1openvpn(8) System Manager's Manual openvpn(8)
2
3
4
6 openvpn - secure IP tunnel daemon.
7
9 openvpn [ options ... ]
10
12 OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
13 tries to be a universal VPN tool offering a great deal of flexibility,
14 there are a lot of options on this manual page. If you're new to Open‐
15 VPN, you might want to skip ahead to the examples section where you
16 will see how to construct simple VPNs on the command line without even
17 needing a configuration file.
18
19 Also note that there's more documentation and examples on the OpenVPN
20 web site: http://openvpn.net/
21
22 And if you would like to see a shorter version of this manual, see the
23 openvpn usage message which can be obtained by running openvpn without
24 any parameters.
25
27 OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
28 SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport
29 through proxies or NAT, support for dynamic IP addresses and DHCP,
30 scalability to hundreds or thousands of users, and portability to most
31 major OS platforms.
32
33 OpenVPN is tightly bound to the OpenSSL library, and derives much of
34 its crypto capabilities from it.
35
36 OpenVPN supports conventional encryption using a pre-shared secret key
37 (Static Key mode) or public key security (SSL/TLS mode) using client &
38 server certificates. OpenVPN also supports non-encrypted TCP/UDP tun‐
39 nels.
40
41 OpenVPN is designed to work with the TUN/TAP virtual networking inter‐
42 face that exists on most platforms.
43
44 Overall, OpenVPN aims to offer many of the key features of IPSec but
45 with a relatively lightweight footprint.
46
48 OpenVPN allows any option to be placed either on the command line or in
49 a configuration file. Though all command line options are preceded by
50 a double-leading-dash ("--"), this prefix can be removed when an option
51 is placed in a configuration file.
52
53 --help Show options.
54
55 --config file
56 Load additional config options from file where each line corre‐
57 sponds to one command line option, but with the leading '--'
58 removed.
59
60 If --config file is the only option to the openvpn command, the
61 --config can be removed, and the command can be given as openvpn
62 file
63
64 Note that configuration files can be nested to a reasonable
65 depth.
66
67 Double quotation or single quotation characters ("", '') can be
68 used to enclose single parameters containing whitespace, and "#"
69 or ";" characters in the first column can be used to denote com‐
70 ments.
71
72 Note that OpenVPN 2.0 and higher performs backslash-based shell
73 escaping for characters not in single quotations, so the follow‐
74 ing mappings should be observed:
75
76 \\ Maps to a single backslash character (\).
77 \" Pass a literal doublequote character ("), don't
78 interpret it as enclosing a parameter.
79 \[SPACE] Pass a literal space or tab character, don't
80 interpret it as a parameter delimiter.
81
82 For example on Windows, use double backslashes to represent
83 pathnames:
84
85 secret "c:\\OpenVPN\\secret.key"
86
87 For examples of configuration files, see http://open‐
88 vpn.net/examples.html
89
90 Here is an example configuration file:
91
92 #
93 # Sample OpenVPN configuration file for
94 # using a pre-shared static key.
95 #
96 # '#' or ';' may be used to delimit comments.
97
98 # Use a dynamic tun device.
99 dev tun
100
101 # Our remote peer
102 remote mypeer.mydomain
103
104 # 10.1.0.1 is our local VPN endpoint
105 # 10.1.0.2 is our remote VPN endpoint
106 ifconfig 10.1.0.1 10.1.0.2
107
108 # Our pre-shared static key
109 secret static.key
110
111 Tunnel Options:
112 --mode m
113 Set OpenVPN major mode. By default, OpenVPN runs in
114 point-to-point mode ("p2p"). OpenVPN 2.0 introduces a new mode
115 ("server") which implements a multi-client server capability.
116
117 --local host
118 Local host name or IP address for bind. If specified, OpenVPN
119 will bind to this address only. If unspecified, OpenVPN will
120 bind to all interfaces.
121
122 --remote host [port] [proto]
123 Remote host name or IP address. On the client, multiple
124 --remote options may be specified for redundancy, each referring
125 to a different OpenVPN server. Specifying multiple --remote
126 options for this purpose is a special case of the more general
127 connection-profile feature. See the <connection> documentation
128 below.
129
130 The OpenVPN client will try to connect to a server at host:port
131 in the order specified by the list of --remote options.
132
133 proto indicates the protocol to use when connecting with the
134 remote, and may be "tcp" or "udp".
135
136 For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6
137 like udp4/udp6/tcp4/tcp6.
138
139 The client will move on to the next host in the list, in the
140 event of connection failure. Note that at any given time, the
141 OpenVPN client will at most be connected to one server.
142
143 Note that since UDP is connectionless, connection failure is
144 defined by the --ping and --ping-restart options.
145
146 Note the following corner case: If you use multiple --remote
147 options, AND you are dropping root privileges on the client with
148 --user and/or --group, AND the client is running a non-Windows
149 OS, if the client needs to switch to a different server, and
150 that server pushes back different TUN/TAP or route settings, the
151 client may lack the necessary privileges to close and reopen the
152 TUN/TAP interface. This could cause the client to exit with a
153 fatal error.
154
155 If --remote is unspecified, OpenVPN will listen for packets from
156 any IP address, but will not act on those packets unless they
157 pass all authentication tests. This requirement for authentica‐
158 tion is binding on all potential peers, even those from known
159 and supposedly trusted IP addresses (it is very easy to forge a
160 source IP address on a UDP packet).
161
162 When used in TCP mode, --remote will act as a filter, rejecting
163 connections from any host which does not match host.
164
165 If host is a DNS name which resolves to multiple IP addresses,
166 OpenVPN will try them in the order that the system getaddrinfo()
167 presents them, so priorization and DNS randomization is done by
168 the system library. Unless an IP version is forced by the pro‐
169 tocol specification (4/6 suffix), OpenVPN will try both IPv4 and
170 IPv6 addresses, in the order getaddrinfo() returns them.
171
172 --remote-random-hostname
173 Prepend a random string (6 bytes, 12 hex characters) to hostname
174 to prevent DNS caching. For example, "foo.bar.gov" would be
175 modified to "<random-chars>.foo.bar.gov".
176
177 <connection>
178 Define a client connection profile. Client connection profiles
179 are groups of OpenVPN options that describe how to connect to a
180 given OpenVPN server. Client connection profiles are specified
181 within an OpenVPN configuration file, and each profile is brack‐
182 eted by <connection> and </connection>.
183
184 An OpenVPN client will try each connection profile sequentially
185 until it achieves a successful connection.
186
187 --remote-random can be used to initially "scramble" the connec‐
188 tion list.
189
190 Here is an example of connection profile usage:
191
192 client
193 dev tun
194
195 <connection>
196 remote 198.19.34.56 1194 udp
197 </connection>
198
199 <connection>
200 remote 198.19.34.56 443 tcp
201 </connection>
202
203 <connection>
204 remote 198.19.34.56 443 tcp
205 http-proxy 192.168.0.8 8080
206 </connection>
207
208 <connection>
209 remote 198.19.36.99 443 tcp
210 http-proxy 192.168.0.8 8080
211 </connection>
212
213 persist-key
214 persist-tun
215 pkcs12 client.p12
216 remote-cert-tls server
217 verb 3
218
219 First we try to connect to a server at 198.19.34.56:1194 using
220 UDP. If that fails, we then try to connect to 198.19.34.56:443
221 using TCP. If that also fails, then try connecting through an
222 HTTP proxy at 192.168.0.8:8080 to 198.19.34.56:443 using TCP.
223 Finally, try to connect through the same proxy to a server at
224 198.19.36.99:443 using TCP.
225
226 The following OpenVPN options may be used inside of a <connec‐
227 tion> block:
228
229 bind, connect-retry, connect-retry-max, connect-timeout,
230 explicit-exit-notify, float, fragment, http-proxy,
231 http-proxy-option, link-mtu, local, lport, mssfix, mtu-disc,
232 nobind, port, proto, remote, rport, socks-proxy, tun-mtu and
233 tun-mtu-extra.
234
235 A defaulting mechanism exists for specifying options to apply to
236 all <connection> profiles. If any of the above options (with
237 the exception of remote ) appear outside of a <connection>
238 block, but in a configuration file which has one or more <con‐
239 nection> blocks, the option setting will be used as a default
240 for <connection> blocks which follow it in the configuration
241 file.
242
243 For example, suppose the nobind option were placed in the sample
244 configuration file above, near the top of the file, before the
245 first <connection> block. The effect would be as if nobind were
246 declared in all <connection> blocks below it.
247
248 --proto-force p
249 When iterating through connection profiles, only consider pro‐
250 files using protocol p ('tcp'|'udp').
251
252 --remote-random
253 When multiple --remote address/ports are specified, or if con‐
254 nection profiles are being used, initially randomize the order
255 of the list as a kind of basic load-balancing measure.
256
257 --proto p
258 Use protocol p for communicating with remote host. p can be
259 udp, tcp-client, or tcp-server.
260
261 The default protocol is udp when --proto is not specified.
262
263 For UDP operation, --proto udp should be specified on both
264 peers.
265
266 For TCP operation, one peer must use --proto tcp-server and the
267 other must use --proto tcp-client. A peer started with
268 tcp-server will wait indefinitely for an incoming connection. A
269 peer started with tcp-client will attempt to connect, and if
270 that fails, will sleep for 5 seconds (adjustable via the --con‐
271 nect-retry option) and try again infinite or up to N retries
272 (adjustable via the --connect-retry-max option). Both TCP
273 client and server will simulate a SIGUSR1 restart signal if
274 either side resets the connection.
275
276 OpenVPN is designed to operate optimally over UDP, but TCP capa‐
277 bility is provided for situations where UDP cannot be used. In
278 comparison with UDP, TCP will usually be somewhat less efficient
279 and less robust when used over unreliable or congested networks.
280
281 This article outlines some of problems with tunneling IP over
282 TCP:
283
284 http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
285
286 There are certain cases, however, where using TCP may be advan‐
287 tageous from a security and robustness perspective, such as tun‐
288 neling non-IP or application-level UDP protocols, or tunneling
289 protocols which don't possess a built-in reliability layer.
290
291 --connect-retry n [max]
292 Wait n seconds between connection attempts (default=5).
293 Repeated reconnection attempts are slowed down after 5 retries
294 per remote by doubling the wait time after each unsuccessful
295 attempt. The optional argument max specifies the maximum value
296 of wait time in seconds at which it gets capped (default=300).
297
298 --connect-retry-max n
299 n specifies the number of times each --remote or <connection>
300 entry is tried. Specifying n as one would try each entry exactly
301 once. A successful connection resets the counter.
302 (default=unlimited).
303
304 --show-proxy-settings
305 Show sensed HTTP or SOCKS proxy settings. Currently, only Win‐
306 dows clients support this option.
307
308 --http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]
309 Connect to remote host through an HTTP proxy at address server
310 and port port. If HTTP Proxy-Authenticate is required, authfile
311 is a file containing a username and password on 2 lines, or
312 "stdin" to prompt from console. Its content can also be speci‐
313 fied in the config file with the --http-proxy-user-pass option.
314 (See section on inline files)
315
316 auth-method should be one of "none", "basic", or "ntlm".
317
318 HTTP Digest authentication is supported as well, but only via
319 the auto or auto-nct flags (below).
320
321 The auto flag causes OpenVPN to automatically determine the
322 auth-method and query stdin or the management interface for
323 username/password credentials, if required. This flag exists on
324 OpenVPN 2.1 or higher.
325
326 The auto-nct flag (no clear-text auth) instructs OpenVPN to
327 automatically determine the authentication method, but to reject
328 weak authentication protocols such as HTTP Basic Authentication.
329
330 --http-proxy-option type [parm]
331 Set extended HTTP proxy options. Repeat to set multiple
332 options.
333
334 VERSION version -- Set HTTP version number to version
335 (default=1.0).
336
337 AGENT user-agent -- Set HTTP "User-Agent" string to user-agent.
338
339 CUSTOM-HEADER name content -- Adds the custom Header with name
340 as name and content as the content of the custom HTTP header.
341
342 --socks-proxy server [port] [authfile]
343 Connect to remote host through a Socks5 proxy at address server
344 and port port (default=1080). authfile (optional) is a file
345 containing a username and password on 2 lines, or "stdin" to
346 prompt from console.
347
348 --resolv-retry n
349 If hostname resolve fails for --remote, retry resolve for n sec‐
350 onds before failing.
351
352 Set n to "infinite" to retry indefinitely.
353
354 By default, --resolv-retry infinite is enabled. You can disable
355 by setting n=0.
356
357 --float
358 Allow remote peer to change its IP address and/or port number,
359 such as due to DHCP (this is the default if --remote is not
360 used). --float when specified with --remote allows an OpenVPN
361 session to initially connect to a peer at a known address, how‐
362 ever if packets arrive from a new address and pass all authenti‐
363 cation tests, the new address will take control of the session.
364 This is useful when you are connecting to a peer which holds a
365 dynamic address such as a dial-in user or DHCP client.
366
367 Essentially, --float tells OpenVPN to accept authenticated pack‐
368 ets from any address, not only the address which was specified
369 in the --remote option.
370
371 --ipchange cmd
372 Run command cmd when our remote ip-address is initially authen‐
373 ticated or changes.
374
375 cmd consists of a path to script (or executable program),
376 optionally followed by arguments. The path and arguments may be
377 single- or double-quoted and/or escaped using a backslash, and
378 should be separated by one or more spaces.
379
380 When cmd is executed two arguments are appended after any argu‐
381 ments specified in cmd , as follows:
382
383 cmd ip_address port_number
384
385 Don't use --ipchange in --mode server mode. Use a --client-con‐
386 nect script instead.
387
388 See the "Environmental Variables" section below for additional
389 parameters passed as environmental variables.
390
391 If you are running in a dynamic IP address environment where the
392 IP addresses of either peer could change without notice, you can
393 use this script, for example, to edit the /etc/hosts file with
394 the current address of the peer. The script will be run every
395 time the remote peer changes its IP address.
396
397 Similarly if our IP address changes due to DHCP, we should con‐
398 figure our IP address change script (see man page for dhcpcd(8)
399 ) to deliver a SIGHUP or SIGUSR1 signal to OpenVPN. OpenVPN
400 will then reestablish a connection with its most recently
401 authenticated peer on its new IP address.
402
403 --port port
404 TCP/UDP port number or port name for both local and remote (sets
405 both --lport and --rport options to given port). The current
406 default of 1194 represents the official IANA port number assign‐
407 ment for OpenVPN and has been used since version 2.0-beta17.
408 Previous versions used port 5000 as the default.
409
410 --lport port
411 Set local TCP/UDP port number or name. Cannot be used together
412 with --nobind option.
413
414 --rport port
415 Set TCP/UDP port number or name used by the --remote option. The
416 port can also be set directly using the --remote option.
417
418 --bind [ipv6only]
419 Bind to local address and port. This is the default unless any
420 of --proto tcp-client , --http-proxy or --socks-proxy are used.
421
422 If the ipv6only keyword is present OpenVPN will bind only to
423 IPv6 (as oposed to IPv6 and IPv4) when a IPv6 socket is opened.
424
425
426 --nobind
427 Do not bind to local address and port. The IP stack will allo‐
428 cate a dynamic port for returning packets. Since the value of
429 the dynamic port could not be known in advance by a peer, this
430 option is only suitable for peers which will be initiating con‐
431 nections by using the --remote option.
432
433 --dev tunX | tapX | null
434 TUN/TAP virtual network device ( X can be omitted for a dynamic
435 device.)
436
437 See examples section below for an example on setting up a TUN
438 device.
439
440 You must use either tun devices on both ends of the connection
441 or tap devices on both ends. You cannot mix them, as they rep‐
442 resent different underlying network layers.
443
444 tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap
445 devices encapsulate Ethernet 802.3 (OSI Layer 2).
446
447 --dev-type device-type
448 Which device type are we using? device-type should be tun (OSI
449 Layer 3) or tap (OSI Layer 2). Use this option only if the
450 TUN/TAP device used with --dev does not begin with tun or tap.
451
452 --topology mode
453 Configure virtual addressing topology when running in --dev tun
454 mode. This directive has no meaning in --dev tap mode, which
455 always uses a subnet topology.
456
457 If you set this directive on the server, the --server and
458 --server-bridge directives will automatically push your chosen
459 topology setting to clients as well. This directive can also be
460 manually pushed to clients. Like the --dev directive, this
461 directive must always be compatible between client and server.
