1openvpn(8)                  System Manager's Manual                 openvpn(8)
2
3
4

NAME

6       openvpn - secure IP tunnel daemon.
7

SYNOPSIS

9       openvpn [ options ... ]
10

INTRODUCTION

12       OpenVPN  is  an open source VPN daemon by James Yonan.  Because OpenVPN
13       tries to be a universal VPN tool offering a great deal of  flexibility,
14       there are a lot of options on this manual page.  If you're new to Open‐
15       VPN, you might want to skip ahead to the  examples  section  where  you
16       will  see how to construct simple VPNs on the command line without even
17       needing a configuration file.
18
19       Also note that there's more documentation and examples on  the  OpenVPN
20       web site: http://openvpn.net/
21
22       And  if you would like to see a shorter version of this manual, see the
23       openvpn usage message which can be obtained by running openvpn  without
24       any parameters.
25

DESCRIPTION

27       OpenVPN  is  a robust and highly flexible VPN daemon.  OpenVPN supports
28       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
29       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
30       scalability to hundreds or thousands of users, and portability to  most
31       major OS platforms.
32
33       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
34       its crypto capabilities from it.
35
36       OpenVPN supports conventional encryption using a pre-shared secret  key
37       (Static  Key mode) or public key security (SSL/TLS mode) using client &
38       server certificates.  OpenVPN also supports non-encrypted TCP/UDP  tun‐
39       nels.
40
41       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
42       face that exists on most platforms.
43
44       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
45       with a relatively lightweight footprint.
46

