode server'' or ``--server''
4235              is set. Pushing of the --tun-ipv6 directive is  done  for  older
4236              clients  which  require an explicit ``--tun-ipv6'' in their con‐
4237              figuration.
4238
4239       --ifconfig-ipv6-pool ipv6addr/bits
4240              Specify an IPv6 address pool for dynamic assignment to  clients.
4241              The  pool  starts  at ipv6addr and matches the offset determined
4242              from the start of the IPv4 pool.
4243
4244       --ifconfig-ipv6-push ipv6addr/bits ipv6remote
4245              for ccd/ per-client static  IPv6  interface  configuration,  see
4246              --client-config-dir and --ifconfig-push for more details.
4247
4248       --iroute-ipv6 ipv6addr/bits
4249              for   ccd/  per-client  static  IPv6  route  configuration,  see
4250              --iroute for more details how to setup and  use  this,  and  how
4251              --iroute and --route interact.
4252
4253

SCRIPTING AND ENVIRONMENTAL VARIABLES

4255       OpenVPN  exports  a  series  of  environmental  variables  for  use  by
4256       user-defined scripts.
4257
4258   Script Order of Execution
4259       --up   Executed after TCP/UDP socket bind and TUN/TAP open.
4260
4261       --tls-verify
4262              Executed when we have a still untrusted remote peer.
4263
4264       --ipchange
4265              Executed after connection authentication, or remote  IP  address
4266              change.
4267
4268       --client-connect
4269              Executed  in --mode server mode immediately after client authen‐
4270              tication.
4271
4272       --route-up
4273              Executed after  connection  authentication,  either  immediately
4274              after,  or  some  number  of  seconds  after  as  defined by the
4275              --route-delay option.
4276
4277       --route-pre-down
4278              Executed right before the routes are removed.
4279
4280       --client-disconnect
4281              Executed in --mode server mode on client instance shutdown.
4282
4283       --down Executed after TCP/UDP and TUN/TAP close.
4284
4285       --learn-address
4286              Executed in --mode server mode whenever an IPv4 address/route or
4287              MAC address is added to OpenVPN's internal routing table.
4288
4289       --auth-user-pass-verify
4290              Executed  in  --mode server mode on new client connections, when
4291              the client is still untrusted.
4292
4293   String Types and Remapping
4294       In certain cases, OpenVPN  will  perform  remapping  of  characters  in
4295       strings.   Essentially,  any  characters  outside  the set of permitted
4296       characters for each string type will be converted to underbar ('_').
4297
4298       Q: Why is string remapping necessary?
4299
4300       A: It's an important security feature to prevent the  malicious  coding
4301       of  strings  from  untrusted  sources  to  be  passed  as parameters to
4302       scripts, saved in the environment, used as a common name, translated to
4303       a filename, etc.
4304
4305       Q: Can string remapping be disabled?
4306
4307       A: Yes, by using the --no-name-remapping option, however this should be
4308       considered an advanced option.
4309
4310       Here is a brief rundown of OpenVPN's current string types and the  per‐
4311       mitted character class for each string:
4312
4313       X509  Names:  Alphanumeric,  underbar  ('_'), dash ('-'), dot ('.'), at
4314       ('@'), colon (':'), slash ('/'),  and  equal  ('=').   Alphanumeric  is
4315       defined  as  a character which will cause the C library isalnum() func‐
4316       tion to return true.
4317
4318       Common Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'),  and
4319       at ('@').
4320
4321       --auth-user-pass  username:  Same  as  Common Name, with one exception:
4322       starting with OpenVPN 2.0.1,  the  username  is  passed  to  the  OPEN‐
4323       VPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string
4324       remapping.
4325
4326       --auth-user-pass password: Any "printable" character except CR  or  LF.
4327       Printable  is  defined to be a character which will cause the C library
4328       isprint() function to return true.
4329
4330       --client-config-dir filename as derived from common name  or  username:
4331       Alphanumeric,  underbar ('_'), dash ('-'), and dot ('.') except for "."
4332       or ".." as standalone strings.  As of v2.0.1-rc6, the at ('@')  charac‐
4333       ter has been added as well for compatibility with the common name char‐
4334       acter class.
4335
4336       Environmental variable names: Alphanumeric or underbar ('_').
4337
4338       Environmental variable values: Any printable character.
4339
4340       For all cases, characters in a string which  are  not  members  of  the
4341       legal character class for that string type will be remapped to underbar
4342       ('_').
4343
4344   Environmental Variables
4345       Once set, a variable is persisted indefinitely until it is reset  by  a
4346       new value or a restart,
4347
4348       As  of  OpenVPN 2.0-beta12, in server mode, environmental variables set