462
463 mode can be one of:
464
465 net30 -- Use a point-to-point topology, by allocating one /30
466 subnet per client. This is designed to allow point-to-point
467 semantics when some or all of the connecting clients might be
468 Windows systems. This is the default on OpenVPN 2.0.
469
470 p2p -- Use a point-to-point topology where the remote endpoint
471 of the client's tun interface always points to the local end‐
472 point of the server's tun interface. This mode allocates a sin‐
473 gle IP address per connecting client. Only use when none of the
474 connecting clients are Windows systems. This mode is function‐
475 ally equivalent to the --ifconfig-pool-linear directive which is
476 available in OpenVPN 2.0, is deprecated and will be removed in
477 OpenVPN 2.5
478
479 subnet -- Use a subnet rather than a point-to-point topology by
480 configuring the tun interface with a local IP address and subnet
481 mask, similar to the topology used in --dev tap and ethernet
482 bridging mode. This mode allocates a single IP address per con‐
483 necting client and works on Windows as well. Only available
484 when server and clients are OpenVPN 2.1 or higher, or OpenVPN
485 2.0.x which has been manually patched with the --topology direc‐
486 tive code. When used on Windows, requires version 8.2 or higher
487 of the TAP-Win32 driver. When used on *nix, requires that the
488 tun driver supports an ifconfig(8) command which sets a subnet
489 instead of a remote endpoint IP address.
490
491 This option exists in OpenVPN 2.1 or higher.
492
493 Note: Using --topology subnet changes the interpretation of the
494 arguments of --ifconfig to mean "address netmask", no longer
495 "local remote".
496
497 --dev-node node
498 Explicitly set the device node rather than using /dev/net/tun,
499 /dev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether
500 node is a TUN or TAP device based on the name, you should also
501 specify --dev-type tun or --dev-type tap.
502
503 Under Mac OS X this option can be used to specify the default
504 tun implementation. Using --dev-node utun forces usage of the
505 native Darwin tun kernel support. Use --dev-node utunN to select
506 a specific utun instance. To force using the tun.kext
507 (/dev/tunX) use --dev-node tun. When not specifying a
508 --dev-node option openvpn will first try to open utun, and fall
509 back to tun.kext.
510
511 On Windows systems, select the TAP-Win32 adapter which is named
512 node in the Network Connections Control Panel or the raw GUID of
513 the adapter enclosed by braces. The --show-adapters option
514 under Windows can also be used to enumerate all available
515 TAP-Win32 adapters and will show both the network connections
516 control panel name and the GUID for each TAP-Win32 adapter.
517
518 --lladdr address
519 Specify the link layer address, more commonly known as the MAC
520 address. Only applied to TAP devices.
521
522 --iproute cmd
523 Set alternate command to execute instead of default iproute2
524 command. May be used in order to execute OpenVPN in unprivi‐
525 leged environment.
526
527 --ifconfig l rn
528 Set TUN/TAP adapter parameters. l is the IP address of the
529 local VPN endpoint. For TUN devices in point-to-point mode, rn
530 is the IP address of the remote VPN endpoint. For TAP devices,
531 or TUN devices used with --topology subnet, rn is the subnet
532 mask of the virtual network segment which is being created or
533 connected to.
534
535 For TUN devices, which facilitate virtual point-to-point IP con‐
536 nections (when used in --topology net30 or p2p mode), the proper
537 usage of --ifconfig is to use two private IP addresses which are
538 not a member of any existing subnet which is in use. The IP
539 addresses may be consecutive and should have their order
540 reversed on the remote peer. After the VPN is established, by
541 pinging rn, you will be pinging across the VPN.
542
543 For TAP devices, which provide the ability to create virtual
544 ethernet segments, or TUN devices in --topology subnet mode
545 (which create virtual "multipoint networks"), --ifconfig is used
546 to set an IP address and subnet mask just as a physical ethernet
547 adapter would be similarly configured. If you are attempting to
548 connect to a remote ethernet bridge, the IP address and subnet
549 should be set to values which would be valid on the the bridged
550 ethernet segment (note also that DHCP can be used for the same
551 purpose).
552
553 This option, while primarily a proxy for the ifconfig(8) com‐
554 mand, is designed to simplify TUN/TAP tunnel configuration by
555 providing a standard interface to the different ifconfig imple‐
556 mentations on different platforms.
557
558 --ifconfig parameters which are IP addresses can also be speci‐
559 fied as a DNS or /etc/hosts file resolvable name.
560
561 For TAP devices, --ifconfig should not be used if the TAP inter‐
562 face will be getting an IP address lease from a DHCP server.
563
564 --ifconfig-noexec
565 Don't actually execute ifconfig/netsh commands, instead pass
566 --ifconfig parameters to scripts using environmental variables.
567
568 --ifconfig-nowarn
569 Don't output an options consistency check warning if the
570 --ifconfig option on this side of the connection doesn't match
571 the remote side. This is useful when you want to retain the
572 overall benefits of the options consistency check (also see
573 --disable-occ option) while only disabling the ifconfig compo‐
574 nent of the check.
575
576 For example, if you have a configuration where the local host
577 uses --ifconfig but the remote host does not, use --ifcon‐
578 fig-nowarn on the local host.
579
580 This option will also silence warnings about potential address
581 conflicts which occasionally annoy more experienced users by
582 triggering "false positive" warnings.
583
584 --route network/IP [netmask] [gateway] [metric]
585 Add route to routing table after connection is established.
586 Multiple routes can be specified. Routes will be automatically
587 torn down in reverse order prior to TUN/TAP device close.
588
589 This option is intended as a convenience proxy for the route(8)
590 shell command, while at the same time providing portable seman‐
591 tics across OpenVPN's platform space.
592
593 netmask default -- 255.255.255.255
594
595 gateway default -- taken from --route-gateway or the second
596 parameter to --ifconfig when --dev tun is specified.
597
598 metric default -- taken from --route-metric otherwise 0.
599
600 The default can be specified by leaving an option blank or set‐
601 ting it to "default".
602
603 The network and gateway parameters can also be specified as a
604 DNS or /etc/hosts file resolvable name, or as one of three spe‐
605 cial keywords:
606
607 vpn_gateway -- The remote VPN endpoint address (derived either
608 from --route-gateway or the second parameter to --ifconfig when
609 --dev tun is specified).
610
611 net_gateway -- The pre-existing IP default gateway, read from
612 the routing table (not supported on all OSes).
613
614 remote_host -- The --remote address if OpenVPN is being run in
615 client mode, and is undefined in server mode.
616
617 --route-gateway gw|'dhcp'
618 Specify a default gateway gw for use with --route.
619
620 If dhcp is specified as the parameter, the gateway address will
621 be extracted from a DHCP negotiation with the OpenVPN
622 server-side LAN.
623
624 --route-metric m
625 Specify a default metric m for use with --route.
626
627 --route-delay [n] [w]
628 Delay n seconds (default=0) after connection establishment,
629 before adding routes. If n is 0, routes will be added immedi‐
630 ately upon connection establishment. If --route-delay is omit‐
631 ted, routes will be added immediately after TUN/TAP device open
632 and --up script execution, before any --user or --group privi‐
633 lege downgrade (or --chroot execution.)
634
635 This option is designed to be useful in scenarios where DHCP is
636 used to set tap adapter addresses. The delay will give the DHCP
637 handshake time to complete before routes are added.
638
639 On Windows, --route-delay tries to be more intelligent by wait‐
640 ing w seconds (w=30 by default) for the TAP-Win32 adapter to
641 come up before adding routes.
642
643 --route-up cmd
644 Run command cmd after routes are added, subject to
645 --route-delay.
646
647 cmd consists of a path to script (or executable program),
648 optionally followed by arguments. The path and arguments may be
649 single- or double-quoted and/or escaped using a backslash, and
650 should be separated by one or more spaces.
651
652 See the "Environmental Variables" section below for additional
653 parameters passed as environmental variables.
654
655 --route-pre-down cmd
656 Run command cmd before routes are removed upon disconnection.
657
658 cmd consists of a path to script (or executable program),
659 optionally followed by arguments. The path and arguments may be
660 single- or double-quoted and/or escaped using a backslash, and
661 should be separated by one or more spaces.
662
663 See the "Environmental Variables" section below for additional
664 parameters passed as environmental variables.
665
666 --route-noexec
667 Don't add or remove routes automatically. Instead pass routes
668 to --route-up script using environmental variables.
669
670 --route-nopull
671 When used with --client or --pull, accept options pushed by
672 server EXCEPT for routes, block-outside-dns and dhcp options
673 like DNS servers.
674
675 When used on the client, this option effectively bars the server
676 from adding routes to the client's routing table, however note
677 that this option still allows the server to set the TCP/IP prop‐
678 erties of the client's TUN/TAP interface.
679
680 --allow-pull-fqdn
681 Allow client to pull DNS names from server (rather than being
682 limited to IP address) for --ifconfig, --route, and
683 --route-gateway.
684
685 --client-nat snat|dnat network netmask alias
686 This pushable client option sets up a stateless one-to-one NAT
687 rule on packet addresses (not ports), and is useful in cases
688 where routes or ifconfig settings pushed to the client would
689 create an IP numbering conflict.
690
691 network/netmask (for example 192.168.0.0/255.255.0.0) defines
692 the local view of a resource from the client perspective, while
693 alias/netmask (for example 10.64.0.0/255.255.0.0) defines the
694 remote view from the server perspective.
695
696 Use snat (source NAT) for resources owned by the client and dnat
697 (destination NAT) for remote resources.
698
699 Set --verb 6 for debugging info showing the transformation of
700 src/dest addresses in packets.
701
702 --redirect-gateway flags...
703 Automatically execute routing commands to cause all outgoing IP
704 traffic to be redirected over the VPN. This is a client-side
705 option.
706
707 This option performs three steps:
708
709 [1m(1) Create a static route for the --remote address which for‐
710 wards to the pre-existing default gateway. This is done so that
711 [1m(3) will not create a routing loop.
712
713 [1m(2) Delete the default gateway route.
714
715 [1m(3) Set the new default gateway to be the VPN endpoint address
716 (derived either from --route-gateway or the second parameter to
717 --ifconfig when --dev tun is specified).
718
719 When the tunnel is torn down, all of the above steps are
720 reversed so that the original default route is restored.
721
722 Option flags:
723
724 local -- Add the local flag if both OpenVPN peers are directly
725 connected via a common subnet, such as with wireless. The local
726 flag will cause step 1 above to be omitted.
727
728 autolocal -- Try to automatically determine whether to enable
729 local flag above.
730
731 def1 -- Use this flag to override the default gateway by using
732 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the
733 benefit of overriding but not wiping out the original default
734 gateway.
735
736 bypass-dhcp -- Add a direct route to the DHCP server (if it is
737 non-local) which bypasses the tunnel (Available on Windows
738 clients, may not be available on non-Windows clients).
739
740 bypass-dns -- Add a direct route to the DNS server(s) (if they
741 are non-local) which bypasses the tunnel (Available on Windows
742 clients, may not be available on non-Windows clients).
743
744 block-local -- Block access to local LAN when the tunnel is
745 active, except for the LAN gateway itself. This is accomplished
746 by routing the local LAN (except for the LAN gateway address)
747 into the tunnel.
748
749 ipv6 -- Redirect IPv6 routing into the tunnel. This works simi‐
750 lar to the def1 flag, that is, more specific IPv6 routes are
751 added (2000::/4, 3000::/4), covering the whole IPv6 unicast
752 space.
753
754 !ipv4 -- Do not redirect IPv4 traffic - typically used in the
755 flag pair ipv6 !ipv4 to redirect IPv6-only.
756
757 --link-mtu n
758 Sets an upper bound on the size of UDP packets which are sent
759 between OpenVPN peers. It's best not to set this parameter
760 unless you know what you're doing.
761
762 --redirect-private [flags]
763 Like --redirect-gateway, but omit actually changing the default
764 gateway. Useful when pushing private subnets.
765
766 --tun-mtu n
767 Take the TUN device MTU to be n and derive the link MTU from it
768 (default=1500). In most cases, you will probably want to leave
769 this parameter set to its default value.
770
771 The MTU (Maximum Transmission Units) is the maximum datagram
772 size in bytes that can be sent unfragmented over a particular
773 network path. OpenVPN requires that packets on the control or
774 data channels be sent unfragmented.
775
776 MTU problems often manifest themselves as connections which hang
777 during periods of active usage.
778
779 It's best to use the --fragment and/or --mssfix options to deal
780 with MTU sizing issues.
781
782 --tun-mtu-extra n
783 Assume that the TUN/TAP device might return as many as n bytes
784 more than the --tun-mtu size on read. This parameter defaults
785 to 0, which is sufficient for most TUN devices. TAP devices may
786 introduce additional overhead in excess of the MTU size, and a
787 setting of 32 is the default when TAP devices are used. This
788 parameter only controls internal OpenVPN buffer sizing, so there
789 is no transmission overhead associated with using a larger
790 value.
791
792 --mtu-disc type
793 Should we do Path MTU discovery on TCP/UDP channel? Only sup‐
794 ported on OSes such as Linux that supports the necessary system
795 call to set.
796
797 'no' -- Never send DF (Don't Fragment) frames
798 'maybe' -- Use per-route hints
799 'yes' -- Always DF (Don't Fragment)
800
801 --mtu-test
802 To empirically measure MTU on connection startup, add the
803 --mtu-test option to your configuration. OpenVPN will send ping
804 packets of various sizes to the remote peer and measure the
805 largest packets which were successfully received. The
806 --mtu-test process normally takes about 3 minutes to complete.
807
808 --fragment max
809 Enable internal datagram fragmentation so that no UDP datagrams
810 are sent which are larger than max bytes.
811
812 The max parameter is interpreted in the same way as the
813 --link-mtu parameter, i.e. the UDP packet size after encapsula‐
814 tion overhead has been added in, but not including the UDP
815 header itself.
816
817 The --fragment option only makes sense when you are using the
818 UDP protocol ( --proto udp ).
819
820 --fragment adds 4 bytes of overhead per datagram.
821
822 See the --mssfix option below for an important related option to
823 --fragment.
824
825 It should also be noted that this option is not meant to replace
826 UDP fragmentation at the IP stack level. It is only meant as a
827 last resort when path MTU discovery is broken. Using this
828 option is less efficient than fixing path MTU discovery for your
829 IP link and using native IP fragmentation instead.
830
831 Having said that, there are circumstances where using OpenVPN's
832 internal fragmentation capability may be your only option, such
833 as tunneling a UDP multicast stream which requires fragmenta‐
834 tion.
835
836 --mssfix max
837 Announce to TCP sessions running over the tunnel that they
838 should limit their send packet sizes such that after OpenVPN has
839 encapsulated them, the resulting UDP packet size that OpenVPN
840 sends to its peer will not exceed max bytes. The default value
841 is 1450.
842
843 The max parameter is interpreted in the same way as the
844 --link-mtu parameter, i.e. the UDP packet size after encapsula‐
845 tion overhead has been added in, but not including the UDP
846 header itself. Resulting packet would be at most 28 bytes larger
847 for IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and 8
848 bytes for UDP header). Default value of 1450 allows IPv4 packets
849 to be transmitted over a link with MTU 1473 or higher without IP
850 level fragmentation.
851
852 The --mssfix option only makes sense when you are using the UDP
853 protocol for OpenVPN peer-to-peer communication, i.e. --proto
854 udp.
855
856 --mssfix and --fragment can be ideally used together, where
857 --mssfix will try to keep TCP from needing packet fragmentation
858 in the first place, and if big packets come through anyhow (from
859 protocols other than TCP), --fragment will internally fragment
860 them.
861
862 Both --fragment and --mssfix are designed to work around cases
863 where Path MTU discovery is broken on the network path between
864 OpenVPN peers.
865
866 The usual symptom of such a breakdown is an OpenVPN connection
867 which successfully starts, but then stalls during active usage.
868
869 If --fragment and --mssfix are used together, --mssfix will take
870 its default max parameter from the --fragment max option.
871
872 Therefore, one could lower the maximum UDP packet size to 1300
873 (a good first try for solving MTU-related connection problems)
874 with the following options:
875
876 --tun-mtu 1500 --fragment 1300 --mssfix
877
878 --sndbuf size
879 Set the TCP/UDP socket send buffer size. Defaults to operation
880 system default.
881
882 --rcvbuf size
883 Set the TCP/UDP socket receive buffer size. Defaults to opera‐
884 tion system default.
885
886 --mark value
887 Mark encrypted packets being sent with value. The mark value can
888 be matched in policy routing and packetfilter rules. This option
889 is only supported in Linux and does nothing on other operating
890 systems.
891
892 --socket-flags flags...
893 Apply the given flags to the OpenVPN transport socket. Cur‐
894 rently, only TCP_NODELAY is supported.