OPTIONS

48       OpenVPN allows any option to be placed either on the command line or in
49       a configuration file.  Though all command line options are preceded  by
50       a double-leading-dash ("--"), this prefix can be removed when an option
51       is placed in a configuration file.
52
53       --help Show options.
54
55       --config file
56              Load additional config options from file where each line  corre‐
57              sponds  to  one  command  line option, but with the leading '--'
58              removed.
59
60              If --config file is the only option to the openvpn command,  the
61              --config can be removed, and the command can be given as openvpn
62              file
63
64              Note that configuration files can  be  nested  to  a  reasonable
65              depth.
66
67              Double  quotation or single quotation characters ("", '') can be
68              used to enclose single parameters containing whitespace, and "#"
69              or ";" characters in the first column can be used to denote com‐
70              ments.
71
72              Note that OpenVPN 2.0 and higher performs backslash-based  shell
73              escaping for characters not in single quotations, so the follow‐
74              ing mappings should be observed:
75
76                  \\       Maps to a single backslash character (\).
77                  \"       Pass a literal doublequote character ("), don't
78                           interpret it as enclosing a parameter.
79                  \[SPACE] Pass a literal space or tab character, don't
80                           interpret it as a parameter delimiter.
81
82              For example on Windows,  use  double  backslashes  to  represent
83              pathnames:
84
85                  secret "c:\\OpenVPN\\secret.key"
86
87              For   examples   of   configuration   files,   see  http://open
88              vpn.net/examples.html
89
90              Here is an example configuration file:
91
92                  #
93                  # Sample OpenVPN configuration file for
94                  # using a pre-shared static key.
95                  #
96                  # '#' or ';' may be used to delimit comments.
97
98                  # Use a dynamic tun device.
99                  dev tun
100
101                  # Our remote peer
102                  remote mypeer.mydomain
103
104                  # 10.1.0.1 is our local VPN endpoint
105                  # 10.1.0.2 is our remote VPN endpoint
106                  ifconfig 10.1.0.1 10.1.0.2
107
108                  # Our pre-shared static key
109                  secret static.key
110
111   Tunnel Options:
112       --mode m
113              Set  OpenVPN  major  mode.   By   default,   OpenVPN   runs   in
114              point-to-point  mode ("p2p").  OpenVPN 2.0 introduces a new mode
115              ("server") which implements a multi-client server capability.
116
117       --local host
118              Local host name or IP address for bind.  If  specified,  OpenVPN
119              will  bind  to  this address only.  If unspecified, OpenVPN will
120              bind to all interfaces.
121
122       --remote host [port] [proto]
123              Remote host  name  or  IP  address.   On  the  client,  multiple
124              --remote options may be specified for redundancy, each referring
125              to a different OpenVPN  server.   Specifying  multiple  --remote
126              options  for  this purpose is a special case of the more general
127              connection-profile feature.  See the <connection>  documentation
128              below.
129
130              The  OpenVPN client will try to connect to a server at host:port
131              in the order specified by the list of --remote options.
132
133              proto indicates the protocol to use  when  connecting  with  the
134              remote, and may be "tcp" or "udp".
135
136              For  forcing  IPv4 or IPv6 connection suffix tcp or udp with 4/6
137              like udp4/udp6/tcp4/tcp6.
138
139              The client will move on to the next host in  the  list,  in  the
140              event  of  connection failure.  Note that at any given time, the
141              OpenVPN client will at most be connected to one server.
142
143              Note that since UDP is  connectionless,  connection  failure  is
144              defined by the --ping and --ping-restart options.
145
146              Note  the  following  corner case:  If you use multiple --remote
147              options, AND you are dropping root privileges on the client with
148              --user  and/or  --group, AND the client is running a non-Windows
149              OS, if the client needs to switch to  a  different  server,  and
150              that server pushes back different TUN/TAP or route settings, the
151              client may lack the necessary privileges to close and reopen the
152              TUN/TAP  interface.   This could cause the client to exit with a
153              fatal error.
154
155              If --remote is unspecified, OpenVPN will listen for packets from
156              any  IP  address,  but will not act on those packets unless they
157              pass all authentication tests.  This requirement for authentica‐
158              tion  is  binding  on all potential peers, even those from known
159              and supposedly trusted IP addresses (it is very easy to forge  a
160              source IP address on a UDP packet).
161
162              When  used in TCP mode, --remote will act as a filter, rejecting
163              connections from any host which does not match host.
164
165              If host is a DNS name which resolves to multiple  IP  addresses,
166              OpenVPN will try them in the order that the system getaddrinfo()
167              presents them, so priorization and DNS randomization is done  by
168              the  system library.  Unless an IP version is forced by the pro‐
169              tocol specification (4/6 suffix), OpenVPN will try both IPv4 and
170              IPv6 addresses, in the order getaddrinfo() returns them.
171
172       --remote-random-hostname
173              Prepend a random string (6 bytes, 12 hex characters) to hostname
174              to prevent DNS caching.  For  example,  "foo.bar.gov"  would  be
175              modified to "<random-chars>.foo.bar.gov".
176
177       <connection>
178              Define  a client connection profile.  Client connection profiles
179              are groups of OpenVPN options that describe how to connect to  a
180              given  OpenVPN server.  Client connection profiles are specified
181              within an OpenVPN configuration file, and each profile is brack‐
182              eted by <connection> and </connection>.
183
184              An  OpenVPN client will try each connection profile sequentially
185              until it achieves a successful connection.
186
187              --remote-random can be used to initially "scramble" the  connec‐
188              tion list.
189
190              Here is an example of connection profile usage:
191
192                  client
193                  dev tun
194
195                  <connection>
196                  remote 198.19.34.56 1194 udp
197                  </connection>
198
199                  <connection>
200                  remote 198.19.34.56 443 tcp
201                  </connection>
202
203                  <connection>
204                  remote 198.19.34.56 443 tcp
205                  http-proxy 192.168.0.8 8080
206                  </connection>
207
208                  <connection>
209                  remote 198.19.36.99 443 tcp
210                  http-proxy 192.168.0.8 8080
211                  </connection>
212
213                  persist-key
214                  persist-tun
215                  pkcs12 client.p12
216                  remote-cert-tls server
217                  verb 3
218
219              First  we  try to connect to a server at 198.19.34.56:1194 using
220              UDP.  If that fails, we then try to connect to  198.19.34.56:443
221              using  TCP.   If that also fails, then try connecting through an
222              HTTP proxy at 192.168.0.8:8080 to  198.19.34.56:443  using  TCP.
223              Finally,  try  to  connect through the same proxy to a server at
224              198.19.36.99:443 using TCP.
225
226              The following OpenVPN options may be used inside of  a  <connec‐
227              tion> block:
228
229              bind,    connect-retry,    connect-retry-max,   connect-timeout,
230              explicit-exit-notify,     float,      fragment,      http-proxy,
231              http-proxy-option,  link-mtu,  local,  lport,  mssfix, mtu-disc,
232              nobind, port, proto, remote,  rport,  socks-proxy,  tun-mtu  and
233              tun-mtu-extra.
234
235              A defaulting mechanism exists for specifying options to apply to
236              all <connection> profiles.  If any of the  above  options  (with
237              the  exception  of  remote  )  appear  outside of a <connection>
238              block, but in a configuration file which has one or  more  <con‐
239              nection>  blocks,  the  option setting will be used as a default
240              for <connection> blocks which follow  it  in  the  configuration
241              file.
242
243              For example, suppose the nobind option were placed in the sample
244              configuration file above, near the top of the file,  before  the
245              first <connection> block.  The effect would be as if nobind were
246              declared in all <connection> blocks below it.
247
248       --proto-force p
249              When iterating through connection profiles, only  consider  pro‐
250              files using protocol p ('tcp'|'udp').
251
252       --remote-random
253              When  multiple  --remote address/ports are specified, or if con‐
254              nection profiles are being used, initially randomize  the  order
255              of the list as a kind of basic load-balancing measure.
256
257       --proto p
258              Use  protocol  p  for  communicating with remote host.  p can be
259              udp, tcp-client, or tcp-server.
260
261              The default protocol is udp when --proto is not specified.
262
263              For UDP operation, --proto  udp  should  be  specified  on  both
264              peers.
265
266              For  TCP operation, one peer must use --proto tcp-server and the
267              other  must  use  --proto  tcp-client.   A  peer  started   with
268              tcp-server will wait indefinitely for an incoming connection.  A
269              peer started with tcp-client will attempt  to  connect,  and  if
270              that  fails, will sleep for 5 seconds (adjustable via the --con‐
271              nect-retry option) and try again infinite or  up  to  N  retries
272              (adjustable  via  the  --connect-retry-max  option).   Both  TCP
273              client and server will simulate  a  SIGUSR1  restart  signal  if
274              either side resets the connection.
275
276              OpenVPN is designed to operate optimally over UDP, but TCP capa‐
277              bility is provided for situations where UDP cannot be used.   In
278              comparison with UDP, TCP will usually be somewhat less efficient
279              and less robust when used over unreliable or congested networks.
280
281              This article outlines some of problems with  tunneling  IP  over
282              TCP:
283
284              http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
285
286              There  are certain cases, however, where using TCP may be advan‐
287              tageous from a security and robustness perspective, such as tun‐
288              neling  non-IP  or application-level UDP protocols, or tunneling
289              protocols which don't possess a built-in reliability layer.
290
291       --connect-retry n [max]
292              Wait  n  seconds   between  connection   attempts   (default=5).
293              Repeated  reconnection  attempts are slowed down after 5 retries
294              per remote by doubling the wait  time  after  each  unsuccessful
295              attempt.  The  optional argument max specifies the maximum value
296              of wait time in seconds at which it gets capped (default=300).
297
298       --connect-retry-max n
299              n specifies the number of times each  --remote  or  <connection>
300              entry is tried. Specifying n as one would try each entry exactly
301              once.   A   successful   connection    resets    the    counter.
302              (default=unlimited).
303
304       --show-proxy-settings
305              Show  sensed  HTTP or SOCKS proxy settings. Currently, only Win‐
306              dows clients support this option.
307
308       --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
309              Connect to remote host through an HTTP proxy at  address  server
310              and port port.  If HTTP Proxy-Authenticate is required, authfile
311              is a file containing a username and  password  on  2  lines,  or
312              "stdin"  to  prompt from console. Its content can also be speci‐
313              fied in the config file with the --http-proxy-user-pass  option.
314              (See section on inline files)
315
316              auth-method should be one of "none", "basic", or "ntlm".
317
318              HTTP  Digest  authentication  is supported as well, but only via
319              the auto or auto-nct flags (below).
320
321              The auto flag causes  OpenVPN  to  automatically  determine  the
322              auth-method  and  query  stdin  or  the management interface for
323              username/password credentials, if required.  This flag exists on
324              OpenVPN 2.1 or higher.
325
326              The  auto-nct  flag  (no  clear-text  auth) instructs OpenVPN to
327              automatically determine the authentication method, but to reject
328              weak authentication protocols such as HTTP Basic Authentication.
329
330       --http-proxy-option type [parm]
331              Set  extended  HTTP  proxy  options.   Repeat  to  set  multiple
332              options.
333
334              VERSION  version  --  Set  HTTP  version   number   to   version
335              (default=1.0).
336
337              AGENT user-agent -- Set HTTP "User-Agent" string to user-agent.
338
339              CUSTOM-HEADER  name  content -- Adds the custom Header with name
340              as name and content as the content of the custom HTTP header.
341
342       --socks-proxy server [port] [authfile]
343              Connect to remote host through a Socks5 proxy at address  server
344              and  port  port  (default=1080).   authfile (optional) is a file
345              containing a username and password on 2  lines,  or  "stdin"  to
346              prompt from console.
347
348       --resolv-retry n
349              If hostname resolve fails for --remote, retry resolve for n sec‐
350              onds before failing.
351
352              Set n to "infinite" to retry indefinitely.
353
354              By default, --resolv-retry infinite is enabled.  You can disable
355              by setting n=0.
356
357       --float
358              Allow  remote  peer to change its IP address and/or port number,
359              such as due to DHCP (this is the  default  if  --remote  is  not
360              used).   --float  when specified with --remote allows an OpenVPN
361              session to initially connect to a peer at a known address,  how‐
362              ever if packets arrive from a new address and pass all authenti‐
363              cation tests, the new address will take control of the  session.
364              This  is  useful when you are connecting to a peer which holds a
365              dynamic address such as a dial-in user or DHCP client.
366
367              Essentially, --float tells OpenVPN to accept authenticated pack‐
368              ets  from  any address, not only the address which was specified
369              in the --remote option.
370
371       --ipchange cmd
372              Run command cmd when our remote ip-address is initially  authen‐
373              ticated or changes.
374
375              cmd  consists  of  a  path  to  script  (or executable program),
376              optionally followed by arguments. The path and arguments may  be
377              single-  or  double-quoted and/or escaped using a backslash, and
378              should be separated by one or more spaces.
379
380              When cmd is executed two arguments are appended after any  argu‐
381              ments specified in cmd , as follows:
382
383              cmd ip_address port_number
384
385              Don't use --ipchange in --mode server mode.  Use a --client-con‐
386              nect script instead.
387
388              See the "Environmental Variables" section below  for  additional
389              parameters passed as environmental variables.
390
391              If you are running in a dynamic IP address environment where the
392              IP addresses of either peer could change without notice, you can
393              use  this  script, for example, to edit the /etc/hosts file with
394              the current address of the peer.  The script will be  run  every
395              time the remote peer changes its IP address.
396
397              Similarly  if our IP address changes due to DHCP, we should con‐
398              figure our IP address change script (see man page for  dhcpcd(8)
399              )  to  deliver  a  SIGHUP or SIGUSR1 signal to OpenVPN.  OpenVPN
400              will then  reestablish  a  connection  with  its  most  recently
401              authenticated peer on its new IP address.
402
403       --port port
404              TCP/UDP port number or port name for both local and remote (sets
405              both --lport and --rport options to given  port).   The  current
406              default of 1194 represents the official IANA port number assign‐
407              ment for OpenVPN and has been  used  since  version  2.0-beta17.
408              Previous versions used port 5000 as the default.
409
410       --lport port
411              Set  local TCP/UDP port number or name.  Cannot be used together
412              with --nobind option.
413
414       --rport port
415              Set TCP/UDP port number or name used by the --remote option. The
416              port can also be set directly using the --remote option.
417
418       --bind [ipv6only]
419              Bind  to  local address and port. This is the default unless any
420              of --proto tcp-client , --http-proxy or --socks-proxy are used.
421
422              If the ipv6only keyword is present OpenVPN  will  bind  only  to
423              IPv6 (as oposed to IPv6 and IPv4) when a IPv6 socket is opened.
424
425
426       --nobind
427              Do  not bind to local address and port.  The IP stack will allo‐
428              cate a dynamic port for returning packets.  Since the  value  of
429              the  dynamic  port could not be known in advance by a peer, this
430              option is only suitable for peers which will be initiating  con‐
431              nections by using the --remote option.
432
433       --dev tunX | tapX | null
434              TUN/TAP  virtual network device ( X can be omitted for a dynamic
435              device.)
436
437              See examples section below for an example on setting  up  a  TUN
438              device.
439
440              You  must  use either tun devices on both ends of the connection
441              or tap devices on both ends.  You cannot mix them, as they  rep‐
442              resent different underlying network layers.
443
444              tun  devices  encapsulate  IPv4  or IPv6 (OSI Layer 3) while tap
445              devices encapsulate Ethernet 802.3 (OSI Layer 2).
446
447       --dev-type device-type
448              Which device type are we using?  device-type should be tun  (OSI
449              Layer  3)  or  tap  (OSI  Layer 2).  Use this option only if the
450              TUN/TAP device used with --dev does not begin with tun or tap.
451
452       --topology mode
453              Configure virtual addressing topology when running in --dev  tun
454              mode.   This  directive  has no meaning in --dev tap mode, which
455              always uses a subnet topology.
456
457              If you set this  directive  on  the  server,  the  --server  and
458              --server-bridge  directives  will automatically push your chosen
459              topology setting to clients as well.  This directive can also be
460              manually  pushed  to  clients.   Like  the --dev directive, this
461              directive must always be compatible between client and server.
462
463              mode can be one of:
464
465              net30 -- Use a point-to-point topology, by  allocating  one  /30
466              subnet  per  client.   This  is designed to allow point-to-point
467              semantics when some or all of the connecting  clients  might  be
468              Windows systems.  This is the default on OpenVPN 2.0.
469
470              p2p  --  Use a point-to-point topology where the remote endpoint
471              of the client's tun interface always points to  the  local  end‐
472              point of the server's tun interface.  This mode allocates a sin‐
473              gle IP address per connecting client.  Only use when none of the
474              connecting  clients are Windows systems.  This mode is function‐
475              ally equivalent to the --ifconfig-pool-linear directive which is
476              available  in  OpenVPN 2.0, is deprecated and will be removed in
477              OpenVPN 2.5
478
479              subnet -- Use a subnet rather than a point-to-point topology  by
480              configuring the tun interface with a local IP address and subnet
481              mask, similar to the topology used in  --dev  tap  and  ethernet
482              bridging mode.  This mode allocates a single IP address per con‐
483              necting client and works on Windows  as  well.   Only  available
484              when  server  and  clients are OpenVPN 2.1 or higher, or OpenVPN
485              2.0.x which has been manually patched with the --topology direc‐
486              tive code.  When used on Windows, requires version 8.2 or higher
487              of the TAP-Win32 driver.  When used on *nix, requires  that  the
488              tun  driver  supports an ifconfig(8) command which sets a subnet
489              instead of a remote endpoint IP address.
490
491              This option exists in OpenVPN 2.1 or higher.
492
493              Note: Using --topology subnet changes the interpretation of  the
494              arguments  of  --ifconfig  to  mean "address netmask", no longer
495              "local remote".
496
497       --dev-node node
498              Explicitly set the device node rather than  using  /dev/net/tun,
499              /dev/tun,  /dev/tap,  etc.  If OpenVPN cannot figure out whether
500              node is a TUN or TAP device based on the name, you  should  also
501              specify --dev-type tun or --dev-type tap.
502
503              Under  Mac  OS  X this option can be used to specify the default
504              tun implementation. Using --dev-node utun forces  usage  of  the
505              native Darwin tun kernel support. Use --dev-node utunN to select
506              a  specific  utun  instance.  To  force   using   the   tun.kext
507              (/dev/tunX)   use   --dev-node   tun.   When  not  specifying  a
508              --dev-node option openvpn will first try to open utun, and  fall
509              back to tun.kext.
510
511              On  Windows systems, select the TAP-Win32 adapter which is named
512              node in the Network Connections Control Panel or the raw GUID of
513              the  adapter  enclosed  by  braces.   The --show-adapters option
514              under Windows can  also  be  used  to  enumerate  all  available
515              TAP-Win32  adapters  and  will show both the network connections
516              control panel name and the GUID for each TAP-Win32 adapter.
517
518       --lladdr address
519              Specify the link layer address, more commonly known as  the  MAC
520              address.  Only applied to TAP devices.
521
522       --iproute cmd
523              Set  alternate  command  to  execute instead of default iproute2
524              command.  May be used in order to execute  OpenVPN  in  unprivi‐
525              leged environment.
526
527       --ifconfig l rn
528              Set  TUN/TAP  adapter  parameters.   l  is the IP address of the
529              local VPN endpoint.  For TUN devices in point-to-point mode,  rn
530              is  the IP address of the remote VPN endpoint.  For TAP devices,
531              or TUN devices used with --topology subnet,  rn  is  the  subnet
532              mask  of  the  virtual network segment which is being created or
533              connected to.
534
535              For TUN devices, which facilitate virtual point-to-point IP con‐
536              nections (when used in --topology net30 or p2p mode), the proper
537              usage of --ifconfig is to use two private IP addresses which are
538              not  a  member  of  any existing subnet which is in use.  The IP
539              addresses  may  be  consecutive  and  should  have  their  order
540              reversed  on  the remote peer.  After the VPN is established, by
541              pinging rn, you will be pinging across the VPN.
542
543              For TAP devices, which provide the  ability  to  create  virtual
544              ethernet  segments,  or  TUN  devices  in --topology subnet mode
545              (which create virtual "multipoint networks"), --ifconfig is used
546              to set an IP address and subnet mask just as a physical ethernet
547              adapter would be similarly configured.  If you are attempting to
548              connect  to  a remote ethernet bridge, the IP address and subnet
549              should be set to values which would be valid on the the  bridged
550              ethernet  segment  (note also that DHCP can be used for the same
551              purpose).
552
553              This option, while primarily a proxy for  the  ifconfig(8)  com‐
554              mand,  is  designed  to simplify TUN/TAP tunnel configuration by
555              providing a standard interface to the different ifconfig  imple‐
556              mentations on different platforms.
557
558              --ifconfig  parameters which are IP addresses can also be speci‐
559              fied as a DNS or /etc/hosts file resolvable name.
560
561              For TAP devices, --ifconfig should not be used if the TAP inter‐
562              face will be getting an IP address lease from a DHCP server.
563
564       --ifconfig-noexec
565              Don't  actually  execute  ifconfig/netsh  commands, instead pass
566              --ifconfig parameters to scripts using environmental variables.
567
568       --ifconfig-nowarn
569              Don't  output  an  options  consistency  check  warning  if  the
570              --ifconfig  option  on this side of the connection doesn't match
571              the remote side.  This is useful when you  want  to  retain  the
572              overall  benefits  of  the  options  consistency check (also see
573              --disable-occ option) while only disabling the  ifconfig  compo‐
574              nent of the check.
575
576              For  example,  if  you have a configuration where the local host
577              uses --ifconfig but the  remote  host  does  not,  use  --ifcon‐
578              fig-nowarn on the local host.
579
580              This  option  will also silence warnings about potential address
581              conflicts which occasionally annoy  more  experienced  users  by
582              triggering "false positive" warnings.
583
584       --route network/IP [netmask] [gateway] [metric]
585              Add  route  to  routing  table  after connection is established.
586              Multiple routes can be specified.  Routes will be  automatically
587              torn down in reverse order prior to TUN/TAP device close.
588
589              This  option is intended as a convenience proxy for the route(8)
590              shell command, while at the same time providing portable  seman‐
591              tics across OpenVPN's platform space.
592
593              netmask default -- 255.255.255.255
594
595              gateway  default  --  taken  from  --route-gateway or the second
596              parameter to --ifconfig when --dev tun is specified.
597
598              metric default -- taken from --route-metric otherwise 0.
599
600              The default can be specified by leaving an option blank or  set‐
601              ting it to "default".
602
603              The  network  and  gateway parameters can also be specified as a
604              DNS or /etc/hosts file resolvable name, or as one of three  spe‐
605              cial keywords:
606
607              vpn_gateway  --  The remote VPN endpoint address (derived either
608              from --route-gateway or the second parameter to --ifconfig  when
609              --dev tun is specified).
610
611              net_gateway  --  The  pre-existing IP default gateway, read from
612              the routing table (not supported on all OSes).
613
614              remote_host -- The --remote address if OpenVPN is being  run  in
615              client mode, and is undefined in server mode.
616
617       --route-gateway gw|'dhcp'
618              Specify a default gateway gw for use with --route.
619
620              If  dhcp is specified as the parameter, the gateway address will
621              be  extracted  from  a  DHCP  negotiation   with   the   OpenVPN
622              server-side LAN.
623
624       --route-metric m
625              Specify a default metric m for use with --route.
626
627       --route-delay [n] [w]
628              Delay  n  seconds  (default=0)  after  connection establishment,
629              before adding routes. If n is 0, routes will  be  added  immedi‐
630              ately  upon connection establishment.  If --route-delay is omit‐
631              ted, routes will be added immediately after TUN/TAP device  open
632              and  --up  script execution, before any --user or --group privi‐
633              lege downgrade (or --chroot execution.)
634
635              This option is designed to be useful in scenarios where DHCP  is
636              used to set tap adapter addresses.  The delay will give the DHCP
637              handshake time to complete before routes are added.
638
639              On Windows, --route-delay tries to be more intelligent by  wait‐
640              ing  w  seconds  (w=30  by default) for the TAP-Win32 adapter to
641              come up before adding routes.
642
643       --route-up cmd
644              Run  command  cmd   after   routes   are   added,   subject   to
645              --route-delay.
646
647              cmd  consists  of  a  path  to  script  (or executable program),
648              optionally followed by arguments. The path and arguments may  be
649              single-  or  double-quoted and/or escaped using a backslash, and
650              should be separated by one or more spaces.
651
652              See the "Environmental Variables" section below  for  additional
653              parameters passed as environmental variables.
654
655       --route-pre-down cmd
656              Run command cmd before routes are removed upon disconnection.
657
658              cmd  consists  of  a  path  to  script  (or executable program),
659              optionally followed by arguments. The path and arguments may  be
660              single-  or  double-quoted and/or escaped using a backslash, and
661              should be separated by one or more spaces.
662
663              See the "Environmental Variables" section below  for  additional
664              parameters passed as environmental variables.
665
666       --route-noexec
667              Don't  add  or remove routes automatically.  Instead pass routes
668              to --route-up script using environmental variables.
669
670       --route-nopull
671              When used with --client or  --pull,  accept  options  pushed  by
672              server  EXCEPT  for  routes,  block-outside-dns and dhcp options
673              like DNS servers.
674
675              When used on the client, this option effectively bars the server
676              from  adding  routes to the client's routing table, however note
677              that this option still allows the server to set the TCP/IP prop‐
678              erties of the client's TUN/TAP interface.
679
680       --allow-pull-fqdn
681              Allow  client  to  pull DNS names from server (rather than being
682              limited  to   IP   address)   for   --ifconfig,   --route,   and
683              --route-gateway.
684
685       --client-nat snat|dnat network netmask alias
686              This  pushable  client option sets up a stateless one-to-one NAT
687              rule on packet addresses (not ports), and  is  useful  in  cases
688              where  routes  or  ifconfig  settings pushed to the client would
689              create an IP numbering conflict.
690
691              network/netmask (for  example  192.168.0.0/255.255.0.0)  defines
692              the  local view of a resource from the client perspective, while
693              alias/netmask (for example  10.64.0.0/255.255.0.0)  defines  the
694              remote view from the server perspective.
695
696              Use snat (source NAT) for resources owned by the client and dnat
697              (destination NAT) for remote resources.
698
699              Set --verb 6 for debugging info showing  the  transformation  of
700              src/dest addresses in packets.
701
702       --redirect-gateway flags...
703              Automatically  execute routing commands to cause all outgoing IP
704              traffic to be redirected over the VPN.  This  is  a  client-side
705              option.
706
707              This option performs three steps:
708
709              (1)  Create  a  static route for the --remote address which for‐
710              wards to the pre-existing default gateway.  This is done so that
711              (3) will not create a routing loop.
712
713              (2) Delete the default gateway route.
714
715              (3)  Set  the new default gateway to be the VPN endpoint address
716              (derived either from --route-gateway or the second parameter  to
717              --ifconfig when --dev tun is specified).
718
719              When  the  tunnel  is  torn  down,  all  of  the above steps are
720              reversed so that the original default route is restored.
721
722              Option flags:
723
724              local -- Add the local flag if both OpenVPN peers  are  directly
725              connected via a common subnet, such as with wireless.  The local
726              flag will cause step 1 above to be omitted.
727
728              autolocal -- Try to automatically determine  whether  to  enable
729              local flag above.
730
731              def1  --  Use this flag to override the default gateway by using
732              0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.  This  has  the
733              benefit  of  overriding  but not wiping out the original default
734              gateway.
735
736              bypass-dhcp -- Add a direct route to the DHCP server (if  it  is
737              non-local)  which  bypasses  the  tunnel  (Available  on Windows
738              clients, may not be available on non-Windows clients).
739
740              bypass-dns -- Add a direct route to the DNS server(s)  (if  they
741              are  non-local)  which bypasses the tunnel (Available on Windows
742              clients, may not be available on non-Windows clients).
743
744              block-local -- Block access to local  LAN  when  the  tunnel  is
745              active, except for the LAN gateway itself.  This is accomplished
746              by routing the local LAN (except for the  LAN  gateway  address)
747              into the tunnel.
748
749              ipv6 -- Redirect IPv6 routing into the tunnel.  This works simi‐
750              lar to the def1 flag, that is, more  specific  IPv6  routes  are
751              added  (2000::/4,  3000::/4),  covering  the  whole IPv6 unicast
752              space.
753
754              !ipv4 -- Do not redirect IPv4 traffic - typically  used  in  the
755              flag pair ipv6 !ipv4 to redirect IPv6-only.
756
757       --link-mtu n
758              Sets  an  upper  bound on the size of UDP packets which are sent
759              between OpenVPN peers.  It's best  not  to  set  this  parameter
760              unless you know what you're doing.
761
762       --redirect-private [flags]
763              Like  --redirect-gateway, but omit actually changing the default
764              gateway.  Useful when pushing private subnets.
765
766       --tun-mtu n
767              Take the TUN device MTU to be n and derive the link MTU from  it
768              (default=1500).   In most cases, you will probably want to leave
769              this parameter set to its default value.
770
771              The MTU (Maximum Transmission Units)  is  the  maximum  datagram
772              size  in  bytes  that can be sent unfragmented over a particular
773              network path.  OpenVPN requires that packets on the  control  or
774              data channels be sent unfragmented.
775
776              MTU problems often manifest themselves as connections which hang
777              during periods of active usage.
778
779              It's best to use the --fragment and/or --mssfix options to  deal
780              with MTU sizing issues.
781
782       --tun-mtu-extra n
783              Assume  that  the TUN/TAP device might return as many as n bytes
784              more than the --tun-mtu size on read.  This  parameter  defaults
785              to 0, which is sufficient for most TUN devices.  TAP devices may
786              introduce additional overhead in excess of the MTU size,  and  a