4349       by OpenVPN are scoped according to the client objects they are  associ‐
4350       ated with, so there should not be any issues with scripts having access
4351       to stale, previously set variables  which  refer  to  different  client
4352       instances.
4353
4354       bytes_received
4355              Total  number  of bytes received from client during VPN session.
4356              Set prior to execution of the --client-disconnect script.
4357
4358       bytes_sent
4359              Total number of bytes sent to client during  VPN  session.   Set
4360              prior to execution of the --client-disconnect script.
4361
4362       common_name
4363              The  X509  common name of an authenticated client.  Set prior to
4364              execution   of   --client-connect,   --client-disconnect,    and
4365              --auth-user-pass-verify scripts.
4366
4367       config Name  of  first  --config  file.   Set on program initiation and
4368              reset on SIGHUP.
4369
4370       daemon Set to "1" if the --daemon directive is specified, or "0" other‐
4371              wise.  Set on program initiation and reset on SIGHUP.
4372
4373       daemon_log_redirect
4374              Set  to  "1"  if the --log or --log-append directives are speci‐
4375              fied, or "0" otherwise.  Set on program initiation and reset  on
4376              SIGHUP.
4377
4378       dev    The  actual  name of the TUN/TAP device, including a unit number
4379              if it exists.  Set prior to --up or --down script execution.
4380
4381       dev_idx
4382              On Windows, the device index of the TUN/TAP adapter (to be  used
4383              in  netsh.exe  calls which sometimes just do not work right with
4384              interface names).  Set prior to --up or --down script execution.
4385
4386       foreign_option_{n}
4387              An option pushed via --push to a client which does not  natively
4388              support  it, such as --dhcp-option on a non-Windows system, will
4389              be recorded to this environmental  variable  sequence  prior  to
4390              --up script execution.
4391
4392       ifconfig_broadcast
4393              The  broadcast address for the virtual ethernet segment which is
4394              derived from the --ifconfig option when --dev tap is used.   Set
4395              prior  to OpenVPN calling the ifconfig or netsh (windows version
4396              of ifconfig) commands which normally occurs prior to --up script
4397              execution.
4398
4399       ifconfig_ipv6_local
4400              The  local  VPN  endpoint IPv6 address specified in the --ifcon‐
4401              fig-ipv6 option (first parameter).  Set prior to OpenVPN calling
4402              the  ifconfig  or  netsh  (windows version of ifconfig) commands
4403              which normally occurs prior to --up script execution.
4404
4405       ifconfig_ipv6_netbits
4406              The prefix length of the IPv6  network  on  the  VPN  interface.
4407              Derived  from  the  /nnn  parameter  of  the IPv6 address in the
4408              --ifconfig-ipv6 option (first parameter).  Set prior to  OpenVPN
4409              calling the ifconfig or netsh (windows version of ifconfig) com‐
4410              mands which normally occurs prior to --up script execution.
4411
4412       ifconfig_ipv6_remote
4413              The remote VPN endpoint IPv6 address specified in  the  --ifcon‐
4414              fig-ipv6  option (second parameter).  Set prior to OpenVPN call‐
4415              ing the ifconfig or netsh (windows version of ifconfig) commands
4416              which normally occurs prior to --up script execution.
4417
4418       ifconfig_local
4419              The  local  VPN  endpoint IP address specified in the --ifconfig
4420              option (first parameter).  Set  prior  to  OpenVPN  calling  the
4421              ifconfig  or  netsh (windows version of ifconfig) commands which
4422              normally occurs prior to --up script execution.
4423
4424       ifconfig_remote
4425              The remote VPN endpoint IP address specified in  the  --ifconfig
4426              option  (second parameter) when --dev tun is used.  Set prior to
4427              OpenVPN calling the ifconfig or netsh (windows version of ifcon‐
4428              fig)  commands which normally occurs prior to --up script execu‐
4429              tion.
4430
4431       ifconfig_netmask
4432              The subnet mask of the virtual ethernet segment that  is  speci‐
4433              fied  as  the  second  parameter to --ifconfig when --dev tap is
4434              being used.  Set prior to OpenVPN calling the ifconfig or  netsh
4435              (windows  version  of  ifconfig)  commands which normally occurs
4436              prior to --up script execution.
4437
4438       ifconfig_pool_local_ip
4439              The local virtual IP address for the TUN/TAP tunnel  taken  from
4440              an --ifconfig-push directive if specified, or otherwise from the
4441              ifconfig pool (controlled by  the  --ifconfig-pool  config  file
4442              directive).  Only set for --dev tun tunnels.  This option is set