895
896 The TCP_NODELAY socket flag is useful in TCP mode, and causes
897 the kernel to send tunnel packets immediately over the TCP con‐
898 nection without trying to group several smaller packets into a
899 larger packet. This can result in a considerably improvement in
900 latency.
901
902 This option is pushable from server to client, and should be
903 used on both client and server for maximum effect.
904
905 --txqueuelen n
906 (Linux only) Set the TX queue length on the TUN/TAP interface.
907 Currently defaults to 100.
908
909 --shaper n
910 Limit bandwidth of outgoing tunnel data to n bytes per second on
911 the TCP/UDP port. Note that this will only work if mode is set
912 to p2p. If you want to limit the bandwidth in both directions,
913 use this option on both peers.
914
915 OpenVPN uses the following algorithm to implement traffic shap‐
916 ing: Given a shaper rate of n bytes per second, after a datagram
917 write of b bytes is queued on the TCP/UDP port, wait a minimum
918 of (b / n) seconds before queuing the next write.
919
920 It should be noted that OpenVPN supports multiple tunnels
921 between the same two peers, allowing you to construct full-speed
922 and reduced bandwidth tunnels at the same time, routing low-pri‐
923 ority data such as off-site backups over the reduced bandwidth
924 tunnel, and other data over the full-speed tunnel.
925
926 Also note that for low bandwidth tunnels (under 1000 bytes per
927 second), you should probably use lower MTU values as well (see
928 above), otherwise the packet latency will grow so large as to
929 trigger timeouts in the TLS layer and TCP connections running
930 over the tunnel.
931
932 OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.
933
934 --inactive n [bytes]
935 Causes OpenVPN to exit after n seconds of inactivity on the
936 TUN/TAP device. The time length of inactivity is measured since
937 the last incoming or outgoing tunnel packet. The default value
938 is 0 seconds, which disables this feature.
939
940 If the optional bytes parameter is included, exit if less than
941 bytes of combined in/out traffic are produced on the tun/tap
942 device in n seconds.
943
944 In any case, OpenVPN's internal ping packets (which are just
945 keepalives) and TLS control packets are not considered "activ‐
946 ity", nor are they counted as traffic, as they are used inter‐
947 nally by OpenVPN and are not an indication of actual user activ‐
948 ity.
949
950 --ping n
951 Ping remote over the TCP/UDP control channel if no packets have
952 been sent for at least n seconds (specify --ping on both peers
953 to cause ping packets to be sent in both directions since Open‐
954 VPN ping packets are not echoed like IP ping packets). When
955 used in one of OpenVPN's secure modes (where --secret,
956 --tls-server, or --tls-client is specified), the ping packet
957 will be cryptographically secure.
958
959 This option has two intended uses:
960
961 (1) Compatibility with stateful firewalls. The periodic ping
962 will ensure that a stateful firewall rule which allows OpenVPN
963 UDP packets to pass will not time out.
964
965 (2) To provide a basis for the remote to test the existence of
966 its peer using the --ping-exit option.
967
968 --ping-exit n
969 Causes OpenVPN to exit after n seconds pass without reception of
970 a ping or other packet from remote. This option can be combined
971 with --inactive, --ping, and --ping-exit to create a two-tiered
972 inactivity disconnect.
973
974 For example,
975
976 openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
977
978 when used on both peers will cause OpenVPN to exit within 60
979 seconds if its peer disconnects, but will exit after one hour if
980 no actual tunnel data is exchanged.
981
982 --ping-restart n
983 Similar to --ping-exit, but trigger a SIGUSR1 restart after n
984 seconds pass without reception of a ping or other packet from
985 remote.
986
987 This option is useful in cases where the remote peer has a
988 dynamic IP address and a low-TTL DNS name is used to track the
989 IP address using a service such as http://dyndns.org/ + a
990 dynamic DNS client such as ddclient.
991
992 If the peer cannot be reached, a restart will be triggered,
993 causing the hostname used with --remote to be re-resolved (if
994 --resolv-retry is also specified).
995
996 In server mode, --ping-restart, --inactive, or any other type of
997 internally generated signal will always be applied to individual
998 client instance objects, never to whole server itself. Note
999 also in server mode that any internally generated signal which
1000 would normally cause a restart, will cause the deletion of the
1001 client instance object instead.
1002
1003 In client mode, the --ping-restart parameter is set to 120 sec‐
1004 onds by default. This default will hold until the client pulls
1005 a replacement value from the server, based on the --keepalive
1006 setting in the server configuration. To disable the 120 second
1007 default, set --ping-restart 0 on the client.
1008
1009 See the signals section below for more information on SIGUSR1.
1010
1011 Note that the behavior of SIGUSR1 can be modified by the --per‐
1012 sist-tun, --persist-key, --persist-local-ip, and --per‐
1013 sist-remote-ip options.
1014
1015 Also note that --ping-exit and --ping-restart are mutually
1016 exclusive and cannot be used together.
1017
1018 --keepalive interval timeout
1019 A helper directive designed to simplify the expression of --ping
1020 and --ping-restart.
1021
1022 This option can be used on both client and server side, but it
1023 is enough to add this on the server side as it will push appro‐
1024 priate --ping and --ping-restart options to the client. If used
1025 on both server and client, the values pushed from server will
1026 override the client local values.
1027
1028 The timeout argument will be twice as long on the server side.
1029 This ensures that a timeout is detected on client side before
1030 the server side drops the connection.
1031
1032 For example, --keepalive 10 60 expands as follows:
1033
1034 if mode server:
1035 ping 10 # Argument: interval
1036 ping-restart 120 # Argument: timeout*2
1037 push "ping 10" # Argument: interval
1038 push "ping-restart 60" # Argument: timeout
1039 else
1040 ping 10 # Argument: interval
1041 ping-restart 60 # Argument: timeout
1042
1043 --ping-timer-rem
1044 Run the --ping-exit / --ping-restart timer only if we have a
1045 remote address. Use this option if you are starting the daemon
1046 in listen mode (i.e. without an explicit --remote peer), and you
1047 don't want to start clocking timeouts until a remote peer con‐
1048 nects.
1049
1050 --persist-tun
1051 Don't close and reopen TUN/TAP device or run up/down scripts
1052 across SIGUSR1 or --ping-restart restarts.
1053
1054 SIGUSR1 is a restart signal similar to SIGHUP, but which offers
1055 finer-grained control over reset options.
1056
1057 --persist-key
1058 Don't re-read key files across SIGUSR1 or --ping-restart.
1059
1060 This option can be combined with --user nobody to allow restarts
1061 triggered by the SIGUSR1 signal. Normally if you drop root
1062 privileges in OpenVPN, the daemon cannot be restarted since it
1063 will now be unable to re-read protected key files.
1064
1065 This option solves the problem by persisting keys across SIGUSR1
1066 resets, so they don't need to be re-read.
1067
1068 --persist-local-ip
1069 Preserve initially resolved local IP address and port number
1070 across SIGUSR1 or --ping-restart restarts.
1071
1072 --persist-remote-ip
1073 Preserve most recently authenticated remote IP address and port
1074 number across SIGUSR1 or --ping-restart restarts.
1075
1076 --mlock
1077 Disable paging by calling the POSIX mlockall function. Requires
1078 that OpenVPN be initially run as root (though OpenVPN can subse‐
1079 quently downgrade its UID using the --user option).
1080
1081 Using this option ensures that key material and tunnel data are
1082 never written to disk due to virtual memory paging operations
1083 which occur under most modern operating systems. It ensures
1084 that even if an attacker was able to crack the box running Open‐
1085 VPN, he would not be able to scan the system swap file to
1086 recover previously used ephemeral keys, which are used for a
1087 period of time governed by the --reneg options (see below), then
1088 are discarded.
1089
1090 The downside of using --mlock is that it will reduce the amount
1091 of physical memory available to other applications.
1092
1093 --up cmd
1094 Run command cmd after successful TUN/TAP device open (pre --user
1095 UID change).
1096
1097 cmd consists of a path to script (or executable program),
1098 optionally followed by arguments. The path and arguments may be
1099 single- or double-quoted and/or escaped using a backslash, and
1100 should be separated by one or more spaces.
1101
1102 The up command is useful for specifying route commands which
1103 route IP traffic destined for private subnets which exist at the
1104 other end of the VPN connection into the tunnel.
1105
1106 For --dev tun execute as:
1107
1108 cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifcon‐
1109 fig_remote_ip [ init | restart ]
1110
1111 For --dev tap execute as:
1112
1113 cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask
1114 [ init | restart ]
1115
1116 See the "Environmental Variables" section below for additional
1117 parameters passed as environmental variables.
1118
1119 Note that if cmd includes arguments, all OpenVPN-generated argu‐
1120 ments will be appended to them to build an argument list with
1121 which the executable will be called.
1122
1123 Typically, cmd will run a script to add routes to the tunnel.
1124
1125 Normally the up script is called after the TUN/TAP device is
1126 opened. In this context, the last command line parameter passed
1127 to the script will be init. If the --up-restart option is also
1128 used, the up script will be called for restarts as well. A
1129 restart is considered to be a partial reinitialization of Open‐
1130 VPN where the TUN/TAP instance is preserved (the --persist-tun
1131 option will enable such preservation). A restart can be gener‐
1132 ated by a SIGUSR1 signal, a --ping-restart timeout, or a connec‐
1133 tion reset when the TCP protocol is enabled with the --proto
1134 option. If a restart occurs, and --up-restart has been speci‐
1135 fied, the up script will be called with restart as the last
1136 parameter.
1137
1138 NOTE: on restart, OpenVPN will not pass the full set of environ‐
1139 ment variables to the script. Namely, everything related to
1140 routing and gateways will not be passed, as nothing needs to be
1141 done anyway - all the routing setup is already in place. Addi‐
1142 tionally, the up-restart script will run with the downgraded
1143 UID/GID settings (if configured).
1144
1145 The following standalone example shows how the --up script can
1146 be called in both an initialization and restart context. (NOTE:
1147 for security reasons, don't run the following example unless UDP
1148 port 9999 is blocked by your firewall. Also, the example will
1149 run indefinitely, so you should abort with control-c).
1150
1151 openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up
1152 'echo up' --down 'echo down' --persist-tun --up-restart
1153
1154 Note that OpenVPN also provides the --ifconfig option to auto‐
1155 matically ifconfig the TUN device, eliminating the need to
1156 define an --up script, unless you also want to configure routes
1157 in the --up script.
1158
1159 If --ifconfig is also specified, OpenVPN will pass the ifconfig
1160 local and remote endpoints on the command line to the --up
1161 script so that they can be used to configure routes such as:
1162
1163 route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
1164
1165 --up-delay
1166 Delay TUN/TAP open and possible --up script execution until
1167 after TCP/UDP connection establishment with peer.
1168
1169 In --proto udp mode, this option normally requires the use of
1170 --ping to allow connection initiation to be sensed in the
1171 absence of tunnel data, since UDP is a "connectionless" proto‐
1172 col.
1173
1174 On Windows, this option will delay the TAP-Win32 media state
1175 transitioning to "connected" until connection establishment,
1176 i.e. the receipt of the first authenticated packet from the
1177 peer.
1178
1179 --down cmd
1180 Run command cmd after TUN/TAP device close (post --user UID
1181 change and/or --chroot ). cmd consists of a path to script (or
1182 executable program), optionally followed by arguments. The path
1183 and arguments may be single- or double-quoted and/or escaped
1184 using a backslash, and should be separated by one or more spa‐
1185 ces.
1186
1187 Called with the same parameters and environmental variables as
1188 the --up option above.
1189
1190 Note that if you reduce privileges by using --user and/or
1191 --group, your --down script will also run at reduced privilege.
1192
1193 --down-pre
1194 Call --down cmd/script before, rather than after, TUN/TAP close.
1195
1196 --up-restart
1197 Enable the --up and --down scripts to be called for restarts as
1198 well as initial program start. This option is described more
1199 fully above in the --up option documentation.
1200
1201 --setenv name value
1202 Set a custom environmental variable name=value to pass to
1203 script.
1204
1205 --setenv FORWARD_COMPATIBLE 1
1206 Relax config file syntax checking so that unknown directives
1207 will trigger a warning but not a fatal error, on the assumption
1208 that a given unknown directive might be valid in future OpenVPN
1209 versions.
1210
1211 This option should be used with caution, as there are good secu‐
1212 rity reasons for having OpenVPN fail if it detects problems in a
1213 config file. Having said that, there are valid reasons for
1214 wanting new software features to gracefully degrade when encoun‐
1215 tered by older software versions.
1216
1217 It is also possible to tag a single directive so as not to trig‐
1218 ger a fatal error if the directive isn't recognized. To do
1219 this, prepend the following before the directive: setenv opt
1220
1221 Versions prior to OpenVPN 2.3.3 will always ignore options set
1222 with the setenv opt directive.
1223
1224 See also --ignore-unknown-option
1225
1226 --setenv-safe name value
1227 Set a custom environmental variable OPENVPN_name=value to pass
1228 to script.
1229
1230 This directive is designed to be pushed by the server to
1231 clients, and the prepending of "OPENVPN_" to the environmental
1232 variable is a safety precaution to prevent a LD_PRELOAD style
1233 attack from a malicious or compromised server.
1234
1235 --ignore-unknown-option opt1 opt2 opt3 ... optN
1236 When one of options opt1 ... optN is encountered in the configu‐
1237 ration file the configuration file parsing does not fail if this
1238 OpenVPN version does not support the option. Multiple
1239 --ignore-unknown-option options can be given to support a larger
1240 number of options to ignore.
1241
1242 This option should be used with caution, as there are good secu‐
1243 rity reasons for having OpenVPN fail if it detects problems in a
1244 config file. Having said that, there are valid reasons for want‐
1245 ing new software features to gracefully degrade when encountered
1246 by older software versions.
1247
1248 --ignore-unknown-option is available since OpenVPN 2.3.3.
1249
1250 --script-security level
1251 This directive offers policy-level control over OpenVPN's usage
1252 of external programs and scripts. Lower level values are more
1253 restrictive, higher values are more permissive. Settings for
1254 level:
1255
1256 0 -- Strictly no calling of external programs.
1257 1 -- (Default) Only call built-in executables such as ifconfig,
1258 ip, route, or netsh.
1259 2 -- Allow calling of built-in executables and user-defined
1260 scripts.
1261 3 -- Allow passwords to be passed to scripts via environmental
1262 variables (potentially unsafe).
1263
1264 OpenVPN releases before v2.3 also supported a method flag which
1265 indicated how OpenVPN should call external commands and scripts.
1266 This could be either execve or system. As of OpenVPN 2.3, this
1267 flag is no longer accepted. In most *nix environments the
1268 execve() approach has been used without any issues.
1269
1270 Some directives such as --up allow options to be passed to the
1271 external script. In these cases make sure the script name does
1272 not contain any spaces or the configuration parser will choke
1273 because it can't determine where the script name ends and script
1274 options start.
1275
1276 To run scripts in Windows in earlier OpenVPN versions you needed
1277 to either add a full path to the script interpreter which can
1278 parse the script or use the system flag to run these scripts.
1279 As of OpenVPN 2.3 it is now a strict requirement to have full
1280 path to the script interpreter when running non-executables
1281 files. This is not needed for executable files, such as .exe,
1282 .com, .bat or .cmd files. For example, if you have a Visual
1283 Basic script, you must use this syntax now:
1284
1285 --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
1286
1287 Please note the single quote marks and the escaping of the back‐
1288 slashes (\) and the space character.
1289
1290 The reason the support for the system flag was removed is due to
1291 the security implications with shell expansions when executing
1292 scripts via the system() call.
1293
1294 --disable-occ
1295 Don't output a warning message if option inconsistencies are
1296 detected between peers. An example of an option inconsistency
1297 would be where one peer uses --dev tun while the other peer uses
1298 --dev tap.
1299
1300 Use of this option is discouraged, but is provided as a tempo‐
1301 rary fix in situations where a recent version of OpenVPN must
1302 connect to an old version.
1303
1304 --user user
1305 Change the user ID of the OpenVPN process to user after initial‐
1306 ization, dropping privileges in the process. This option is
1307 useful to protect the system in the event that some hostile
1308 party was able to gain control of an OpenVPN session. Though
1309 OpenVPN's security features make this unlikely, it is provided
1310 as a second line of defense.
1311
1312 By setting user to nobody or somebody similarly unprivileged,
1313 the hostile party would be limited in what damage they could
1314 cause. Of course once you take away privileges, you cannot
1315 return them to an OpenVPN session. This means, for example,
1316 that if you want to reset an OpenVPN daemon with a SIGUSR1 sig‐
1317 nal (for example in response to a DHCP reset), you should make
1318 use of one or more of the --persist options to ensure that Open‐
1319 VPN doesn't need to execute any privileged operations in order
1320 to restart (such as re-reading key files or running ifconfig on
1321 the TUN device).