787              setting  of  32  is the default when TAP devices are used.  This
788              parameter only controls internal OpenVPN buffer sizing, so there
789              is  no  transmission  overhead  associated  with  using a larger
790              value.
791
792       --mtu-disc type
793              Should we do Path MTU discovery on TCP/UDP channel?   Only  sup‐
794              ported  on OSes such as Linux that supports the necessary system
795              call to set.
796
797              'no' -- Never send DF (Don't Fragment) frames
798              'maybe' -- Use per-route hints
799              'yes' -- Always DF (Don't Fragment)
800
801       --mtu-test
802              To empirically  measure  MTU  on  connection  startup,  add  the
803              --mtu-test option to your configuration.  OpenVPN will send ping
804              packets of various sizes to the  remote  peer  and  measure  the
805              largest   packets   which   were   successfully  received.   The
806              --mtu-test process normally takes about 3 minutes to complete.
807
808       --fragment max
809              Enable internal datagram fragmentation so that no UDP  datagrams
810              are sent which are larger than max bytes.
811
812              The  max  parameter  is  interpreted  in  the  same  way  as the
813              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
814              tion  overhead  has  been  added  in,  but not including the UDP
815              header itself.
816
817              The --fragment option only makes sense when you  are  using  the
818              UDP protocol ( --proto udp ).
819
820              --fragment adds 4 bytes of overhead per datagram.
821
822              See the --mssfix option below for an important related option to
823              --fragment.
824
825              It should also be noted that this option is not meant to replace
826              UDP  fragmentation at the IP stack level.  It is only meant as a
827              last resort when path  MTU  discovery  is  broken.   Using  this
828              option is less efficient than fixing path MTU discovery for your
829              IP link and using native IP fragmentation instead.
830
831              Having said that, there are circumstances where using  OpenVPN's
832              internal  fragmentation capability may be your only option, such
833              as tunneling a UDP multicast stream  which  requires  fragmenta‐
834              tion.
835
836       --mssfix max
837              Announce  to  TCP  sessions  running  over  the tunnel that they
838              should limit their send packet sizes such that after OpenVPN has
839              encapsulated  them,  the  resulting UDP packet size that OpenVPN
840              sends to its peer will not exceed max bytes. The  default  value
841              is 1450.
842
843              The  max  parameter  is  interpreted  in  the  same  way  as the
844              --link-mtu parameter, i.e. the UDP packet size after  encapsula‐
845              tion  overhead  has  been  added  in,  but not including the UDP
846              header itself. Resulting packet would be at most 28 bytes larger
847              for  IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and 8
848              bytes for UDP header). Default value of 1450 allows IPv4 packets
849              to be transmitted over a link with MTU 1473 or higher without IP
850              level fragmentation.
851
852              The --mssfix option only makes sense when you are using the  UDP
853              protocol  for  OpenVPN peer-to-peer communication, i.e.  --proto
854              udp.
855
856              --mssfix and --fragment can  be  ideally  used  together,  where
857              --mssfix  will try to keep TCP from needing packet fragmentation
858              in the first place, and if big packets come through anyhow (from
859              protocols  other  than TCP), --fragment will internally fragment
860              them.
861
862              Both --fragment and --mssfix are designed to work  around  cases
863              where  Path  MTU discovery is broken on the network path between
864              OpenVPN peers.
865
866              The usual symptom of such a breakdown is an  OpenVPN  connection
867              which successfully starts, but then stalls during active usage.
868
869              If --fragment and --mssfix are used together, --mssfix will take
870              its default max parameter from the --fragment max option.
871
872              Therefore, one could lower the maximum UDP packet size  to  1300
873              (a  good  first try for solving MTU-related connection problems)
874              with the following options:
875
876              --tun-mtu 1500 --fragment 1300 --mssfix
877
878       --sndbuf size
879              Set the TCP/UDP socket send buffer size.  Defaults to  operation
880              system default.
881
882       --rcvbuf size
883              Set  the TCP/UDP socket receive buffer size.  Defaults to opera‐
884              tion system default.
885
886       --mark value
887              Mark encrypted packets being sent with value. The mark value can
888              be matched in policy routing and packetfilter rules. This option
889              is only supported in Linux and does nothing on  other  operating
890              systems.
891
892       --socket-flags flags...
893              Apply  the  given  flags  to the OpenVPN transport socket.  Cur‐
894              rently, only TCP_NODELAY is supported.
895
896              The TCP_NODELAY socket flag is useful in TCP  mode,  and  causes
897              the  kernel to send tunnel packets immediately over the TCP con‐
898              nection without trying to group several smaller packets  into  a
899              larger packet.  This can result in a considerably improvement in
900              latency.
901
902              This option is pushable from server to  client,  and  should  be
903              used on both client and server for maximum effect.
904
905       --txqueuelen n
906              (Linux  only)  Set the TX queue length on the TUN/TAP interface.
907              Currently defaults to 100.
908
909       --shaper n
910              Limit bandwidth of outgoing tunnel data to n bytes per second on
911              the  TCP/UDP port.  Note that this will only work if mode is set
912              to p2p.  If you want to limit the bandwidth in both  directions,
913              use this option on both peers.
914
915              OpenVPN  uses the following algorithm to implement traffic shap‐
916              ing: Given a shaper rate of n bytes per second, after a datagram
917              write  of  b bytes is queued on the TCP/UDP port, wait a minimum
918              of (b / n) seconds before queuing the next write.
919
920              It should  be  noted  that  OpenVPN  supports  multiple  tunnels
921              between the same two peers, allowing you to construct full-speed
922              and reduced bandwidth tunnels at the same time, routing low-pri‐
923              ority  data  such as off-site backups over the reduced bandwidth
924              tunnel, and other data over the full-speed tunnel.
925
926              Also note that for low bandwidth tunnels (under 1000  bytes  per
927              second),  you  should probably use lower MTU values as well (see
928              above), otherwise the packet latency will grow so  large  as  to
929              trigger  timeouts  in  the TLS layer and TCP connections running
930              over the tunnel.
931
932              OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.
933
934       --inactive n [bytes]
935              Causes OpenVPN to exit after n  seconds  of  inactivity  on  the
936              TUN/TAP  device. The time length of inactivity is measured since
937              the last incoming or outgoing tunnel packet.  The default  value
938              is 0 seconds, which disables this feature.
939
940              If  the  optional bytes parameter is included, exit if less than
941              bytes of combined in/out traffic are  produced  on  the  tun/tap
942              device in n seconds.
943
944              In  any  case,  OpenVPN's  internal ping packets (which are just
945              keepalives) and TLS control packets are not  considered  "activ‐
946              ity",  nor  are they counted as traffic, as they are used inter‐
947              nally by OpenVPN and are not an indication of actual user activ‐
948              ity.
949
950       --ping n
951              Ping  remote over the TCP/UDP control channel if no packets have
952              been sent for at least n seconds (specify --ping on  both  peers
953              to  cause ping packets to be sent in both directions since Open‐
954              VPN ping packets are not echoed like  IP  ping  packets).   When
955              used   in   one  of  OpenVPN's  secure  modes  (where  --secret,
956              --tls-server, or --tls-client is  specified),  the  ping  packet
957              will be cryptographically secure.
958
959              This option has two intended uses:
960
961              (1)  Compatibility  with  stateful firewalls.  The periodic ping
962              will ensure that a stateful firewall rule which  allows  OpenVPN
963              UDP packets to pass will not time out.
964
965              (2)  To  provide a basis for the remote to test the existence of
966              its peer using the --ping-exit option.
967
968       --ping-exit n
969              Causes OpenVPN to exit after n seconds pass without reception of
970              a ping or other packet from remote.  This option can be combined
971              with --inactive, --ping, and --ping-exit to create a  two-tiered
972              inactivity disconnect.
973
974              For example,
975
976              openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
977
978              when  used  on  both  peers will cause OpenVPN to exit within 60
979              seconds if its peer disconnects, but will exit after one hour if
980              no actual tunnel data is exchanged.
981
982       --ping-restart n
983              Similar  to  --ping-exit,  but trigger a SIGUSR1 restart after n
984              seconds pass without reception of a ping or  other  packet  from
985              remote.
986
987              This  option  is  useful  in  cases  where the remote peer has a
988              dynamic IP address and a low-TTL DNS name is used to  track  the
989              IP  address  using  a  service  such  as  http://dyndns.org/ + a
990              dynamic DNS client such as ddclient.
991
992              If the peer cannot be reached,  a  restart  will  be  triggered,
993              causing  the  hostname  used with --remote to be re-resolved (if
994              --resolv-retry is also specified).
995
996              In server mode, --ping-restart, --inactive, or any other type of
997              internally generated signal will always be applied to individual
998              client instance objects, never to  whole  server  itself.   Note
999              also  in  server mode that any internally generated signal which
1000              would normally cause a restart, will cause the deletion  of  the
1001              client instance object instead.
1002
1003              In  client mode, the --ping-restart parameter is set to 120 sec‐
1004              onds by default.  This default will hold until the client  pulls
1005              a  replacement  value  from the server, based on the --keepalive
1006              setting in the server configuration.  To disable the 120  second
1007              default, set --ping-restart 0 on the client.
1008
1009              See the signals section below for more information on SIGUSR1.
1010
1011              Note  that the behavior of SIGUSR1 can be modified by the --per‐
1012              sist-tun,   --persist-key,   --persist-local-ip,   and    --per‐
1013              sist-remote-ip options.
1014
1015              Also  note  that  --ping-exit  and  --ping-restart  are mutually
1016              exclusive and cannot be used together.
1017
1018       --keepalive interval timeout
1019              A helper directive designed to simplify the expression of --ping
1020              and --ping-restart.
1021
1022              This  option  can be used on both client and server side, but it
1023              is enough to add this on the server side as it will push  appro‐
1024              priate --ping and --ping-restart options to the client.  If used
1025              on both server and client, the values pushed  from  server  will
1026              override the client local values.
1027
1028              The  timeout  argument will be twice as long on the server side.
1029              This ensures that a timeout is detected on  client  side  before
1030              the server side drops the connection.
1031
1032              For example, --keepalive 10 60 expands as follows:
1033
1034                   if mode server:
1035                     ping 10                    # Argument: interval
1036                     ping-restart 120           # Argument: timeout*2
1037                     push "ping 10"             # Argument: interval
1038                     push "ping-restart 60"     # Argument: timeout
1039                   else
1040                     ping 10                    # Argument: interval
1041                     ping-restart 60            # Argument: timeout
1042
1043       --ping-timer-rem
1044              Run  the  --ping-exit  /  --ping-restart timer only if we have a
1045              remote address.  Use this option if you are starting the  daemon
1046              in listen mode (i.e. without an explicit --remote peer), and you
1047              don't want to start clocking timeouts until a remote  peer  con‐
1048              nects.
1049
1050       --persist-tun
1051              Don't  close  and  reopen  TUN/TAP device or run up/down scripts
1052              across SIGUSR1 or --ping-restart restarts.
1053
1054              SIGUSR1 is a restart signal similar to SIGHUP, but which  offers
1055              finer-grained control over reset options.
1056
1057       --persist-key
1058              Don't re-read key files across SIGUSR1 or --ping-restart.
1059
1060              This option can be combined with --user nobody to allow restarts
1061              triggered by the SIGUSR1 signal.   Normally  if  you  drop  root
1062              privileges  in  OpenVPN, the daemon cannot be restarted since it
1063              will now be unable to re-read protected key files.
1064
1065              This option solves the problem by persisting keys across SIGUSR1
1066              resets, so they don't need to be re-read.
1067
1068       --persist-local-ip
1069              Preserve  initially  resolved  local  IP address and port number
1070              across SIGUSR1 or --ping-restart restarts.
1071
1072       --persist-remote-ip
1073              Preserve most recently authenticated remote IP address and  port
1074              number across SIGUSR1 or --ping-restart restarts.
1075
1076       --mlock
1077              Disable paging by calling the POSIX mlockall function.  Requires
1078              that OpenVPN be initially run as root (though OpenVPN can subse‐
1079              quently downgrade its UID using the --user option).
1080
1081              Using  this option ensures that key material and tunnel data are
1082              never written to disk due to virtual  memory  paging  operations
1083              which  occur  under  most  modern operating systems.  It ensures
1084              that even if an attacker was able to crack the box running Open‐
1085              VPN,  he  would  not  be  able  to  scan the system swap file to
1086              recover previously used ephemeral keys, which  are  used  for  a
1087              period of time governed by the --reneg options (see below), then
1088              are discarded.
1089
1090              The downside of using --mlock is that it will reduce the  amount
1091              of physical memory available to other applications.
1092
1093       --up cmd
1094              Run command cmd after successful TUN/TAP device open (pre --user
1095              UID change).
1096
1097              cmd consists of  a  path  to  script  (or  executable  program),
1098              optionally  followed by arguments. The path and arguments may be
1099              single- or double-quoted and/or escaped using a  backslash,  and
1100              should be separated by one or more spaces.
1101
1102              The  up  command  is  useful for specifying route commands which
1103              route IP traffic destined for private subnets which exist at the
1104              other end of the VPN connection into the tunnel.
1105
1106              For --dev tun execute as:
1107
1108              cmd    tun_dev   tun_mtu   link_mtu   ifconfig_local_ip   ifcon‐
1109              fig_remote_ip [ init | restart ]
1110
1111              For --dev tap execute as:
1112
1113              cmd tap_dev tap_mtu link_mtu ifconfig_local_ip  ifconfig_netmask
1114              [ init | restart ]
1115
1116              See  the  "Environmental Variables" section below for additional
1117              parameters passed as environmental variables.
1118
1119              Note that if cmd includes arguments, all OpenVPN-generated argu‐
1120              ments  will  be  appended to them to build an argument list with
1121              which the executable will be called.
1122
1123              Typically, cmd will run a script to add routes to the tunnel.
1124
1125              Normally the up script is called after  the  TUN/TAP  device  is
1126              opened.  In this context, the last command line parameter passed
1127              to the script will be init.  If the --up-restart option is  also
1128              used,  the  up  script  will  be called for restarts as well.  A
1129              restart is considered to be a partial reinitialization of  Open‐
1130              VPN  where  the TUN/TAP instance is preserved (the --persist-tun
1131              option will enable such preservation).  A restart can be  gener‐
1132              ated by a SIGUSR1 signal, a --ping-restart timeout, or a connec‐
1133              tion reset when the TCP protocol is  enabled  with  the  --proto
1134              option.   If  a restart occurs, and --up-restart has been speci‐
1135              fied, the up script will be called  with  restart  as  the  last
1136              parameter.
1137
1138              NOTE: on restart, OpenVPN will not pass the full set of environ‐
1139              ment variables to the script.   Namely,  everything  related  to
1140              routing  and gateways will not be passed, as nothing needs to be
1141              done anyway - all the routing setup is already in place.   Addi‐
1142              tionally,  the  up-restart  script  will run with the downgraded
1143              UID/GID settings (if configured).
1144
1145              The following standalone example shows how the --up  script  can
1146              be called in both an initialization and restart context.  (NOTE:
1147              for security reasons, don't run the following example unless UDP
1148              port  9999  is blocked by your firewall.  Also, the example will
1149              run indefinitely, so you should abort with control-c).
1150
1151              openvpn --dev tun --port 9999 --verb 4  --ping-restart  10  --up
1152              'echo up' --down 'echo down' --persist-tun --up-restart
1153
1154              Note  that  OpenVPN also provides the --ifconfig option to auto‐
1155              matically ifconfig the  TUN  device,  eliminating  the  need  to
1156              define  an --up script, unless you also want to configure routes
1157              in the --up script.
1158
1159              If --ifconfig is also specified, OpenVPN will pass the  ifconfig
1160              local  and  remote  endpoints  on  the  command line to the --up
1161              script so that they can be used to configure routes such as:
1162
1163              route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1164
1165       --up-delay
1166              Delay TUN/TAP open and  possible  --up  script  execution  until
1167              after TCP/UDP connection establishment with peer.
1168
1169              In  --proto  udp  mode, this option normally requires the use of
1170              --ping to allow  connection  initiation  to  be  sensed  in  the
1171              absence  of  tunnel data, since UDP is a "connectionless" proto‐
1172              col.
1173
1174              On Windows, this option will delay  the  TAP-Win32  media  state
1175              transitioning  to  "connected"  until  connection establishment,
1176              i.e. the receipt of the  first  authenticated  packet  from  the
1177              peer.
1178
1179       --down cmd
1180              Run  command  cmd  after  TUN/TAP  device close (post --user UID
1181              change and/or --chroot ).  cmd consists of a path to script  (or
1182              executable  program), optionally followed by arguments. The path
1183              and arguments may be single-  or  double-quoted  and/or  escaped
1184              using  a  backslash, and should be separated by one or more spa‐
1185              ces.
1186
1187              Called with the same parameters and environmental  variables  as
1188              the --up option above.
1189
1190              Note  that  if  you  reduce  privileges  by  using --user and/or
1191              --group, your --down script will also run at reduced privilege.
1192
1193       --down-pre
1194              Call --down cmd/script before, rather than after, TUN/TAP close.
1195
1196       --up-restart
1197              Enable the --up and --down scripts to be called for restarts  as
1198              well  as  initial  program start.  This option is described more
1199              fully above in the --up option documentation.
1200
1201       --setenv name value
1202              Set a  custom  environmental  variable  name=value  to  pass  to
1203              script.
1204
1205       --setenv FORWARD_COMPATIBLE 1
1206              Relax  config  file  syntax  checking so that unknown directives
1207              will trigger a warning but not a fatal error, on the  assumption
1208              that  a given unknown directive might be valid in future OpenVPN
1209              versions.
1210
1211              This option should be used with caution, as there are good secu‐
1212              rity reasons for having OpenVPN fail if it detects problems in a
1213              config file.  Having said that,  there  are  valid  reasons  for
1214              wanting new software features to gracefully degrade when encoun‐
1215              tered by older software versions.
1216
1217              It is also possible to tag a single directive so as not to trig‐
1218              ger  a  fatal  error  if  the directive isn't recognized.  To do
1219              this, prepend the following before the directive: setenv opt
1220
1221              Versions prior to OpenVPN 2.3.3 will always ignore  options  set
1222              with the setenv opt directive.
1223
1224              See also --ignore-unknown-option
1225
1226       --setenv-safe name value
1227              Set  a  custom environmental variable OPENVPN_name=value to pass
1228              to script.
1229
1230              This directive is  designed  to  be  pushed  by  the  server  to
1231              clients,  and  the prepending of "OPENVPN_" to the environmental
1232              variable is a safety precaution to prevent  a  LD_PRELOAD  style
1233              attack from a malicious or compromised server.
1234
1235       --ignore-unknown-option opt1 opt2 opt3 ... optN
1236              When one of options opt1 ... optN is encountered in the configu‐
1237              ration file the configuration file parsing does not fail if this
1238              OpenVPN   version   does   not   support  the  option.  Multiple
1239              --ignore-unknown-option options can be given to support a larger
1240              number of options to ignore.
1241
1242              This option should be used with caution, as there are good secu‐
1243              rity reasons for having OpenVPN fail if it detects problems in a
1244              config file. Having said that, there are valid reasons for want‐
1245              ing new software features to gracefully degrade when encountered
1246              by older software versions.
1247
1248              --ignore-unknown-option is available since OpenVPN 2.3.3.
1249
1250       --script-security level
1251              This  directive offers policy-level control over OpenVPN's usage
1252              of external programs and scripts.  Lower level values  are  more
1253              restrictive,  higher  values  are more permissive.  Settings for
1254              level:
1255
1256              0 -- Strictly no calling of external programs.
1257              1 -- (Default) Only call built-in executables such as  ifconfig,
1258              ip, route, or netsh.
1259              2  --  Allow  calling  of  built-in executables and user-defined
1260              scripts.
1261              3 -- Allow passwords to be passed to scripts  via  environmental
1262              variables (potentially unsafe).
1263
1264              OpenVPN  releases before v2.3 also supported a method flag which
1265              indicated how OpenVPN should call external commands and scripts.
1266              This  could be either execve or system.  As of OpenVPN 2.3, this
1267              flag is no longer  accepted.   In  most  *nix  environments  the
1268              execve() approach has been used without any issues.
1269
1270              Some  directives  such as --up allow options to be passed to the
1271              external script. In these cases make sure the script  name  does
1272              not  contain  any  spaces or the configuration parser will choke
1273              because it can't determine where the script name ends and script
1274              options start.
1275
1276              To run scripts in Windows in earlier OpenVPN versions you needed
1277              to either add a full path to the script  interpreter  which  can
1278              parse  the  script  or use the system flag to run these scripts.
1279              As of OpenVPN 2.3 it is now a strict requirement  to  have  full
1280              path  to  the  script  interpreter  when running non-executables
1281              files.  This is not needed for executable files, such  as  .exe,
1282              .com,  .bat  or  .cmd  files.  For example, if you have a Visual
1283              Basic script, you must use this syntax now:
1284
1285                  --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
1286
1287              Please note the single quote marks and the escaping of the back‐
1288              slashes (\) and the space character.
1289
1290              The reason the support for the system flag was removed is due to
1291              the security implications with shell expansions  when  executing
1292              scripts via the system() call.
1293
1294       --disable-occ
1295              Don't  output  a  warning  message if option inconsistencies are
1296              detected between peers.  An example of an  option  inconsistency
1297              would be where one peer uses --dev tun while the other peer uses
1298              --dev tap.
1299
1300              Use of this option is discouraged, but is provided as  a  tempo‐
1301              rary  fix  in  situations where a recent version of OpenVPN must
1302              connect to an old version.
1303
1304       --user user
1305              Change the user ID of the OpenVPN process to user after initial‐
1306              ization,  dropping  privileges  in  the process.  This option is
1307              useful to protect the system in  the  event  that  some  hostile
1308              party  was  able  to gain control of an OpenVPN session.  Though
1309              OpenVPN's security features make this unlikely, it  is  provided
1310              as a second line of defense.
1311
1312              By  setting  user  to nobody or somebody similarly unprivileged,
1313              the hostile party would be limited in  what  damage  they  could
1314              cause.   Of  course  once  you  take away privileges, you cannot
1315              return them to an OpenVPN session.   This  means,  for  example,
1316              that  if you want to reset an OpenVPN daemon with a SIGUSR1 sig‐
1317              nal (for example in response to a DHCP reset), you  should  make
1318              use of one or more of the --persist options to ensure that Open‐
1319              VPN doesn't need to execute any privileged operations  in  order
1320              to  restart (such as re-reading key files or running ifconfig on
1321              the TUN device).
1322
1323       --group group
1324              Similar to the --user option, this option changes the  group  ID
1325              of the OpenVPN process to group after initialization.
1326
1327       --cd dir
1328              Change  directory to dir prior to reading any files such as con‐
1329              figuration files, key files, scripts, etc.   dir  should  be  an
1330              absolute path, with a leading "/", and without any references to
1331              the current directory such as "." or "..".
1332
1333              This option is useful when you are running OpenVPN  in  --daemon
1334              mode,  and  you  want to consolidate all of your OpenVPN control
1335              files in one location.
1336
1337       --chroot dir
1338              Chroot to dir after initialization.  --chroot essentially  rede‐
1339              fines  dir  as  being the top level directory tree (/).  OpenVPN
1340              will therefore be unable to access any files outside this  tree.
1341              This can be desirable from a security standpoint.
1342
1343              Since  the  chroot  operation is delayed until after initializa‐
1344              tion, most OpenVPN options that reference files will operate  in
1345              a pre-chroot context.
1346
1347              In  many  cases,  the dir parameter can point to an empty direc‐
1348              tory, however complications can result when scripts or  restarts
1349              are executed after the chroot operation.
1350
1351              Note:  The  SSL  library  will  probably need /dev/urandom to be
1352              available inside the chroot directory dir.  This is because  SSL
1353              libraries  occasionally  need  to  collect  fresh random.  Newer
1354              linux kernels and some BSDs implement a  getrandom()  or  geten‐
1355              tropy()  syscall  that  removes  the need for /dev/urandom to be
1356              available.
1357
1358       --setcon context
1359              Apply SELinux context  after  initialization.  This  essentially
1360              provides  the  ability to restrict OpenVPN's rights to only net‐
1361              work I/O operations, thanks to SELinux. This goes  further  than
1362              --user  and  --chroot in that those two, while being great secu‐
1363              rity features, unfortunately do not  protect  against  privilege
1364              escalation  by exploitation of a vulnerable system call. You can
1365              of course combine all three, but please note that  since  setcon
1366              requires  access to /proc you will have to provide it inside the
1367              chroot directory (e.g. with mount --bind).
1368
1369              Since the setcon operation is delayed  until  after  initializa‐
1370              tion,  OpenVPN  can be restricted to just network-related system
1371              calls, whereas by applying the context before startup  (such  as
1372              the  OpenVPN one provided in the SELinux Reference Policies) you
1373              will have to allow many things required only during  initializa‐
1374              tion.
1375
1376              Like  with  chroot,  complications  can  result  when scripts or
1377              restarts are executed after the setcon operation, which  is  why
1378              you  should  really  consider using the --persist-key and --per‐
1379              sist-tun options.
1380
1381       --daemon [progname]
1382              Become a daemon after  all  initialization  functions  are  com‐
1383              pleted.   This option will cause all message and error output to
1384              be sent to the syslog file (such as  /var/log/messages),  except
1385              for  the  output of scripts and ifconfig commands, which will go
1386              to /dev/null unless otherwise redirected.  The syslog  redirect‐
1387              ion  occurs  immediately at the point that --daemon is parsed on
1388              the command line even  though  the  daemonization  point  occurs
1389              later.   If  one  of  the  --log  options  is  present,  it will
1390              supercede syslog redirection.
1391
1392              The optional progname parameter will cause OpenVPN to report its
1393              program name to the system logger as progname.  This can be use‐
1394              ful in linking OpenVPN messages in the syslog file with specific
1395              tunnels.  When unspecified, progname defaults to "openvpn".
1396
1397              When  OpenVPN  is  run  with the --daemon option, it will try to
1398              delay daemonization until the majority of  initialization  func‐
1399              tions which are capable of generating fatal errors are complete.
1400              This means that initialization scripts can test the return  sta‐
1401              tus  of  the openvpn command for a fairly reliable indication of
1402              whether the command has correctly initialized  and  entered  the
1403              packet forwarding event loop.
1404
1405              In  OpenVPN,  the vast majority of errors which occur after ini‐
1406              tialization are non-fatal.
1407
1408              Note: as soon as OpenVPN has daemonized,  it  can  not  ask  for
1409              usernames,  passwords,  or  key  pass phrases anymore.  This has
1410              certain consequences, namely  that  using  a  password-protected
1411              private  key  will  fail  unless the --askpass option is used to
1412              tell OpenVPN to ask for the pass phrase (this requirement is new
1413              in  v2.3.7, and is a consequence of calling daemon() before ini‐
1414              tializing the crypto layer).
1415
1416              Further, using --daemon together with --auth-user-pass  (entered
1417              on  console) and --auth-nocache will fail as soon as key renego‐
1418              tiation (and reauthentication) occurs.
1419
1420       --syslog [progname]
1421              Direct log output to system logger, but do not become a  daemon.
1422              See --daemon directive above for description of progname parame‐
1423              ter.
1424
1425       --errors-to-stderr
1426              Output errors to stderr instead of stdout unless log  output  is
1427              redirected by one of the --log options.
1428
1429       --passtos
1430              Set the TOS field of the tunnel packet to what the payload's TOS
1431              is.
1432
1433       --inetd [wait|nowait] [progname]
1434              Use this option when OpenVPN is being  run  from  the  inetd  or
1435              xinetd(8) server.
1436
1437              The  wait/nowait  option  must  match  what  is specified in the
1438              inetd/xinetd config file.  The nowait mode can only be used with
1439              --proto  tcp-server.   The default is wait.  The nowait mode can
1440              be used to instantiate the  OpenVPN  daemon  as  a  classic  TCP
1441              server,  where client connection requests are serviced on a sin‐
1442              gle port number.  For additional information  on  this  kind  of
1443              configuration,     see    the    OpenVPN    FAQ:    http://open
1444              vpn.net/faq.html#oneport
1445
1446              This option precludes the use of --daemon, --local, or --remote.
1447              Note that this option causes message and error output to be han‐
1448              dled in the same way as the --daemon option.  The optional prog‐
1449              name parameter is also handled exactly as in --daemon.
1450
1451              Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1452              arate TCP/UDP port and a separate inetd or  xinetd  entry.   See
1453              the  OpenVPN  1.x  HOWTO  for  an  example on using OpenVPN with
1454              xinetd: http://openvpn.net/1xhowto.html
1455
1456       --log file
1457              Output logging  messages  to  file,  including  output  to  std‐
1458              out/stderr  which  is  generated  by  called  scripts.   If file
1459              already exists it will be truncated.  This option  takes  effect
1460              immediately  when  it  is  parsed  in  the command line and will
1461              supercede syslog output if --daemon or --inetd  is  also  speci‐
1462              fied.   This  option  is persistent over the entire course of an
1463              OpenVPN instantiation and will not be reset by SIGHUP,  SIGUSR1,
1464              or --ping-restart.
1465
1466              Note that on Windows, when OpenVPN is started as a service, log‐
1467              ging occurs by default without the need to specify this option.
1468
1469       --log-append file
1470              Append logging messages to file.  If file  does  not  exist,  it
1471              will  be created.  This option behaves exactly like --log except
1472              that it appends to rather than truncating the log file.
1473
1474       --suppress-timestamps
1475              Avoid writing timestamps to log messages, even when they  other‐
1476              wise would be prepended. In particular, this applies to log mes‐
1477              sages sent to stdout.
1478
1479       --machine-readable-output
1480              Always write timestamps and message flags to log messages,  even
1481              when  they  otherwise would not be prefixed. In particular, this
1482              applies to log messages sent to stdout.