4443              on the server prior to execution  of  the  --client-connect  and
4444              --client-disconnect scripts.
4445
4446       ifconfig_pool_netmask
4447              The  virtual  IP  netmask  for  the TUN/TAP tunnel taken from an
4448              --ifconfig-push directive if specified, or  otherwise  from  the
4449              ifconfig  pool  (controlled  by  the --ifconfig-pool config file
4450              directive).  Only set for --dev tap tunnels.  This option is set
4451              on  the  server  prior  to execution of the --client-connect and
4452              --client-disconnect scripts.
4453
4454       ifconfig_pool_remote_ip
4455              The remote virtual IP address for the TUN/TAP tunnel taken  from
4456              an --ifconfig-push directive if specified, or otherwise from the
4457              ifconfig pool (controlled by  the  --ifconfig-pool  config  file
4458              directive).  This option is set on the server prior to execution
4459              of the --client-connect and --client-disconnect scripts.
4460
4461       link_mtu
4462              The maximum packet size (not including the IP header) of  tunnel
4463              data  in UDP tunnel transport mode.  Set prior to --up or --down
4464              script execution.
4465
4466       local  The --local parameter.  Set on program initiation and  reset  on
4467              SIGHUP.
4468
4469       local_port
4470              The  local  port number or name, specified by --port or --lport.
4471              Set on program initiation and reset on SIGHUP.
4472
4473       password
4474              The password provided by a  connecting  client.   Set  prior  to
4475              --auth-user-pass-verify  script  execution only when the via-env
4476              modifier is specified, and deleted from  the  environment  after
4477              the script returns.
4478
4479       proto  The  --proto  parameter.  Set on program initiation and reset on
4480              SIGHUP.
4481
4482       remote_{n}
4483              The --remote parameter.  Set on program initiation and reset  on
4484              SIGHUP.
4485
4486       remote_port_{n}
4487              The  remote port number, specified by --port or --rport.  Set on
4488              program initiation and reset on SIGHUP.
4489
4490       route_net_gateway
4491              The pre-existing default IP gateway in the system routing table.
4492              Set prior to --up script execution.
4493
4494       route_vpn_gateway
4495              The  default  gateway  used  by --route options, as specified in
4496              either the --route-gateway option or  the  second  parameter  to
4497              --ifconfig  when  --dev  tun  is  specified.   Set prior to --up
4498              script execution.
4499
4500       route_{parm}_{n}
4501              A set of variables which define each route to be added, and  are
4502              set prior to --up script execution.
4503
4504              parm  will  be  one of "network", "netmask", "gateway", or "met‐
4505              ric".
4506
4507              n is the OpenVPN route number, starting from 1.
4508
4509              If the network or gateway are resolvable  DNS  names,  their  IP
4510              address translations will be recorded rather than their names as
4511              denoted on the command line or configuration file.
4512
4513       route_ipv6_{parm}_{n}
4514              A set of variables which define each IPv6 route to be added, and
4515              are set prior to --up script execution.
4516
4517              parm  will  be  one of "network" or "gateway" ("netmask" is con‐
4518              tained as "/nnn"  in  the  route_ipv6_network_{n},  unlike  IPv4
4519              where it is passed in a separate environment variable).
4520
4521              n is the OpenVPN route number, starting from 1.
4522
4523              If  the  network  or  gateway are resolvable DNS names, their IP
4524              address translations will be recorded rather than their names as
4525              denoted on the command line or configuration file.
4526
4527       peer_cert
4528              Temporary  file name containing the client certificate upon con‐
4529              nection.  Useful in conjunction with --tls-verify
4530
4531       script_context
4532              Set to "init" or "restart" prior to  up/down  script  execution.
4533              For more information, see documentation for --up.
4534
4535       script_type
4536              Prior  to  execution  of any script, this variable is set to the
4537              type of script being run.  It can be one of the  following:  up,
4538              down,  ipchange,  route-up,  tls-verify,  auth-user-pass-verify,
4539              client-connect, client-disconnect, or learn-address.  Set  prior
4540              to execution of any script.
4541
4542       signal The  reason for exit or restart.  Can be one of sigusr1, sighup,
4543              sigterm, sigint, inactive  (controlled  by  --inactive  option),
4544              ping-exit (controlled by --ping-exit option), ping-restart (con‐
4545              trolled by --ping-restart option),  connection-reset  (triggered