1322
1323 --group group
1324 Similar to the --user option, this option changes the group ID
1325 of the OpenVPN process to group after initialization.
1326
1327 --cd dir
1328 Change directory to dir prior to reading any files such as con‐
1329 figuration files, key files, scripts, etc. dir should be an
1330 absolute path, with a leading "/", and without any references to
1331 the current directory such as "." or "..".
1332
1333 This option is useful when you are running OpenVPN in --daemon
1334 mode, and you want to consolidate all of your OpenVPN control
1335 files in one location.
1336
1337 --chroot dir
1338 Chroot to dir after initialization. --chroot essentially rede‐
1339 fines dir as being the top level directory tree (/). OpenVPN
1340 will therefore be unable to access any files outside this tree.
1341 This can be desirable from a security standpoint.
1342
1343 Since the chroot operation is delayed until after initializa‐
1344 tion, most OpenVPN options that reference files will operate in
1345 a pre-chroot context.
1346
1347 In many cases, the dir parameter can point to an empty direc‐
1348 tory, however complications can result when scripts or restarts
1349 are executed after the chroot operation.
1350
1351 Note: The SSL library will probably need /dev/urandom to be
1352 available inside the chroot directory dir. This is because SSL
1353 libraries occasionally need to collect fresh random. Newer
1354 linux kernels and some BSDs implement a getrandom() or geten‐
1355 tropy() syscall that removes the need for /dev/urandom to be
1356 available.
1357
1358 --setcon context
1359 Apply SELinux context after initialization. This essentially
1360 provides the ability to restrict OpenVPN's rights to only net‐
1361 work I/O operations, thanks to SELinux. This goes further than
1362 --user and --chroot in that those two, while being great secu‐
1363 rity features, unfortunately do not protect against privilege
1364 escalation by exploitation of a vulnerable system call. You can
1365 of course combine all three, but please note that since setcon
1366 requires access to /proc you will have to provide it inside the
1367 chroot directory (e.g. with mount --bind).
1368
1369 Since the setcon operation is delayed until after initializa‐
1370 tion, OpenVPN can be restricted to just network-related system
1371 calls, whereas by applying the context before startup (such as
1372 the OpenVPN one provided in the SELinux Reference Policies) you
1373 will have to allow many things required only during initializa‐
1374 tion.
1375
1376 Like with chroot, complications can result when scripts or
1377 restarts are executed after the setcon operation, which is why
1378 you should really consider using the --persist-key and --per‐
1379 sist-tun options.
1380
1381 --daemon [progname]
1382 Become a daemon after all initialization functions are com‐
1383 pleted. This option will cause all message and error output to
1384 be sent to the syslog file (such as /var/log/messages), except
1385 for the output of scripts and ifconfig commands, which will go
1386 to /dev/null unless otherwise redirected. The syslog redirect‐
1387 ion occurs immediately at the point that --daemon is parsed on
1388 the command line even though the daemonization point occurs
1389 later. If one of the --log options is present, it will
1390 supercede syslog redirection.
1391
1392 The optional progname parameter will cause OpenVPN to report its
1393 program name to the system logger as progname. This can be use‐
1394 ful in linking OpenVPN messages in the syslog file with specific
1395 tunnels. When unspecified, progname defaults to "openvpn".
1396
1397 When OpenVPN is run with the --daemon option, it will try to
1398 delay daemonization until the majority of initialization func‐
1399 tions which are capable of generating fatal errors are complete.
1400 This means that initialization scripts can test the return sta‐
1401 tus of the openvpn command for a fairly reliable indication of
1402 whether the command has correctly initialized and entered the
1403 packet forwarding event loop.
1404
1405 In OpenVPN, the vast majority of errors which occur after ini‐
1406 tialization are non-fatal.
1407
1408 Note: as soon as OpenVPN has daemonized, it can not ask for
1409 usernames, passwords, or key pass phrases anymore. This has
1410 certain consequences, namely that using a password-protected
1411 private key will fail unless the --askpass option is used to
1412 tell OpenVPN to ask for the pass phrase (this requirement is new
1413 in v2.3.7, and is a consequence of calling daemon() before ini‐
1414 tializing the crypto layer).
1415
1416 Further, using --daemon together with --auth-user-pass (entered
1417 on console) and --auth-nocache will fail as soon as key renego‐
1418 tiation (and reauthentication) occurs.
1419
1420 --syslog [progname]
1421 Direct log output to system logger, but do not become a daemon.
1422 See --daemon directive above for description of progname parame‐
1423 ter.
1424
1425 --errors-to-stderr
1426 Output errors to stderr instead of stdout unless log output is
1427 redirected by one of the --log options.
1428
1429 --passtos
1430 Set the TOS field of the tunnel packet to what the payload's TOS
1431 is.
1432
1433 --inetd [wait|nowait] [progname]
1434 Use this option when OpenVPN is being run from the inetd or
1435 xinetd(8) server.
1436
1437 The wait/nowait option must match what is specified in the
1438 inetd/xinetd config file. The nowait mode can only be used with
1439 --proto tcp-server. The default is wait. The nowait mode can
1440 be used to instantiate the OpenVPN daemon as a classic TCP
1441 server, where client connection requests are serviced on a sin‐
1442 gle port number. For additional information on this kind of
1443 configuration, see the OpenVPN FAQ: http://open‐
1444 vpn.net/faq.html#oneport
1445
1446 This option precludes the use of --daemon, --local, or --remote.
1447 Note that this option causes message and error output to be han‐
1448 dled in the same way as the --daemon option. The optional prog‐
1449 name parameter is also handled exactly as in --daemon.
1450
1451 Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1452 arate TCP/UDP port and a separate inetd or xinetd entry. See
1453 the OpenVPN 1.x HOWTO for an example on using OpenVPN with
1454 xinetd: http://openvpn.net/1xhowto.html
1455
1456 --log file
1457 Output logging messages to file, including output to std‐
1458 out/stderr which is generated by called scripts. If file
1459 already exists it will be truncated. This option takes effect
1460 immediately when it is parsed in the command line and will
1461 supercede syslog output if --daemon or --inetd is also speci‐
1462 fied. This option is persistent over the entire course of an
1463 OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1,
1464 or --ping-restart.
1465
1466 Note that on Windows, when OpenVPN is started as a service, log‐
1467 ging occurs by default without the need to specify this option.
1468
1469 --log-append file
1470 Append logging messages to file. If file does not exist, it
1471 will be created. This option behaves exactly like --log except
1472 that it appends to rather than truncating the log file.
1473
1474 --suppress-timestamps
1475 Avoid writing timestamps to log messages, even when they other‐
1476 wise would be prepended. In particular, this applies to log mes‐
1477 sages sent to stdout.
1478
1479 --machine-readable-output
1480 Always write timestamps and message flags to log messages, even
1481 when they otherwise would not be prefixed. In particular, this
1482 applies to log messages sent to stdout.
1483
1484 --writepid file
1485 Write OpenVPN's main process ID to file.
1486
1487 --nice n
1488 Change process priority after initialization ( n greater than 0
1489 is lower priority, n less than zero is higher priority).
1490
1491 --fast-io
1492 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a
1493 call to poll/epoll/select prior to the write operation. The
1494 purpose of such a call would normally be to block until the
1495 device or socket is ready to accept the write. Such blocking is
1496 unnecessary on some platforms which don't support write blocking
1497 on UDP sockets or TUN/TAP devices. In such cases, one can opti‐
1498 mize the event loop by avoiding the poll/epoll/select call,
1499 improving CPU efficiency by 5% to 10%.
1500
1501 This option can only be used on non-Windows systems, when
1502 --proto udp is specified, and when --shaper is NOT specified.
1503
1504 --multihome
1505 Configure a multi-homed UDP server. This option needs to be
1506 used when a server has more than one IP address (e.g. multiple
1507 interfaces, or secondary IP addresses), and is not using --local
1508 to force binding to one specific address only. This option will
1509 add some extra lookups to the packet path to ensure that the UDP
1510 reply packets are always sent from the address that the client
1511 is talking to. This is not supported on all platforms, and it
1512 adds more processing, so it's not enabled by default.
1513
1514 Note: this option is only relevant for UDP servers.
1515
1516 Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux
1517 machine with multiple IPv4 address, connections to IPv4
1518 addresses will not work right on kernels before 3.15, due to
1519 missing kernel support for the IPv4-mapped case (some distribu‐
1520 tions have ported this to earlier kernel versions, though).
1521
1522 --echo [parms...]
1523 Echo parms to log output.
1524
1525 Designed to be used to send messages to a controlling applica‐
1526 tion which is receiving the OpenVPN log output.
1527
1528 --remap-usr1 signal
1529 Control whether internally or externally generated SIGUSR1 sig‐
1530 nals are remapped to SIGHUP (restart without persisting state)
1531 or SIGTERM (exit).
1532
1533 signal can be set to "SIGHUP" or "SIGTERM". By default, no
1534 remapping occurs.
1535
1536 --verb n
1537 Set output verbosity to n (default=1). Each level shows all
1538 info from the previous levels. Level 3 is recommended if you
1539 want a good summary of what's happening without being swamped by
1540 output.
1541
1542 0 -- No output except fatal errors.
1543 1 to 4 -- Normal usage range.
1544 5 -- Output R and W characters to the console for each packet
1545 read and write, uppercase is used for TCP/UDP packets and lower‐
1546 case is used for TUN/TAP packets.
1547 6 to 11 -- Debug info range (see errlevel.h for additional
1548 information on debug levels).
1549
1550 --status file [n]
1551 Write operational status to file every n seconds.
1552
1553 Status can also be written to the syslog by sending a SIGUSR2
1554 signal.
1555
1556 With multi-client capability enabled on a server, the status
1557 file includes a list of clients and a routing table. The output
1558 format can be controlled by the --status-version option in that
1559 case.
1560
1561 For clients or instances running in point-to-point mode, it will
1562 contain the traffic statistics.
1563
1564 --status-version [n]
1565 Set the status file format version number to n.
1566
1567 This only affects the status file on servers with multi-client
1568 capability enabled.
1569
1570 1 -- traditional format (default). The client list contains the
1571 following fields comma-separated: Common Name, Real Address,
1572 Bytes Received, Bytes Sent, Connected Since.
1573 2 -- a more reliable format for external processing. Compared to
1574 version 1, the client list contains some additional fields: Vir‐
1575 tual Address, Virtual IPv6 Address, Username, Client ID, Peer
1576 ID. Future versions may extend the number of fields.
1577 3 -- identical to 2, but fields are tab-separated.
1578
1579
1580 --mute n
1581 Log at most n consecutive messages in the same category. This
1582 is useful to limit repetitive logging of similar message types.
1583
1584 --compress [algorithm]
1585 Enable a compression algorithm.
1586
1587 The algorithm parameter may be "lzo", "lz4", or empty. LZO and
1588 LZ4 are different compression algorithms, with LZ4 generally
1589 offering the best performance with least CPU usage. For back‐
1590 wards compatibility with OpenVPN versions before v2.4, use "lzo"
1591 (which is identical to the older option "--comp-lzo yes").
1592
1593 If the algorithm parameter is empty, compression will be turned
1594 off, but the packet framing for compression will still be
1595 enabled, allowing a different setting to be pushed later.
1596
1597 Security Considerations
1598
1599 Compression and encryption is a tricky combination. If an
1600 attacker knows or is able to control (parts of) the plaintext of
1601 packets that contain secrets, the attacker might be able to
1602 extract the secret if compression is enabled. See e.g. the
1603 CRIME and BREACH attacks on TLS which also leverage compression
1604 to break encryption. If you are not entirely sure that the
1605 above does not apply to your traffic, you are advised to *not*
1606 enable compression.
1607
1608
1609 --comp-lzo [mode]
1610 DEPRECATED This option will be removed in a future OpenVPN
1611 release. Use the newer --compress instead.
1612
1613 Use LZO compression -- may add up to 1 byte per packet for
1614 incompressible data. mode may be "yes", "no", or "adaptive"
1615 (default).
1616
1617 In a server mode setup, it is possible to selectively turn com‐
1618 pression on or off for individual clients.
1619
1620 First, make sure the client-side config file enables selective
1621 compression by having at least one --comp-lzo directive, such as
1622 --comp-lzo no. This will turn off compression by default, but
1623 allow a future directive push from the server to dynamically
1624 change the on/off/adaptive setting.
1625
1626 Next in a --client-config-dir file, specify the compression set‐
1627 ting for the client, for example:
1628
1629 comp-lzo yes
1630 push "comp-lzo yes"
1631
1632 The first line sets the comp-lzo setting for the server side of
1633 the link, the second sets the client side.
1634
1635 --comp-noadapt
1636 When used in conjunction with --comp-lzo, this option will dis‐
1637 able OpenVPN's adaptive compression algorithm. Normally, adap‐
1638 tive compression is enabled with --comp-lzo.
1639
1640 Adaptive compression tries to optimize the case where you have
1641 compression enabled, but you are sending predominantly incom‐
1642 pressible (or pre-compressed) packets over the tunnel, such as
1643 an FTP or rsync transfer of a large, compressed file. With
1644 adaptive compression, OpenVPN will periodically sample the com‐
1645 pression process to measure its efficiency. If the data being
1646 sent over the tunnel is already compressed, the compression
1647 efficiency will be very low, triggering openvpn to disable com‐
1648 pression for a period of time until the next re-sample test.
1649
1650 --management socket-name unix [pw-file] (recommended)
1651 --management IP port [pw-file]
1652 Enable a management server on a socket-name Unix socket on those
1653 platforms supporting it, or on a designated TCP port.
1654
1655 pw-file , if specified, is a password file where the password
1656 must be on first line. Instead of a filename it can use the
1657 keyword stdin which will prompt the user for a password to use
1658 when OpenVPN is starting.
1659
1660 For unix sockets, the default behaviour is to create a unix
1661 domain socket that may be connected to by any process. Use the
1662 --management-client-user and --management-client-group direc‐
1663 tives to restrict access.
1664
1665 The management interface provides a special mode where the TCP
1666 management link can operate over the tunnel itself. To enable
1667 this mode, set IP to tunnel. Tunnel mode will cause the man‐
1668 agement interface to listen for a TCP connection on the local
1669 VPN address of the TUN/TAP interface.
1670
1671 BEWARE of enabling the management interface over TCP. In these
1672 cases you should ALWAYS make use of pw-file to password protect
1673 the management interface. Any user who can connect to this TCP
1674 IP:port will be able to manage and control (and interfere with)
1675 the OpenVPN process. It is also strongly recommended to set IP
1676 to 127.0.0.1 (localhost) to restrict accessibility of the man‐
1677 agement server to local clients.
1678
1679 While the management port is designed for programmatic control
1680 of OpenVPN by other applications, it is possible to telnet to
1681 the port, using a telnet client in "raw" mode. Once connected,
1682 type "help" for a list of commands.
1683
1684 For detailed documentation on the management interface, see the
1685 management-notes.txt file in the management folder of the Open‐
1686 VPN source distribution.
1687
1688
1689 --management-client
1690 Management interface will connect as a TCP/unix domain client to
1691 IP:port specified by --management rather than listen as a TCP
1692 server or on a unix domain socket.
1693
1694 If the client connection fails to connect or is disconnected, a
1695 SIGTERM signal will be generated causing OpenVPN to quit.
1696
1697 --management-query-passwords
1698 Query management channel for private key password and
1699 --auth-user-pass username/password. Only query the management
1700 channel for inputs which ordinarily would have been queried from
1701 the console.
1702
1703 --management-query-proxy
1704 Query management channel for proxy server information for a spe‐
1705 cific --remote (client-only).
1706
1707 --management-query-remote
1708 Allow management interface to override --remote directives
1709 (client-only).
1710
1711 --management-external-key
1712 Allows usage for external private key file instead of --key
1713 option (client-only).
1714
1715 --management-external-cert certificate-hint
1716 Allows usage for external certificate instead of --cert option
1717 (client-only). certificate-hint is an arbitrary string which is
1718 passed to a management interface client as an argument of
1719 NEED-CERTIFICATE notification. Requires --management-exter‐
1720 nal-key.
1721
1722 --management-forget-disconnect
1723 Make OpenVPN forget passwords when management session discon‐
1724 nects.
1725
1726 This directive does not affect the --http-proxy username/pass‐
1727 word. It is always cached.
1728
1729 --management-hold
1730 Start OpenVPN in a hibernating state, until a client of the man‐
1731 agement interface explicitly starts it with the hold release
1732 command.