1483
1484       --writepid file
1485              Write OpenVPN's main process ID to file.
1486
1487       --nice n
1488              Change process priority after initialization ( n greater than  0
1489              is lower priority, n less than zero is higher priority).
1490
1491       --fast-io
1492              (Experimental)  Optimize  TUN/TAP/UDP  I/O  writes by avoiding a
1493              call to poll/epoll/select prior to  the  write  operation.   The
1494              purpose  of  such  a  call  would normally be to block until the
1495              device or socket is ready to accept the write.  Such blocking is
1496              unnecessary on some platforms which don't support write blocking
1497              on UDP sockets or TUN/TAP devices.  In such cases, one can opti‐
1498              mize  the  event  loop  by  avoiding the poll/epoll/select call,
1499              improving CPU efficiency by 5% to 10%.
1500
1501              This option can  only  be  used  on  non-Windows  systems,  when
1502              --proto udp is specified, and when --shaper is NOT specified.
1503
1504       --multihome
1505              Configure  a  multi-homed  UDP  server.  This option needs to be
1506              used when a server has more than one IP address  (e.g.  multiple
1507              interfaces, or secondary IP addresses), and is not using --local
1508              to force binding to one specific address only.  This option will
1509              add some extra lookups to the packet path to ensure that the UDP
1510              reply packets are always sent from the address that  the  client
1511              is  talking  to.  This is not supported on all platforms, and it
1512              adds more processing, so it's not enabled by default.
1513
1514              Note: this option is only relevant for UDP servers.
1515
1516              Note 2: if you do  an  IPv6+IPv4  dual-stack  bind  on  a  Linux
1517              machine   with   multiple  IPv4  address,  connections  to  IPv4
1518              addresses will not work right on kernels  before  3.15,  due  to
1519              missing  kernel support for the IPv4-mapped case (some distribu‐
1520              tions have ported this to earlier kernel versions, though).
1521
1522       --echo [parms...]
1523              Echo parms to log output.
1524
1525              Designed to be used to send messages to a  controlling  applica‐
1526              tion which is receiving the OpenVPN log output.
1527
1528       --remap-usr1 signal
1529              Control  whether internally or externally generated SIGUSR1 sig‐
1530              nals are remapped to SIGHUP (restart without  persisting  state)
1531              or SIGTERM (exit).
1532
1533              signal  can  be  set  to  "SIGHUP" or "SIGTERM".  By default, no
1534              remapping occurs.
1535
1536       --verb n
1537              Set output verbosity to n (default=1).   Each  level  shows  all
1538              info  from  the  previous levels.  Level 3 is recommended if you
1539              want a good summary of what's happening without being swamped by
1540              output.
1541
1542              0 -- No output except fatal errors.
1543              1 to 4 -- Normal usage range.
1544              5  --  Output  R and W characters to the console for each packet
1545              read and write, uppercase is used for TCP/UDP packets and lower‐
1546              case is used for TUN/TAP packets.
1547              6  to  11  --  Debug  info  range (see errlevel.h for additional
1548              information on debug levels).
1549
1550       --status file [n]
1551              Write operational status to file every n seconds.
1552
1553              Status can also be written to the syslog by  sending  a  SIGUSR2
1554              signal.
1555
1556              With  multi-client  capability  enabled  on a server, the status
1557              file includes a list of clients and a routing table. The  output
1558              format  can be controlled by the --status-version option in that
1559              case.
1560
1561              For clients or instances running in point-to-point mode, it will
1562              contain the traffic statistics.
1563
1564       --status-version [n]
1565              Set the status file format version number to n.
1566
1567              This  only  affects the status file on servers with multi-client
1568              capability enabled.
1569
1570              1 -- traditional format (default). The client list contains  the
1571              following  fields  comma-separated:  Common  Name, Real Address,
1572              Bytes Received, Bytes Sent, Connected Since.
1573              2 -- a more reliable format for external processing. Compared to
1574              version 1, the client list contains some additional fields: Vir‐
1575              tual Address, Virtual IPv6 Address, Username,  Client  ID,  Peer
1576              ID.  Future versions may extend the number of fields.
1577              3 -- identical to 2, but fields are tab-separated.
1578
1579
1580       --mute n
1581              Log  at  most n consecutive messages in the same category.  This
1582              is useful to limit repetitive logging of similar message types.
1583
1584       --compress [algorithm]
1585              Enable a compression algorithm.
1586
1587              The algorithm parameter may be "lzo", "lz4", or empty.  LZO  and
1588              LZ4  are  different  compression  algorithms, with LZ4 generally
1589              offering the best performance with least CPU usage.   For  back‐
1590              wards compatibility with OpenVPN versions before v2.4, use "lzo"
1591              (which is identical to the older option "--comp-lzo yes").
1592
1593              If the algorithm parameter is empty, compression will be  turned
1594              off,  but  the  packet  framing  for  compression  will still be
1595              enabled, allowing a different setting to be pushed later.
1596
1597              Security Considerations
1598
1599              Compression and encryption  is  a  tricky  combination.   If  an
1600              attacker knows or is able to control (parts of) the plaintext of
1601              packets that contain secrets, the  attacker  might  be  able  to
1602              extract  the  secret  if  compression  is enabled.  See e.g. the
1603              CRIME and BREACH attacks on TLS which also leverage  compression
1604              to  break  encryption.   If  you  are not entirely sure that the
1605              above does not apply to your traffic, you are advised  to  *not*
1606              enable compression.
1607
1608
1609       --comp-lzo [mode]
1610              DEPRECATED  This  option  will  be  removed  in a future OpenVPN
1611              release.  Use the newer --compress instead.
1612
1613              Use LZO compression -- may add up  to  1  byte  per  packet  for
1614              incompressible  data.   mode  may  be "yes", "no", or "adaptive"
1615              (default).
1616
1617              In a server mode setup, it is possible to selectively turn  com‐
1618              pression on or off for individual clients.
1619
1620              First,  make  sure the client-side config file enables selective
1621              compression by having at least one --comp-lzo directive, such as
1622              --comp-lzo  no.   This will turn off compression by default, but
1623              allow a future directive push from  the  server  to  dynamically
1624              change the on/off/adaptive setting.
1625
1626              Next in a --client-config-dir file, specify the compression set‐
1627              ting for the client, for example:
1628
1629                  comp-lzo yes
1630                  push "comp-lzo yes"
1631
1632              The first line sets the comp-lzo setting for the server side  of
1633              the link, the second sets the client side.
1634
1635       --comp-noadapt
1636              When  used in conjunction with --comp-lzo, this option will dis‐
1637              able OpenVPN's adaptive compression algorithm.  Normally,  adap‐
1638              tive compression is enabled with --comp-lzo.
1639
1640              Adaptive  compression  tries to optimize the case where you have
1641              compression enabled, but you are  sending  predominantly  incom‐
1642              pressible  (or  pre-compressed) packets over the tunnel, such as
1643              an FTP or rsync transfer of  a  large,  compressed  file.   With
1644              adaptive  compression, OpenVPN will periodically sample the com‐
1645              pression process to measure its efficiency.  If the  data  being
1646              sent  over  the  tunnel  is  already compressed, the compression
1647              efficiency will be very low, triggering openvpn to disable  com‐
1648              pression for a period of time until the next re-sample test.
1649
1650       --management socket-name unix [pw-file]      (recommended)
1651       --management IP port [pw-file]
1652              Enable a management server on a socket-name Unix socket on those
1653              platforms supporting it, or on a designated TCP port.
1654
1655              pw-file , if specified, is a password file  where  the  password
1656              must  be  on  first  line.  Instead of a filename it can use the
1657              keyword stdin which will prompt the user for a password  to  use
1658              when OpenVPN is starting.
1659
1660              For  unix  sockets, the  default  behaviour  is to create a unix
1661              domain socket that may be connected to by any process.  Use  the
1662              --management-client-user  and  --management-client-group  direc‐
1663              tives to restrict access.
1664
1665              The management interface provides a special mode where  the  TCP
1666              management  link  can operate over the tunnel itself.  To enable
1667              this mode, set IP to tunnel.  Tunnel mode will cause  the   man‐
1668              agement  interface  to  listen for a TCP connection on the local
1669              VPN address of the TUN/TAP interface.
1670
1671              BEWARE of enabling the management interface over TCP.  In  these
1672              cases  you should ALWAYS make use of pw-file to password protect
1673              the management interface.  Any user who can connect to this  TCP
1674              IP:port  will be able to manage and control (and interfere with)
1675              the OpenVPN process.  It is also strongly recommended to set  IP
1676              to  127.0.0.1  (localhost) to restrict accessibility of the man‐
1677              agement server to local clients.
1678
1679              While the management port is designed for  programmatic  control
1680              of  OpenVPN  by  other applications, it is possible to telnet to
1681              the port, using a telnet client in "raw" mode.  Once  connected,
1682              type "help" for a list of commands.
1683
1684              For  detailed documentation on the management interface, see the
1685              management-notes.txt file in the management folder of the  Open‐
1686              VPN source distribution.
1687
1688
1689       --management-client
1690              Management interface will connect as a TCP/unix domain client to
1691              IP:port specified by --management rather than listen  as  a  TCP
1692              server or on a unix domain socket.
1693
1694              If  the client connection fails to connect or is disconnected, a
1695              SIGTERM signal will be generated causing OpenVPN to quit.
1696
1697       --management-query-passwords
1698              Query  management  channel  for   private   key   password   and
1699              --auth-user-pass  username/password.   Only query the management
1700              channel for inputs which ordinarily would have been queried from
1701              the console.
1702
1703       --management-query-proxy
1704              Query management channel for proxy server information for a spe‐
1705              cific --remote (client-only).
1706
1707       --management-query-remote
1708              Allow  management  interface  to  override  --remote  directives
1709              (client-only).
1710
1711       --management-external-key
1712              Allows  usage  for  external  private  key file instead of --key
1713              option (client-only).
1714
1715       --management-external-cert certificate-hint
1716              Allows usage for external certificate instead of  --cert  option
1717              (client-only).  certificate-hint is an arbitrary string which is
1718              passed to a  management  interface  client  as  an  argument  of
1719              NEED-CERTIFICATE   notification.   Requires  --management-exter‐
1720              nal-key.
1721
1722       --management-forget-disconnect
1723              Make OpenVPN forget passwords when  management  session  discon‐
1724              nects.
1725
1726              This  directive  does not affect the --http-proxy username/pass‐
1727              word.  It is always cached.
1728
1729       --management-hold
1730              Start OpenVPN in a hibernating state, until a client of the man‐
1731              agement  interface  explicitly  starts  it with the hold release
1732              command.
1733
1734       --management-signal
1735              Send SIGUSR1 signal to OpenVPN  if  management  session  discon‐
1736              nects.   This  is  useful when you wish to disconnect an OpenVPN
1737              session on user logoff. For --management-client this  option  is
1738              not needed since a disconnect will always generate a SIGTERM.
1739
1740       --management-log-cache n
1741              Cache  the  most recent n lines of log file history for usage by
1742              the management channel.
1743
1744       --management-up-down
1745              Report tunnel up/down events to management interface.
1746
1747       --management-client-auth
1748              Gives management interface client the responsibility to  authen‐
1749              ticate clients after their client certificate has been verified.
1750              See management-notes.txt in OpenVPN  distribution  for  detailed
1751              notes.
1752
1753       --management-client-pf
1754              Management  interface  clients must specify a packet filter file
1755              for each connecting client.  See management-notes.txt in OpenVPN
1756              distribution for detailed notes.
1757
1758       --management-client-user u
1759              When  the  management  interface  is  listening on a unix domain
1760              socket, only allow connections from user u.
1761
1762       --management-client-group g
1763              When the management interface is  listening  on  a  unix  domain
1764              socket, only allow connections from group g.
1765
1766       --plugin module-pathname [init-string]
1767              Load  plug-in  module  from  the  file  module-pathname, passing
1768              init-string as an argument to the  module  initialization  func‐
1769              tion.   Multiple  plugin  modules may be loaded into one OpenVPN
1770              process.
1771
1772              The module-pathname argument can be just a filename or  a  file‐
1773              name  with a relative or absolute path.  The format of the file‐
1774              name and path defines if the  plug-in  will  be  loaded  from  a
1775              default plug-in directory or outside this directory.
1776
1777                  --plugin path        Effective directory used
1778                  ====================================================
1779                   myplug.so            DEFAULT_DIR/myplug.so
1780                   subdir/myplug.so     DEFAULT_DIR/subdir/myplug.so
1781                   ./subdir/myplug.so   CWD/subdir/myplug.so
1782                   /usr/lib/my/plug.so  /usr/lib/my/plug.so
1783
1784              DEFAULT_DIR  is replaced by the default plug-in directory, which
1785              is configured at the build time of OpenVPN.  CWD is the  current
1786              directory  where  OpenVPN  was  started or the directory OpenVPN
1787              have swithed into  via  the  --cd  option  before  the  --plugin
1788              option.
1789
1790              For  more  information  and  examples  on  how  to build OpenVPN
1791              plug-in modules, see the README file in the plugin folder of the
1792              OpenVPN source distribution.
1793
1794              If you are using an RPM install of OpenVPN, see /usr/lib64/open‐
1795              vpn/plugin.  The documentation is in doc and the  actual  plugin
1796              modules are in lib.
1797
1798              Multiple plugin modules can be cascaded, and modules can be used
1799              in tandem with scripts.  The modules will be called  by  OpenVPN
1800              in the order that they are declared in the config file.  If both
1801              a plugin and script are configured for the  same  callback,  the
1802              script  will  be  called  last.   If the return code of the mod‐
1803              ule/script controls an authentication function (such as tls-ver‐
1804              ify,  auth-user-pass-verify, or client-connect), then every mod‐
1805              ule and script must return success (0) in order for the  connec‐
1806              tion to be authenticated.
1807
1808       --keying-material-exporter label len
1809              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
1810              between  16  and  4095  bytes)  using   label   in   environment
1811              (exported_keying_material)  for  use by plugins in OPENVPN_PLUG‐
1812              IN_TLS_FINAL callback.
1813
1814              Note that exporter labels have the  potential  to  collide  with
1815              existing PRF labels. In order to prevent this, labels MUST begin
1816              with "EXPORTER".
1817
1818              This option requires OpenSSL 1.0.1 or newer.
1819
1820   Server Mode
1821       Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode  is  sup‐
1822       ported,  and  can  be enabled with the --mode server option.  In server
1823       mode, OpenVPN will listen on a single port for incoming client  connec‐
1824       tions.   All  client connections will be routed through a single tun or
1825       tap interface.  This mode is designed for  scalability  and  should  be
1826       able  to  support hundreds or even thousands of clients on sufficiently
1827       fast hardware.  SSL/TLS authentication must be used in this mode.
1828
1829       --server network netmask ['nopool']
1830              A helper directive designed to  simplify  the  configuration  of
1831              OpenVPN's  server  mode.   This directive will set up an OpenVPN
1832              server which will allocate addresses to clients out of the given
1833              network/netmask.   The  server itself will take the ".1" address
1834              of the given network for use as the server-side endpoint of  the
1835              local TUN/TAP interface.
1836
1837              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1838
1839                   mode server
1840                   tls-server
1841                   push "topology [topology]"
1842
1843                   if dev tun AND (topology == net30 OR topology == p2p):
1844                     ifconfig 10.8.0.1 10.8.0.2
1845                     if !nopool:
1846                       ifconfig-pool 10.8.0.4 10.8.0.251
1847                     route 10.8.0.0 255.255.255.0
1848                     if client-to-client:
1849                       push "route 10.8.0.0 255.255.255.0"
1850                     else if topology == net30:
1851                       push "route 10.8.0.1"
1852
1853                   if dev tap OR (dev tun AND topology == subnet):
1854                     ifconfig 10.8.0.1 255.255.255.0
1855                     if !nopool:
1856                       ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1857                     push "route-gateway 10.8.0.1"
1858                     if route-gateway unset:
1859                       route-gateway 10.8.0.2
1860
1861
1862              Don't   use   --server   if  you  are  ethernet  bridging.   Use
1863              --server-bridge instead.
1864
1865       --server-bridge gateway netmask pool-start-IP pool-end-IP
1866
1867       --server-bridge ['nogw']
1868
1869              A helper directive similar to --server which is designed to sim‐
1870              plify  the  configuration  of  OpenVPN's server mode in ethernet
1871              bridging configurations.
1872
1873              If --server-bridge is  used  without  any  parameters,  it  will
1874              enable  a DHCP-proxy mode, where connecting OpenVPN clients will
1875              receive an IP address for their TAP adapter from the DHCP server
1876              running  on the OpenVPN server-side LAN.  Note that only clients
1877              that support the binding of a DHCP client with the  TAP  adapter
1878              (such as Windows) can support this mode.  The optional nogw flag
1879              (advanced) indicates that  gateway  information  should  not  be
1880              pushed to the client.
1881
1882              To  configure  ethernet  bridging,  you must first use your OS's
1883              bridging capability to bridge the TAP interface with the  ether‐
1884              net  NIC interface.  For example, on Linux this is done with the
1885              brctl tool, and with Windows XP it is done in the  Network  Con‐
1886              nections  Panel  by  selecting the ethernet and TAP adapters and
1887              right-clicking on "Bridge Connections".
1888
1889              Next you you must manually set  the  IP/netmask  on  the  bridge
1890              interface.     The    gateway    and   netmask   parameters   to
1891              --server-bridge can be set  to  either  the  IP/netmask  of  the
1892              bridge  interface,  or  the  IP/netmask  of  the  default  gate‐
1893              way/router on the bridged subnet.
1894
1895              Finally, set aside a IP range in the bridged subnet, denoted  by
1896              pool-start-IP  and  pool-end-IP, for OpenVPN to allocate to con‐
1897              necting clients.
1898
1899              For example,  server-bridge  10.8.0.4  255.255.255.0  10.8.0.128
1900              10.8.0.254 expands as follows:
1901
1902                  mode server
1903                  tls-server
1904
1905                  ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1906                  push "route-gateway 10.8.0.4"
1907
1908              In another example, --server-bridge (without parameters) expands
1909              as follows:
1910
1911                  mode server
1912                  tls-server
1913
1914                  push "route-gateway dhcp"
1915
1916              Or --server-bridge nogw expands as follows:
1917
1918                  mode server
1919                  tls-server
1920
1921       --push option
1922              Push a config file option back to the client for  remote  execu‐
1923              tion.   Note that option must be enclosed in double quotes ("").
1924              The client must specify --pull in its config file.  The  set  of
1925              options  which  can be pushed is limited by both feasibility and
1926              security.  Some  options  such  as  those  which  would  execute
1927              scripts are banned, since they would effectively allow a compro‐
1928              mised server to execute arbitrary code  on  the  client.   Other
1929              options  such  as TLS or MTU parameters cannot be pushed because
1930              the client needs to know  them  before  the  connection  to  the
1931              server can be initiated.
1932
1933              This is a partial list of options which can currently be pushed:
1934              --route,  --route-gateway,  --route-delay,   --redirect-gateway,
1935              --ip-win32,   --dhcp-option,  --inactive,  --ping,  --ping-exit,
1936              --ping-restart, --setenv,  --auth-token,  --persist-key,  --per‐
1937              sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1938
1939       --push-reset
1940              Don't  inherit  the  global  push  list  for  a  specific client
1941              instance.  Specify this option in a client-specific context such
1942              as  with  a --client-config-dir configuration file.  This option
1943              will ignore --push options at the global config file level.
1944
1945       --push-remove opt
1946              selectively remove all --push options matching  "opt"  from  the
1947              option  list  for  a  client.   "opt"  is matched as a substring
1948              against the whole option string to-be-pushed to the  client,  so
1949              --push-remove  route  would  remove  all  --push  route ...  and
1950              --push   route-ipv6   ...    statements,   while   --push-remove
1951              'route-ipv6  2001:'  would  only remove IPv6 routes for 2001:...
1952              networks.
1953
1954              --push-remove can only be used  in  a  client-specific  context,
1955              like  in  a --client-config-dir file, or --client-connect script
1956              or plugin -- similar to --push-reset, just more selective.
1957
1958              NOTE: to change an option, --push-remove can be  used  to  first
1959              remove  the old value, and then add a new --push option with the
1960              new value.
1961
1962       --push-peer-info
1963              Push additional information about the  client  to  server.   The
1964              following data is always pushed to the server:
1965
1966              IV_VER=<version> -- the client OpenVPN version
1967
1968              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]   --  the
1969              client OS platform
1970
1971              IV_LZO_STUB=1 -- if client was built with LZO stub capability
1972
1973              IV_LZ4=1 -- if the client supports LZ4 compressions.
1974
1975              IV_PROTO=2 -- if the client supports peer-id floating mechansim
1976
1977              IV_NCP=2 -- negotiable ciphers, client supports --cipher  pushed
1978              by the server, a value of 2 or greater indicates client supports
1979              AES-GCM-128 and AES-GCM-256.
1980
1981              IV_GUI_VER=<gui_id> <version> -- the UI version of a UI  if  one
1982              is  running,  for  example  "de.blinkt.openvpn  0.5.47"  for the
1983              Android app.
1984
1985              When --push-peer-info is enabled the additional information con‐
1986              sists of the following data:
1987
1988              IV_HWADDR=<mac  address>  --  the MAC address of clients default
1989              gateway
1990
1991              IV_SSL=<version string> -- the ssl version used by  the  client,
1992              e.g. "OpenSSL 1.0.2f 28 Jan 2016".
1993
1994              IV_PLAT_VER=x.y  - the version of the operating system, e.g. 6.1
1995              for Windows 7.
1996
1997              UV_<name>=<value> -- client environment  variables  whose  names
1998              start with "UV_"
1999
2000       --disable
2001              Disable a particular client (based on the common name) from con‐
2002              necting.  Don't use this option to disable a client due  to  key
2003              or password compromise.  Use a CRL (certificate revocation list)
2004              instead (see the --crl-verify option).
2005
2006              This option must be associated with a specific client  instance,
2007              which  means  that  it  must  be  specified  either  in a client
2008              instance config file using  --client-config-dir  or  dynamically
2009              generated using a --client-connect script.
2010
2011       --ifconfig-pool start-IP end-IP [netmask]
2012              Set  aside a pool of subnets to be dynamically allocated to con‐
2013              necting clients, similar to a DHCP server.  For  tun-style  tun‐
2014              nels, each client will be given a /30 subnet (for interoperabil‐
2015              ity with Windows clients).  For  tap-style  tunnels,  individual
2016              addresses  will be allocated, and the optional netmask parameter
2017              will also be pushed to clients.
2018
2019
2020       --ifconfig-pool-persist file [seconds]
2021              Persist/unpersist ifconfig-pool data to file, at seconds  inter‐
2022              vals (default=600), as well as on program startup and shutdown.
2023
2024              The  goal  of  this option is to provide a long-term association
2025              between clients (denoted by their common name) and  the  virtual
2026              IP address assigned to them from the ifconfig-pool.  Maintaining
2027              a long-term association is good for clients  because  it  allows
2028              them to effectively use the --persist-tun option.
2029
2030              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
2031              mon-Name>,<IP-address>.
2032
2033              If seconds = 0, file will be treated as read-only.  This is use‐
2034              ful if you would like to treat file as a configuration file.
2035
2036              Note  that  the  entries  in this file are treated by OpenVPN as
2037              suggestions only, based on past associations  between  a  common
2038              name  and IP address.  They do not guarantee that the given com‐
2039              mon name will always receive the given IP address.  If you  want
2040              guaranteed assignment, use --ifconfig-push
2041
2042
2043       --ifconfig-pool-linear
2044              DEPRECATED This option will be removed in OpenVPN 2.5
2045
2046              Modifies  the  --ifconfig-pool  directive to allocate individual
2047              TUN interface addresses for clients  rather  than  /30  subnets.
2048              NOTE:  This option is incompatible with Windows clients.
2049
2050              This  option is deprecated, and should be replaced with --topol‐
2051              ogy p2p which is functionally equivalent.
2052
2053       --ifconfig-push local remote-netmask [alias]
2054              Push virtual IP endpoints  for  client  tunnel,  overriding  the
2055              --ifconfig-pool dynamic allocation.
2056
2057              The parameters local and remote-netmask are set according to the
2058              --ifconfig directive which you want to  execute  on  the  client
2059              machine  to  configure  the remote end of the tunnel.  Note that
2060              the parameters local and remote-netmask are from the perspective
2061              of  the  client,  not  the server.  They may be DNS names rather
2062              than IP addresses, in which case they will be  resolved  on  the
2063              server at the time of client connection.
2064
2065              The  optional  alias  parameter  may  be used in cases where NAT
2066              causes the client view of its local endpoint to differ from  the
2067              server  view.   In  this case local/remote-netmask will refer to
2068              the server view while alias/remote-netmask  will  refer  to  the
2069              client view.
2070
2071              This  option must be associated with a specific client instance,
2072              which means that  it  must  be  specified  either  in  a  client
2073              instance  config  file  using --client-config-dir or dynamically
2074              generated using a --client-connect script.
2075
2076              Remember also to include a --route directive in the main OpenVPN
2077              config  file  which encloses local, so that the kernel will know
2078              to route it to the server's TUN/TAP interface.
2079
2080              OpenVPN's internal client IP address selection  algorithm  works
2081              as follows:
2082
2083              1  --  Use  --client-connect script generated file for static IP
2084              (first choice).
2085              2 -- Use --client-config-dir file for static IP (next choice).
2086              3  --  Use  --ifconfig-pool  allocation  for  dynamic  IP  (last
2087              choice).
2088
2089       --iroute network [netmask]
2090              Generate  an  internal  route  to a specific client. The netmask
2091              parameter, if omitted, defaults to 255.255.255.255.
2092
2093              This directive can be used to route  a  fixed  subnet  from  the
2094              server to a particular client, regardless of where the client is
2095              connecting from.  Remember that you must also add the  route  to
2096              the  system  routing table as well (such as by using the --route
2097              directive).  The reason why two routes are needed  is  that  the
2098              --route  directive routes the packet from the kernel to OpenVPN.
2099              Once in OpenVPN, the --iroute directive routes to  the  specific
2100              client.
2101
2102              This option must be specified either in a client instance config
2103              file using --client-config-dir or dynamically generated using  a
2104              --client-connect script.
2105
2106              The  --iroute  directive  also has an important interaction with
2107              --push "route ...".  --iroute essentially defines a subnet which
2108              is  owned  by  a particular client (we will call this client A).
2109              If you would like other clients to be able to reach A's  subnet,
2110              you can use --push "route ..."  together with --client-to-client
2111              to effect this.  In order for all clients  to  see  A's  subnet,
2112              OpenVPN  must push this route to all clients EXCEPT for A, since
2113              the subnet is already owned by A.  OpenVPN accomplishes this  by
2114              not  not  pushing  a  route to a client if it matches one of the
2115              client's iroutes.
2116
2117       --client-to-client
2118              Because the OpenVPN server mode handles multiple clients through
2119              a  single tun or tap interface, it is effectively a router.  The
2120              --client-to-client  flag  tells  OpenVPN  to  internally   route
2121              client-to-client  traffic  rather than pushing all client-origi‐
2122              nating traffic to the TUN/TAP interface.
2123
2124              When this option is used,  each  client  will  "see"  the  other
2125              clients  which  are currently connected.  Otherwise, each client
2126              will only see the server.  Don't use this option if you want  to
2127              firewall tunnel traffic using custom, per-client rules.
2128
2129       --duplicate-cn
2130              Allow multiple clients with the same common name to concurrently
2131              connect.  In the absence of this option, OpenVPN will disconnect
2132              a  client  instance  upon  connection of a new client having the
2133              same common name.
2134
2135       --client-connect cmd
2136              Run command cmd on client connection.
2137
2138              cmd consists of  a  path  to  script  (or  executable  program),
2139              optionally  followed by arguments. The path and arguments may be
2140              single- or double-quoted and/or escaped using a  backslash,  and
2141              should be separated by one or more spaces.
2142
2143              The  command  is  passed  the  common name and IP address of the
2144              just-authenticated client as environmental variables (see  envi‐
2145              ronmental  variable  section below).  The command is also passed
2146              the pathname of a freshly created temporary  file  as  the  last
2147              argument  (after any arguments specified in cmd ), to be used by
2148              the command to pass dynamically generated config file directives
2149              back to OpenVPN.
2150
2151              If  the  script  wants  to  generate a dynamic config file to be
2152              applied on the server when the client connects, it should  write
2153              it to the file named by the last argument.
2154
2155              See  the  --client-config-dir option below for options which can
2156              be legally used in a dynamically generated config file.
2157
2158              Note that the return value of script is significant.  If  script
2159              returns  a non-zero error status, it will cause the client to be
2160              disconnected.
2161
2162       --client-disconnect cmd
2163              Like --client-connect but called on  client  instance  shutdown.
2164              Will  not be called unless the --client-connect script and plug‐
2165              ins (if defined) were previously called on  this  instance  with
2166              successful (0) status returns.
2167
2168              The exception to this rule is if the --client-disconnect command
2169              or plugins are cascaded, and at least one  client-connect  func‐
2170              tion  succeeded, then ALL of the client-disconnect functions for
2171              scripts and plugins will be called  on  client  instance  object
2172              deletion, even in cases where some of the related client-connect
2173              functions returned an error status.
2174
2175              The --client-disconnect command is passed the same  pathname  as
2176              the corresponding --client-connect command as its last argument.
2177              (after any arguments specified in cmd ).
2178
2179       --client-config-dir dir
2180              Specify a directory dir for custom client config files.  After a
2181              connecting  client  has been authenticated, OpenVPN will look in
2182              this directory for a file having the same name as  the  client's
2183              X509  common name.  If a matching file exists, it will be opened
2184              and parsed for client-specific  configuration  options.   If  no
2185              matching  file  is  found,  OpenVPN will instead try to open and
2186              parse a default file called "DEFAULT", which may be provided but
2187              is not required. Note that the configuration files must be read‐
2188              able by the OpenVPN process after it has dropped it's root priv‐
2189              ileges.