4546              on  TCP  connection  reset), error, or unknown (unknown signal).
4547              This variable is set just prior to down script execution.
4548
4549       time_ascii
4550              Client connection timestamp, formatted as a human-readable  time
4551              string.  Set prior to execution of the --client-connect script.
4552
4553       time_duration
4554              The  duration  (in  seconds)  of the client session which is now
4555              disconnecting.  Set prior to execution of  the  --client-discon‐
4556              nect script.
4557
4558       time_unix
4559              Client   connection  timestamp,  formatted  as  a  unix  integer
4560              date/time value.  Set prior to execution of the --client-connect
4561              script.
4562
4563       tls_digest_{n} / tls_digest_sha256_{n}
4564              Contains  the  certificate SHA1 / SHA256 fingerprint, where n is
4565              the verification level.  Only  set  for  TLS  connections.   Set
4566              prior to execution of --tls-verify script.
4567
4568       tls_id_{n}
4569              A  series of certificate fields from the remote peer, where n is
4570              the verification level.  Only  set  for  TLS  connections.   Set
4571              prior to execution of --tls-verify script.
4572
4573       tls_serial_{n}
4574              The serial number of the certificate from the remote peer, where
4575              n is the verification level.  Only set for TLS connections.  Set
4576              prior  to  execution of --tls-verify script. This is in the form
4577              of a decimal string like  "933971680",  which  is  suitable  for
4578              doing  serial-based  OCSP  queries (with OpenSSL, do not prepend
4579              "0x" to the string) If something goes wrong  while  reading  the
4580              value  from  the certificate it will be an empty string, so your
4581              code     should     check     that.       See      the      con‐
4582              trib/OCSP_check/OCSP_check.sh script for an example.
4583
4584       tls_serial_hex_{n}
4585              Like tls_serial_{n}, but in hex form (e.g. "12:34:56:78:9A").
4586
4587       tun_mtu
4588              The  MTU  of  the  TUN/TAP  device.  Set prior to --up or --down
4589              script execution.
4590
4591       trusted_ip (or trusted_ip6)
4592              Actual IP address of connecting client or peer  which  has  been
4593              authenticated.    Set   prior   to   execution   of  --ipchange,
4594              --client-connect, and  --client-disconnect  scripts.   If  using
4595              ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.
4596
4597       trusted_port
4598              Actual  port  number of connecting client or peer which has been
4599              authenticated.   Set   prior   to   execution   of   --ipchange,
4600              --client-connect, and --client-disconnect scripts.
4601
4602       untrusted_ip (or untrusted_ip6)
4603              Actual  IP  address  of  connecting client or peer which has not
4604              been authenticated yet.  Sometimes used to nmap  the  connecting
4605              host  in  a --tls-verify script to ensure it is firewalled prop‐
4606              erly.    Set   prior   to   execution   of   --tls-verify    and
4607              --auth-user-pass-verify scripts.  If using ipv6 endpoints (udp6,
4608              tcp6), untrusted_ip6 will be set instead.
4609
4610       untrusted_port
4611              Actual port number of connecting client or peer  which  has  not
4612              been  authenticated yet.  Set prior to execution of --tls-verify
4613              and --auth-user-pass-verify scripts.
4614
4615       username
4616              The username provided by a  connecting  client.   Set  prior  to
4617              --auth-user-pass-verify  script  execution only when the via-env
4618              modifier is specified.
4619
4620       X509_{n}_{subject_field}
4621              An X509 subject field from the remote peer certificate, where  n
4622              is  the  verification level.  Only set for TLS connections.  Set
4623              prior to execution of --tls-verify  script.   This  variable  is
4624              similar  to  tls_id_{n} except the component X509 subject fields
4625              are broken out, and no string remapping occurs  on  these  field
4626              values (except for remapping of control characters to "_").  For
4627              example, the following variables would be  set  on  the  OpenVPN
4628              server  using  the  sample  client  certificate  in  sample-keys
4629              (client.crt).  Note that the verification level  is  0  for  the
4630              client certificate and 1 for the CA certificate.
4631
4632                  X509_0_emailAddress=me@myhost.mydomain
4633                  X509_0_CN=Test-Client
4634                  X509_0_O=OpenVPN-TEST
4635                  X509_0_ST=NA
4636                  X509_0_C=KG
4637                  X509_1_emailAddress=me@myhost.mydomain
4638                  X509_1_O=OpenVPN-TEST
4639                  X509_1_L=BISHKEK
4640                  X509_1_ST=NA
4641                  X509_1_C=KG
4642