1733
1734 --management-signal
1735 Send SIGUSR1 signal to OpenVPN if management session discon‐
1736 nects. This is useful when you wish to disconnect an OpenVPN
1737 session on user logoff. For --management-client this option is
1738 not needed since a disconnect will always generate a SIGTERM.
1739
1740 --management-log-cache n
1741 Cache the most recent n lines of log file history for usage by
1742 the management channel.
1743
1744 --management-up-down
1745 Report tunnel up/down events to management interface.
1746
1747 --management-client-auth
1748 Gives management interface client the responsibility to authen‐
1749 ticate clients after their client certificate has been verified.
1750 See management-notes.txt in OpenVPN distribution for detailed
1751 notes.
1752
1753 --management-client-pf
1754 Management interface clients must specify a packet filter file
1755 for each connecting client. See management-notes.txt in OpenVPN
1756 distribution for detailed notes.
1757
1758 --management-client-user u
1759 When the management interface is listening on a unix domain
1760 socket, only allow connections from user u.
1761
1762 --management-client-group g
1763 When the management interface is listening on a unix domain
1764 socket, only allow connections from group g.
1765
1766 --plugin module-pathname [init-string]
1767 Load plug-in module from the file module-pathname, passing
1768 init-string as an argument to the module initialization func‐
1769 tion. Multiple plugin modules may be loaded into one OpenVPN
1770 process.
1771
1772 The module-pathname argument can be just a filename or a file‐
1773 name with a relative or absolute path. The format of the file‐
1774 name and path defines if the plug-in will be loaded from a
1775 default plug-in directory or outside this directory.
1776
1777 --plugin path Effective directory used
1778 ====================================================
1779 myplug.so DEFAULT_DIR/myplug.so
1780 subdir/myplug.so DEFAULT_DIR/subdir/myplug.so
1781 ./subdir/myplug.so CWD/subdir/myplug.so
1782 /usr/lib/my/plug.so /usr/lib/my/plug.so
1783
1784 DEFAULT_DIR is replaced by the default plug-in directory, which
1785 is configured at the build time of OpenVPN. CWD is the current
1786 directory where OpenVPN was started or the directory OpenVPN
1787 have swithed into via the --cd option before the --plugin
1788 option.
1789
1790 For more information and examples on how to build OpenVPN
1791 plug-in modules, see the README file in the plugin folder of the
1792 OpenVPN source distribution.
1793
1794 If you are using an RPM install of OpenVPN, see /usr/lib64/open‐
1795 vpn/plugin. The documentation is in doc and the actual plugin
1796 modules are in lib.
1797
1798 Multiple plugin modules can be cascaded, and modules can be used
1799 in tandem with scripts. The modules will be called by OpenVPN
1800 in the order that they are declared in the config file. If both
1801 a plugin and script are configured for the same callback, the
1802 script will be called last. If the return code of the mod‐
1803 ule/script controls an authentication function (such as tls-ver‐
1804 ify, auth-user-pass-verify, or client-connect), then every mod‐
1805 ule and script must return success (0) in order for the connec‐
1806 tion to be authenticated.
1807
1808 --keying-material-exporter label len
1809 Save Exported Keying Material [RFC5705] of len bytes (must be
1810 between 16 and 4095 bytes) using label in environment
1811 (exported_keying_material) for use by plugins in OPENVPN_PLUG‐
1812 IN_TLS_FINAL callback.
1813
1814 Note that exporter labels have the potential to collide with
1815 existing PRF labels. In order to prevent this, labels MUST begin
1816 with "EXPORTER".
1817
1818 This option requires OpenSSL 1.0.1 or newer.
1819
1820 Server Mode
1821 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode is sup‐
1822 ported, and can be enabled with the --mode server option. In server
1823 mode, OpenVPN will listen on a single port for incoming client connec‐
1824 tions. All client connections will be routed through a single tun or
1825 tap interface. This mode is designed for scalability and should be
1826 able to support hundreds or even thousands of clients on sufficiently
1827 fast hardware. SSL/TLS authentication must be used in this mode.
1828
1829 --server network netmask ['nopool']
1830 A helper directive designed to simplify the configuration of
1831 OpenVPN's server mode. This directive will set up an OpenVPN
1832 server which will allocate addresses to clients out of the given
1833 network/netmask. The server itself will take the ".1" address
1834 of the given network for use as the server-side endpoint of the
1835 local TUN/TAP interface.
1836
1837 For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1838
1839 mode server
1840 tls-server
1841 push "topology [topology]"
1842
1843 if dev tun AND (topology == net30 OR topology == p2p):
1844 ifconfig 10.8.0.1 10.8.0.2
1845 if !nopool:
1846 ifconfig-pool 10.8.0.4 10.8.0.251
1847 route 10.8.0.0 255.255.255.0
1848 if client-to-client:
1849 push "route 10.8.0.0 255.255.255.0"
1850 else if topology == net30:
1851 push "route 10.8.0.1"
1852
1853 if dev tap OR (dev tun AND topology == subnet):
1854 ifconfig 10.8.0.1 255.255.255.0
1855 if !nopool:
1856 ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1857 push "route-gateway 10.8.0.1"
1858 if route-gateway unset:
1859 route-gateway 10.8.0.2
1860
1861
1862 Don't use --server if you are ethernet bridging. Use
1863 --server-bridge instead.
1864
1865 --server-bridge gateway netmask pool-start-IP pool-end-IP
1866
1867 --server-bridge ['nogw']
1868
1869 A helper directive similar to --server which is designed to sim‐
1870 plify the configuration of OpenVPN's server mode in ethernet
1871 bridging configurations.
1872
1873 If --server-bridge is used without any parameters, it will
1874 enable a DHCP-proxy mode, where connecting OpenVPN clients will
1875 receive an IP address for their TAP adapter from the DHCP server
1876 running on the OpenVPN server-side LAN. Note that only clients
1877 that support the binding of a DHCP client with the TAP adapter
1878 (such as Windows) can support this mode. The optional nogw flag
1879 (advanced) indicates that gateway information should not be
1880 pushed to the client.
1881
1882 To configure ethernet bridging, you must first use your OS's
1883 bridging capability to bridge the TAP interface with the ether‐
1884 net NIC interface. For example, on Linux this is done with the
1885 brctl tool, and with Windows XP it is done in the Network Con‐
1886 nections Panel by selecting the ethernet and TAP adapters and
1887 right-clicking on "Bridge Connections".
1888
1889 Next you you must manually set the IP/netmask on the bridge
1890 interface. The gateway and netmask parameters to
1891 --server-bridge can be set to either the IP/netmask of the
1892 bridge interface, or the IP/netmask of the default gate‐
1893 way/router on the bridged subnet.
1894
1895 Finally, set aside a IP range in the bridged subnet, denoted by
1896 pool-start-IP and pool-end-IP, for OpenVPN to allocate to con‐
1897 necting clients.
1898
1899 For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128
1900 10.8.0.254 expands as follows:
1901
1902 mode server
1903 tls-server
1904
1905 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1906 push "route-gateway 10.8.0.4"
1907
1908 In another example, --server-bridge (without parameters) expands
1909 as follows:
1910
1911 mode server
1912 tls-server
1913
1914 push "route-gateway dhcp"
1915
1916 Or --server-bridge nogw expands as follows:
1917
1918 mode server
1919 tls-server
1920
1921 --push option
1922 Push a config file option back to the client for remote execu‐
1923 tion. Note that option must be enclosed in double quotes ("").
1924 The client must specify --pull in its config file. The set of
1925 options which can be pushed is limited by both feasibility and
1926 security. Some options such as those which would execute
1927 scripts are banned, since they would effectively allow a compro‐
1928 mised server to execute arbitrary code on the client. Other
1929 options such as TLS or MTU parameters cannot be pushed because
1930 the client needs to know them before the connection to the
1931 server can be initiated.
1932
1933 This is a partial list of options which can currently be pushed:
1934 --route, --route-gateway, --route-delay, --redirect-gateway,
1935 --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit,
1936 --ping-restart, --setenv, --auth-token, --persist-key, --per‐
1937 sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1938
1939 --push-reset
1940 Don't inherit the global push list for a specific client
1941 instance. Specify this option in a client-specific context such
1942 as with a --client-config-dir configuration file. This option
1943 will ignore --push options at the global config file level.
1944
1945 --push-remove opt
1946 selectively remove all --push options matching "opt" from the
1947 option list for a client. "opt" is matched as a substring
1948 against the whole option string to-be-pushed to the client, so
1949 --push-remove route would remove all --push route ... and
1950 --push route-ipv6 ... statements, while --push-remove
1951 'route-ipv6 2001:' would only remove IPv6 routes for 2001:...
1952 networks.
1953
1954 --push-remove can only be used in a client-specific context,
1955 like in a --client-config-dir file, or --client-connect script
1956 or plugin -- similar to --push-reset, just more selective.
1957
1958 NOTE: to change an option, --push-remove can be used to first
1959 remove the old value, and then add a new --push option with the
1960 new value.
1961
1962 --push-peer-info
1963 Push additional information about the client to server. The
1964 following data is always pushed to the server:
1965
1966 IV_VER=<version> -- the client OpenVPN version
1967
1968 IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] -- the
1969 client OS platform
1970
1971 IV_LZO_STUB=1 -- if client was built with LZO stub capability
1972
1973 IV_LZ4=1 -- if the client supports LZ4 compressions.
1974
1975 IV_PROTO=2 -- if the client supports peer-id floating mechansim
1976
1977 IV_NCP=2 -- negotiable ciphers, client supports --cipher pushed
1978 by the server, a value of 2 or greater indicates client supports
1979 AES-GCM-128 and AES-GCM-256.
1980
1981 IV_GUI_VER=<gui_id> <version> -- the UI version of a UI if one
1982 is running, for example "de.blinkt.openvpn 0.5.47" for the
1983 Android app.
1984
1985 When --push-peer-info is enabled the additional information con‐
1986 sists of the following data:
1987
1988 IV_HWADDR=<mac address> -- the MAC address of clients default
1989 gateway
1990
1991 IV_SSL=<version string> -- the ssl version used by the client,
1992 e.g. "OpenSSL 1.0.2f 28 Jan 2016".
1993
1994 IV_PLAT_VER=x.y - the version of the operating system, e.g. 6.1
1995 for Windows 7.
1996
1997 UV_<name>=<value> -- client environment variables whose names
1998 start with "UV_"
1999
2000 --disable
2001 Disable a particular client (based on the common name) from con‐
2002 necting. Don't use this option to disable a client due to key
2003 or password compromise. Use a CRL (certificate revocation list)
2004 instead (see the --crl-verify option).
2005
2006 This option must be associated with a specific client instance,
2007 which means that it must be specified either in a client
2008 instance config file using --client-config-dir or dynamically
2009 generated using a --client-connect script.
2010
2011 --ifconfig-pool start-IP end-IP [netmask]
2012 Set aside a pool of subnets to be dynamically allocated to con‐
2013 necting clients, similar to a DHCP server. For tun-style tun‐
2014 nels, each client will be given a /30 subnet (for interoperabil‐
2015 ity with Windows clients). For tap-style tunnels, individual
2016 addresses will be allocated, and the optional netmask parameter
2017 will also be pushed to clients.
2018
2019
2020 --ifconfig-pool-persist file [seconds]
2021 Persist/unpersist ifconfig-pool data to file, at seconds inter‐
2022 vals (default=600), as well as on program startup and shutdown.
2023
2024 The goal of this option is to provide a long-term association
2025 between clients (denoted by their common name) and the virtual
2026 IP address assigned to them from the ifconfig-pool. Maintaining
2027 a long-term association is good for clients because it allows
2028 them to effectively use the --persist-tun option.
2029
2030 file is a comma-delimited ASCII file, formatted as <Com‐
2031 mon-Name>,<IP-address>.
2032
2033 If seconds = 0, file will be treated as read-only. This is use‐
2034 ful if you would like to treat file as a configuration file.
2035
2036 Note that the entries in this file are treated by OpenVPN as
2037 suggestions only, based on past associations between a common
2038 name and IP address. They do not guarantee that the given com‐
2039 mon name will always receive the given IP address. If you want
2040 guaranteed assignment, use --ifconfig-push
2041
2042
2043 --ifconfig-pool-linear
2044 DEPRECATED This option will be removed in OpenVPN 2.5
2045
2046 Modifies the --ifconfig-pool directive to allocate individual
2047 TUN interface addresses for clients rather than /30 subnets.
2048 NOTE: This option is incompatible with Windows clients.
2049
2050 This option is deprecated, and should be replaced with --topol‐
2051 ogy p2p which is functionally equivalent.
2052
2053 --ifconfig-push local remote-netmask [alias]
2054 Push virtual IP endpoints for client tunnel, overriding the
2055 --ifconfig-pool dynamic allocation.
2056
2057 The parameters local and remote-netmask are set according to the
2058 --ifconfig directive which you want to execute on the client
2059 machine to configure the remote end of the tunnel. Note that
2060 the parameters local and remote-netmask are from the perspective
2061 of the client, not the server. They may be DNS names rather
2062 than IP addresses, in which case they will be resolved on the
2063 server at the time of client connection.
2064
2065 The optional alias parameter may be used in cases where NAT
2066 causes the client view of its local endpoint to differ from the
2067 server view. In this case local/remote-netmask will refer to
2068 the server view while alias/remote-netmask will refer to the
2069 client view.
2070
2071 This option must be associated with a specific client instance,
2072 which means that it must be specified either in a client
2073 instance config file using --client-config-dir or dynamically
2074 generated using a --client-connect script.
2075
2076 Remember also to include a --route directive in the main OpenVPN
2077 config file which encloses local, so that the kernel will know
2078 to route it to the server's TUN/TAP interface.
2079
2080 OpenVPN's internal client IP address selection algorithm works
2081 as follows:
2082
2083 1 -- Use --client-connect script generated file for static IP
2084 (first choice).
2085 2 -- Use --client-config-dir file for static IP (next choice).
2086 3 -- Use --ifconfig-pool allocation for dynamic IP (last
2087 choice).
2088
2089 --iroute network [netmask]
2090 Generate an internal route to a specific client. The netmask
2091 parameter, if omitted, defaults to 255.255.255.255.
2092
2093 This directive can be used to route a fixed subnet from the
2094 server to a particular client, regardless of where the client is
2095 connecting from. Remember that you must also add the route to
2096 the system routing table as well (such as by using the --route
2097 directive). The reason why two routes are needed is that the
2098 --route directive routes the packet from the kernel to OpenVPN.
2099 Once in OpenVPN, the --iroute directive routes to the specific
2100 client.
2101
2102 This option must be specified either in a client instance config
2103 file using --client-config-dir or dynamically generated using a
2104 --client-connect script.
2105
2106 The --iroute directive also has an important interaction with
2107 --push "route ...". --iroute essentially defines a subnet which
2108 is owned by a particular client (we will call this client A).
2109 If you would like other clients to be able to reach A's subnet,
2110 you can use --push "route ..." together with --client-to-client
2111 to effect this. In order for all clients to see A's subnet,
2112 OpenVPN must push this route to all clients EXCEPT for A, since
2113 the subnet is already owned by A. OpenVPN accomplishes this by
2114 not not pushing a route to a client if it matches one of the
2115 client's iroutes.
2116
2117 --client-to-client
2118 Because the OpenVPN server mode handles multiple clients through
2119 a single tun or tap interface, it is effectively a router. The
2120 --client-to-client flag tells OpenVPN to internally route
2121 client-to-client traffic rather than pushing all client-origi‐
2122 nating traffic to the TUN/TAP interface.
2123
2124 When this option is used, each client will "see" the other
2125 clients which are currently connected. Otherwise, each client
2126 will only see the server. Don't use this option if you want to
2127 firewall tunnel traffic using custom, per-client rules.
2128
2129 --duplicate-cn
2130 Allow multiple clients with the same common name to concurrently
2131 connect. In the absence of this option, OpenVPN will disconnect
2132 a client instance upon connection of a new client having the
2133 same common name.
2134
2135 --client-connect cmd
2136 Run command cmd on client connection.
2137
2138 cmd consists of a path to script (or executable program),
2139 optionally followed by arguments. The path and arguments may be
2140 single- or double-quoted and/or escaped using a backslash, and
2141 should be separated by one or more spaces.
2142
2143 The command is passed the common name and IP address of the
2144 just-authenticated client as environmental variables (see envi‐
2145 ronmental variable section below). The command is also passed
2146 the pathname of a freshly created temporary file as the last
2147 argument (after any arguments specified in cmd ), to be used by
2148 the command to pass dynamically generated config file directives
2149 back to OpenVPN.
2150
2151 If the script wants to generate a dynamic config file to be
2152 applied on the server when the client connects, it should write
2153 it to the file named by the last argument.