2190
2191              This  file  can  specify  a  fixed IP address for a given client
2192              using --ifconfig-push, as well as fixed  subnets  owned  by  the
2193              client using --iroute.
2194
2195              One  of  the  useful properties of this option is that it allows
2196              client configuration files to be conveniently  created,  edited,
2197              or  removed while the server is live, without needing to restart
2198              the server.
2199
2200              The following options are legal in  a  client-specific  context:
2201              --push,  --push-reset, --push-remove, --iroute, --ifconfig-push,
2202              and --config.
2203
2204       --ccd-exclusive
2205              Require, as a condition of  authentication,  that  a  connecting
2206              client has a --client-config-dir file.
2207
2208       --tmp-dir dir
2209              Specify  a  directory  dir  for temporary files.  This directory
2210              will be used by openvpn processes and script to communicate tem‐
2211              porary  data  with openvpn main process. Note that the directory
2212              must be writable by the OpenVPN process  after  it  has  dropped
2213              it's root privileges.
2214
2215              This directory will be used by in the following cases:
2216
2217              *  --client-connect  scripts to dynamically generate client-spe‐
2218              cific configuration files.
2219
2220              * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  plugin  hook  to  return
2221              success/failure  via  auth_control_file when using deferred auth
2222              method
2223
2224              * OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass  filtering  rules
2225              via pf_file
2226
2227       --hash-size r v
2228              Set the size of the real address hash table to r and the virtual
2229              address table to v.  By default, both tables are  sized  at  256
2230              buckets.
2231
2232       --bcast-buffers n
2233              Allocate n buffers for broadcast datagrams (default=256).
2234
2235       --tcp-queue-limit n
2236              Maximum number of output packets queued before TCP (default=64).
2237
2238              When OpenVPN is tunneling data from a TUN/TAP device to a remote
2239              client over a TCP connection, it is possible  that  the  TUN/TAP
2240              device  might produce data at a faster rate than the TCP connec‐
2241              tion can support.  When the  number  of  output  packets  queued
2242              before  sending to the TCP socket reaches this limit for a given
2243              client connection, OpenVPN will start to drop  outgoing  packets
2244              directed at this client.
2245
2246       --tcp-nodelay
2247              This  macro  sets  the  TCP_NODELAY socket flag on the server as
2248              well as pushes it to connecting clients.  The  TCP_NODELAY  flag
2249              disables  the  Nagle algorithm on TCP sockets causing packets to
2250              be transmitted immediately with low latency, rather than waiting
2251              a  short  period  of  time in order to aggregate several packets
2252              into a larger containing packet.  In VPN applications over  TCP,
2253              TCP_NODELAY is generally a good latency optimization.
2254
2255              The macro expands as follows:
2256
2257                   if mode server:
2258                     socket-flags TCP_NODELAY
2259                     push "socket-flags TCP_NODELAY"
2260
2261       --max-clients n
2262              Limit server to a maximum of n concurrent clients.
2263
2264       --max-routes-per-client n
2265              Allow  a  maximum of n internal routes per client (default=256).
2266              This is designed to help contain DoS attacks where an  authenti‐
2267              cated  client  floods  the server with packets appearing to come
2268              from many unique MAC addresses, forcing the  server  to  deplete
2269              virtual  memory  as  its  internal  routing table expands.  This
2270              directive can be used in a --client-config-dir file or auto-gen‐
2271              erated by a --client-connect script to override the global value
2272              for a particular client.
2273
2274              Note that this directive affects OpenVPN's internal routing  ta‐
2275              ble, not the kernel routing table.
2276
2277       --stale-routes-check n [t]
2278              Remove  routes haven't had activity for n seconds (i.e. the age‐
2279              ing time).
2280
2281              This check is ran every t seconds (i.e. check interval).
2282
2283              If t is not present it defaults to n
2284
2285              This option helps to keep the dynamic routing table small.   See
2286              also --max-routes-per-client
2287
2288       --connect-freq n sec
2289              Allow  a  maximum  of  n  new  connections  per sec seconds from
2290              clients.  This is designed to contain DoS  attacks  which  flood
2291              the  server  with  connection  requests using certificates which
2292              will ultimately fail to authenticate.
2293
2294              This is an imperfect solution however, because  in  a  real  DoS
2295              scenario, legitimate connections might also be refused.
2296
2297              For  the best protection against DoS attacks in server mode, use
2298              --proto udp and either --tls-auth or --tls-crypt.
2299
2300       --learn-address cmd
2301              Run command cmd to validate client virtual addresses or routes.
2302
2303              cmd consists of  a  path  to  script  (or  executable  program),
2304              optionally  followed by arguments. The path and arguments may be
2305              single- or double-quoted and/or escaped using a  backslash,  and
2306              should be separated by one or more spaces.
2307
2308              Three arguments will be appended to any arguments in cmd as fol‐
2309              lows:
2310
2311              [1] operation -- "add", "update", or "delete" based  on  whether
2312              or  not the address is being added to, modified, or deleted from
2313              OpenVPN's internal routing table.
2314              [2] address -- The address being learned or unlearned.  This can
2315              be  an IPv4 address such as "198.162.10.14", an IPv4 subnet such
2316              as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
2317              is being used) such as "00:FF:01:02:03:04".
2318              [3] common name -- The common name on the certificate associated
2319              with the client linked to this address.  Only present for  "add"
2320              or "update" operations, not "delete".
2321
2322              On  "add"  or  "update" methods, if the script returns a failure
2323              code (non-zero), OpenVPN will reject the address  and  will  not
2324              modify its internal routing table.
2325
2326              Normally, the cmd script will use the information provided above
2327              to set appropriate firewall entries on the  VPN  TUN/TAP  inter‐
2328              face.  Since OpenVPN provides the association between virtual IP
2329              or MAC address and the client's authenticated  common  name,  it
2330              allows  a user-defined script to configure firewall access poli‐
2331              cies with regard to the client's high-level common name,  rather
2332              than the low level client virtual addresses.
2333
2334       --auth-user-pass-verify cmd method
2335              Require  the  client to provide a username/password (possibly in
2336              addition to a client certificate) for authentication.
2337
2338              OpenVPN will run command cmd to validate  the  username/password
2339              provided by the client.
2340
2341              cmd  consists  of  a  path  to  script  (or executable program),
2342              optionally followed by arguments. The path and arguments may  be
2343              single-  or  double-quoted and/or escaped using a backslash, and
2344              should be separated by one or more spaces.
2345
2346              If method is set to "via-env", OpenVPN will call script with the
2347              environmental  variables  username and password set to the user‐
2348              name/password strings provided by the  client.   Be  aware  that
2349              this  method  is insecure on some platforms which make the envi‐
2350              ronment of a process publicly visible to other unprivileged pro‐
2351              cesses.
2352
2353              If  method is set to "via-file", OpenVPN will write the username
2354              and password to the first two lines of a  temporary  file.   The
2355              filename  will  be passed as an argument to script, and the file
2356              will be  automatically  deleted  by  OpenVPN  after  the  script
2357              returns.   The  location  of the temporary file is controlled by
2358              the --tmp-dir option, and will default to the current  directory
2359              if  unspecified.   For security, consider setting --tmp-dir to a
2360              volatile storage medium such as /dev/shm (if available) to  pre‐
2361              vent the username/password file from touching the hard drive.
2362
2363              The script should examine the username and password, returning a
2364              success exit code (0) if the client's authentication request  is
2365              to be accepted, or a failure code (1) to reject the client.
2366
2367              This  directive  is  designed to enable a plugin-style interface
2368              for extending OpenVPN's authentication capabilities.
2369
2370              To protect against a client passing a maliciously  formed  user‐
2371              name  or  password string, the username string must consist only
2372              of these characters: alphanumeric, underbar ('_'),  dash  ('-'),
2373              dot  ('.'), or at ('@').  The password string can consist of any
2374              printable characters except for CR or LF.  Any  illegal  charac‐
2375              ters in either the username or password string will be converted
2376              to underbar ('_').
2377
2378              Care must be taken by any user-defined scripts to avoid creating
2379              a  security vulnerability in the way that these strings are han‐
2380              dled.  Never use these strings in such a way that they might  be
2381              escaped or evaluated by a shell interpreter.
2382
2383              For  a  sample script that performs PAM authentication, see sam‐
2384              ple-scripts/auth-pam.pl in the OpenVPN source distribution.
2385
2386       --auth-gen-token [lifetime]
2387              After  successful  user/password  authentication,  the   OpenVPN
2388              server will with this option generate a temporary authentication
2389              token and push that to client.  On the following renegotiations,
2390              the  OpenVPN  client  will  pass this token instead of the users
2391              password.  On the server side  the  server  will  do  the  token
2392              authentication  internally  and  it  will  NOT do any additional
2393              authentications  against   configured   external   user/password
2394              authentication mechanisms.
2395
2396              The  lifetime  argument  defines how long the generated token is
2397              valid.  The lifetime is defined in seconds.  If lifetime is  not
2398              set or it is set to 0, the token will never expire.
2399
2400              This  feature  is useful for environments which is configured to
2401              use One Time  Passwords  (OTP)  as  part  of  the  user/password
2402              authentications  and  that  authentication  mechanism  does  not
2403              implement any auth-token support.
2404
2405       --opt-verify
2406              Clients that connect with options  that  are  incompatible  with
2407              those of the server will be disconnected.
2408
2409              Options   that   will  be  compared  for  compatibility  include
2410              dev-type, link-mtu, tun-mtu, proto,  ifconfig,  comp-lzo,  frag‐
2411              ment,  keydir,  cipher, auth, keysize, secret, no-replay, no-iv,
2412              tls-auth, key-method, tls-server, and tls-client.
2413
2414              This option requires that --disable-occ NOT be used.
2415
2416       --auth-user-pass-optional
2417              Allow connections  by  clients  that  do  not  specify  a  user‐
2418              name/password.  Normally, when --auth-user-pass-verify or --man‐
2419              agement-client-auth is specified (or  an  authentication  plugin
2420              module),  the  OpenVPN  server  daemon  will  require connecting
2421              clients to specify a username and password.  This  option  makes
2422              the submission of a username/password by clients optional, pass‐
2423              ing the responsibility to the user-defined  authentication  mod‐
2424              ule/script  to  accept or deny the client based on other factors
2425              (such as the setting of X509  certificate  fields).   When  this
2426              option  is used, and a connecting client does not submit a user‐
2427              name/password,  the  user-defined  authentication  module/script
2428              will see the username and password as being set to empty strings
2429              ("").  The  authentication  module/script  MUST  have  logic  to
2430              detect this condition and respond accordingly.
2431
2432       --client-cert-not-required
2433              DEPRECATED This option will be removed in OpenVPN 2.5
2434
2435              Don't require client certificate, client will authenticate using
2436              username/password only.  Be aware that using this  directive  is
2437              less secure than requiring certificates from all clients.
2438
2439              Please  note:  This  is  replaced  by --verify-client-cert which
2440              allows for more  flexibility.  The  option  --verify-client-cert
2441              none is functionally equivalent to --client-cert-not-required
2442
2443
2444       --verify-client-cert none|optional|require
2445              Specify  whether  the  client is required to supply a valid cer‐
2446              tificate.
2447
2448              Possible options are
2449
2450              none : a client certificate is not required. the client need  to
2451              authenticate  using username/password only.  Be aware that using
2452              this directive is less secure than requiring  certificates  from
2453              all clients.
2454
2455              If  you use this directive, the entire responsibility of authen‐
2456              tication will rest on your  --auth-user-pass-verify  script,  so
2457              keep  in mind that bugs in your script could potentially compro‐
2458              mise the security of your VPN.
2459
2460              --verify-client-cert  none   is   functionally   equivalent   to
2461              --client-cert-not-required.
2462
2463              optional  :  a  client  may  present a certificate but it is not
2464              required to do so.  When using this directive, you  should  also
2465              use  a --auth-user-pass-verify script to ensure that clients are
2466              authenticated using a certificate, a username and  password,  or
2467              possibly even both.
2468
2469              Again,  the entire responsibility of authentication will rest on
2470              your --auth-user-pass-verify script, so keep in mind  that  bugs
2471              in your script could potentially compromise the security of your
2472              VPN.
2473
2474              require : this is the default option. A client  is  required  to
2475              present a certificate, otherwise VPN access is refused.
2476
2477              If  you  don't  use  this directive (or use --verify-client-cert
2478              require  )  but  you  also  specify  an  --auth-user-pass-verify
2479              script,  then  OpenVPN  will perform double authentication.  The
2480              client certificate verification AND the  --auth-user-pass-verify
2481              script  will need to succeed in order for a client to be authen‐
2482              ticated and accepted onto the VPN.
2483
2484       --username-as-common-name
2485              For --auth-user-pass-verify authentication,  use  the  authenti‐
2486              cated  username  as the common name, rather than the common name
2487              from the client cert.
2488
2489       --compat-names [no-remapping]
2490              DEPRECATED This option will be removed in OpenVPN 2.5
2491
2492              Until OpenVPN v2.3 the format of the X.509  Subject  fields  was
2493              formatted like this:
2494
2495              /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
2496
2497              In  addition  the old behaviour was to remap any character other
2498              than alphanumeric, underscore ('_'), dash ('-'), dot ('.'),  and
2499              slash  ('/')  to  underscore ('_').  The X.509 Subject string as
2500              returned by the tls_id environmental variable,  could  addition‐
2501              ally contain colon (':') or equal ('=').
2502
2503              When  using  the  --compat-names option, this old formatting and
2504              remapping will be re-enabled again.  This is purely  implemented
2505              for  compatibility  reasons when using older plug-ins or scripts
2506              which does not handle the new formatting or UTF-8 characters.
2507
2508              In OpenVPN 2.3 the formatting of these  fields  changed  into  a
2509              more standardised format.  It now looks like:
2510
2511              C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
2512
2513              The new default format in OpenVPN 2.3 also does not do the char‐
2514              acter remapping which happened earlier.  This new format enables
2515              proper support for UTF-8 characters in the usernames, X.509 Sub‐
2516              ject fields and Common Name variables and it complies to the RFC
2517              2253, UTF-8 String Representation of Distinguished Names.
2518
2519              The  no-remapping  mode flag can be used with the --compat-names
2520              option to be compatible with the now deprecated --no-name-remap‐
2521              ping option.  It is only available at the server. When this mode
2522              flag is used, the Common Name, Subject, and username strings are
2523              allowed  to include any printable character including space, but
2524              excluding control characters such  as  tab,  newline,  and  car‐
2525              riage-return. no-remapping is only available on the server side.
2526
2527              Please  note: This option is immediately deprecated.  It is only
2528              implemented to make the transition to the  new  formatting  less
2529              intrusive.  It will be removed in OpenVPN 2.5.  So please update
2530              your scripts/plug-ins where necessary.
2531
2532       --no-name-remapping
2533              DEPRECATED This option will be removed in OpenVPN 2.5
2534
2535              The  --no-name-remapping  option  is   an   alias   for   --com‐
2536              pat-names no-remapping.   It  ensures  compatibility with server
2537              configurations using the --no-name-remapping option.
2538
2539              Please note: This option is now deprecated.  It will be  removed
2540              in  OpenVPN  2.5.  So please make sure you support the new X.509
2541              name formatting described with the --compat-names option as soon
2542              as possible.
2543
2544       --port-share host port [dir]
2545              When run in TCP server mode, share the OpenVPN port with another
2546              application, such as an HTTPS server.  If OpenVPN senses a  con‐
2547              nection  to  its  port which is using a non-OpenVPN protocol, it
2548              will proxy the connection to the server at host:port.  Currently
2549              only  designed to work with HTTP/HTTPS, though it would be theo‐
2550              retically possible to extend to other protocols such as ssh.
2551
2552              dir specifies an optional directory where a temporary file  with
2553              name  N  containing  content C will be dynamically generated for
2554              each proxy connection, where N is  the  source  IP:port  of  the
2555              client  connection and C is the source IP:port of the connection
2556              to the proxy receiver.  This directory can be used as a  dictio‐
2557              nary  by  the proxy receiver to determine the origin of the con‐
2558              nection.  Each generated file will be automatically deleted when
2559              the proxied connection is torn down.
2560
2561              Not implemented on Windows.
2562
2563   Client Mode
2564       Use  client  mode  when  connecting  to  an  OpenVPN  server  which has
2565       --server, --server-bridge, or --mode server in it's configuration.
2566
2567       --client
2568              A helper directive designed to  simplify  the  configuration  of
2569              OpenVPN's client mode.  This directive is equivalent to:
2570
2571                   pull
2572                   tls-client
2573
2574       --pull This  option  must  be used on a client which is connecting to a
2575              multi-client server.  It indicates to  OpenVPN  that  it  should
2576              accept  options  pushed by the server, provided they are part of
2577              the legal set of pushable options (note that the  --pull  option
2578              is implied by --client ).
2579
2580              In  particular,  --pull  allows the server to push routes to the
2581              client, so you should not use --pull or --client  in  situations
2582              where  you  don't  trust  the  server  to  have control over the
2583              client's routing table.
2584
2585       --pull-filter accept|ignore|reject text
2586              Filter options received from the server  if  the  option  starts
2587              with  text.   Runs  on client. The action flag accept allows the
2588              option, ignore removes it and reject flags an error and triggers
2589              a SIGUSR1 restart.  The filters may be specified multiple times,
2590              and each filter is applied in the order  it  is  specified.  The
2591              filtering  of  each  option  stops  as soon as a match is found.
2592              Unmatched options are accepted by default.
2593
2594              Prefix comparison is used to match  text  against  the  received
2595              option so that
2596
2597                  --pull-filter ignore "route"
2598
2599              would  remove all pushed options starting with route which would
2600              include, for example, route-gateway.  Enclose text in quotes  to
2601              embed spaces.
2602
2603                  --pull-filter accept "route 192.168.1."
2604                  --pull-filter ignore "route "
2605
2606              would remove all routes that do not start with 192.168.1.
2607
2608              This  option  may be used only on clients.  Note that reject may
2609              result in a repeated cycle of failure and reconnect, unless mul‐
2610              tiple  remotes  are  specified and connection to the next remote
2611              succeeds. To silently ignore an option pushed by the server, use
2612              ignore.
2613
2614       --auth-user-pass [up]
2615              Authenticate  with server using username/password.  up is a file
2616              containing username/password on 2 lines. If the password line is
2617              missing, OpenVPN will prompt for one.
2618
2619              If  up  is  omitted, username/password will be prompted from the
2620              console.
2621
2622              The server configuration must specify an --auth-user-pass-verify
2623              script to verify the username/password provided by the client.
2624
2625       --auth-retry type
2626              Controls  how OpenVPN responds to username/password verification
2627              errors such as the client-side response to an  AUTH_FAILED  mes‐
2628              sage  from the server or verification failure of the private key
2629              password.
2630
2631              Normally used to prevent auth errors from  being  fatal  on  the
2632              client  side,  and to permit username/password requeries in case
2633              of error.
2634
2635              An AUTH_FAILED message is generated by the server if the  client
2636              fails  --auth-user-pass  authentication,  or  if the server-side
2637              --client-connect script returns an error status when the  client
2638              tries to connect.
2639
2640              type can be one of:
2641
2642              none  --  Client  will  exit  with  a  fatal  error (this is the
2643              default).
2644              nointeract -- Client will retry the connection without  requery‐
2645              ing  for an --auth-user-pass username/password.  Use this option
2646              for unattended clients.
2647              interact -- Client will requery for  an  --auth-user-pass  user‐
2648              name/password  and/or  private  key password before attempting a
2649              reconnection.
2650
2651              Note that while this option cannot be pushed,  it  can  be  con‐
2652              trolled from the management interface.
2653
2654       --static-challenge t e
2655              Enable  static  challenge/response protocol using challenge text
2656              t, with echo flag given by e (0|1).
2657
2658              The echo flag indicates whether or not the  user's  response  to
2659              the challenge should be echoed.
2660
2661              See  management-notes.txt  in  the  OpenVPN  distribution  for a
2662              description of the OpenVPN challenge/response protocol.
2663
2664       --server-poll-timeout n, --connect-timeout n
2665              When connecting to a remote server do not wait for more  than  n
2666              seconds  waiting  for  a response before trying the next server.
2667              The default value is 120s. This timeout includes proxy  and  TCP
2668              connect timeouts.
2669
2670       --explicit-exit-notify [n]
2671              In  UDP  client mode or point-to-point mode, send server/peer an
2672              exit notification if tunnel is restarted or OpenVPN  process  is
2673              exited.   In client mode, on exit/restart, this option will tell
2674              the server to  immediately  close  its  client  instance  object
2675              rather  than waiting for a timeout.  The n parameter (default=1)
2676              controls the maximum number of attempts that the client will try
2677              to resend the exit notification message.
2678
2679              In UDP server mode, send RESTART control channel command to con‐
2680              nected clients. The  n  parameter  (default=1)  controls  client
2681              behavior.  With  n  =  1 client will attempt to reconnect to the
2682              same server, with n = 2 client will advance to the next server.
2683
2684              OpenVPN will not send any exit notifications unless this  option
2685              is enabled.
2686
2687       --allow-recursive-routing
2688              When  this  option  is  set,  OpenVPN will not drop incoming tun
2689              packets with same destination as host.
2690
2691   Data Channel Encryption Options:
2692       These options are meaningful for both Static & TLS-negotiated key modes
2693       (must be compatible between peers).
2694
2695       --secret file [direction]
2696              Enable  Static  Key  encryption  mode (non-TLS).  Use pre-shared
2697              secret file which was generated with --genkey.
2698
2699              The optional direction parameter enables the use of  4  distinct
2700              keys  (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt),
2701              so that each data flow direction has a different set of HMAC and
2702              cipher keys.  This has a number of desirable security properties
2703              including eliminating certain kinds of DoS  and  message  replay
2704              attacks.
2705
2706              When  the  direction parameter is omitted, 2 keys are used bidi‐
2707              rectionally, one for HMAC and the other  for  encryption/decryp‐
2708              tion.
2709
2710              The direction parameter should always be complementary on either
2711              side of the connection, i.e. one side should  use  "0"  and  the
2712              other should use "1", or both sides should omit it altogether.
2713
2714              The  direction  parameter requires that file contains a 2048 bit
2715              key.  While pre-1.5 versions of OpenVPN generate  1024  bit  key
2716              files,  any  version  of  OpenVPN  which  supports the direction
2717              parameter, will also support 2048 bit key file generation  using
2718              the --genkey option.
2719
2720              Static  key  encryption mode has certain advantages, the primary
2721              being ease of configuration.
2722
2723              There are no certificates or certificate authorities or  compli‐
2724              cated  negotiation  handshakes and protocols.  The only require‐
2725              ment is that you have a pre-existing secure  channel  with  your
2726              peer  (such  as  ssh ) to initially copy the key.  This require‐
2727              ment, along with the fact that your key never changes unless you
2728              manually  generate a new one, makes it somewhat less secure than
2729              TLS mode (see below).  If an attacker manages to steal your key,
2730              everything that was ever encrypted with it is compromised.  Con‐
2731              trast that to the perfect forward secrecy features of  TLS  mode
2732              (using  Diffie  Hellman key exchange), where even if an attacker
2733              was able to steal your private key, he would gain no information
2734              to help him decrypt past sessions.
2735
2736              Another  advantageous  aspect  of  Static Key encryption mode is
2737              that it is a handshake-free protocol without any  distinguishing
2738              signature  or  feature  (such  as a header or protocol handshake
2739              sequence) that would mark the ciphertext packets as being gener‐
2740              ated  by  OpenVPN.   Anyone  eavesdropping on the wire would see
2741              nothing but random-looking data.
2742
2743       --key-direction
2744              Alternative way of specifying the optional  direction  parameter
2745              for  the  --tls-auth  and  --secret  options.  Useful when using
2746              inline files (See section on inline files).
2747
2748       --auth alg
2749              Authenticate data channel packets and (if enabled) tls-auth con‐
2750              trol  channel  packets  with HMAC using message digest algorithm
2751              alg.  (The default is SHA1 ).  HMAC is a commonly  used  message
2752              authentication algorithm (MAC) that uses a data string, a secure
2753              hash algorithm, and a key, to produce a digital signature.
2754
2755              The OpenVPN data channel protocol  uses  encrypt-then-mac  (i.e.
2756              first  encrypt  a  packet,  then HMAC the resulting ciphertext),
2757              which prevents padding oracle attacks.
2758
2759              If an AEAD cipher mode  (e.g.  GCM)  is  chosen,  the  specified
2760              --auth  algorithm  is  ignored  for  the  data  channel, and the
2761              authentication method of the AEAD cipher is used instead.   Note
2762              that alg still specifies the digest used for tls-auth.
2763
2764              In  static-key  encryption mode, the HMAC key is included in the
2765              key file generated by --genkey.  In TLS mode, the  HMAC  key  is
2766              dynamically  generated and shared between peers via the TLS con‐
2767              trol channel.  If OpenVPN receives a packet with a bad  HMAC  it
2768              will  drop  the  packet.   HMAC  usually adds 16 or 20 bytes per
2769              packet.  Set alg=none to disable authentication.
2770
2771              For       more       information       on        HMAC        see
2772              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
2773
2774       --cipher alg
2775              Encrypt data channel packets with cipher algorithm alg.
2776
2777              The  default  is  BF-CBC, an abbreviation for Blowfish in Cipher
2778              Block Chaining mode.  When cipher negotiation (NCP) is  allowed,
2779              OpenVPN  2.4 and newer on both client and server side will auto‐
2780              matically  upgrade  to  AES-256-GCM.   See   --ncp-ciphers   and
2781              --ncp-disable for more details on NCP.
2782
2783              Using  BF-CBC  is  no  longer recommended, because of its 64-bit
2784              block size.  This small block size allows attacks based on  col‐
2785              lisions,   as   demonstrated  by  SWEET32.   See  https://commu
2786              nity.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to this,
2787              support  for  BF-CBC,  DES,  CAST5, IDEA and RC2 ciphers will be
2788              removed in OpenVPN 2.6.
2789
2790              To see other ciphers that are available with  OpenVPN,  use  the
2791              --show-ciphers option.
2792
2793              Set alg=none to disable encryption.
2794
2795
2796       --ncp-ciphers cipher_list
2797              Restrict  the allowed ciphers to be negotiated to the ciphers in
2798              cipher_list.  cipher_list is a colon-separated list of  ciphers,
2799              and defaults to "AES-256-GCM:AES-128-GCM".
2800
2801              For servers, the first cipher from cipher_list will be pushed to
2802              clients that support cipher negotiation.
2803
2804              Cipher negotiation is enabled in client-server mode only.   I.e.
2805              if  --mode  is  set to 'server' (server-side, implied by setting
2806              --server ), or if --pull is specified (client-side,  implied  by
2807              setting --client).
2808
2809              If  both  peers  support  and do not disable NCP, the negotiated
2810              cipher will override the cipher specified by --cipher.
2811
2812              Additionally, to allow for more smooth  transition,  if  NCP  is
2813              enabled,  OpenVPN  will  inherit  the cipher of the peer if that
2814              cipher is different from the local  --cipher  setting,  but  the
2815              peer  cipher  is  one of the ciphers specified in --ncp-ciphers.
2816              E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set)  con‐
2817              necting  to  a  NCP  server  (v2.4+)  with "--cipher BF-CBC" and
2818              "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can  either  specify
2819              "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.
2820
2821
2822       --ncp-disable
2823              Disable  "negotiable  crypto  parameters".  This completely dis‐
2824              ables cipher negotiation.
2825
2826       --keysize n
2827              DEPRECATED This option will be removed in OpenVPN 2.6.
2828
2829              Size of cipher key in bits (optional).  If unspecified, defaults
2830              to  cipher-specific  default.   The  --show-ciphers  option (see
2831              below) shows all available OpenSSL ciphers,  their  default  key
2832              sizes,  and  whether  the  key size can be changed.  Use care in
2833              changing a cipher's default key size.   Many  ciphers  have  not
2834              been  extensively  cryptanalyzed  with non-standard key lengths,
2835              and a larger key may offer no real guarantee  of  greater  secu‐
2836              rity, or may even reduce security.
2837
2838       --prng alg [nsl]
2839              (Advanced) For PRNG (Pseudo-random number generator), use digest
2840              algorithm alg (default=sha1), and set nsl  (default=16)  to  the
2841              size in bytes of the nonce secret length (between 16 and 64).
2842
2843              Set  alg=none to disable the PRNG and use the OpenSSL RAND_bytes
2844              function instead  for  all  of  OpenVPN's  pseudo-random  number
2845              needs.
2846
2847       --engine [engine-name]
2848              Enable OpenSSL hardware-based crypto engine functionality.
2849
2850              If  engine-name is specified, use a specific crypto engine.  Use
2851              the --show-engines standalone option to list the crypto  engines
2852              which are supported by OpenSSL.
2853
2854       --no-replay
2855              DEPRECATED This option will be removed in OpenVPN 2.5.
2856
2857              (Advanced)  Disable OpenVPN's protection against replay attacks.
2858              Don't use this option unless you are prepared to make a tradeoff
2859              of greater efficiency in exchange for less security.
2860
2861              OpenVPN provides datagram replay protection by default.
2862
2863              Replay protection is accomplished by tagging each outgoing data‐
2864              gram with an identifier that is guaranteed to be unique for  the
2865              key  being used.  The peer that receives the datagram will check
2866              for the uniqueness of the identifier.   If  the  identifier  was
2867              already  received  in a previous datagram, OpenVPN will drop the
2868              packet.  Replay protection is important to defeat  attacks  such
2869              as  a  SYN flood attack, where the attacker listens in the wire,
2870              intercepts a TCP SYN packet (identifying it by  the  context  in
2871              which  it  occurs in relation to other packets), then floods the
2872              receiving peer with copies of this packet.
2873