INLINE FILE SUPPORT

4644       OpenVPN  allows including files in the main configuration for the --ca,
4645       --cert, --dh, --extra-certs, --key, --pkcs12,  --secret,  --crl-verify,
4646       --http-proxy-user-pass, --tls-auth and --tls-crypt options.
4647
4648       Each  inline  file  started  by the line <option> and ended by the line
4649       </option>
4650
4651       Here is an example of an inline file usage
4652
4653           <cert>
4654           -----BEGIN CERTIFICATE-----
4655           [...]
4656           -----END CERTIFICATE-----
4657           </cert>
4658
4659       When using the inline file feature with --pkcs12 the inline file has to
4660       be  base64 encoded. Encoding of a .p12 file into base64 can be done for
4661       example with OpenSSL by running openssl base64 -in input.p12
4662
4663

SIGNALS

4665       SIGHUP Cause OpenVPN to close  all  TUN/TAP  and  network  connections,
4666              restart,  re-read  the  configuration  file (if any), and reopen
4667              TUN/TAP and network connections.
4668
4669       SIGUSR1
4670              Like SIGHUP, except don't re-read configuration file, and possi‐
4671              bly  don't  close  and reopen TUN/TAP device, re-read key files,
4672              preserve  local  IP  address/port,  or  preserve  most  recently
4673              authenticated  remote  IP  address/port  based on --persist-tun,
4674              --persist-key,   --persist-local-ip,   and   --persist-remote-ip
4675              options respectively (see above).
4676
4677              This signal may also be internally generated by a timeout condi‐
4678              tion, governed by the --ping-restart option.
4679
4680              This signal, when combined with --persist-remote-ip, may be sent
4681              when  the  underlying parameters of the host's network interface
4682              change such as when the host is a DHCP client and is assigned  a
4683              new IP address.  See --ipchange above for more information.
4684
4685       SIGUSR2
4686              Causes  OpenVPN to display its current statistics (to the syslog
4687              file if --daemon is used, or stdout otherwise).
4688
4689       SIGINT, SIGTERM
4690              Causes OpenVPN to exit gracefully.
4691

TUN/TAP DRIVER SETUP

4693       If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP
4694       driver already installed.  If so, there are still a few things you need
4695       to do:
4696
4697       Make device: mknod /dev/net/tun c 10 200
4698
4699       Load driver: modprobe tun
4700