2154
2155 See the --client-config-dir option below for options which can
2156 be legally used in a dynamically generated config file.
2157
2158 Note that the return value of script is significant. If script
2159 returns a non-zero error status, it will cause the client to be
2160 disconnected.
2161
2162 --client-disconnect cmd
2163 Like --client-connect but called on client instance shutdown.
2164 Will not be called unless the --client-connect script and plug‐
2165 ins (if defined) were previously called on this instance with
2166 successful (0) status returns.
2167
2168 The exception to this rule is if the --client-disconnect command
2169 or plugins are cascaded, and at least one client-connect func‐
2170 tion succeeded, then ALL of the client-disconnect functions for
2171 scripts and plugins will be called on client instance object
2172 deletion, even in cases where some of the related client-connect
2173 functions returned an error status.
2174
2175 The --client-disconnect command is passed the same pathname as
2176 the corresponding --client-connect command as its last argument.
2177 (after any arguments specified in cmd ).
2178
2179 --client-config-dir dir
2180 Specify a directory dir for custom client config files. After a
2181 connecting client has been authenticated, OpenVPN will look in
2182 this directory for a file having the same name as the client's
2183 X509 common name. If a matching file exists, it will be opened
2184 and parsed for client-specific configuration options. If no
2185 matching file is found, OpenVPN will instead try to open and
2186 parse a default file called "DEFAULT", which may be provided but
2187 is not required. Note that the configuration files must be read‐
2188 able by the OpenVPN process after it has dropped it's root priv‐
2189 ileges.
2190
2191 This file can specify a fixed IP address for a given client
2192 using --ifconfig-push, as well as fixed subnets owned by the
2193 client using --iroute.
2194
2195 One of the useful properties of this option is that it allows
2196 client configuration files to be conveniently created, edited,
2197 or removed while the server is live, without needing to restart
2198 the server.
2199
2200 The following options are legal in a client-specific context:
2201 --push, --push-reset, --push-remove, --iroute, --ifconfig-push,
2202 and --config.
2203
2204 --ccd-exclusive
2205 Require, as a condition of authentication, that a connecting
2206 client has a --client-config-dir file.
2207
2208 --tmp-dir dir
2209 Specify a directory dir for temporary files. This directory
2210 will be used by openvpn processes and script to communicate tem‐
2211 porary data with openvpn main process. Note that the directory
2212 must be writable by the OpenVPN process after it has dropped
2213 it's root privileges.
2214
2215 This directory will be used by in the following cases:
2216
2217 * --client-connect scripts to dynamically generate client-spe‐
2218 cific configuration files.
2219
2220 * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin hook to return
2221 success/failure via auth_control_file when using deferred auth
2222 method
2223
2224 * OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass filtering rules
2225 via pf_file
2226
2227 --hash-size r v
2228 Set the size of the real address hash table to r and the virtual
2229 address table to v. By default, both tables are sized at 256
2230 buckets.
2231
2232 --bcast-buffers n
2233 Allocate n buffers for broadcast datagrams (default=256).
2234
2235 --tcp-queue-limit n
2236 Maximum number of output packets queued before TCP (default=64).
2237
2238 When OpenVPN is tunneling data from a TUN/TAP device to a remote
2239 client over a TCP connection, it is possible that the TUN/TAP
2240 device might produce data at a faster rate than the TCP connec‐
2241 tion can support. When the number of output packets queued
2242 before sending to the TCP socket reaches this limit for a given
2243 client connection, OpenVPN will start to drop outgoing packets
2244 directed at this client.
2245
2246 --tcp-nodelay
2247 This macro sets the TCP_NODELAY socket flag on the server as
2248 well as pushes it to connecting clients. The TCP_NODELAY flag
2249 disables the Nagle algorithm on TCP sockets causing packets to
2250 be transmitted immediately with low latency, rather than waiting
2251 a short period of time in order to aggregate several packets
2252 into a larger containing packet. In VPN applications over TCP,
2253 TCP_NODELAY is generally a good latency optimization.
2254
2255 The macro expands as follows:
2256
2257 if mode server:
2258 socket-flags TCP_NODELAY
2259 push "socket-flags TCP_NODELAY"
2260
2261 --max-clients n
2262 Limit server to a maximum of n concurrent clients.
2263
2264 --max-routes-per-client n
2265 Allow a maximum of n internal routes per client (default=256).
2266 This is designed to help contain DoS attacks where an authenti‐
2267 cated client floods the server with packets appearing to come
2268 from many unique MAC addresses, forcing the server to deplete
2269 virtual memory as its internal routing table expands. This
2270 directive can be used in a --client-config-dir file or auto-gen‐
2271 erated by a --client-connect script to override the global value
2272 for a particular client.
2273
2274 Note that this directive affects OpenVPN's internal routing ta‐
2275 ble, not the kernel routing table.
2276
2277 --stale-routes-check n [t]
2278 Remove routes haven't had activity for n seconds (i.e. the age‐
2279 ing time).
2280
2281 This check is ran every t seconds (i.e. check interval).
2282
2283 If t is not present it defaults to n
2284
2285 This option helps to keep the dynamic routing table small. See
2286 also --max-routes-per-client
2287
2288 --connect-freq n sec
2289 Allow a maximum of n new connections per sec seconds from
2290 clients. This is designed to contain DoS attacks which flood
2291 the server with connection requests using certificates which
2292 will ultimately fail to authenticate.
2293
2294 This is an imperfect solution however, because in a real DoS
2295 scenario, legitimate connections might also be refused.
2296
2297 For the best protection against DoS attacks in server mode, use
2298 --proto udp and either --tls-auth or --tls-crypt.
2299
2300 --learn-address cmd
2301 Run command cmd to validate client virtual addresses or routes.
2302
2303 cmd consists of a path to script (or executable program),
2304 optionally followed by arguments. The path and arguments may be
2305 single- or double-quoted and/or escaped using a backslash, and
2306 should be separated by one or more spaces.
2307
2308 Three arguments will be appended to any arguments in cmd as fol‐
2309 lows:
2310
2311 [1] operation -- "add", "update", or "delete" based on whether
2312 or not the address is being added to, modified, or deleted from
2313 OpenVPN's internal routing table.
2314 [2] address -- The address being learned or unlearned. This can
2315 be an IPv4 address such as "198.162.10.14", an IPv4 subnet such
2316 as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
2317 is being used) such as "00:FF:01:02:03:04".
2318 [3] common name -- The common name on the certificate associated
2319 with the client linked to this address. Only present for "add"
2320 or "update" operations, not "delete".
2321
2322 On "add" or "update" methods, if the script returns a failure
2323 code (non-zero), OpenVPN will reject the address and will not
2324 modify its internal routing table.
2325
2326 Normally, the cmd script will use the information provided above
2327 to set appropriate firewall entries on the VPN TUN/TAP inter‐
2328 face. Since OpenVPN provides the association between virtual IP
2329 or MAC address and the client's authenticated common name, it
2330 allows a user-defined script to configure firewall access poli‐
2331 cies with regard to the client's high-level common name, rather
2332 than the low level client virtual addresses.
2333
2334 --auth-user-pass-verify cmd method
2335 Require the client to provide a username/password (possibly in
2336 addition to a client certificate) for authentication.
2337
2338 OpenVPN will run command cmd to validate the username/password
2339 provided by the client.
2340
2341 cmd consists of a path to script (or executable program),
2342 optionally followed by arguments. The path and arguments may be
2343 single- or double-quoted and/or escaped using a backslash, and
2344 should be separated by one or more spaces.
2345
2346 If method is set to "via-env", OpenVPN will call script with the
2347 environmental variables username and password set to the user‐
2348 name/password strings provided by the client. Be aware that
2349 this method is insecure on some platforms which make the envi‐
2350 ronment of a process publicly visible to other unprivileged pro‐
2351 cesses.
2352
2353 If method is set to "via-file", OpenVPN will write the username
2354 and password to the first two lines of a temporary file. The
2355 filename will be passed as an argument to script, and the file
2356 will be automatically deleted by OpenVPN after the script
2357 returns. The location of the temporary file is controlled by
2358 the --tmp-dir option, and will default to the current directory
2359 if unspecified. For security, consider setting --tmp-dir to a
2360 volatile storage medium such as /dev/shm (if available) to pre‐
2361 vent the username/password file from touching the hard drive.
2362
2363 The script should examine the username and password, returning a
2364 success exit code (0) if the client's authentication request is
2365 to be accepted, or a failure code (1) to reject the client.
2366
2367 This directive is designed to enable a plugin-style interface
2368 for extending OpenVPN's authentication capabilities.
2369
2370 To protect against a client passing a maliciously formed user‐
2371 name or password string, the username string must consist only
2372 of these characters: alphanumeric, underbar ('_'), dash ('-'),
2373 dot ('.'), or at ('@'). The password string can consist of any
2374 printable characters except for CR or LF. Any illegal charac‐
2375 ters in either the username or password string will be converted
2376 to underbar ('_').
2377
2378 Care must be taken by any user-defined scripts to avoid creating
2379 a security vulnerability in the way that these strings are han‐
2380 dled. Never use these strings in such a way that they might be
2381 escaped or evaluated by a shell interpreter.
2382
2383 For a sample script that performs PAM authentication, see sam‐
2384 ple-scripts/auth-pam.pl in the OpenVPN source distribution.
2385
2386 --auth-gen-token [lifetime]
2387 After successful user/password authentication, the OpenVPN
2388 server will with this option generate a temporary authentication
2389 token and push that to client. On the following renegotiations,
2390 the OpenVPN client will pass this token instead of the users
2391 password. On the server side the server will do the token
2392 authentication internally and it will NOT do any additional
2393 authentications against configured external user/password
2394 authentication mechanisms.
2395
2396 The lifetime argument defines how long the generated token is
2397 valid. The lifetime is defined in seconds. If lifetime is not
2398 set or it is set to 0, the token will never expire.
2399
2400 This feature is useful for environments which is configured to
2401 use One Time Passwords (OTP) as part of the user/password
2402 authentications and that authentication mechanism does not
2403 implement any auth-token support.
2404
2405 --opt-verify
2406 Clients that connect with options that are incompatible with
2407 those of the server will be disconnected.
2408
2409 Options that will be compared for compatibility include
2410 dev-type, link-mtu, tun-mtu, proto, ifconfig, comp-lzo, frag‐
2411 ment, keydir, cipher, auth, keysize, secret, no-replay, no-iv,
2412 tls-auth, key-method, tls-server, and tls-client.
2413
2414 This option requires that --disable-occ NOT be used.
2415
2416 --auth-user-pass-optional
2417 Allow connections by clients that do not specify a user‐
2418 name/password. Normally, when --auth-user-pass-verify or --man‐
2419 agement-client-auth is specified (or an authentication plugin
2420 module), the OpenVPN server daemon will require connecting
2421 clients to specify a username and password. This option makes
2422 the submission of a username/password by clients optional, pass‐
2423 ing the responsibility to the user-defined authentication mod‐
2424 ule/script to accept or deny the client based on other factors
2425 (such as the setting of X509 certificate fields). When this
2426 option is used, and a connecting client does not submit a user‐
2427 name/password, the user-defined authentication module/script
2428 will see the username and password as being set to empty strings
2429 (""). The authentication module/script MUST have logic to
2430 detect this condition and respond accordingly.
2431
2432 --client-cert-not-required
2433 DEPRECATED This option will be removed in OpenVPN 2.5
2434
2435 Don't require client certificate, client will authenticate using
2436 username/password only. Be aware that using this directive is
2437 less secure than requiring certificates from all clients.
2438
2439 Please note: This is replaced by --verify-client-cert which
2440 allows for more flexibility. The option --verify-client-cert
2441 none is functionally equivalent to --client-cert-not-required
2442
2443
2444 --verify-client-cert none|optional|require
2445 Specify whether the client is required to supply a valid cer‐
2446 tificate.
2447
2448 Possible options are
2449
2450 none : a client certificate is not required. the client need to
2451 authenticate using username/password only. Be aware that using
2452 this directive is less secure than requiring certificates from
2453 all clients.
2454
2455 If you use this directive, the entire responsibility of authen‐
2456 tication will rest on your --auth-user-pass-verify script, so
2457 keep in mind that bugs in your script could potentially compro‐
2458 mise the security of your VPN.
2459
2460 --verify-client-cert none is functionally equivalent to
2461 --client-cert-not-required.
2462
2463 optional : a client may present a certificate but it is not
2464 required to do so. When using this directive, you should also
2465 use a --auth-user-pass-verify script to ensure that clients are
2466 authenticated using a certificate, a username and password, or
2467 possibly even both.
2468
2469 Again, the entire responsibility of authentication will rest on
2470 your --auth-user-pass-verify script, so keep in mind that bugs
2471 in your script could potentially compromise the security of your
2472 VPN.
2473
2474 require : this is the default option. A client is required to
2475 present a certificate, otherwise VPN access is refused.
2476
2477 If you don't use this directive (or use --verify-client-cert
2478 require ) but you also specify an --auth-user-pass-verify
2479 script, then OpenVPN will perform double authentication. The
2480 client certificate verification AND the --auth-user-pass-verify
2481 script will need to succeed in order for a client to be authen‐
2482 ticated and accepted onto the VPN.
2483
2484 --username-as-common-name
2485 For --auth-user-pass-verify authentication, use the authenti‐
2486 cated username as the common name, rather than the common name
2487 from the client cert.
2488
2489 --compat-names [no-remapping]
2490 DEPRECATED This option will be removed in OpenVPN 2.5
2491
2492 Until OpenVPN v2.3 the format of the X.509 Subject fields was
2493 formatted like this:
2494
2495 /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
2496
2497 In addition the old behaviour was to remap any character other
2498 than alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and
2499 slash ('/') to underscore ('_'). The X.509 Subject string as
2500 returned by the tls_id environmental variable, could addition‐
2501 ally contain colon (':') or equal ('=').
2502
2503 When using the --compat-names option, this old formatting and
2504 remapping will be re-enabled again. This is purely implemented
2505 for compatibility reasons when using older plug-ins or scripts
2506 which does not handle the new formatting or UTF-8 characters.
2507
2508 In OpenVPN 2.3 the formatting of these fields changed into a
2509 more standardised format. It now looks like:
2510
2511 C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
2512
2513 The new default format in OpenVPN 2.3 also does not do the char‐
2514 acter remapping which happened earlier. This new format enables
2515 proper support for UTF-8 characters in the usernames, X.509 Sub‐
2516 ject fields and Common Name variables and it complies to the RFC
2517 2253, UTF-8 String Representation of Distinguished Names.
2518
2519 The no-remapping mode flag can be used with the --compat-names
2520 option to be compatible with the now deprecated --no-name-remap‐
2521 ping option. It is only available at the server. When this mode
2522 flag is used, the Common Name, Subject, and username strings are
2523 allowed to include any printable character including space, but
2524 excluding control characters such as tab, newline, and car‐
2525 riage-return. no-remapping is only available on the server side.
2526
2527 Please note: This option is immediately deprecated. It is only
2528 implemented to make the transition to the new formatting less
2529 intrusive. It will be removed in OpenVPN 2.5. So please update
2530 your scripts/plug-ins where necessary.
2531
2532 --no-name-remapping
2533 DEPRECATED This option will be removed in OpenVPN 2.5
2534
2535 The --no-name-remapping option is an alias for --com‐
2536 pat-names no-remapping. It ensures compatibility with server
2537 configurations using the --no-name-remapping option.
2538
2539 Please note: This option is now deprecated. It will be removed
2540 in OpenVPN 2.5. So please make sure you support the new X.509
2541 name formatting described with the --compat-names option as soon
2542 as possible.
2543
2544 --port-share host port [dir]
2545 When run in TCP server mode, share the OpenVPN port with another
2546 application, such as an HTTPS server. If OpenVPN senses a con‐
2547 nection to its port which is using a non-OpenVPN protocol, it
2548 will proxy the connection to the server at host:port. Currently
2549 only designed to work with HTTP/HTTPS, though it would be theo‐
2550 retically possible to extend to other protocols such as ssh.
2551
2552 dir specifies an optional directory where a temporary file with
2553 name N containing content C will be dynamically generated for
2554 each proxy connection, where N is the source IP:port of the
2555 client connection and C is the source IP:port of the connection
2556 to the proxy receiver. This directory can be used as a dictio‐
2557 nary by the proxy receiver to determine the origin of the con‐
2558 nection. Each generated file will be automatically deleted when
2559 the proxied connection is torn down.
2560
2561 Not implemented on Windows.
2562
2563 Client Mode
2564 Use client mode when connecting to an OpenVPN server which has
2565 --server, --server-bridge, or --mode server in it's configuration.