2874              OpenVPN's replay protection is implemented in slightly different
2875              ways, depending on the key management mode you have selected.
2876
2877              In  Static  Key  mode  or  when using an CFB or OFB mode cipher,
2878              OpenVPN uses a 64 bit unique identifier  that  combines  a  time
2879              stamp with an incrementing sequence number.
2880
2881              When  using  TLS  mode  for  key exchange and a CBC cipher mode,
2882              OpenVPN uses only a 32 bit sequence number without a time stamp,
2883              since  OpenVPN  can  guarantee  the uniqueness of this value for
2884              each key.  As in IPSec, if the sequence number is close to wrap‐
2885              ping back to zero, OpenVPN will trigger a new key exchange.
2886
2887              To  check for replays, OpenVPN uses the sliding window algorithm
2888              used by IPSec.
2889
2890       --replay-window n [t]
2891              Use a replay protection sliding-window of size n and a time win‐
2892              dow of t seconds.
2893
2894              By default n is 64 (the IPSec default) and t is 15 seconds.
2895
2896              This  option  is  only  relevant  in UDP mode, i.e.  when either
2897              --proto udp is specified, or no --proto option is specified.
2898
2899              When OpenVPN tunnels IP packets over UDP, there is the possibil‐
2900              ity  that  packets  might  be dropped or delivered out of order.
2901              Because OpenVPN, like IPSec, is emulating the  physical  network
2902              layer,  it will accept an out-of-order packet sequence, and will
2903              deliver such packets in the same order they were received to the
2904              TCP/IP  protocol  stack,  provided  they  satisfy  several  con‐
2905              straints.
2906
2907              (a) The packet cannot be a replay (unless --no-replay is  speci‐
2908              fied, which disables replay protection altogether).
2909
2910              (b)  If  a packet arrives out of order, it will only be accepted
2911              if the difference between its sequence number  and  the  highest
2912              sequence number received so far is less than n.
2913
2914              (c)  If  a packet arrives out of order, it will only be accepted
2915              if it arrives no later than t seconds after any packet  contain‐
2916              ing a higher sequence number.
2917
2918              If  you  are using a network link with a large pipeline (meaning
2919              that the product of bandwidth and latency is high), you may want
2920              to  use  a  larger  value  for n.  Satellite links in particular
2921              often require this.
2922
2923              If you run OpenVPN  at  --verb  4,  you  will  see  the  message
2924              "Replay-window  backtrack  occurred  [x]" every time the maximum
2925              sequence number backtrack seen thus far increases.  This can  be
2926              used to calibrate n.
2927
2928              There  is some controversy on the appropriate method of handling
2929              packet reordering at the security layer.
2930
2931              Namely, to what extent should the  security  layer  protect  the
2932              encapsulated protocol from attacks which masquerade as the kinds
2933              of normal packet loss and reordering that  occur  over  IP  net‐
2934              works?
2935
2936              The  IPSec  and  OpenVPN  approach is to allow packet reordering
2937              within a certain fixed sequence number window.
2938
2939              OpenVPN adds to the IPSec model by limiting the window  size  in
2940              time as well as sequence space.
2941
2942              OpenVPN  also  adds  TCP  transport as an option (not offered by
2943              IPSec) in which case OpenVPN can adopt a  very  strict  attitude
2944              towards message deletion and reordering:  Don't allow it.  Since
2945              TCP guarantees reliability, any packet loss or reordering  event
2946              can be assumed to be an attack.
2947
2948              In  this  sense, it could be argued that TCP tunnel transport is
2949              preferred when tunneling non-IP  or  UDP  application  protocols
2950              which  might  be  vulnerable to a message deletion or reordering
2951              attack which falls within the normal operational  parameters  of
2952              IP networks.
2953
2954              So  I  would  make  the statement that one should never tunnel a
2955              non-IP protocol or UDP application protocol  over  UDP,  if  the
2956              protocol might be vulnerable to a message deletion or reordering
2957              attack that falls within the normal operating parameters of what
2958              is  to  be  expected from the physical IP layer.  The problem is
2959              easily fixed by simply using TCP as the VPN transport layer.
2960
2961       --mute-replay-warnings
2962              Silence the output of replay warnings, which are a common  false
2963              alarm  on  WiFi networks.  This option preserves the security of
2964              the replay protection code without the verbosity associated with
2965              warnings about duplicate packets.
2966
2967       --replay-persist file
2968              Persist  replay-protection  state  across sessions using file to
2969              save and reload the state.
2970
2971              This option will strengthen protection against  replay  attacks,
2972              especially when you are using OpenVPN in a dynamic context (such
2973              as with --inetd) when OpenVPN sessions  are  frequently  started
2974              and stopped.
2975
2976              This  option will keep a disk copy of the current replay protec‐
2977              tion state (i.e. the most recent packet timestamp  and  sequence
2978              number  received  from  the  remote peer), so that if an OpenVPN
2979              session is stopped and restarted, it will reject any replays  of
2980              packets which were already received by the prior session.
2981
2982              This  option  only makes sense when replay protection is enabled
2983              (the default) and you are using either  --secret  (shared-secret
2984              key mode) or TLS mode with --tls-auth.
2985
2986       --no-iv
2987              DEPRECATED This option will be removed in OpenVPN 2.5.
2988
2989              (Advanced)  Disable  OpenVPN's  use of IV (cipher initialization
2990              vector).  Don't use this option unless you are prepared to  make
2991              a tradeoff of greater efficiency in exchange for less security.
2992
2993              OpenVPN  uses  an IV by default, and requires it for CFB and OFB
2994              cipher modes (which are totally insecure without it).  Using  an
2995              IV  is  important  for security when multiple messages are being
2996              encrypted/decrypted with the same key.
2997
2998              IV is implemented differently depending on the cipher mode used.
2999
3000              In CBC mode, OpenVPN uses a pseudo-random IV for each packet.
3001
3002              In CFB/OFB mode, OpenVPN uses a unique sequence number and  time
3003              stamp as the IV.  In fact, in CFB/OFB mode, OpenVPN uses a data‐
3004              gram space-saving optimization that uses the  unique  identifier
3005              for datagram replay protection as the IV.
3006
3007       --use-prediction-resistance
3008              Enable prediction resistance on mbed TLS's RNG.
3009
3010              Enabling  prediction resistance causes the RNG to reseed in each
3011              call for random. Reseeding this often can  quickly  deplete  the
3012              kernel entropy pool.
3013
3014              If  you  need this option, please consider running a daemon that
3015              adds entropy to the kernel pool.
3016
3017
3018       --test-crypto
3019              Do a self-test of OpenVPN's crypto  options  by  encrypting  and
3020              decrypting  test  packets  using  the  data  channel  encryption
3021              options specified above.  This option does not require a peer to
3022              function,  and  therefore  can  be  specified  without  --dev or
3023              --remote.
3024
3025              The typical usage of --test-crypto would be something like this:
3026
3027              openvpn --test-crypto --secret key
3028
3029              or
3030
3031              openvpn --test-crypto --secret key --verb 9
3032
3033              This option is very useful to test OpenVPN  after  it  has  been
3034              ported  to  a  new  platform, or to isolate problems in the com‐
3035              piler, OpenSSL crypto library, or OpenVPN's crypto code.   Since
3036              it is a self-test mode, problems with encryption and authentica‐
3037              tion can be debugged independently of network and tunnel issues.
3038
3039   TLS Mode Options:
3040       TLS mode is the most powerful crypto mode of OpenVPN in  both  security
3041       and flexibility.  TLS mode works by establishing control and data chan‐
3042       nels which are multiplexed over a single TCP/UDP port.  OpenVPN  initi‐
3043       ates  a  TLS  session  over the control channel and uses it to exchange
3044       cipher and HMAC keys to protect the data  channel.   TLS  mode  uses  a
3045       robust  reliability layer over the UDP connection for all control chan‐
3046       nel communication, while the data channel, over which encrypted  tunnel
3047       data  passes,  is  forwarded  without any mediation.  The result is the
3048       best of both worlds: a fast data channel that forwards  over  UDP  with
3049       only  the  overhead of encrypt, decrypt, and HMAC functions, and a con‐
3050       trol channel that provides all of the security features of TLS, includ‐
3051       ing   certificate-based   authentication  and  Diffie  Hellman  forward
3052       secrecy.
3053
3054       To use TLS mode, each peer that runs OpenVPN should have its own  local
3055       certificate/key  pair ( --cert and --key ), signed by the root certifi‐
3056       cate which is specified in --ca.
3057
3058       When two OpenVPN peers connect, each presents its local certificate  to
3059       the other.  Each peer will then check that its partner peer presented a
3060       certificate which was signed by the master root certificate  as  speci‐
3061       fied in --ca.
3062
3063       If  that  check  on  both peers succeeds, then the TLS negotiation will
3064       succeed, both OpenVPN peers will exchange temporary session  keys,  and
3065       the tunnel will begin passing data.
3066
3067       The OpenVPN project provides a set of scripts for managing RSA certifi‐
3068       cates & keys: https://github.com/OpenVPN/easy-rsa
3069
3070       --tls-server
3071              Enable TLS and assume server role during  TLS  handshake.   Note
3072              that  OpenVPN  is  designed  as a peer-to-peer application.  The
3073              designation of client or server is only for the purpose of nego‐
3074              tiating the TLS control channel.
3075
3076       --tls-client
3077              Enable TLS and assume client role during TLS handshake.
3078
3079       --ca file
3080              Certificate authority (CA) file in .pem format, also referred to
3081              as the root certificate.  This file can have  multiple  certifi‐
3082              cates  in .pem format, concatenated together.  You can construct
3083              your own certificate authority certificate and  private  key  by
3084              using a command such as:
3085
3086              openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
3087
3088              Then  edit  your openssl.cnf file and edit the certificate vari‐
3089              able to point to your new root certificate ca.crt.
3090
3091              For testing purposes only, the OpenVPN distribution  includes  a
3092              sample  CA certificate (ca.crt).  Of course you should never use
3093              the test certificates and test keys distributed with OpenVPN  in
3094              a  production environment, since by virtue of the fact that they
3095              are distributed with OpenVPN, they are totally insecure.
3096
3097       --capath dir
3098              Directory containing trusted certificates (CAs and  CRLs).   Not
3099              available with mbed TLS.
3100
3101              CAs in the capath directory are expected to be named <hash>.<n>.
3102              CRLs are expected to  be  named  <hash>.r<n>.  See  the  -CApath
3103              option  of openssl verify , and the -hash option of openssl x509
3104              , openssl crl and X509_LOOKUP_hash_dir(3) for more information.
3105
3106              Similarly to the --crl-verify option CRLs are  not  mandatory  -
3107              OpenVPN  will  log the usual warning in the logs if the relevant
3108              CRL is missing, but the connection will be allowed.
3109
3110       --dh file
3111              File  containing  Diffie  Hellman  parameters  in  .pem   format
3112              (required for --tls-server only).
3113
3114              Set  file=none  to  disable Diffie Hellman key exchange (and use
3115              ECDH only). Note that this requires peers to  be  using  an  SSL
3116              library  that  supports  ECDH  TLS  cipher  suites (e.g. OpenSSL
3117              1.0.1+, or mbed TLS 2.0+).
3118
3119              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
3120              parameters. Diffie Hellman parameters may be considered public.
3121
3122       --ecdh-curve name
3123              Specify  the  curve  to  use  for elliptic curve Diffie Hellman.
3124              Available curves can be listed with --show-curves.   The  speci‐
3125              fied curve will only be used for ECDH TLS-ciphers.
3126
3127              This option is not supported in mbed TLS builds of OpenVPN.
3128
3129       --cert file
3130              Local peer's signed certificate in .pem format -- must be signed
3131              by a certificate authority whose certificate is  in  --ca  file.
3132              Each peer in an OpenVPN link running in TLS mode should have its
3133              own certificate and private key file.  In  addition,  each  cer‐
3134              tificate  should  have  been  signed by the key of a certificate
3135              authority whose public  key  resides  in  the  --ca  certificate
3136              authority  file.   You  can  easily  make  your  own certificate
3137              authority (see above) or pay money to use a  commercial  service
3138              such as thawte.com (in which case you will be helping to finance
3139              the world's second space tourist :).  To generate a certificate,
3140              you can use a command such as:
3141
3142              openssl req -nodes -new -keyout mycert.key -out mycert.csr
3143
3144              If  your  certificate  authority  private  key  lives on another
3145              machine, copy the certificate signing  request  (mycert.csr)  to
3146              this  other  machine  (this can be done over an insecure channel
3147              such as email).  Now sign the certificate with  a  command  such
3148              as:
3149
3150              openssl ca -out mycert.crt -in mycert.csr
3151
3152              Now  copy  the  certificate  (mycert.crt) back to the peer which
3153              initially generated the .csr file (this can  be  over  a  public
3154              medium).  Note that the openssl ca command reads the location of
3155              the certificate authority key from its configuration  file  such
3156              as  /usr/share/ssl/openssl.cnf -- note also that for certificate
3157              authority functions, you must set up the files index.txt (may be
3158              empty) and serial (initialize to 01 ).
3159
3160       --extra-certs file
3161              Specify  a  file  containing one or more PEM certs (concatenated
3162              together) that complete the local certificate chain.
3163
3164              This option is useful for "split" CAs, where the CA  for  server
3165              certs  is different than the CA for client certs.  Putting certs
3166              in this file allows them to be used to complete the  local  cer‐
3167              tificate  chain without trusting them to verify the peer-submit‐
3168              ted certificate, as would be the case if the certs  were  placed
3169              in the ca file.
3170
3171       --key file
3172              Local  peer's  private  key in .pem format.  Use the private key
3173              which was generated when you built your peer's certificate  (see
3174              --cert file above).
3175
3176       --tls-version-min version ['or-highest']
3177              Sets  the  minimum  TLS  version  we  will  accept from the peer
3178              (default is "1.0").  Examples for version include "1.0",  "1.1",
3179              or  "1.2".  If 'or-highest' is specified and version is not rec‐
3180              ognized, we will only accept the highest TLS  version  supported
3181              by the local SSL implementation.
3182
3183       --tls-version-max version
3184              Set  the maximum TLS version we will use (default is the highest
3185              version supported).  Examples for version include "1.0",  "1.1",
3186              or "1.2".
3187
3188       --pkcs12 file
3189              Specify a PKCS #12 file containing local private key, local cer‐
3190              tificate, and root CA certificate.   This  option  can  be  used
3191              instead  of  --ca,  --cert,  and --key.  Not available with mbed
3192              TLS.
3193
3194       --verify-hash hash [algo]
3195              Specify SHA1  or  SHA256  fingerprint  for  level-1  cert.   The
3196              level-1  cert  is  the  CA (or intermediate cert) that signs the
3197              leaf certificate, and is one removed from the  leaf  certificate
3198              in  the direction of the root.  When accepting a connection from
3199              a peer, the level-1 cert fingerprint must match hash or certifi‐
3200              cate verification will fail.  Hash is specified as XX:XX:... For
3201              example:
3202
3203                  AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
3204
3205              The algo flag can be either SHA1 or SHA256.  If not provided, it
3206              defaults to SHA1.
3207
3208       --pkcs11-cert-private [0|1]...
3209              Set  if  access  to certificate object should be performed after
3210              login.  Every provider has its own setting.
3211
3212       --pkcs11-id name
3213              Specify the serialized certificate id to be used. The id can  be
3214              gotten by the standalone --show-pkcs11-ids option.
3215
3216       --pkcs11-id-management
3217              Acquire  PKCS#11  id  from  management interface. In this case a
3218              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
3219              gered,  application  may use pkcs11-id-count command to retrieve
3220              available number of certificates, and pkcs11-id-get  command  to
3221              retrieve certificate id and certificate body.
3222
3223       --pkcs11-pin-cache seconds
3224              Specify  how  many seconds the PIN can be cached, the default is
3225              until the token is removed.
3226
3227       --pkcs11-protected-authentication [0|1]...
3228              Use PKCS#11 protected authentication path, useful for  biometric
3229              and  external  keypad  devices.  Every provider has its own set‐
3230              ting.
3231
3232       --pkcs11-providers provider...
3233              Specify a RSA Security Inc. PKCS #11 Cryptographic Token  Inter‐
3234              face  (Cryptoki)  providers  to  load.   This option can be used
3235              instead of --cert, --key, and --pkcs12.
3236
3237              If p11-kit is present on the system, its p11-kit-proxy.so module
3238              will   be  loaded  by  default  if  either  the  --pkcs11-id  or
3239              --pkcs11-id-management    options    are    specified    without
3240              --pkcs11-provider being given.
3241
3242       --pkcs11-private-mode mode...
3243              Specify  which  method  to  use  in order to perform private key
3244              operations.   A  different  mode  can  be  specified  for   each
3245              provider.   Mode is encoded as hex number, and can be a mask one
3246              of the following:
3247
3248              0 (default) -- Try to determine automatically.
3249              1 -- Use sign.
3250              2 -- Use sign recover.
3251              4 -- Use decrypt.
3252              8 -- Use unwrap.
3253
3254       --cryptoapicert select-string
3255              Load the certificate and private key from the  Windows  Certifi‐
3256              cate System Store (Windows/OpenSSL Only).
3257
3258              Use this option instead of --cert and --key.
3259
3260              This  makes it possible to use any smart card, supported by Win‐
3261              dows, but also any kind of certificate,  residing  in  the  Cert
3262              Store,  where  you  have access to the private key.  This option
3263              has been tested with a couple of different smart cards (GemSAFE,
3264              Cryptoflex, and Swedish Post Office eID) on the client side, and
3265              also an imported PKCS12 software certificate on the server side.
3266
3267              To select a certificate, based on a substring search in the cer‐
3268              tificate's subject:
3269
3270              cryptoapicert "SUBJ:Peter Runestig"
3271
3272              To select a certificate, based on certificate's thumbprint:
3273
3274              cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
3275
3276              The thumbprint hex string can easily be copy-and-pasted from the
3277              Windows Certificate Store GUI.
3278
3279
3280       --key-method m
3281              DEPRECATED This option will be removed in OpenVPN 2.5
3282
3283              Use data channel key negotiation method m.  The key method  must
3284              match on both sides of the connection.
3285
3286              After  OpenVPN  negotiates  a TLS session, a new set of keys for
3287              protecting the tunnel data channel is  generated  and  exchanged
3288              over the TLS session.
3289
3290              In  method  1 (the default for OpenVPN 1.x), both sides generate
3291              random encrypt and HMAC-send keys which  are  forwarded  to  the
3292              other host over the TLS channel. Method 1 is deprecated in Open‐
3293              VPN 2.4 , and will be removed in OpenVPN 2.5.
3294
3295              In method 2, (the default for OpenVPN 2.0) the client  generates
3296              a  random key.  Both client and server also generate some random
3297              seed material.  All key source material is  exchanged  over  the
3298              TLS  channel.  The  actual  keys are generated using the TLS PRF
3299              function, taking source entropy from  both  client  and  server.
3300              Method  2  is  designed  to  closely parallel the key generation
3301              process used by TLS 1.0.
3302
3303              Note that in TLS mode, two separate levels of keying occur:
3304
3305              (1) The TLS connection is initially negotiated, with both  sides
3306              of  the connection producing certificates and verifying the cer‐
3307              tificate (or other authentication info provided)  of  the  other
3308              side.  The --key-method parameter has no effect on this process.
3309
3310              (2)  After the TLS connection is established, the tunnel session
3311              keys are separately negotiated  over  the  existing  secure  TLS
3312              channel.   Here,  --key-method  determines the derivation of the
3313              tunnel session keys.
3314
3315       --tls-cipher l
3316       --tls-ciphersuites l
3317              A list l of allowable TLS ciphers delimited by a colon (":").
3318
3319              These setting can be used to ensure that certain  cipher  suites
3320              are used (or not used) for the TLS connection.  OpenVPN uses TLS
3321              to secure the control channel, over which the keys that are used
3322              to protect the actual VPN traffic are exchanged.
3323
3324              The  supplied  list  of ciphers is (after potential OpenSSL/IANA
3325              name translation) simply supplied to the crypto library.  Please
3326              see the OpenSSL and/or mbed TLS documentation for details on the
3327              cipher list interpretation.
3328
3329              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below. For
3330              TLS 1.3 and up, the --tls-ciphersuites setting is used. mbed TLS
3331              has no TLS 1.3 support yet and only the --tls-cipher setting  is
3332              used.
3333
3334              Use  --show-tls  to  see a list of TLS ciphers supported by your
3335              crypto library.
3336
3337              Warning!  --tls-cipher and --tls-ciphersuites  are  expert  fea‐
3338              tures,  which  -  if used correcly - can improve the security of
3339              your VPN connection.  But it is also  easy  to  unwittingly  use
3340              them to carefully align a gun with your foot, or just break your
3341              connection.  Use with care!
3342
3343              The default for --tls-cipher is to use mbed TLS's default cipher
3344              list         when         using        mbed        TLS        or
3345              "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
3346              when using OpenSSL.
3347
3348              The   default  for  --tls-ciphersuites  is  to  use  the  crypto
3349              library's default.
3350
3351       --tls-cert-profile profile
3352              Set  the  allowed  cryptographic  algorithms  for   certificates
3353              according to profile.
3354
3355              The following profiles are supported:
3356
3357              legacy  (default):  SHA1  and newer, RSA 2048-bit+, any elliptic
3358              curve.
3359
3360              preferred : SHA2 and newer, RSA 2048-bit+, any elliptic curve.
3361
3362              suiteb : SHA256/SHA384, ECDSA with P-256 or P-384.
3363
3364              This option  is  only  fully  supported  for  mbed  TLS  builds.
3365              OpenSSL builds use the following approximation:
3366
3367              legacy (default): sets "security level 1"
3368
3369              preferred : sets "security level 2"
3370
3371              suiteb : sets "security level 3" and --tls-cipher "SUITEB128".
3372
3373              OpenVPN  will  migrate  to 'preferred' as default in the future.
3374              Please ensure that your keys already comply.
3375
3376       --tls-timeout n
3377              Packet retransmit timeout on TLS control channel if no  acknowl‐
3378              edgment  from remote within n seconds (default=2).  When OpenVPN
3379              sends a control packet to its peer, it will expect to receive an
3380              acknowledgement  within  n  seconds  or  it  will retransmit the
3381              packet, subject to a  TCP-like  exponential  backoff  algorithm.
3382              This  parameter  only  applies to control channel packets.  Data
3383              channel packets (which carry encrypted tunnel  data)  are  never
3384              acknowledged, sequenced, or retransmitted by OpenVPN because the
3385              higher level network protocols running on top of the tunnel such
3386              as TCP expect this role to be left to them.
3387
3388       --reneg-bytes n
3389              Renegotiate  data  channel  key  after  n bytes sent or received
3390              (disabled by default with an  exception,  see  below).   OpenVPN
3391              allows  the  lifetime  of  a  key to be expressed as a number of
3392              bytes encrypted/decrypted, a number of packets, or a  number  of
3393              seconds.   A  key  renegotiation  will be forced if any of these
3394              three criteria are met by either peer.
3395
3396              If using ciphers with cipher block  sizes  less  than  128-bits,
3397              --reneg-bytes is set to 64MB by default, unless it is explicitly
3398              disabled by setting the value to 0, but this is HIGHLY  DISCOUR‐
3399              AGED  as  this  is  designed  to add some protection against the
3400              SWEET32 attack vector.  For more information  see  the  --cipher
3401              option.
3402
3403       --reneg-pkts n
3404              Renegotiate  data  channel key after n packets sent and received
3405              (disabled by default).
3406
3407       --reneg-sec n
3408              Renegotiate data channel key after n seconds (default=3600).
3409
3410              When using dual-factor authentication, note  that  this  default
3411              value  may  cause  the  end user to be challenged to reauthorize
3412              once per hour.
3413
3414              Also, keep in mind that this option can  be  used  on  both  the
3415              client  and  server,  and whichever uses the lower value will be
3416              the one to trigger the renegotiation.  A common  mistake  is  to
3417              set  --reneg-sec  to  a  higher  value  on  either the client or
3418              server, while the other side of the connection  is  still  using
3419              the  default  value of 3600 seconds, meaning that the renegotia‐
3420              tion will still occur once per 3600 seconds.  The solution is to
3421              increase --reneg-sec on both the client and server, or set it to
3422              0 on one side of the connection (to disable), and to your chosen
3423              value on the other side.
3424
3425       --hand-window n
3426              Handshake  Window  --  the  TLS-based key exchange must finalize
3427              within n seconds of handshake initiation by any peer (default  =
3428              60  seconds).   If  the handshake fails we will attempt to reset
3429              our connection with our peer and try again.  Even in  the  event
3430              of  handshake  failure we will still use our expiring key for up
3431              to --tran-window seconds to maintain continuity of  transmission
3432              of tunnel data.
3433
3434       --tran-window n
3435              Transition  window  --  our  old  key can live this many seconds
3436              after a new a key renegotiation begins (default = 3600 seconds).
3437              This  feature  allows  for a graceful transition from old to new
3438              key, and removes the key renegotiation sequence from the  criti‐
3439              cal path of tunnel data forwarding.
3440
3441       --single-session
3442              After  initially  connecting  to a remote peer, disallow any new
3443              connections.  Using this option means that a remote peer  cannot
3444              connect, disconnect, and then reconnect.
3445
3446              If  the  daemon  is reset by a signal or --ping-restart, it will
3447              allow one new connection.
3448
3449              --single-session can be used with --ping-exit or  --inactive  to
3450              create a single dynamic session that will exit when finished.
3451
3452       --tls-exit
3453              Exit on TLS negotiation failure.
3454
3455       --tls-auth file [direction]
3456              Add an additional layer of HMAC authentication on top of the TLS
3457              control channel to mitigate DoS attacks and attacks on  the  TLS
3458              stack.
3459
3460              In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
3461              OpenVPN's TCP/UDP port, where TLS control channel packets  bear‐
3462              ing an incorrect HMAC signature can be dropped immediately with‐
3463              out response.
3464
3465              file (required) is a file in OpenVPN static key format which can
3466              be generated by --genkey
3467
3468              Older   versions  (up  to  OpenVPN  2.3)  supported  a  freeform
3469              passphrase file.  This is no longer supported in newer  versions
3470              (v2.4+).
3471
3472              See  the  --secret  option  for more information on the optional
3473              direction parameter.
3474
3475              --tls-auth is recommended when you are running OpenVPN in a mode
3476              where  it  is listening for packets from any IP address, such as
3477              when --remote is not specified, or --remote  is  specified  with
3478              --float.
3479
3480              The  rationale  for  this feature is as follows.  TLS requires a
3481              multi-packet exchange before it is able to authenticate a  peer.
3482              During  this  time  before authentication, OpenVPN is allocating
3483              resources (memory and CPU) to this potential peer.   The  poten‐
3484              tial peer is also exposing many parts of OpenVPN and the OpenSSL
3485              library to the packets it is sending.  Most  successful  network
3486              attacks  today  seek to either exploit bugs in programs (such as
3487              buffer overflow attacks) or force a program to consume  so  many
3488              resources that it becomes unusable.  Of course the first line of
3489              defense is always to produce clean, well-audited code.   OpenVPN
3490              has been written with buffer overflow attack prevention as a top
3491              priority.  But as history has shown, many  of  the  most  widely
3492              used  network  applications  have,  from time to time, fallen to
3493              buffer overflow attacks.
3494
3495              So as a second line of  defense,  OpenVPN  offers  this  special
3496              layer  of  authentication  on  top of the TLS control channel so
3497              that every packet on the control channel is authenticated by  an
3498              HMAC signature and a unique ID for replay protection.  This sig‐
3499              nature will also help protect against DoS  (Denial  of  Service)
3500              attacks.   An  important rule of thumb in reducing vulnerability
3501              to DoS attacks is to minimize the amount of resources  a  poten‐
3502              tial, but as yet unauthenticated, client is able to consume.
3503
3504              --tls-auth does this by signing every TLS control channel packet
3505              with an HMAC signature, including packets which are sent  before
3506              the  TLS  level  has had a chance to authenticate the peer.  The
3507              result is that packets without  the  correct  signature  can  be
3508              dropped immediately upon reception, before they have a chance to
3509              consume additional system resources such as by initiating a  TLS
3510              handshake.    --tls-auth  can  be  strengthened  by  adding  the
3511              --replay-persist option which will keep OpenVPN's replay protec‐
3512              tion state in a file so that it is not lost across restarts.
3513
3514              It  should  be emphasized that this feature is optional and that
3515              the key file used with --tls-auth gives a peer nothing more than
3516              the  power  to  initiate  a  TLS  handshake.   It is not used to
3517              encrypt or authenticate any tunnel data.
3518
3519              Use --tls-crypt instead if you want to use the key file  to  not
3520              only authenticate, but also encrypt the TLS control channel.
3521
3522       --tls-crypt keyfile
3523
3524              Encrypt  and  authenticate  all control channel packets with the
3525              key from keyfile.  (See --tls-auth for more background.)
3526
3527              Encrypting (and authenticating) control channel packets:
3528
3529              · provides more privacy by hiding the certificate used  for  the
3530                TLS connection,
3531
3532              · makes it harder to identify OpenVPN traffic as such,
3533
3534              · provides "poor-man's" post-quantum security, against attackers
3535                who will never  know  the  pre-shared  key  (i.e.  no  forward
3536                secrecy).
3537
3538
3539              In  contrast  to  --tls-auth, --tls-crypt does *not* require the
3540              user to set --key-direction.
3541
3542              Security Considerations
3543
3544              All peers use the  same  --tls-crypt  pre-shared  group  key  to
3545              authenticate  and  encrypt  control channel messages.  To ensure
3546              that IV collisions remain unlikely, this key should not be  used
3547              to   encrypt   more   than   2^48   client-to-server   or   2^48
3548              server-to-client control channel messages.   A  typical  initial
3549              negotiation  is  about  10  packets in each direction.  Assuming
3550              both initial negotiation and renegotiations  are  at  most  2^16
3551              (65536)  packets (to be conservative), and (re)negotiations hap‐
3552              pen each minute for each user (24/7), this limits the  tls-crypt
3553              key lifetime to 8171 years divided by the number of users.  So a
3554              setup with 1000 users should rotate the key at least  once  each
3555              eight years.  (And a setup with 8000 users each year.)
3556
3557              If  IV  collisions were to occur, this could result in the secu‐
3558              rity of --tls-crypt degrading to  the  same  security  as  using
3559              --tls-auth.   That  is,  the control channel still benefits from
3560              the extra protection  against  active  man-in-the-middle-attacks
3561              and  DoS  attacks,  but  may  no  longer offer extra privacy and
3562              post-quantum security on top of what TLS itself offers.
3563
3564       --askpass [file]
3565              Get certificate password from console or file before  we  daemo‐
3566              nize.
3567
3568              For  the extremely security conscious, it is possible to protect
3569              your private key with a password.  Of  course  this  means  that
3570              every  time  the  OpenVPN daemon is started you must be there to