EXAMPLES

4702       Prior to running these examples, you should have OpenVPN  installed  on
4703       two  machines  with network connectivity between them.  If you have not
4704       yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
4705       distribution.
4706
4707   TUN/TAP Setup:
4708       If you are using Linux 2.4 or higher, make the tun device node and load
4709       the tun module:
4710
4711              mknod /dev/net/tun c 10 200
4712
4713              modprobe tun
4714
4715       If you installed from RPM, the mknod step may be omitted,  because  the
4716       RPM install does that for you.
4717
4718       Only Linux 2.4 and newer are supported.
4719
4720       For   other   platforms,  consult  the  INSTALL  file  at  http://open
4721       vpn.net/install.html for more information.
4722
4723   Firewall Setup:
4724       If firewalls exist between the two machines, they should be set to for‐
4725       ward UDP port 1194 in both directions.  If you do not have control over
4726       the firewalls between the two machines, you may still be  able  to  use
4727       OpenVPN  by adding --ping 15 to each of the openvpn commands used below
4728       in the examples (this will cause each peer to send out a  UDP  ping  to
4729       its  remote  peer  once every 15 seconds which will cause many stateful
4730       firewalls to forward packets in both  directions  without  an  explicit
4731       firewall rule).
4732
4733       If you are using a Linux iptables-based firewall, you may need to enter
4734       the following command to allow incoming packets on the TUN device:
4735
4736              iptables -A INPUT -i tun+ -j ACCEPT
4737
4738       See the firewalls section below for  more  information  on  configuring
4739       firewalls for use with OpenVPN.
4740
4741   VPN Address Setup:
4742       For  purposes of our example, our two machines will be called bob.exam‐
4743       ple.com and alice.example.com.  If you are constructing a VPN over  the
4744       internet,  then  replace bob.example.com and alice.example.com with the
4745       internet hostname or IP address that each machine will use  to  contact
4746       the other over the internet.
4747
4748       Now  we will choose the tunnel endpoints.  Tunnel endpoints are private
4749       IP addresses that only have meaning in the context of  the  VPN.   Each
4750       machine  will use the tunnel endpoint of the other machine to access it
4751       over the VPN.  In our example, the tunnel endpoint for  bob.example.com
4752       will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
4753
4754       Once  the  VPN  is  established,  you have essentially created a secure
4755       alternate path between the two hosts which is addressed  by  using  the
4756       tunnel endpoints.  You can control which network traffic passes between
4757       the hosts (a) over the VPN or (b) independently of the VPN, by choosing
4758       whether  to use (a) the VPN endpoint address or (b) the public internet
4759       address, to access the remote host. For example if you are on bob.exam‐
4760       ple.com  and  you  wish to connect to alice.example.com via ssh without
4761       using the VPN (since ssh has its own built-in security) you  would  use
4762       the  command  ssh alice.example.com.  However in the same scenario, you
4763       could also use the command telnet 10.4.0.2 to create a  telnet  session
4764       with  alice.example.com  over the VPN, that would use the VPN to secure
4765       the session rather than ssh.
4766
4767       You can use any address you wish for the tunnel endpoints but make sure
4768       that  they  are  private addresses (such as those that begin with 10 or
4769       192.168) and that they are not part of any existing subnet on the  net‐
4770       works  of  either peer, unless you are bridging.  If you use an address
4771       that is part of your local subnet for either of the  tunnel  endpoints,
4772       you will get a weird feedback loop.
4773
4774   Example 1: A simple tunnel without security
4775       On bob:
4776
4777              openvpn   --remote   alice.example.com   --dev  tun1  --ifconfig
4778              10.4.0.1 10.4.0.2 --verb 9
4779
4780       On alice:
4781
4782              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4783              10.4.0.1 --verb 9
4784
4785       Now verify the tunnel is working by pinging across the tunnel.
4786
4787       On bob:
4788
4789              ping 10.4.0.2
4790
4791       On alice:
4792
4793              ping 10.4.0.1
4794
4795       The  --verb  9  option will produce verbose output, similar to the tcp‐