2566
2567 --client
2568 A helper directive designed to simplify the configuration of
2569 OpenVPN's client mode. This directive is equivalent to:
2570
2571 pull
2572 tls-client
2573
2574 --pull This option must be used on a client which is connecting to a
2575 multi-client server. It indicates to OpenVPN that it should
2576 accept options pushed by the server, provided they are part of
2577 the legal set of pushable options (note that the --pull option
2578 is implied by --client ).
2579
2580 In particular, --pull allows the server to push routes to the
2581 client, so you should not use --pull or --client in situations
2582 where you don't trust the server to have control over the
2583 client's routing table.
2584
2585 --pull-filter accept|ignore|reject text
2586 Filter options received from the server if the option starts
2587 with text. Runs on client. The action flag accept allows the
2588 option, ignore removes it and reject flags an error and triggers
2589 a SIGUSR1 restart. The filters may be specified multiple times,
2590 and each filter is applied in the order it is specified. The
2591 filtering of each option stops as soon as a match is found.
2592 Unmatched options are accepted by default.
2593
2594 Prefix comparison is used to match text against the received
2595 option so that
2596
2597 --pull-filter ignore "route"
2598
2599 would remove all pushed options starting with route which would
2600 include, for example, route-gateway. Enclose text in quotes to
2601 embed spaces.
2602
2603 --pull-filter accept "route 192.168.1."
2604 --pull-filter ignore "route "
2605
2606 would remove all routes that do not start with 192.168.1.
2607
2608 This option may be used only on clients. Note that reject may
2609 result in a repeated cycle of failure and reconnect, unless mul‐
2610 tiple remotes are specified and connection to the next remote
2611 succeeds. To silently ignore an option pushed by the server, use
2612 ignore.
2613
2614 --auth-user-pass [up]
2615 Authenticate with server using username/password. up is a file
2616 containing username/password on 2 lines. If the password line is
2617 missing, OpenVPN will prompt for one.
2618
2619 If up is omitted, username/password will be prompted from the
2620 console.
2621
2622 The server configuration must specify an --auth-user-pass-verify
2623 script to verify the username/password provided by the client.
2624
2625 --auth-retry type
2626 Controls how OpenVPN responds to username/password verification
2627 errors such as the client-side response to an AUTH_FAILED mes‐
2628 sage from the server or verification failure of the private key
2629 password.
2630
2631 Normally used to prevent auth errors from being fatal on the
2632 client side, and to permit username/password requeries in case
2633 of error.
2634
2635 An AUTH_FAILED message is generated by the server if the client
2636 fails --auth-user-pass authentication, or if the server-side
2637 --client-connect script returns an error status when the client
2638 tries to connect.
2639
2640 type can be one of:
2641
2642 none -- Client will exit with a fatal error (this is the
2643 default).
2644 nointeract -- Client will retry the connection without requery‐
2645 ing for an --auth-user-pass username/password. Use this option
2646 for unattended clients.
2647 interact -- Client will requery for an --auth-user-pass user‐
2648 name/password and/or private key password before attempting a
2649 reconnection.
2650
2651 Note that while this option cannot be pushed, it can be con‐
2652 trolled from the management interface.
2653
2654 --static-challenge t e
2655 Enable static challenge/response protocol using challenge text
2656 t, with echo flag given by e (0|1).
2657
2658 The echo flag indicates whether or not the user's response to
2659 the challenge should be echoed.
2660
2661 See management-notes.txt in the OpenVPN distribution for a
2662 description of the OpenVPN challenge/response protocol.
2663
2664 --server-poll-timeout n, --connect-timeout n
2665 When connecting to a remote server do not wait for more than n
2666 seconds waiting for a response before trying the next server.
2667 The default value is 120s. This timeout includes proxy and TCP
2668 connect timeouts.
2669
2670 --explicit-exit-notify [n]
2671 In UDP client mode or point-to-point mode, send server/peer an
2672 exit notification if tunnel is restarted or OpenVPN process is
2673 exited. In client mode, on exit/restart, this option will tell
2674 the server to immediately close its client instance object
2675 rather than waiting for a timeout. The n parameter (default=1)
2676 controls the maximum number of attempts that the client will try
2677 to resend the exit notification message.
2678
2679 In UDP server mode, send RESTART control channel command to con‐
2680 nected clients. The n parameter (default=1) controls client
2681 behavior. With n = 1 client will attempt to reconnect to the
2682 same server, with n = 2 client will advance to the next server.
2683
2684 OpenVPN will not send any exit notifications unless this option
2685 is enabled.
2686
2687 --allow-recursive-routing
2688 When this option is set, OpenVPN will not drop incoming tun
2689 packets with same destination as host.
2690
2691 Data Channel Encryption Options:
2692 These options are meaningful for both Static & TLS-negotiated key modes
2693 (must be compatible between peers).
2694
2695 --secret file [direction]
2696 Enable Static Key encryption mode (non-TLS). Use pre-shared
2697 secret file which was generated with --genkey.
2698
2699 The optional direction parameter enables the use of 4 distinct
2700 keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt),
2701 so that each data flow direction has a different set of HMAC and
2702 cipher keys. This has a number of desirable security properties
2703 including eliminating certain kinds of DoS and message replay
2704 attacks.
2705
2706 When the direction parameter is omitted, 2 keys are used bidi‐
2707 rectionally, one for HMAC and the other for encryption/decryp‐
2708 tion.
2709
2710 The direction parameter should always be complementary on either
2711 side of the connection, i.e. one side should use "0" and the
2712 other should use "1", or both sides should omit it altogether.
2713
2714 The direction parameter requires that file contains a 2048 bit
2715 key. While pre-1.5 versions of OpenVPN generate 1024 bit key
2716 files, any version of OpenVPN which supports the direction
2717 parameter, will also support 2048 bit key file generation using
2718 the --genkey option.
2719
2720 Static key encryption mode has certain advantages, the primary
2721 being ease of configuration.
2722
2723 There are no certificates or certificate authorities or compli‐
2724 cated negotiation handshakes and protocols. The only require‐
2725 ment is that you have a pre-existing secure channel with your
2726 peer (such as ssh ) to initially copy the key. This require‐
2727 ment, along with the fact that your key never changes unless you
2728 manually generate a new one, makes it somewhat less secure than
2729 TLS mode (see below). If an attacker manages to steal your key,
2730 everything that was ever encrypted with it is compromised. Con‐
2731 trast that to the perfect forward secrecy features of TLS mode
2732 (using Diffie Hellman key exchange), where even if an attacker
2733 was able to steal your private key, he would gain no information
2734 to help him decrypt past sessions.
2735
2736 Another advantageous aspect of Static Key encryption mode is
2737 that it is a handshake-free protocol without any distinguishing
2738 signature or feature (such as a header or protocol handshake
2739 sequence) that would mark the ciphertext packets as being gener‐
2740 ated by OpenVPN. Anyone eavesdropping on the wire would see
2741 nothing but random-looking data.
2742
2743 --key-direction
2744 Alternative way of specifying the optional direction parameter
2745 for the --tls-auth and --secret options. Useful when using
2746 inline files (See section on inline files).
2747
2748 --auth alg
2749 Authenticate data channel packets and (if enabled) tls-auth con‐
2750 trol channel packets with HMAC using message digest algorithm
2751 alg. (The default is SHA1 ). HMAC is a commonly used message
2752 authentication algorithm (MAC) that uses a data string, a secure
2753 hash algorithm, and a key, to produce a digital signature.
2754
2755 The OpenVPN data channel protocol uses encrypt-then-mac (i.e.
2756 first encrypt a packet, then HMAC the resulting ciphertext),
2757 which prevents padding oracle attacks.
2758
2759 If an AEAD cipher mode (e.g. GCM) is chosen, the specified
2760 --auth algorithm is ignored for the data channel, and the
2761 authentication method of the AEAD cipher is used instead. Note
2762 that alg still specifies the digest used for tls-auth.
2763
2764 In static-key encryption mode, the HMAC key is included in the
2765 key file generated by --genkey. In TLS mode, the HMAC key is
2766 dynamically generated and shared between peers via the TLS con‐
2767 trol channel. If OpenVPN receives a packet with a bad HMAC it
2768 will drop the packet. HMAC usually adds 16 or 20 bytes per
2769 packet. Set alg=none to disable authentication.
2770
2771 For more information on HMAC see
2772 http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
2773
2774 --cipher alg
2775 Encrypt data channel packets with cipher algorithm alg.
2776
2777 The default is BF-CBC, an abbreviation for Blowfish in Cipher
2778 Block Chaining mode. When cipher negotiation (NCP) is allowed,
2779 OpenVPN 2.4 and newer on both client and server side will auto‐
2780 matically upgrade to AES-256-GCM. See --ncp-ciphers and
2781 --ncp-disable for more details on NCP.
2782
2783 Using BF-CBC is no longer recommended, because of its 64-bit
2784 block size. This small block size allows attacks based on col‐
2785 lisions, as demonstrated by SWEET32. See https://commu‐
2786 nity.openvpn.net/openvpn/wiki/SWEET32 for details. Due to this,
2787 support for BF-CBC, DES, CAST5, IDEA and RC2 ciphers will be
2788 removed in OpenVPN 2.6.
2789
2790 To see other ciphers that are available with OpenVPN, use the
2791 --show-ciphers option.
2792
2793 Set alg=none to disable encryption.
2794
2795
2796 --ncp-ciphers cipher_list
2797 Restrict the allowed ciphers to be negotiated to the ciphers in
2798 cipher_list. cipher_list is a colon-separated list of ciphers,
2799 and defaults to "AES-256-GCM:AES-128-GCM".
2800
2801 For servers, the first cipher from cipher_list will be pushed to
2802 clients that support cipher negotiation.
2803
2804 Cipher negotiation is enabled in client-server mode only. I.e.
2805 if --mode is set to 'server' (server-side, implied by setting
2806 --server ), or if --pull is specified (client-side, implied by
2807 setting --client).
2808
2809 If both peers support and do not disable NCP, the negotiated
2810 cipher will override the cipher specified by --cipher.
2811
2812 Additionally, to allow for more smooth transition, if NCP is
2813 enabled, OpenVPN will inherit the cipher of the peer if that
2814 cipher is different from the local --cipher setting, but the
2815 peer cipher is one of the ciphers specified in --ncp-ciphers.
2816 E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set) con‐
2817 necting to a NCP server (v2.4+) with "--cipher BF-CBC" and
2818 "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can either specify
2819 "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.
2820
2821
2822 --ncp-disable
2823 Disable "negotiable crypto parameters". This completely dis‐
2824 ables cipher negotiation.
2825
2826 --keysize n
2827 DEPRECATED This option will be removed in OpenVPN 2.6.
2828
2829 Size of cipher key in bits (optional). If unspecified, defaults
2830 to cipher-specific default. The --show-ciphers option (see
2831 below) shows all available OpenSSL ciphers, their default key
2832 sizes, and whether the key size can be changed. Use care in
2833 changing a cipher's default key size. Many ciphers have not
2834 been extensively cryptanalyzed with non-standard key lengths,
2835 and a larger key may offer no real guarantee of greater secu‐
2836 rity, or may even reduce security.
2837
2838 --prng alg [nsl]
2839 (Advanced) For PRNG (Pseudo-random number generator), use digest
2840 algorithm alg (default=sha1), and set nsl (default=16) to the
2841 size in bytes of the nonce secret length (between 16 and 64).
2842
2843 Set alg=none to disable the PRNG and use the OpenSSL RAND_bytes
2844 function instead for all of OpenVPN's pseudo-random number
2845 needs.
2846
2847 --engine [engine-name]
2848 Enable OpenSSL hardware-based crypto engine functionality.
2849
2850 If engine-name is specified, use a specific crypto engine. Use
2851 the --show-engines standalone option to list the crypto engines
2852 which are supported by OpenSSL.
2853
2854 --no-replay
2855 DEPRECATED This option will be removed in OpenVPN 2.5.
2856
2857 (Advanced) Disable OpenVPN's protection against replay attacks.
2858 Don't use this option unless you are prepared to make a tradeoff
2859 of greater efficiency in exchange for less security.
2860
2861 OpenVPN provides datagram replay protection by default.
2862
2863 Replay protection is accomplished by tagging each outgoing data‐
2864 gram with an identifier that is guaranteed to be unique for the
2865 key being used. The peer that receives the datagram will check
2866 for the uniqueness of the identifier. If the identifier was
2867 already received in a previous datagram, OpenVPN will drop the
2868 packet. Replay protection is important to defeat attacks such
2869 as a SYN flood attack, where the attacker listens in the wire,
2870 intercepts a TCP SYN packet (identifying it by the context in
2871 which it occurs in relation to other packets), then floods the
2872 receiving peer with copies of this packet.
2873
2874 OpenVPN's replay protection is implemented in slightly different
2875 ways, depending on the key management mode you have selected.
2876
2877 In Static Key mode or when using an CFB or OFB mode cipher,
2878 OpenVPN uses a 64 bit unique identifier that combines a time
2879 stamp with an incrementing sequence number.
2880
2881 When using TLS mode for key exchange and a CBC cipher mode,
2882 OpenVPN uses only a 32 bit sequence number without a time stamp,
2883 since OpenVPN can guarantee the uniqueness of this value for
2884 each key. As in IPSec, if the sequence number is close to wrap‐
2885 ping back to zero, OpenVPN will trigger a new key exchange.
2886
2887 To check for replays, OpenVPN uses the sliding window algorithm
2888 used by IPSec.
2889
2890 --replay-window n [t]
2891 Use a replay protection sliding-window of size n and a time win‐
2892 dow of t seconds.
2893
2894 By default n is 64 (the IPSec default) and t is 15 seconds.
2895
2896 This option is only relevant in UDP mode, i.e. when either
2897 --proto udp is specified, or no --proto option is specified.
2898
2899 When OpenVPN tunnels IP packets over UDP, there is the possibil‐
2900 ity that packets might be dropped or delivered out of order.
2901 Because OpenVPN, like IPSec, is emulating the physical network
2902 layer, it will accept an out-of-order packet sequence, and will
2903 deliver such packets in the same order they were received to the
2904 TCP/IP protocol stack, provided they satisfy several con‐
2905 straints.
2906
2907 (a) The packet cannot be a replay (unless --no-replay is speci‐
2908 fied, which disables replay protection altogether).
2909
2910 (b) If a packet arrives out of order, it will only be accepted
2911 if the difference between its sequence number and the highest
2912 sequence number received so far is less than n.
2913
2914 (c) If a packet arrives out of order, it will only be accepted
2915 if it arrives no later than t seconds after any packet contain‐
2916 ing a higher sequence number.
2917
2918 If you are using a network link with a large pipeline (meaning
2919 that the product of bandwidth and latency is high), you may want
2920 to use a larger value for n. Satellite links in particular
2921 often require this.
2922
2923 If you run OpenVPN at --verb 4, you will see the message
2924 "Replay-window backtrack occurred [x]" every time the maximum
2925 sequence number backtrack seen thus far increases. This can be
2926 used to calibrate n.
2927
2928 There is some controversy on the appropriate method of handling
2929 packet reordering at the security layer.
2930
2931 Namely, to what extent should the security layer protect the
2932 encapsulated protocol from attacks which masquerade as the kinds
2933 of normal packet loss and reordering that occur over IP net‐
2934 works?
2935
2936 The IPSec and OpenVPN approach is to allow packet reordering
2937 within a certain fixed sequence number window.
2938
2939 OpenVPN adds to the IPSec model by limiting the window size in
2940 time as well as sequence space.
2941
2942 OpenVPN also adds TCP transport as an option (not offered by
2943 IPSec) in which case OpenVPN can adopt a very strict attitude
2944 towards message deletion and reordering: Don't allow it. Since
2945 TCP guarantees reliability, any packet loss or reordering event
2946 can be assumed to be an attack.
2947
2948 In this sense, it could be argued that TCP tunnel transport is
2949 preferred when tunneling non-IP or UDP application protocols
2950 which might be vulnerable to a message deletion or reordering
2951 attack which falls within the normal operational parameters of
2952 IP networks.
2953
2954 So I would make the statement that one should never tunnel a
2955 non-IP protocol or UDP application protocol over UDP, if the
2956 protocol might be vulnerable to a message deletion or reordering
2957 attack that falls within the normal operating parameters of what
2958 is to be expected from the physical IP layer. The problem is
2959 easily fixed by simply using TCP as the VPN transport layer.
2960
2961 --mute-replay-warnings
2962 Silence the output of replay warnings, which are a common false
2963 alarm on WiFi networks. This option preserves the security of
2964 the replay protection code without the verbosity associated with
2965 warnings about duplicate packets.