3571              type the password.  The --askpass option  allows  you  to  start
3572              OpenVPN from the command line.  It will query you for a password
3573              before it daemonizes.  To protect a private key with a  password
3574              you  should omit the -nodes option when you use the openssl com‐
3575              mand line tool to manage certificates and private keys.
3576
3577              If file is specified, read the password from the first  line  of
3578              file.   Keep  in  mind that storing your password in a file to a
3579              certain extent invalidates the extra security provided by  using
3580              an encrypted key.
3581
3582       --auth-nocache
3583              Don't  cache --askpass or --auth-user-pass username/passwords in
3584              virtual memory.
3585
3586              If specified, this directive will cause OpenVPN  to  immediately
3587              forget  username/password  inputs  after  they  are  used.  As a
3588              result, when OpenVPN needs a username/password, it  will  prompt
3589              for  input  from  stdin,  which may be multiple times during the
3590              duration of an OpenVPN session.
3591
3592              When using --auth-nocache in combination  with  a  user/password
3593              file  and  --chroot  or  --daemon,  make sure to use an absolute
3594              path.
3595
3596              This directive does not affect the  --http-proxy  username/pass‐
3597              word.  It is always cached.
3598
3599       --auth-token token
3600              This  is  not an option to be used directly in any configuration
3601              files, but rather  push  this  option  from  a  --client-connect
3602              script   or  a  --plugin  which  hooks  into  the  OPENVPN_PLUG‐
3603              IN_CLIENT_CONNECT  or  OPENVPN_PLUGIN_CLIENT_CONNECT_V2   calls.
3604              This  option provides a possibility to replace the clients pass‐
3605              word with an authentication token during  the  lifetime  of  the
3606              OpenVPN client.
3607
3608              Whenever    the    connection    is    renegotiated    and   the
3609              --auth-user-pass-verify script or --plugin  making  use  of  the
3610              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  hook is triggered, it will
3611              pass over this token as the password instead of the password the
3612              user  provided.  The authentication token can only be reset by a
3613              full reconnect where the server can  push  new  options  to  the
3614              client.   The  password the user entered is never preserved once
3615              an authentication token have been set.  If  the  OpenVPN  server
3616              side  rejects  the authentication token, the client will receive
3617              an AUTH_FAIL and disconnect.
3618
3619              The purpose of this is to enable two factor authentication meth‐
3620              ods,  such  as  HOTP  or  TOTP,  to  be  used without needing to
3621              retrieve a new OTP code each time the  connection  is  renegoti‐
3622              ated.   Another  use case is to cache authentication data on the
3623              client without needing to have the users password cached in mem‐
3624              ory during the life time of the session.
3625
3626              To  make  use  of  this  feature, the --client-connect script or
3627              --plugin needs to put
3628
3629                  push "auth-token UNIQUE_TOKEN_VALUE"
3630
3631              into the file/buffer for dynamic configuration data.  This  will
3632              then  make  the OpenVPN server to push this value to the client,
3633              which replaces the local password with the UNIQUE_TOKEN_VALUE.
3634
3635              Newer clients (2.4.7+) will fall back to the  original  password
3636              method  after  a  failed auth. Older clients will keep using the
3637              token value and react acording to --auth-retry
3638
3639       --tls-verify cmd
3640              Run command cmd to verify the X509 name of a pending TLS connec‐
3641              tion  that has otherwise passed all other tests of certification
3642              (except for revocation via --crl-verify directive;  the  revoca‐
3643              tion test occurs after the --tls-verify test).
3644
3645              cmd  should return 0 to allow the TLS handshake to proceed, or 1
3646              to fail.
3647
3648              cmd consists of  a  path  to  script  (or  executable  program),
3649              optionally  followed by arguments. The path and arguments may be
3650              single- or double-quoted and/or escaped using a  backslash,  and
3651              should be separated by one or more spaces.
3652
3653              When  cmd is executed two arguments are appended after any argu‐
3654              ments specified in cmd , as follows:
3655
3656              cmd certificate_depth subject
3657
3658              These arguments are, respectively, the current certificate depth
3659              and the X509 subject distinguished name (dn) of the peer.
3660
3661              This  feature is useful if the peer you want to trust has a cer‐
3662              tificate which was signed by a certificate  authority  who  also
3663              signed many other certificates, where you don't necessarily want
3664              to trust all of them, but rather be selective about  which  peer
3665              certificate you will accept.  This feature allows you to write a
3666              script which will test the X509 name on a certificate and decide
3667              whether  or not it should be accepted.  For a simple perl script
3668              which will test the common name field on  the  certificate,  see
3669              the file verify-cn in the OpenVPN distribution.
3670
3671              See  the  "Environmental Variables" section below for additional
3672              parameters passed as environmental variables.
3673
3674       --tls-export-cert directory
3675              Store the certificates the clients uses upon connection to  this
3676              directory. This will be done before --tls-verify is called.  The
3677              certificates will use a temporary name and will be deleted  when
3678              the  tls-verify script returns.  The file name used for the cer‐
3679              tificate is available via the peer_cert environment variable.
3680
3681       --x509-username-field [ext:]fieldname
3682              Field in the X.509 certificate subject to be used as  the  user‐
3683              name  (default=CN).   Typically,  this  option is specified with
3684              fieldname as either of the following:
3685
3686              --x509-username-field emailAddress
3687              --x509-username-field ext:subjectAltName
3688
3689              The first example uses the value of the "emailAddress" attribute
3690              in  the certificate's Subject field as the username.  The second
3691              example uses the ext: prefix to signify that the X.509 extension
3692              fieldname "subjectAltName" be searched for an rfc822Name (email)
3693              field to be used as the username.  In cases where there are mul‐
3694              tiple  email  addresses in ext:fieldname, the last occurrence is
3695              chosen.
3696
3697              When this option is used,  the  --verify-x509-name  option  will
3698              match against the chosen fieldname instead of the Common Name.
3699
3700              Only  the  subjectAltName and issuerAltName X.509 extensions are
3701              supported.
3702
3703              Please note: This option has a feature  which  will  convert  an
3704              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
3705              A mixed-case fieldname or one having the  ext:  prefix  will  be
3706              left  as-is.   This automatic upcasing feature is deprecated and
3707              will be removed in a future release.
3708
3709       --verify-x509-name name type
3710              Accept connections only if a host's X.509 name is equal to name.
3711              The remote host must also pass all other tests of verification.
3712
3713              Which  X.509  name is compared to name depends on the setting of
3714              type.  type can be "subject" to match the  complete  subject  DN
3715              (default),  "name"  to  match  a subject RDN or "name-prefix" to
3716              match a subject RDN prefix.   Which  RDN  is  verified  as  name
3717              depends  on the --x509-username-field option. But it defaults to
3718              the common name (CN), e.g.  a  certificate  with  a  subject  DN
3719              "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
3720
3721              --verify-x509-name  'C=KG,  ST=NA,  L=Bishkek,  CN=Server-1' and
3722              --verify-x509-name  Server-1  name  or  you  could  use   --ver‐
3723              ify-x509-name  Server-  name-prefix if you want a client to only
3724              accept connections to "Server-1", "Server-2", etc.
3725
3726              --verify-x509-name is a useful replacement for the  --tls-verify
3727              option  to  verify  the  remote host, because --verify-x509-name
3728              works in a --chroot environment without any dependencies.
3729
3730              Using a name prefix is a useful alternative to  managing  a  CRL
3731              (Certificate Revocation List) on the client, since it allows the
3732              client to refuse all certificates except  for  those  associated
3733              with designated servers.
3734
3735              NOTE: Test against a name prefix only when you are using OpenVPN
3736              with a custom CA certificate that is under your control.   Never
3737              use  this  option  with type "name-prefix" when your client cer‐
3738              tificates are signed by a third party, such as a commercial  web
3739              CA.
3740
3741       --x509-track attribute
3742              Save peer X509 attribute value in environment for use by plugins
3743              and management interface.  Prepend a '+' to  attribute  to  save
3744              values  from  full  cert  chain.   Values  will  be  encoded  as
3745              X509_<depth>_<attribute>=<value>.  Multiple --x509-track options
3746              can be defined to track multiple attributes.
3747
3748       --ns-cert-type client|server
3749              DEPRECATED  This option will be removed in OpenVPN 2.5.  Use the
3750              more modern equivalent --remote-cert-tls instead.   This  option
3751              will be removed in OpenVPN 2.5.
3752
3753              Require  that  peer  certificate  was  signed  with  an explicit
3754              nsCertType designation of "client" or "server".
3755
3756              This is a useful security option for clients, to ensure that the
3757              host they connect with is a designated server.
3758
3759              See  the  easy-rsa/build-key-server script for an example of how
3760              to generate a certificate  with  the  nsCertType  field  set  to
3761              "server".
3762
3763              If the server certificate's nsCertType field is set to "server",
3764              then the clients can verify this with --ns-cert-type server.
3765
3766              This is an important security precaution to  protect  against  a
3767              man-in-the-middle  attack where an authorized client attempts to
3768              connect to another client  by  impersonating  the  server.   The
3769              attack  is  easily prevented by having clients verify the server
3770              certificate using any one of --ns-cert-type, --verify-x509-name,
3771              or --tls-verify.
3772
3773       --remote-cert-ku [v...]
3774              Require  that  peer  certificate was signed with an explicit key
3775              usage.
3776
3777              If present in the certificate, the keyUsage value  is  validated
3778              by  the  TLS  library during the TLS handshake.  Specifying this
3779              option without arguments requires this extension to  be  present
3780              (so the TLS library will verify it).
3781
3782              If the list v...  is also supplied, the keyUsage field must have
3783              at least the same bits set as the bits in one of the values sup‐
3784              plied in the list v...
3785
3786              The  key  usage  values in the list must be encoded in hex, e.g.
3787              "--remote-cert-ku a0"
3788
3789       --remote-cert-eku oid
3790              Require that  peer  certificate  was  signed  with  an  explicit
3791              extended key usage.
3792
3793              This is a useful security option for clients, to ensure that the
3794              host they connect to is a designated server.
3795
3796              The extended key usage should be encoded  in  oid  notation,  or
3797              OpenSSL symbolic representation.
3798
3799       --remote-cert-tls client|server
3800              Require  that  peer  certificate was signed with an explicit key
3801              usage and extended key usage based on RFC3280 TLS rules.
3802
3803              This is a useful security option for clients, to ensure that the
3804              host  they  connect to is a designated server.  Or the other way
3805              around; for a server to verify that only  hosts  with  a  client
3806              certificate can connect.
3807
3808              The   --remote-cert-tls   client   option   is   equivalent   to
3809              --remote-cert-ku --remote-cert-eku "TLS Web  Client  Authentica‐
3810              tion"
3811
3812              The   --remote-cert-tls   server   option   is   equivalent   to
3813              --remote-cert-ku --remote-cert-eku "TLS Web  Server  Authentica‐
3814              tion"
3815
3816              This  is  an  important security precaution to protect against a
3817              man-in-the-middle attack where an authorized client attempts  to
3818              connect  to  another  client  by  impersonating the server.  The
3819              attack is easily prevented by having clients verify  the  server
3820              certificate   using   any   one   of  --remote-cert-tls,  --ver‐
3821              ify-x509-name, or --tls-verify.
3822
3823       --crl-verify crl ['dir']
3824              Check peer certificate against the file crl in PEM format.
3825
3826              A CRL (certificate revocation list) is used  when  a  particular
3827              key is compromised but when the overall PKI is still intact.
3828
3829              Suppose  you had a PKI consisting of a CA, root certificate, and
3830              a number of client certificates.  Suppose a laptop computer con‐
3831              taining  a client key and certificate was stolen.  By adding the
3832              stolen certificate to the CRL file, you could reject any connec‐
3833              tion  which  attempts  to  use  it, while preserving the overall
3834              integrity of the PKI.
3835
3836              The only time when it would be necessary to rebuild  the  entire
3837              PKI from scratch would be if the root certificate key itself was
3838              compromised.
3839
3840              The option is not mandatory - if the relevant  CRL  is  missing,
3841              OpenVPN  will  log a warning in the logs - e.g. "VERIFY WARNING:
3842              depth=0, unable to get certificate CRL"  -  but  the  connection
3843              will be allowed.
3844
3845              If  the  optional dir flag is specified, enable a different mode
3846              where crl is a  directory  containing  files  named  as  revoked
3847              serial  numbers  (the files may be empty, the contents are never
3848              read).  If a client requests a connection, where the client cer‐
3849              tificate  serial  number  (decimal string) is the name of a file
3850              present in the directory, it will be rejected.
3851
3852              Note: As the crl file (or directory) is read every time  a  peer
3853              connects,  if you are dropping root privileges with --user, make
3854              sure that this user has sufficient privileges to read the file.
3855
3856   SSL Library information:
3857       --show-ciphers
3858              (Standalone) Show all cipher algorithms to use with the --cipher
3859              option.
3860
3861       --show-digests
3862              (Standalone)  Show all message digest algorithms to use with the
3863              --auth option.
3864
3865       --show-tls
3866              (Standalone) Show  all  TLS  ciphers  supported  by  the  crypto
3867              library.   OpenVPN  uses TLS to secure the control channel, over
3868              which the keys that are used to protect the actual  VPN  traffic
3869              are  exchanged.   The  TLS  ciphers  will be sorted from highest
3870              preference (most secure) to lowest.
3871
3872              Be aware that whether a cipher suite in this list  can  actually
3873              work  depends  on  the  specific  setup of both peers (e.g. both
3874              peers must support the cipher, and an ECDSA  cipher  suite  will
3875              not work if you are using an RSA certificate, etc.).
3876
3877       --show-engines
3878              (Standalone)  Show  currently  available  hardware-based  crypto
3879              acceleration engines supported by the OpenSSL library.
3880
3881       --show-curves
3882              (Standalone) Show all available elliptic curves to use with  the
3883              --ecdh-curve option.
3884
3885   Generate a random key:
3886       Used only for non-TLS static key encryption mode.
3887
3888       --genkey
3889              (Standalone)  Generate  a  random  key  to  be  used as a shared
3890              secret, for use with the --secret option.   This  file  must  be
3891              shared  with the peer over a pre-existing secure channel such as
3892              scp(1)
3893
3894       --secret file
3895              Write key to file.
3896
3897   TUN/TAP persistent tunnel config mode:
3898       Available with Linux 2.4.7+.  These options comprise a standalone  mode
3899       of OpenVPN which can be used to create and delete persistent tunnels.
3900
3901       --mktun
3902              (Standalone)  Create a persistent tunnel on platforms which sup‐
3903              port them such as Linux.  Normally TUN/TAP  tunnels  exist  only
3904              for  the period of time that an application has them open.  This
3905              option takes advantage of the TUN/TAP driver's ability to  build
3906              persistent  tunnels that live through multiple instantiations of
3907              OpenVPN and die only when they are deleted  or  the  machine  is
3908              rebooted.
3909
3910              One  of the advantages of persistent tunnels is that they elimi‐
3911              nate the need for separate --up and --down scripts  to  run  the
3912              appropriate  ifconfig(8)  and route(8) commands.  These commands
3913              can be placed in the the same shell script which starts or  ter‐
3914              minates an OpenVPN session.
3915
3916              Another   advantage   is   that  open  connections  through  the
3917              TUN/TAP-based tunnel will not  be  reset  if  the  OpenVPN  peer
3918              restarts.   This  can be useful to provide uninterrupted connec‐
3919              tivity through the tunnel in the event of a DHCP  reset  of  the
3920              peer's public IP address (see the --ipchange option above).
3921
3922              One  disadvantage  of persistent tunnels is that it is harder to
3923              automatically configure their  MTU  value  (see  --link-mtu  and
3924              --tun-mtu above).
3925
3926              On some platforms such as Windows, TAP-Win32 tunnels are persis‐
3927              tent by default.
3928
3929       --rmtun
3930              (Standalone) Remove a persistent tunnel.
3931
3932       --dev tunX | tapX
3933              TUN/TAP device
3934
3935       --user user
3936              Optional user to be owner of this tunnel.
3937
3938       --group group
3939              Optional group to be owner of this tunnel.
3940
3941   Windows-Specific Options:
3942       --win-sys path
3943              Set the Windows system directory pathname to  use  when  looking
3944              for  system  executables  such  as  route.exe and netsh.exe.  By
3945              default, if this directive is not specified,  OpenVPN  will  use
3946              the SystemRoot environment variable.
3947
3948              This  option have changed behaviour in OpenVPN 2.3.  Earlier you
3949              had to define --win-sys env to use  the  SystemRoot  environment
3950              variable,  otherwise  it  defaulted  to  C:\WINDOWS.   It is not
3951              needed to use the env keyword any more,  and  it  will  just  be
3952              ignored.  A warning is logged when this is found in the configu‐
3953              ration file.
3954
3955       --ip-win32 method
3956              When using --ifconfig on Windows, set the TAP-Win32  adapter  IP
3957              address  and netmask using method.  Don't use this option unless
3958              you are also using --ifconfig.
3959
3960              manual -- Don't set the IP  address  or  netmask  automatically.
3961              Instead output a message to the console telling the user to con‐
3962              figure the adapter manually and indicating the IP/netmask  which
3963              OpenVPN expects the adapter to be set to.
3964
3965              dynamic  [offset]  [lease-time]  --  Automatically  set  the  IP
3966              address and netmask by replying to DHCP query messages generated
3967              by  the  kernel.   This mode is probably the "cleanest" solution
3968              for setting the TCP/IP properties since it uses  the  well-known
3969              DHCP  protocol.  There are, however, two prerequisites for using
3970              this mode: (1) The TCP/IP properties for the  TAP-Win32  adapter
3971              must  be  set  to  "Obtain an IP address automatically," and (2)
3972              OpenVPN needs to claim an IP address in the subnet  for  use  as
3973              the  virtual DHCP server address.  By default in --dev tap mode,
3974              OpenVPN will take the normally unused first address in the  sub‐
3975              net.   For  example,  if  your  subnet  is  192.168.4.0  netmask
3976              255.255.255.0, then OpenVPN will take the IP address 192.168.4.0
3977              to  use  as the virtual DHCP server address.  In --dev tun mode,
3978              OpenVPN will cause the DHCP server to masquerade as if  it  were
3979              coming  from the remote endpoint.  The optional offset parameter
3980              is an integer which is > -256 and < 256 and  which  defaults  to
3981              -1.   If  offset is positive, the DHCP server will masquerade as
3982              the IP address at network address + offset.  If offset is  nega‐
3983              tive,  the  DHCP  server  will  masquerade  as the IP address at
3984              broadcast address + offset.  The Windows ipconfig  /all  command
3985              can  be used to show what Windows thinks the DHCP server address
3986              is.  OpenVPN will "claim" this address, so make sure  to  use  a
3987              free  address.   Having  said that, different OpenVPN instantia‐
3988              tions, including different ends  of  the  same  connection,  can
3989              share  the  same  virtual  DHCP  server address.  The lease-time
3990              parameter controls the lease time of the DHCP  assignment  given
3991              to the TAP-Win32 adapter, and is denoted in seconds.  Normally a
3992              very long lease time is preferred  because  it  prevents  routes
3993              involving  the TAP-Win32 adapter from being lost when the system
3994              goes to sleep.  The default lease time is one year.
3995
3996              netsh -- Automatically set the IP address and netmask using  the
3997              Windows  command-line  "netsh"  command.  This method appears to
3998              work correctly on Windows XP but not Windows 2000.
3999
4000              ipapi -- Automatically set the IP address and netmask using  the
4001              Windows IP Helper API.  This approach does not have ideal seman‐
4002              tics, though testing has indicated that it works okay  in  prac‐
4003              tice.   If  you  use this option, it is best to leave the TCP/IP
4004              properties for the TAP-Win32 adapter  in  their  default  state,
4005              i.e. "Obtain an IP address automatically."
4006
4007              adaptive -- (Default) Try dynamic method initially and fail over
4008              to netsh if the DHCP negotiation with the TAP-Win32 adapter does
4009              not  succeed  in  20  seconds.  Such failures have been known to
4010              occur when certain third-party firewall  packages  installed  on
4011              the  client  machine  block  the  DHCP  negotiation  used by the
4012              TAP-Win32 adapter.  Note that if the netsh failover occurs,  the
4013              TAP-Win32  adapter  TCP/IP properties will be reset from DHCP to
4014              static, and this will cause future OpenVPN  startups  using  the
4015              adaptive  mode  to  use  netsh  immediately,  rather than trying
4016              dynamic first.  To "unstick" the adaptive mode from using netsh,
4017              run  OpenVPN at least once using the dynamic mode to restore the
4018              TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
4019
4020       --route-method m
4021              Which method m to use for adding routes on Windows?
4022
4023              adaptive (default) -- Try IP helper API first.  If  that  fails,
4024              fall back to the route.exe shell command.
4025              ipapi -- Use IP helper API.
4026              exe -- Call the route.exe shell command.
4027
4028       --dhcp-option type [parm]
4029              Set  extended  TAP-Win32  TCP/IP  properties,  must be used with
4030              --ip-win32 dynamic or --ip-win32 adaptive.  This option  can  be
4031              used  to  set  additional  TCP/IP  properties  on  the TAP-Win32
4032              adapter, and is particularly useful for configuring  an  OpenVPN
4033              client to access a Samba server across the VPN.
4034
4035              DOMAIN name -- Set Connection-specific DNS Suffix.
4036
4037              DNS addr -- Set primary domain name server IPv4 or IPv6 address.
4038              Repeat this option to set secondary DNS server addresses.
4039
4040              Note: DNS IPv6 servers are currently set using netsh (the exist‐
4041              ing DHCP code can only do IPv4 DHCP, and that protocol only per‐
4042              mits IPv4 addresses anywhere).  The option will be put into  the
4043              environment, so an --up script could act upon it if needed.
4044
4045              WINS  addr  --  Set  primary  WINS  server address (NetBIOS over
4046              TCP/IP Name Server).  Repeat this option to set  secondary  WINS
4047              server addresses.
4048
4049              NBDD  addr  --  Set  primary  NBDD  server address (NetBIOS over
4050              TCP/IP Datagram Distribution Server) Repeat this option  to  set
4051              secondary NBDD server addresses.
4052
4053              NTP  addr -- Set primary NTP server address (Network Time Proto‐
4054              col).  Repeat this option to set secondary NTP server addresses.
4055
4056              NBT type  --  Set  NetBIOS  over  TCP/IP  Node  type.   Possible
4057              options:  1  =  b-node  (broadcasts), 2 = p-node (point-to-point
4058              name queries to a WINS server), 4 = m-node (broadcast then query
4059              name  server),  and  8  = h-node (query name server, then broad‐
4060              cast).
4061
4062              NBS scope-id -- Set NetBIOS over TCP/IP Scope. A  NetBIOS  Scope
4063              ID  provides  an  extended  naming  service for the NetBIOS over
4064              TCP/IP (Known as NBT) module. The primary purpose of  a  NetBIOS
4065              scope  ID  is  to isolate NetBIOS traffic on a single network to
4066              only those nodes with the same NetBIOS scope  ID.   The  NetBIOS
4067              scope  ID  is a character string that is appended to the NetBIOS
4068              name. The NetBIOS scope ID on two hosts must match, or  the  two
4069              hosts will not be able to communicate. The NetBIOS Scope ID also
4070              allows computers to use the same computer  name,  as  they  have
4071              different  scope IDs. The Scope ID becomes a part of the NetBIOS
4072              name, making the name  unique.   (This  description  of  NetBIOS
4073              scopes courtesy of NeonSurge@abyss.com)
4074
4075              DISABLE-NBT -- Disable Netbios-over-TCP/IP.
4076
4077              Note that if --dhcp-option is pushed via --push to a non-windows
4078              client, the option will be saved  in  the  client's  environment
4079              before   the   up   script  is  called,  under  the  name  "for‐
4080              eign_option_{n}".
4081
4082       --tap-sleep n
4083              Cause OpenVPN to sleep  for  n  seconds  immediately  after  the
4084              TAP-Win32 adapter state is set to "connected".
4085
4086              This option is intended to be used to troubleshoot problems with
4087              the --ifconfig and --ip-win32 options, and is used to  give  the
4088              TAP-Win32  adapter  time to come up before Windows IP Helper API
4089              operations are applied to it.
4090
4091       --show-net-up
4092              Output OpenVPN's view of the system routing  table  and  network
4093              adapter list to the syslog or log file after the TUN/TAP adapter
4094              has been brought up and any routes have been added.
4095
4096       --block-outside-dns
4097              Block DNS servers on  other  network  adapters  to  prevent  DNS
4098              leaks.  This  option prevents any application from accessing TCP
4099              or UDP port 53 except one inside the  tunnel.  It  uses  Windows
4100              Filtering Platform (WFP) and works on Windows Vista or later.
4101
4102              This  option  is considered unknown on non-Windows platforms and
4103              unsupported on Windows XP, resulting in fatal  error.   You  may
4104              want  to  use --setenv opt or --ignore-unknown-option (not suit‐
4105              able for Windows XP) to ignore said error.   Note  that  pushing
4106              unknown options from server does not trigger fatal errors.
4107
4108       --dhcp-renew
4109              Ask  Windows  to  renew  the TAP adapter lease on startup.  This
4110              option is normally unnecessary, as Windows  automatically  trig‐
4111              gers  a  DHCP renegotiation on the TAP adapter when it comes up,
4112              however if you set the TAP-Win32 adapter Media  Status  property
4113              to "Always Connected", you may need this flag.
4114
4115       --dhcp-release
4116              Ask  Windows to release the TAP adapter lease on shutdown.  This
4117              option has no effect now, as it is enabled by  default  starting
4118              with OpenVPN 2.4.1.
4119
4120       --register-dns
4121              Run  ipconfig  /flushdns and ipconfig /registerdns on connection
4122              initiation.  This is known  to  kick  Windows  into  recognizing
4123              pushed DNS servers.
4124
4125       --pause-exit
4126              Put  up  a  "press  any  key to continue" message on the console
4127              prior to OpenVPN program exit.   This  option  is  automatically
4128              used by the Windows explorer when OpenVPN is run on a configura‐
4129              tion file using the right-click explorer menu.
4130
4131       --service exit-event [0|1]
4132              Should be used when OpenVPN is being automatically  executed  by
4133              another  program  in such a context that no interaction with the
4134              user via display or keyboard is possible.  In general, end-users
4135              should  never need to explicitly use this option, as it is auto‐
4136              matically added by the OpenVPN  service  wrapper  when  a  given
4137              OpenVPN configuration is being run as a service.
4138
4139              exit-event  is  the  name  of a Windows global event object, and
4140              OpenVPN will continuously monitor the state of this event object
4141              and exit when it becomes signaled.
4142
4143              The  second  parameter indicates the initial state of exit-event
4144              and normally defaults to 0.
4145
4146              Multiple OpenVPN processes can be simultaneously  executed  with
4147              the  same  exit-event  parameter.   In any case, the controlling
4148              process can signal exit-event, causing  all  such  OpenVPN  pro‐
4149              cesses to exit.
4150
4151              When executing an OpenVPN process using the --service directive,
4152              OpenVPN will probably not have a console window to  output  sta‐
4153              tus/error  messages,  therefore  it  is  useful  to use --log or
4154              --log-append to write these messages to a file.
4155
4156       --show-adapters
4157              (Standalone) Show available  TAP-Win32  adapters  which  can  be
4158              selected  using  the --dev-node option.  On non-Windows systems,
4159              the ifconfig(8) command provides similar functionality.
4160
4161       --allow-nonadmin [TAP-adapter]
4162              (Standalone) Set TAP-adapter to allow access  from  non-adminis‐
4163              trative  accounts.   If TAP-adapter is omitted, all TAP adapters
4164              on the system will be configured to allow non-admin access.  The
4165              non-admin  access  setting  will  only persist for the length of
4166              time that the TAP-Win32 device object and driver remain  loaded,
4167              and  will need to be re-enabled after a reboot, or if the driver
4168              is unloaded and reloaded.  This directive can only be used by an
4169              administrator.
4170
4171       --show-valid-subnets
4172              (Standalone)  Show valid subnets for --dev tun emulation.  Since
4173              the TAP-Win32 driver exports an ethernet interface  to  Windows,
4174              and since TUN devices are point-to-point in nature, it is neces‐
4175              sary for the TAP-Win32 driver to impose certain  constraints  on
4176              TUN endpoint address selection.
4177
4178              Namely,  the  point-to-point endpoints used in TUN device emula‐
4179              tion must be the middle two addresses of a /30  subnet  (netmask
4180              255.255.255.252).
4181
4182       --show-net
4183              (Standalone) Show OpenVPN's view of the system routing table and
4184              network adapter list.
4185
4186   PKCS#11 Standalone Options:
4187       --show-pkcs11-ids [provider] [cert_private]
4188              (Standalone) Show PKCS#11 token object list.  Specify  cert_pri‐
4189              vate as 1 if certificates are stored as private objects.
4190
4191              If  p11-kit  is  present on the system, the provider argument is
4192              optional; if omitted the default p11-kit-proxy.so module will be
4193              queried.
4194
4195              --verb  option  can be used BEFORE this option to produce debug‐
4196              ging information.
4197
4198   Standalone Debug Options:
4199       --show-gateway [v6target]
4200              (Standalone) Show current IPv4  and  IPv6  default  gateway  and
4201              interface  towards  the  gateway (if the protocol in question is
4202              enabled).  If an IPv6 address is passed as  argument,  the  IPv6
4203              route for this host is reported.
4204
4205   IPv6 Related Options
4206       The  following  options exist to support IPv6 tunneling in peer-to-peer
4207       and client-server mode.  All options are modeled after their IPv4 coun‐
4208       terparts,  so more detailed explanations given there apply here as well
4209       (except for --topology , which has no effect on IPv6).
4210
4211       --ifconfig-ipv6 ipv6addr/bits ipv6remote
4212              configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
4213              second  parameter is used as route target for --route-ipv6 if no
4214              gateway is specified.
4215
4216       --route-ipv6 ipv6addr/bits [gateway] [metric]
4217              setup IPv6 routing in the system to send the specified IPv6 net‐
4218              work into OpenVPN's ``tun''.  The gateway parameter is only used
4219              for IPv6 routes across ``tap''  devices,  and  if  missing,  the
4220              ``ipv6remote'' field from --ifconfig-ipv6 is used.
4221
4222       --server-ipv6 ipv6addr/bits
4223              convenience-function  to enable a number of IPv6 related options
4224              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
4225              tun-ipv6  Is  only accepted if ``--mode server'' or ``--server''
4226              is set. Pushing of the --tun-ipv6 directive is  done  for  older
4227              clients  which  require an explicit ``--tun-ipv6'' in their con‐
4228              figuration.
4229
4230       --ifconfig-ipv6-pool ipv6addr/bits
4231              Specify an IPv6 address pool for dynamic assignment to  clients.
4232              The  pool  starts  at ipv6addr and matches the offset determined
4233              from the start of the IPv4 pool.
4234
4235       --ifconfig-ipv6-push ipv6addr/bits ipv6remote
4236              for ccd/ per-client static  IPv6  interface  configuration,  see
4237              --client-config-dir and --ifconfig-push for more details.
4238
4239       --iroute-ipv6 ipv6addr/bits
4240              for   ccd/  per-client  static  IPv6  route  configuration,  see
4241              --iroute for more details how to setup and  use  this,  and  how
4242              --iroute and --route interact.
4243
4244