4796       dump(8) program.  Omit the --verb 9 option to have OpenVPN run quietly.
4797
4798   Example 2: A tunnel with  static-key  security  (i.e.  using  a  pre-shared
4799       secret)
4800       First build a static key on bob.
4801
4802              openvpn --genkey --secret key
4803
4804       This command will build a random key file called key (in ascii format).
4805       Now copy key to alice over a secure medium such as by using the  scp(1)
4806       program.
4807
4808       On bob:
4809
4810              openvpn   --remote   alice.example.com   --dev  tun1  --ifconfig
4811              10.4.0.1 10.4.0.2 --verb 5 --secret key
4812
4813       On alice:
4814
4815              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4816              10.4.0.1 --verb 5 --secret key
4817
4818       Now verify the tunnel is working by pinging across the tunnel.
4819
4820       On bob:
4821
4822              ping 10.4.0.2
4823
4824       On alice:
4825
4826              ping 10.4.0.1
4827
4828   Example 3: A tunnel with full TLS-based security
4829       For this test, we will designate bob as the TLS client and alice as the
4830       TLS server.  Note that client or server designation  only  has  meaning
4831       for  the  TLS  subsystem.  It has no bearing on OpenVPN's peer-to-peer,
4832       UDP-based communication model.
4833
4834       First, build a separate certificate/key pair for  both  bob  and  alice
4835       (see  above  where  --cert is discussed for more info).  Then construct
4836       Diffie Hellman parameters (see above where --dh is discussed  for  more
4837       info).    You   can  also  use  the  included  test  files  client.crt,
4838       client.key, server.crt, server.key and ca.crt.  The .crt files are cer‐
4839       tificates/public-keys, the .key files are private keys, and ca.crt is a
4840       certification authority who has signed both client.crt and  server.crt.
4841       For Diffie Hellman parameters you can use the included file dh1024.pem.
4842       Note that all client, server, and  certificate  authority  certificates
4843       and  keys included in the OpenVPN distribution are totally insecure and
4844       should be used for testing only.
4845
4846       On bob:
4847
4848              openvpn  --remote  alice.example.com   --dev   tun1   --ifconfig
4849              10.4.0.1  10.4.0.2  --tls-client  --ca  ca.crt --cert client.crt
4850              --key client.key --reneg-sec 60 --verb 5
4851
4852       On alice:
4853
4854              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4855              10.4.0.1   --tls-server   --dh  dh1024.pem  --ca  ca.crt  --cert
4856              server.crt --key server.key --reneg-sec 60 --verb 5
4857
4858       Now verify the tunnel is working by pinging across the tunnel.
4859
4860       On bob:
4861
4862              ping 10.4.0.2
4863
4864       On alice:
4865
4866              ping 10.4.0.1
4867
4868       Notice the --reneg-sec 60 option we used above.  That tells OpenVPN  to
4869       renegotiate the data channel keys every minute.  Since we used --verb 5
4870       above, you will see status information on each new key negotiation.
4871
4872       For production operations, a key renegotiation interval of  60  seconds
4873       is  probably too frequent.  Omit the --reneg-sec 60 option to use Open‐
4874       VPN's default key renegotiation interval of one hour.
4875
4876   Routing:
4877       Assuming you can ping across the tunnel, the next step is  to  route  a
4878       real  subnet  over  the secure tunnel.  Suppose that bob and alice have
4879       two network interfaces each, one connected to  the  internet,  and  the
4880       other  to a private network.  Our goal is to securely connect both pri‐
4881       vate networks.  We will assume that bob's private subnet is 10.0.0.0/24
4882       and alice's is 10.0.1.0/24.
4883
4884       First,  ensure  that IP forwarding is enabled on both peers.  On Linux,
4885       enable routing:
4886
4887              echo 1 > /proc/sys/net/ipv4/ip_forward
4888
4889       and enable TUN packet forwarding through the firewall:
4890
4891              iptables -A FORWARD -i tun+ -j ACCEPT
4892
4893       On bob:
4894
4895              route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
4896
4897       On alice:
4898
4899              route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
4900
4901       Now any machine on the 10.0.0.0/24 subnet can access any machine on the
4902       10.0.1.0/24 subnet over the secure tunnel (or vice versa).
4903
4904       In  a  production  environment, you could put the route command(s) in a
4905       script and execute with the --up option.
4906