SCRIPTING AND ENVIRONMENTAL VARIABLES

4246       OpenVPN  exports  a  series  of  environmental  variables  for  use  by
4247       user-defined scripts.
4248
4249   Script Order of Execution
4250       --up   Executed after TCP/UDP socket bind and TUN/TAP open.
4251
4252       --tls-verify
4253              Executed when we have a still untrusted remote peer.
4254
4255       --ipchange
4256              Executed after connection authentication, or remote  IP  address
4257              change.
4258
4259       --client-connect
4260              Executed  in --mode server mode immediately after client authen‐
4261              tication.
4262
4263       --route-up
4264              Executed after  connection  authentication,  either  immediately
4265              after,  or  some  number  of  seconds  after  as  defined by the
4266              --route-delay option.
4267
4268       --route-pre-down
4269              Executed right before the routes are removed.
4270
4271       --client-disconnect
4272              Executed in --mode server mode on client instance shutdown.
4273
4274       --down Executed after TCP/UDP and TUN/TAP close.
4275
4276       --learn-address
4277              Executed in --mode server mode whenever an IPv4 address/route or
4278              MAC address is added to OpenVPN's internal routing table.
4279
4280       --auth-user-pass-verify
4281              Executed  in  --mode server mode on new client connections, when
4282              the client is still untrusted.
4283
4284   String Types and Remapping
4285       In certain cases, OpenVPN  will  perform  remapping  of  characters  in
4286       strings.   Essentially,  any  characters  outside  the set of permitted
4287       characters for each string type will be converted to underbar ('_').
4288
4289       Q: Why is string remapping necessary?
4290
4291       A: It's an important security feature to prevent the  malicious  coding
4292       of  strings  from  untrusted  sources  to  be  passed  as parameters to
4293       scripts, saved in the environment, used as a common name, translated to
4294       a filename, etc.
4295
4296       Q: Can string remapping be disabled?
4297
4298       A: Yes, by using the --no-name-remapping option, however this should be
4299       considered an advanced option.
4300
4301       Here is a brief rundown of OpenVPN's current string types and the  per‐
4302       mitted character class for each string:
4303
4304       X509  Names:  Alphanumeric,  underbar  ('_'), dash ('-'), dot ('.'), at
4305       ('@'), colon (':'), slash ('/'),  and  equal  ('=').   Alphanumeric  is
4306       defined  as  a character which will cause the C library isalnum() func‐
4307       tion to return true.
4308
4309       Common Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'),  and
4310       at ('@').
4311
4312       --auth-user-pass  username:  Same  as  Common Name, with one exception:
4313       starting with OpenVPN 2.0.1,  the  username  is  passed  to  the  OPEN‐
4314       VPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string
4315       remapping.
4316
4317       --auth-user-pass password: Any "printable" character except CR  or  LF.
4318       Printable  is  defined to be a character which will cause the C library
4319       isprint() function to return true.
4320
4321       --client-config-dir filename as derived from common name  or  username:
4322       Alphanumeric,  underbar ('_'), dash ('-'), and dot ('.') except for "."
4323       or ".." as standalone strings.  As of v2.0.1-rc6, the at ('@')  charac‐
4324       ter has been added as well for compatibility with the common name char‐
4325       acter class.
4326
4327       Environmental variable names: Alphanumeric or underbar ('_').
4328
4329       Environmental variable values: Any printable character.
4330
4331       For all cases, characters in a string which  are  not  members  of  the
4332       legal character class for that string type will be remapped to underbar
4333       ('_').
4334
4335   Environmental Variables
4336       Once set, a variable is persisted indefinitely until it is reset  by  a
4337       new value or a restart,
4338
4339       As  of  OpenVPN 2.0-beta12, in server mode, environmental variables set
4340       by OpenVPN are scoped according to the client objects they are  associ‐
4341       ated with, so there should not be any issues with scripts having access
4342       to stale, previously set variables  which  refer  to  different  client
4343       instances.
4344
4345       bytes_received
4346              Total  number  of bytes received from client during VPN session.
4347              Set prior to execution of the --client-disconnect script.
4348
4349       bytes_sent
4350              Total number of bytes sent to client during  VPN  session.   Set
4351              prior to execution of the --client-disconnect script.
4352
4353       common_name
4354              The  X509  common name of an authenticated client.  Set prior to
4355              execution   of   --client-connect,   --client-disconnect,    and
4356              --auth-user-pass-verify scripts.
4357
4358       config Name  of  first  --config  file.   Set on program initiation and
4359              reset on SIGHUP.
4360
4361       daemon Set to "1" if the --daemon directive is specified, or "0" other‐
4362              wise.  Set on program initiation and reset on SIGHUP.
4363
4364       daemon_log_redirect
4365              Set  to  "1"  if the --log or --log-append directives are speci‐
4366              fied, or "0" otherwise.  Set on program initiation and reset  on
4367              SIGHUP.
4368
4369       dev    The  actual  name of the TUN/TAP device, including a unit number
4370              if it exists.  Set prior to --up or --down script execution.
4371
4372       dev_idx
4373              On Windows, the device index of the TUN/TAP adapter (to be  used
4374              in  netsh.exe  calls which sometimes just do not work right with
4375              interface names).  Set prior to --up or --down script execution.
4376
4377       foreign_option_{n}
4378              An option pushed via --push to a client which does not  natively
4379              support  it, such as --dhcp-option on a non-Windows system, will
4380              be recorded to this environmental  variable  sequence  prior  to
4381              --up script execution.
4382
4383       ifconfig_broadcast
4384              The  broadcast address for the virtual ethernet segment which is
4385              derived from the --ifconfig option when --dev tap is used.   Set
4386              prior  to OpenVPN calling the ifconfig or netsh (windows version
4387              of ifconfig) commands which normally occurs prior to --up script
4388              execution.
4389
4390       ifconfig_ipv6_local
4391              The  local  VPN  endpoint IPv6 address specified in the --ifcon‐
4392              fig-ipv6 option (first parameter).  Set prior to OpenVPN calling
4393              the  ifconfig  or  netsh  (windows version of ifconfig) commands
4394              which normally occurs prior to --up script execution.
4395
4396       ifconfig_ipv6_netbits
4397              The prefix length of the IPv6  network  on  the  VPN  interface.
4398              Derived  from  the  /nnn  parameter  of  the IPv6 address in the
4399              --ifconfig-ipv6 option (first parameter).  Set prior to  OpenVPN
4400              calling the ifconfig or netsh (windows version of ifconfig) com‐
4401              mands which normally occurs prior to --up script execution.
4402
4403       ifconfig_ipv6_remote
4404              The remote VPN endpoint IPv6 address specified in  the  --ifcon‐
4405              fig-ipv6  option (second parameter).  Set prior to OpenVPN call‐
4406              ing the ifconfig or netsh (windows version of ifconfig) commands
4407              which normally occurs prior to --up script execution.
4408
4409       ifconfig_local
4410              The  local  VPN  endpoint IP address specified in the --ifconfig
4411              option (first parameter).  Set  prior  to  OpenVPN  calling  the
4412              ifconfig  or  netsh (windows version of ifconfig) commands which
4413              normally occurs prior to --up script execution.
4414
4415       ifconfig_remote
4416              The remote VPN endpoint IP address specified in  the  --ifconfig
4417              option  (second parameter) when --dev tun is used.  Set prior to
4418              OpenVPN calling the ifconfig or netsh (windows version of ifcon‐
4419              fig)  commands which normally occurs prior to --up script execu‐
4420              tion.
4421
4422       ifconfig_netmask
4423              The subnet mask of the virtual ethernet segment that  is  speci‐
4424              fied  as  the  second  parameter to --ifconfig when --dev tap is
4425              being used.  Set prior to OpenVPN calling the ifconfig or  netsh
4426              (windows  version  of  ifconfig)  commands which normally occurs
4427              prior to --up script execution.
4428
4429       ifconfig_pool_local_ip
4430              The local virtual IP address for the TUN/TAP tunnel  taken  from
4431              an --ifconfig-push directive if specified, or otherwise from the
4432              ifconfig pool (controlled by  the  --ifconfig-pool  config  file
4433              directive).  Only set for --dev tun tunnels.  This option is set
4434              on the server prior to execution  of  the  --client-connect  and
4435              --client-disconnect scripts.
4436
4437       ifconfig_pool_netmask
4438              The  virtual  IP  netmask  for  the TUN/TAP tunnel taken from an
4439              --ifconfig-push directive if specified, or  otherwise  from  the
4440              ifconfig  pool  (controlled  by  the --ifconfig-pool config file
4441              directive).  Only set for --dev tap tunnels.  This option is set
4442              on  the  server  prior  to execution of the --client-connect and
4443              --client-disconnect scripts.
4444
4445       ifconfig_pool_remote_ip
4446              The remote virtual IP address for the TUN/TAP tunnel taken  from
4447              an --ifconfig-push directive if specified, or otherwise from the
4448              ifconfig pool (controlled by  the  --ifconfig-pool  config  file
4449              directive).  This option is set on the server prior to execution
4450              of the --client-connect and --client-disconnect scripts.
4451
4452       link_mtu
4453              The maximum packet size (not including the IP header) of  tunnel
4454              data  in UDP tunnel transport mode.  Set prior to --up or --down
4455              script execution.
4456
4457       local  The --local parameter.  Set on program initiation and  reset  on
4458              SIGHUP.
4459
4460       local_port
4461              The  local  port number or name, specified by --port or --lport.
4462              Set on program initiation and reset on SIGHUP.
4463
4464       password
4465              The password provided by a  connecting  client.   Set  prior  to
4466              --auth-user-pass-verify  script  execution only when the via-env
4467              modifier is specified, and deleted from  the  environment  after
4468              the script returns.
4469
4470       proto  The  --proto  parameter.  Set on program initiation and reset on
4471              SIGHUP.
4472
4473       remote_{n}
4474              The --remote parameter.  Set on program initiation and reset  on
4475              SIGHUP.
4476
4477       remote_port_{n}
4478              The  remote port number, specified by --port or --rport.  Set on
4479              program initiation and reset on SIGHUP.
4480
4481       route_net_gateway
4482              The pre-existing default IP gateway in the system routing table.
4483              Set prior to --up script execution.
4484
4485       route_vpn_gateway
4486              The  default  gateway  used  by --route options, as specified in
4487              either the --route-gateway option or  the  second  parameter  to
4488              --ifconfig  when  --dev  tun  is  specified.   Set prior to --up
4489              script execution.
4490
4491       route_{parm}_{n}
4492              A set of variables which define each route to be added, and  are
4493              set prior to --up script execution.
4494
4495              parm  will  be  one of "network", "netmask", "gateway", or "met‐
4496              ric".
4497
4498              n is the OpenVPN route number, starting from 1.
4499
4500              If the network or gateway are resolvable  DNS  names,  their  IP
4501              address translations will be recorded rather than their names as
4502              denoted on the command line or configuration file.
4503
4504       route_ipv6_{parm}_{n}
4505              A set of variables which define each IPv6 route to be added, and
4506              are set prior to --up script execution.
4507
4508              parm  will  be  one of "network" or "gateway" ("netmask" is con‐
4509              tained as "/nnn"  in  the  route_ipv6_network_{n},  unlike  IPv4
4510              where it is passed in a separate environment variable).
4511
4512              n is the OpenVPN route number, starting from 1.
4513
4514              If  the  network  or  gateway are resolvable DNS names, their IP
4515              address translations will be recorded rather than their names as
4516              denoted on the command line or configuration file.
4517
4518       peer_cert
4519              Temporary  file name containing the client certificate upon con‐
4520              nection.  Useful in conjunction with --tls-verify
4521
4522       script_context
4523              Set to "init" or "restart" prior to  up/down  script  execution.
4524              For more information, see documentation for --up.
4525
4526       script_type
4527              Prior  to  execution  of any script, this variable is set to the
4528              type of script being run.  It can be one of the  following:  up,
4529              down,  ipchange,  route-up,  tls-verify,  auth-user-pass-verify,
4530              client-connect, client-disconnect, or learn-address.  Set  prior
4531              to execution of any script.
4532
4533       signal The  reason for exit or restart.  Can be one of sigusr1, sighup,
4534              sigterm, sigint, inactive  (controlled  by  --inactive  option),
4535              ping-exit (controlled by --ping-exit option), ping-restart (con‐
4536              trolled by --ping-restart option),  connection-reset  (triggered
4537              on  TCP  connection  reset), error, or unknown (unknown signal).
4538              This variable is set just prior to down script execution.
4539
4540       time_ascii
4541              Client connection timestamp, formatted as a human-readable  time
4542              string.  Set prior to execution of the --client-connect script.
4543
4544       time_duration
4545              The  duration  (in  seconds)  of the client session which is now
4546              disconnecting.  Set prior to execution of  the  --client-discon‐
4547              nect script.
4548
4549       time_unix
4550              Client   connection  timestamp,  formatted  as  a  unix  integer
4551              date/time value.  Set prior to execution of the --client-connect
4552              script.
4553
4554       tls_digest_{n} / tls_digest_sha256_{n}
4555              Contains  the  certificate SHA1 / SHA256 fingerprint, where n is
4556              the verification level.  Only  set  for  TLS  connections.   Set
4557              prior to execution of --tls-verify script.
4558
4559       tls_id_{n}
4560              A  series of certificate fields from the remote peer, where n is
4561              the verification level.  Only  set  for  TLS  connections.   Set
4562              prior to execution of --tls-verify script.
4563
4564       tls_serial_{n}
4565              The serial number of the certificate from the remote peer, where
4566              n is the verification level.  Only set for TLS connections.  Set
4567              prior  to  execution of --tls-verify script. This is in the form
4568              of a decimal string like  "933971680",  which  is  suitable  for
4569              doing  serial-based  OCSP  queries (with OpenSSL, do not prepend
4570              "0x" to the string) If something goes wrong  while  reading  the
4571              value  from  the certificate it will be an empty string, so your
4572              code     should     check     that.       See      the      con‐
4573              trib/OCSP_check/OCSP_check.sh script for an example.
4574
4575       tls_serial_hex_{n}
4576              Like tls_serial_{n}, but in hex form (e.g. "12:34:56:78:9A").
4577
4578       tun_mtu
4579              The  MTU  of  the  TUN/TAP  device.  Set prior to --up or --down
4580              script execution.
4581
4582       trusted_ip (or trusted_ip6)
4583              Actual IP address of connecting client or peer  which  has  been
4584              authenticated.    Set   prior   to   execution   of  --ipchange,
4585              --client-connect, and  --client-disconnect  scripts.   If  using
4586              ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.
4587
4588       trusted_port
4589              Actual  port  number of connecting client or peer which has been
4590              authenticated.   Set   prior   to   execution   of   --ipchange,
4591              --client-connect, and --client-disconnect scripts.
4592
4593       untrusted_ip (or untrusted_ip6)
4594              Actual  IP  address  of  connecting client or peer which has not
4595              been authenticated yet.  Sometimes used to nmap  the  connecting
4596              host  in  a --tls-verify script to ensure it is firewalled prop‐
4597              erly.    Set   prior   to   execution   of   --tls-verify    and
4598              --auth-user-pass-verify scripts.  If using ipv6 endpoints (udp6,
4599              tcp6), untrusted_ip6 will be set instead.
4600
4601       untrusted_port
4602              Actual port number of connecting client or peer  which  has  not
4603              been  authenticated yet.  Set prior to execution of --tls-verify
4604              and --auth-user-pass-verify scripts.
4605
4606       username
4607              The username provided by a  connecting  client.   Set  prior  to
4608              --auth-user-pass-verify  script  execution only when the via-env
4609              modifier is specified.
4610
4611       X509_{n}_{subject_field}
4612              An X509 subject field from the remote peer certificate, where  n
4613              is  the  verification level.  Only set for TLS connections.  Set
4614              prior to execution of --tls-verify  script.   This  variable  is
4615              similar  to  tls_id_{n} except the component X509 subject fields
4616              are broken out, and no string remapping occurs  on  these  field
4617              values (except for remapping of control characters to "_").  For
4618              example, the following variables would be  set  on  the  OpenVPN
4619              server  using  the  sample  client  certificate  in  sample-keys
4620              (client.crt).  Note that the verification level  is  0  for  the
4621              client certificate and 1 for the CA certificate.
4622
4623                  X509_0_emailAddress=me@myhost.mydomain
4624                  X509_0_CN=Test-Client
4625                  X509_0_O=OpenVPN-TEST
4626                  X509_0_ST=NA
4627                  X509_0_C=KG
4628                  X509_1_emailAddress=me@myhost.mydomain
4629                  X509_1_O=OpenVPN-TEST
4630                  X509_1_L=BISHKEK
4631                  X509_1_ST=NA
4632                  X509_1_C=KG
4633

INLINE FILE SUPPORT

4635       OpenVPN  allows including files in the main configuration for the --ca,
4636       --cert, --dh, --extra-certs, --key, --pkcs12,  --secret,  --crl-verify,
4637       --http-proxy-user-pass, --tls-auth and --tls-crypt options.
4638
4639       Each  inline  file  started  by the line <option> and ended by the line
4640       </option>
4641
4642       Here is an example of an inline file usage
4643
4644           <cert>
4645           -----BEGIN CERTIFICATE-----
4646           [...]
4647           -----END CERTIFICATE-----
4648           </cert>
4649
4650       When using the inline file feature with --pkcs12 the inline file has to
4651       be  base64 encoded. Encoding of a .p12 file into base64 can be done for
4652       example with OpenSSL by running openssl base64 -in input.p12
4653
4654

SIGNALS

4656       SIGHUP Cause OpenVPN to close  all  TUN/TAP  and  network  connections,
4657              restart,  re-read  the  configuration  file (if any), and reopen
4658              TUN/TAP and network connections.
4659
4660       SIGUSR1
4661              Like SIGHUP, except don't re-read configuration file, and possi‐
4662              bly  don't  close  and reopen TUN/TAP device, re-read key files,
4663              preserve  local  IP  address/port,  or  preserve  most  recently
4664              authenticated  remote  IP  address/port  based on --persist-tun,
4665              --persist-key,   --persist-local-ip,   and   --persist-remote-ip
4666              options respectively (see above).
4667
4668              This signal may also be internally generated by a timeout condi‐
4669              tion, governed by the --ping-restart option.
4670
4671              This signal, when combined with --persist-remote-ip, may be sent
4672              when  the  underlying parameters of the host's network interface
4673              change such as when the host is a DHCP client and is assigned  a
4674              new IP address.  See --ipchange above for more information.
4675
4676       SIGUSR2
4677              Causes  OpenVPN to display its current statistics (to the syslog
4678              file if --daemon is used, or stdout otherwise).
4679
4680       SIGINT, SIGTERM
4681              Causes OpenVPN to exit gracefully.
4682

TUN/TAP DRIVER SETUP

4684       If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP
4685       driver already installed.  If so, there are still a few things you need
4686       to do:
4687
4688       Make device: mknod /dev/net/tun c 10 200
4689
4690       Load driver: modprobe tun
4691

EXAMPLES

4693       Prior to running these examples, you should have OpenVPN  installed  on
4694       two  machines  with network connectivity between them.  If you have not
4695       yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
4696       distribution.
4697
4698   TUN/TAP Setup:
4699       If you are using Linux 2.4 or higher, make the tun device node and load
4700       the tun module:
4701
4702              mknod /dev/net/tun c 10 200
4703
4704              modprobe tun
4705
4706       If you installed from RPM, the mknod step may be omitted,  because  the
4707       RPM install does that for you.
4708
4709       Only Linux 2.4 and newer are supported.
4710
4711       For   other   platforms,  consult  the  INSTALL  file  at  http://open
4712       vpn.net/install.html for more information.
4713
4714   Firewall Setup:
4715       If firewalls exist between the two machines, they should be set to for‐
4716       ward UDP port 1194 in both directions.  If you do not have control over
4717       the firewalls between the two machines, you may still be  able  to  use
4718       OpenVPN  by adding --ping 15 to each of the openvpn commands used below
4719       in the examples (this will cause each peer to send out a  UDP  ping  to
4720       its  remote  peer  once every 15 seconds which will cause many stateful
4721       firewalls to forward packets in both  directions  without  an  explicit
4722       firewall rule).
4723
4724       If you are using a Linux iptables-based firewall, you may need to enter
4725       the following command to allow incoming packets on the TUN device:
4726
4727              iptables -A INPUT -i tun+ -j ACCEPT
4728
4729       See the firewalls section below for  more  information  on  configuring
4730       firewalls for use with OpenVPN.
4731
4732   VPN Address Setup:
4733       For  purposes of our example, our two machines will be called bob.exam‐
4734       ple.com and alice.example.com.  If you are constructing a VPN over  the
4735       internet,  then  replace bob.example.com and alice.example.com with the
4736       internet hostname or IP address that each machine will use  to  contact
4737       the other over the internet.
4738
4739       Now  we will choose the tunnel endpoints.  Tunnel endpoints are private
4740       IP addresses that only have meaning in the context of  the  VPN.   Each
4741       machine  will use the tunnel endpoint of the other machine to access it
4742       over the VPN.  In our example, the tunnel endpoint for  bob.example.com
4743       will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
4744
4745       Once  the  VPN  is  established,  you have essentially created a secure
4746       alternate path between the two hosts which is addressed  by  using  the
4747       tunnel endpoints.  You can control which network traffic passes between
4748       the hosts (a) over the VPN or (b) independently of the VPN, by choosing
4749       whether  to use (a) the VPN endpoint address or (b) the public internet
4750       address, to access the remote host. For example if you are on bob.exam‐
4751       ple.com  and  you  wish to connect to alice.example.com via ssh without
4752       using the VPN (since ssh has its own built-in security) you  would  use
4753       the  command  ssh alice.example.com.  However in the same scenario, you
4754       could also use the command telnet 10.4.0.2 to create a  telnet  session
4755       with  alice.example.com  over the VPN, that would use the VPN to secure
4756       the session rather than ssh.
4757
4758       You can use any address you wish for the tunnel endpoints but make sure
4759       that  they  are  private addresses (such as those that begin with 10 or
4760       192.168) and that they are not part of any existing subnet on the  net‐
4761       works  of  either peer, unless you are bridging.  If you use an address
4762       that is part of your local subnet for either of the  tunnel  endpoints,
4763       you will get a weird feedback loop.
4764
4765   Example 1: A simple tunnel without security
4766       On bob:
4767
4768              openvpn   --remote   alice.example.com   --dev  tun1  --ifconfig
4769              10.4.0.1 10.4.0.2 --verb 9
4770
4771       On alice:
4772
4773              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4774              10.4.0.1 --verb 9
4775
4776       Now verify the tunnel is working by pinging across the tunnel.
4777
4778       On bob:
4779
4780              ping 10.4.0.2
4781
4782       On alice:
4783
4784              ping 10.4.0.1
4785
4786       The  --verb  9  option will produce verbose output, similar to the tcp‐
4787       dump(8) program.  Omit the --verb 9 option to have OpenVPN run quietly.
4788
4789   Example 2: A tunnel with  static-key  security  (i.e.  using  a  pre-shared
4790       secret)
4791       First build a static key on bob.
4792
4793              openvpn --genkey --secret key
4794
4795       This command will build a random key file called key (in ascii format).
4796       Now copy key to alice over a secure medium such as by using the  scp(1)
4797       program.
4798
4799       On bob:
4800
4801              openvpn   --remote   alice.example.com   --dev  tun1  --ifconfig
4802              10.4.0.1 10.4.0.2 --verb 5 --secret key
4803
4804       On alice:
4805
4806              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4807              10.4.0.1 --verb 5 --secret key
4808
4809       Now verify the tunnel is working by pinging across the tunnel.
4810
4811       On bob:
4812
4813              ping 10.4.0.2
4814
4815       On alice:
4816
4817              ping 10.4.0.1
4818
4819   Example 3: A tunnel with full TLS-based security
4820       For this test, we will designate bob as the TLS client and alice as the
4821       TLS server.  Note that client or server designation  only  has  meaning
4822       for  the  TLS  subsystem.  It has no bearing on OpenVPN's peer-to-peer,
4823       UDP-based communication model.
4824
4825       First, build a separate certificate/key pair for  both  bob  and  alice
4826       (see  above  where  --cert is discussed for more info).  Then construct
4827       Diffie Hellman parameters (see above where --dh is discussed  for  more
4828       info).    You   can  also  use  the  included  test  files  client.crt,
4829       client.key, server.crt, server.key and ca.crt.  The .crt files are cer‐
4830       tificates/public-keys, the .key files are private keys, and ca.crt is a
4831       certification authority who has signed both client.crt and  server.crt.
4832       For Diffie Hellman parameters you can use the included file dh1024.pem.
4833       Note that all client, server, and  certificate  authority  certificates
4834       and  keys included in the OpenVPN distribution are totally insecure and
4835       should be used for testing only.
4836
4837       On bob:
4838
4839              openvpn  --remote  alice.example.com   --dev   tun1   --ifconfig
4840              10.4.0.1  10.4.0.2  --tls-client  --ca  ca.crt --cert client.crt
4841              --key client.key --reneg-sec 60 --verb 5
4842
4843       On alice:
4844
4845              openvpn --remote bob.example.com --dev tun1 --ifconfig  10.4.0.2
4846              10.4.0.1   --tls-server   --dh  dh1024.pem  --ca  ca.crt  --cert
4847              server.crt --key server.key --reneg-sec 60 --verb 5
4848
4849       Now verify the tunnel is working by pinging across the tunnel.
4850
4851       On bob:
4852
4853              ping 10.4.0.2
4854
4855       On alice:
4856
4857              ping 10.4.0.1
4858
4859       Notice the --reneg-sec 60 option we used above.  That tells OpenVPN  to
4860       renegotiate the data channel keys every minute.  Since we used --verb 5
4861       above, you will see status information on each new key negotiation.
4862
4863       For production operations, a key renegotiation interval of  60  seconds
4864       is  probably too frequent.  Omit the --reneg-sec 60 option to use Open‐
4865       VPN's default key renegotiation interval of one hour.
4866
4867   Routing:
4868       Assuming you can ping across the tunnel, the next step is  to  route  a
4869       real  subnet  over  the secure tunnel.  Suppose that bob and alice have
4870       two network interfaces each, one connected to  the  internet,  and  the
4871       other  to a private network.  Our goal is to securely connect both pri‐
4872       vate networks.  We will assume that bob's private subnet is 10.0.0.0/24
4873       and alice's is 10.0.1.0/24.
4874
4875       First,  ensure  that IP forwarding is enabled on both peers.  On Linux,
4876       enable routing:
4877
4878              echo 1 > /proc/sys/net/ipv4/ip_forward
4879
4880       and enable TUN packet forwarding through the firewall:
4881
4882              iptables -A FORWARD -i tun+ -j ACCEPT
4883
4884       On bob:
4885
4886              route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
4887
4888       On alice:
4889
4890              route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
4891
4892       Now any machine on the 10.0.0.0/24 subnet can access any machine on the
4893       10.0.1.0/24 subnet over the secure tunnel (or vice versa).
4894
4895       In  a  production  environment, you could put the route command(s) in a
4896       script and execute with the --up option.
4897

FIREWALLS

4899       OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
4900       You  should add an entry to your firewall rules to allow incoming Open‐
4901       VPN packets.  On Linux 2.4+:
4902
4903              iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
4904
4905       This will allow incoming packets on UDP port  1194  (OpenVPN's  default
4906       UDP port) from an OpenVPN peer at 1.2.3.4.
4907
4908       If  you  are using HMAC-based packet authentication (the default in any
4909       of OpenVPN's secure  modes),  having  the  firewall  filter  on  source
4910       address can be considered optional, since HMAC packet authentication is
4911       a much more secure method of verifying the  authenticity  of  a  packet
4912       source.  In that case:
4913
4914              iptables -A INPUT -p udp --dport 1194 -j ACCEPT
4915
4916       would be adequate and would not render the host inflexible with respect
4917       to its peer having a dynamic IP address.
4918
4919       OpenVPN also works well on stateful firewalls.  In some cases, you  may
4920       not  need to add any static rules to the firewall list if you are using
4921       a stateful firewall that knows how to track UDP  connections.   If  you
4922       specify  --ping  n,  OpenVPN will be guaranteed to send a packet to its
4923       peer at least once every n seconds.  If n is  less  than  the  stateful
4924       firewall  connection  timeout,  you  can maintain an OpenVPN connection
4925       indefinitely without explicit firewall rules.
4926
4927       You should also add firewall rules to allow incoming IP traffic on  TUN
4928       or TAP devices such as:
4929
4930              iptables -A INPUT -i tun+ -j ACCEPT
4931
4932       to allow input packets from tun devices,
4933
4934              iptables -A FORWARD -i tun+ -j ACCEPT
4935
4936       to  allow input packets from tun devices to be forwarded to other hosts
4937       on the local network,
4938
4939              iptables -A INPUT -i tap+ -j ACCEPT
4940
4941       to allow input packets from tap devices, and
4942
4943              iptables -A FORWARD -i tap+ -j ACCEPT
4944
4945       to allow input packets from tap devices to be forwarded to other  hosts
4946       on the local network.
4947
4948       These  rules  are  secure  if  you  use packet authentication, since no
4949       incoming packets will arrive on a TUN or TAP virtual device unless they
4950       first pass an HMAC authentication test.
4951

FAQ

4953       http://openvpn.net/faq.html
4954

HOWTO

4956       For  a  more  comprehensive guide to setting up OpenVPN in a production
4957       setting, see the OpenVPN HOWTO at http://openvpn.net/howto.html
4958

PROTOCOL

4960       For a description of OpenVPN's underlying  protocol,  see  http://open
4961       vpn.net/security.html
4962

WEB

4964       OpenVPN's web site is at http://openvpn.net/
4965
4966       Go  here  to  download  the latest version of OpenVPN, subscribe to the
4967       mailing lists, read the mailing list archives, or browse the SVN repos‐
4968       itory.
4969

BUGS

4971       Report all bugs to the OpenVPN team <info@openvpn.net>.
4972

SEE ALSO

4974       dhcpcd(8), ifconfig(8), openssl(1), route(8), scp(1) ssh(1)
4975

NOTES

4977       This  product  includes  software  developed  by  the OpenSSL Project (
4978       http://www.openssl.org/ )
4979
4980       For    more    information     on     the     TLS     protocol,     see
4981       http://www.ietf.org/rfc/rfc2246.txt
4982
4983       For  more  information  on  the  LZO  real-time compression library see
4984       http://www.oberhumer.com/opensource/lzo/
4985
4987       Copyright (C) 2002-2018 OpenVPN Inc This program is free software;  you
4988       can redistribute it and/or modify it under the terms of the GNU General
4989       Public License version 2 as published by the Free Software Foundation.
4990

AUTHORS

4992       James Yonan <jim@yonan.net>
4993
4994
4995
4996                               28 February 2018                     openvpn(8)
Impressum