FIREWALLS

4908       OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
4909       You  should add an entry to your firewall rules to allow incoming Open‐
4910       VPN packets.  On Linux 2.4+:
4911
4912              iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
4913
4914       This will allow incoming packets on UDP port  1194  (OpenVPN's  default
4915       UDP port) from an OpenVPN peer at 1.2.3.4.
4916
4917       If  you  are using HMAC-based packet authentication (the default in any
4918       of OpenVPN's secure  modes),  having  the  firewall  filter  on  source
4919       address can be considered optional, since HMAC packet authentication is
4920       a much more secure method of verifying the  authenticity  of  a  packet
4921       source.  In that case:
4922
4923              iptables -A INPUT -p udp --dport 1194 -j ACCEPT
4924
4925       would be adequate and would not render the host inflexible with respect
4926       to its peer having a dynamic IP address.
4927
4928       OpenVPN also works well on stateful firewalls.  In some cases, you  may
4929       not  need to add any static rules to the firewall list if you are using
4930       a stateful firewall that knows how to track UDP  connections.   If  you
4931       specify  --ping  n,  OpenVPN will be guaranteed to send a packet to its
4932       peer at least once every n seconds.  If n is  less  than  the  stateful
4933       firewall  connection  timeout,  you  can maintain an OpenVPN connection
4934       indefinitely without explicit firewall rules.
4935
4936       You should also add firewall rules to allow incoming IP traffic on  TUN
4937       or TAP devices such as:
4938
4939              iptables -A INPUT -i tun+ -j ACCEPT
4940
4941       to allow input packets from tun devices,
4942
4943              iptables -A FORWARD -i tun+ -j ACCEPT
4944
4945       to  allow input packets from tun devices to be forwarded to other hosts
4946       on the local network,
4947
4948              iptables -A INPUT -i tap+ -j ACCEPT
4949
4950       to allow input packets from tap devices, and
4951
4952              iptables -A FORWARD -i tap+ -j ACCEPT
4953
4954       to allow input packets from tap devices to be forwarded to other  hosts
4955       on the local network.
4956
4957       These  rules  are  secure  if  you  use packet authentication, since no
4958       incoming packets will arrive on a TUN or TAP virtual device unless they
4959       first pass an HMAC authentication test.
4960

FAQ

4962       http://openvpn.net/faq.html
4963

HOWTO

4965       For  a  more  comprehensive guide to setting up OpenVPN in a production
4966       setting, see the OpenVPN HOWTO at http://openvpn.net/howto.html
4967

PROTOCOL

4969       For a description of OpenVPN's underlying  protocol,  see  http://open
4970       vpn.net/security.html
4971

WEB

4973       OpenVPN's web site is at http://openvpn.net/
4974
4975       Go  here  to  download  the latest version of OpenVPN, subscribe to the
4976       mailing lists, read the mailing list archives, or browse the SVN repos‐
4977       itory.
4978

BUGS

4980       Report all bugs to the OpenVPN team <info@openvpn.net>.
4981

SEE ALSO

4983       dhcpcd(8), ifconfig(8), openssl(1), route(8), scp(1) ssh(1)
4984

NOTES

4986       This  product  includes  software  developed  by  the OpenSSL Project (
4987       http://www.openssl.org/ )
4988
4989       For    more    information     on     the     TLS     protocol,     see
4990       http://www.ietf.org/rfc/rfc2246.txt
4991
4992       For  more  information  on  the  LZO  real-time compression library see
4993       http://www.oberhumer.com/opensource/lzo/
4994
4996       Copyright (C) 2002-2018 OpenVPN Inc This program is free software;  you
4997       can redistribute it and/or modify it under the terms of the GNU General
4998       Public License version 2 as published by the Free Software Foundation.
4999

AUTHORS

5001       James Yonan <jim@yonan.net>
5002
5003
5004
5005                               28 February 2018                     openvpn(8)
Impressum