2966
2967 --replay-persist file
2968 Persist replay-protection state across sessions using file to
2969 save and reload the state.
2970
2971 This option will strengthen protection against replay attacks,
2972 especially when you are using OpenVPN in a dynamic context (such
2973 as with --inetd) when OpenVPN sessions are frequently started
2974 and stopped.
2975
2976 This option will keep a disk copy of the current replay protec‐
2977 tion state (i.e. the most recent packet timestamp and sequence
2978 number received from the remote peer), so that if an OpenVPN
2979 session is stopped and restarted, it will reject any replays of
2980 packets which were already received by the prior session.
2981
2982 This option only makes sense when replay protection is enabled
2983 (the default) and you are using either --secret (shared-secret
2984 key mode) or TLS mode with --tls-auth.
2985
2986 --no-iv
2987 DEPRECATED This option will be removed in OpenVPN 2.5.
2988
2989 (Advanced) Disable OpenVPN's use of IV (cipher initialization
2990 vector). Don't use this option unless you are prepared to make
2991 a tradeoff of greater efficiency in exchange for less security.
2992
2993 OpenVPN uses an IV by default, and requires it for CFB and OFB
2994 cipher modes (which are totally insecure without it). Using an
2995 IV is important for security when multiple messages are being
2996 encrypted/decrypted with the same key.
2997
2998 IV is implemented differently depending on the cipher mode used.
2999
3000 In CBC mode, OpenVPN uses a pseudo-random IV for each packet.
3001
3002 In CFB/OFB mode, OpenVPN uses a unique sequence number and time
3003 stamp as the IV. In fact, in CFB/OFB mode, OpenVPN uses a data‐
3004 gram space-saving optimization that uses the unique identifier
3005 for datagram replay protection as the IV.
3006
3007 --use-prediction-resistance
3008 Enable prediction resistance on mbed TLS's RNG.
3009
3010 Enabling prediction resistance causes the RNG to reseed in each
3011 call for random. Reseeding this often can quickly deplete the
3012 kernel entropy pool.
3013
3014 If you need this option, please consider running a daemon that
3015 adds entropy to the kernel pool.
3016
3017
3018 --test-crypto
3019 Do a self-test of OpenVPN's crypto options by encrypting and
3020 decrypting test packets using the data channel encryption
3021 options specified above. This option does not require a peer to
3022 function, and therefore can be specified without --dev or
3023 --remote.
3024
3025 The typical usage of --test-crypto would be something like this:
3026
3027 openvpn --test-crypto --secret key
3028
3029 or
3030
3031 openvpn --test-crypto --secret key --verb 9
3032
3033 This option is very useful to test OpenVPN after it has been
3034 ported to a new platform, or to isolate problems in the com‐
3035 piler, OpenSSL crypto library, or OpenVPN's crypto code. Since
3036 it is a self-test mode, problems with encryption and authentica‐
3037 tion can be debugged independently of network and tunnel issues.
3038
3039 TLS Mode Options:
3040 TLS mode is the most powerful crypto mode of OpenVPN in both security
3041 and flexibility. TLS mode works by establishing control and data chan‐
3042 nels which are multiplexed over a single TCP/UDP port. OpenVPN initi‐
3043 ates a TLS session over the control channel and uses it to exchange
3044 cipher and HMAC keys to protect the data channel. TLS mode uses a
3045 robust reliability layer over the UDP connection for all control chan‐
3046 nel communication, while the data channel, over which encrypted tunnel
3047 data passes, is forwarded without any mediation. The result is the
3048 best of both worlds: a fast data channel that forwards over UDP with
3049 only the overhead of encrypt, decrypt, and HMAC functions, and a con‐
3050 trol channel that provides all of the security features of TLS, includ‐
3051 ing certificate-based authentication and Diffie Hellman forward
3052 secrecy.
3053
3054 To use TLS mode, each peer that runs OpenVPN should have its own local
3055 certificate/key pair ( --cert and --key ), signed by the root certifi‐
3056 cate which is specified in --ca.
3057
3058 When two OpenVPN peers connect, each presents its local certificate to
3059 the other. Each peer will then check that its partner peer presented a
3060 certificate which was signed by the master root certificate as speci‐
3061 fied in --ca.
3062
3063 If that check on both peers succeeds, then the TLS negotiation will
3064 succeed, both OpenVPN peers will exchange temporary session keys, and
3065 the tunnel will begin passing data.
3066
3067 The OpenVPN project provides a set of scripts for managing RSA certifi‐
3068 cates & keys: https://github.com/OpenVPN/easy-rsa
3069
3070 --tls-server
3071 Enable TLS and assume server role during TLS handshake. Note
3072 that OpenVPN is designed as a peer-to-peer application. The
3073 designation of client or server is only for the purpose of nego‐
3074 tiating the TLS control channel.
3075
3076 --tls-client
3077 Enable TLS and assume client role during TLS handshake.
3078
3079 --ca file
3080 Certificate authority (CA) file in .pem format, also referred to
3081 as the root certificate. This file can have multiple certifi‐
3082 cates in .pem format, concatenated together. You can construct
3083 your own certificate authority certificate and private key by
3084 using a command such as:
3085
3086 openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
3087
3088 Then edit your openssl.cnf file and edit the certificate vari‐
3089 able to point to your new root certificate ca.crt.
3090
3091 For testing purposes only, the OpenVPN distribution includes a
3092 sample CA certificate (ca.crt). Of course you should never use
3093 the test certificates and test keys distributed with OpenVPN in
3094 a production environment, since by virtue of the fact that they
3095 are distributed with OpenVPN, they are totally insecure.
3096
3097 --capath dir
3098 Directory containing trusted certificates (CAs and CRLs). Not
3099 available with mbed TLS.
3100
3101 CAs in the capath directory are expected to be named <hash>.<n>.
3102 CRLs are expected to be named <hash>.r<n>. See the -CApath
3103 option of openssl verify , and the -hash option of openssl x509
3104 , openssl crl and X509_LOOKUP_hash_dir(3) for more information.
3105
3106 Similarly to the --crl-verify option CRLs are not mandatory -
3107 OpenVPN will log the usual warning in the logs if the relevant
3108 CRL is missing, but the connection will be allowed.
3109
3110 --dh file
3111 File containing Diffie Hellman parameters in .pem format
3112 (required for --tls-server only).
3113
3114 Set file=none to disable Diffie Hellman key exchange (and use
3115 ECDH only). Note that this requires peers to be using an SSL
3116 library that supports ECDH TLS cipher suites (e.g. OpenSSL
3117 1.0.1+, or mbed TLS 2.0+).
3118
3119 Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
3120 parameters. Diffie Hellman parameters may be considered public.
3121
3122 --ecdh-curve name
3123 Specify the curve to use for elliptic curve Diffie Hellman.
3124 Available curves can be listed with --show-curves. The speci‐
3125 fied curve will only be used for ECDH TLS-ciphers.
3126
3127 This option is not supported in mbed TLS builds of OpenVPN.
3128
3129 --cert file
3130 Local peer's signed certificate in .pem format -- must be signed
3131 by a certificate authority whose certificate is in --ca file.
3132 Each peer in an OpenVPN link running in TLS mode should have its
3133 own certificate and private key file. In addition, each cer‐
3134 tificate should have been signed by the key of a certificate
3135 authority whose public key resides in the --ca certificate
3136 authority file. You can easily make your own certificate
3137 authority (see above) or pay money to use a commercial service
3138 such as thawte.com (in which case you will be helping to finance
3139 the world's second space tourist :). To generate a certificate,
3140 you can use a command such as:
3141
3142 openssl req -nodes -new -keyout mycert.key -out mycert.csr
3143
3144 If your certificate authority private key lives on another
3145 machine, copy the certificate signing request (mycert.csr) to
3146 this other machine (this can be done over an insecure channel
3147 such as email). Now sign the certificate with a command such
3148 as:
3149
3150 openssl ca -out mycert.crt -in mycert.csr
3151
3152 Now copy the certificate (mycert.crt) back to the peer which
3153 initially generated the .csr file (this can be over a public
3154 medium). Note that the openssl ca command reads the location of
3155 the certificate authority key from its configuration file such
3156 as /usr/share/ssl/openssl.cnf -- note also that for certificate
3157 authority functions, you must set up the files index.txt (may be
3158 empty) and serial (initialize to 01 ).
3159
3160 --extra-certs file
3161 Specify a file containing one or more PEM certs (concatenated
3162 together) that complete the local certificate chain.
3163
3164 This option is useful for "split" CAs, where the CA for server
3165 certs is different than the CA for client certs. Putting certs
3166 in this file allows them to be used to complete the local cer‐
3167 tificate chain without trusting them to verify the peer-submit‐
3168 ted certificate, as would be the case if the certs were placed
3169 in the ca file.
3170
3171 --key file
3172 Local peer's private key in .pem format. Use the private key
3173 which was generated when you built your peer's certificate (see
3174 --cert file above).
3175
3176 --tls-version-min version ['or-highest']
3177 Sets the minimum TLS version we will accept from the peer
3178 (default is "1.0"). Examples for version include "1.0", "1.1",
3179 or "1.2". If 'or-highest' is specified and version is not rec‐
3180 ognized, we will only accept the highest TLS version supported
3181 by the local SSL implementation.
3182
3183 --tls-version-max version
3184 Set the maximum TLS version we will use (default is the highest
3185 version supported). Examples for version include "1.0", "1.1",
3186 or "1.2".
3187
3188 --pkcs12 file
3189 Specify a PKCS #12 file containing local private key, local cer‐
3190 tificate, and root CA certificate. This option can be used
3191 instead of --ca, --cert, and --key. Not available with mbed
3192 TLS.
3193
3194 --verify-hash hash [algo]
3195 Specify SHA1 or SHA256 fingerprint for level-1 cert. The
3196 level-1 cert is the CA (or intermediate cert) that signs the
3197 leaf certificate, and is one removed from the leaf certificate
3198 in the direction of the root. When accepting a connection from
3199 a peer, the level-1 cert fingerprint must match hash or certifi‐
3200 cate verification will fail. Hash is specified as XX:XX:... For
3201 example:
3202
3203 AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
3204
3205 The algo flag can be either SHA1 or SHA256. If not provided, it
3206 defaults to SHA1.
3207
3208 --pkcs11-cert-private [0|1]...
3209 Set if access to certificate object should be performed after
3210 login. Every provider has its own setting.
3211
3212 --pkcs11-id name
3213 Specify the serialized certificate id to be used. The id can be
3214 gotten by the standalone --show-pkcs11-ids option.
3215
3216 --pkcs11-id-management
3217 Acquire PKCS#11 id from management interface. In this case a
3218 NEED-STR 'pkcs11-id-request' real-time message will be trig‐
3219 gered, application may use pkcs11-id-count command to retrieve
3220 available number of certificates, and pkcs11-id-get command to
3221 retrieve certificate id and certificate body.
3222
3223 --pkcs11-pin-cache seconds
3224 Specify how many seconds the PIN can be cached, the default is
3225 until the token is removed.
3226
3227 --pkcs11-protected-authentication [0|1]...
3228 Use PKCS#11 protected authentication path, useful for biometric
3229 and external keypad devices. Every provider has its own set‐
3230 ting.
3231
3232 --pkcs11-providers provider...
3233 Specify a RSA Security Inc. PKCS #11 Cryptographic Token Inter‐
3234 face (Cryptoki) providers to load. This option can be used
3235 instead of --cert, --key, and --pkcs12.
3236
3237 If p11-kit is present on the system, its p11-kit-proxy.so module
3238 will be loaded by default if either the --pkcs11-id or
3239 --pkcs11-id-management options are specified without
3240 --pkcs11-provider being given.
3241
3242 --pkcs11-private-mode mode...
3243 Specify which method to use in order to perform private key
3244 operations. A different mode can be specified for each
3245 provider. Mode is encoded as hex number, and can be a mask one
3246 of the following:
3247
3248 0 (default) -- Try to determine automatically.
3249 1 -- Use sign.
3250 2 -- Use sign recover.
3251 4 -- Use decrypt.
3252 8 -- Use unwrap.
3253
3254 --cryptoapicert select-string
3255 Load the certificate and private key from the Windows Certifi‐
3256 cate System Store (Windows/OpenSSL Only).
3257
3258 Use this option instead of --cert and --key.
3259
3260 This makes it possible to use any smart card, supported by Win‐
3261 dows, but also any kind of certificate, residing in the Cert
3262 Store, where you have access to the private key. This option
3263 has been tested with a couple of different smart cards (GemSAFE,
3264 Cryptoflex, and Swedish Post Office eID) on the client side, and
3265 also an imported PKCS12 software certificate on the server side.
3266
3267 To select a certificate, based on a substring search in the cer‐
3268 tificate's subject:
3269
3270 cryptoapicert "SUBJ:Peter Runestig"
3271
3272 To select a certificate, based on certificate's thumbprint:
3273
3274 cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
3275
3276 The thumbprint hex string can easily be copy-and-pasted from the
3277 Windows Certificate Store GUI.
3278
3279
3280 --key-method m
3281 DEPRECATED This option will be removed in OpenVPN 2.5
3282
3283 Use data channel key negotiation method m. The key method must
3284 match on both sides of the connection.
3285
3286 After OpenVPN negotiates a TLS session, a new set of keys for
3287 protecting the tunnel data channel is generated and exchanged
3288 over the TLS session.
3289
3290 In method 1 (the default for OpenVPN 1.x), both sides generate
3291 random encrypt and HMAC-send keys which are forwarded to the
3292 other host over the TLS channel. Method 1 is deprecated in Open‐
3293 VPN 2.4 , and will be removed in OpenVPN 2.5.
3294
3295 In method 2, (the default for OpenVPN 2.0) the client generates
3296 a random key. Both client and server also generate some random
3297 seed material. All key source material is exchanged over the
3298 TLS channel. The actual keys are generated using the TLS PRF
3299 function, taking source entropy from both client and server.
3300 Method 2 is designed to closely parallel the key generation
3301 process used by TLS 1.0.
3302
3303 Note that in TLS mode, two separate levels of keying occur:
3304
3305 (1) The TLS connection is initially negotiated, with both sides
3306 of the connection producing certificates and verifying the cer‐
3307 tificate (or other authentication info provided) of the other
3308 side. The --key-method parameter has no effect on this process.
3309
3310 (2) After the TLS connection is established, the tunnel session
3311 keys are separately negotiated over the existing secure TLS
3312 channel. Here, --key-method determines the derivation of the
3313 tunnel session keys.
3314
3315 --tls-cipher l
3316 --tls-ciphersuites l
3317 A list l of allowable TLS ciphers delimited by a colon (":").
3318
3319 These setting can be used to ensure that certain cipher suites
3320 are used (or not used) for the TLS connection. OpenVPN uses TLS
3321 to secure the control channel, over which the keys that are used
3322 to protect the actual VPN traffic are exchanged.
3323
3324 The supplied list of ciphers is (after potential OpenSSL/IANA
3325 name translation) simply supplied to the crypto library. Please
3326 see the OpenSSL and/or mbed TLS documentation for details on the
3327 cipher list interpretation.
3328
3329 For OpenSSL, the --tls-cipher is used for TLS 1.2 and below. For
3330 TLS 1.3 and up, the --tls-ciphersuites setting is used. mbed TLS
3331 has no TLS 1.3 support yet and only the --tls-cipher setting is
3332 used.
3333
3334 Use --show-tls to see a list of TLS ciphers supported by your
3335 crypto library.
3336
3337 Warning! --tls-cipher and --tls-ciphersuites are expert fea‐
3338 tures, which - if used correcly - can improve the security of
3339 your VPN connection. But it is also easy to unwittingly use
3340 them to carefully align a gun with your foot, or just break your
3341 connection. Use with care!
3342
3343 The default for --tls-cipher is to use mbed TLS's default cipher
3344 list when using mbed TLS or
3345 "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
3346 when using OpenSSL.
3347
3348 The default for --tls-ciphersuites is to use the crypto
3349 library's default.
3350
3351 --tls-cert-profile profile
3352 Set the allowed cryptographic algorithms for certificates
3353 according to profile.
3354
3355 The following profiles are supported:
3356
3357 legacy (default): SHA1 and newer, RSA 2048-bit+, any elliptic
3358 curve.
3359
3360 preferred : SHA2 and newer, RSA 2048-bit+, any elliptic curve.
3361
3362 suiteb : SHA256/SHA384, ECDSA with P-256 or P-384.
3363
3364 This option is only fully supported for mbed TLS builds.
3365 OpenSSL builds use the following approximation:
3366
3367 legacy (default): sets "security level 1"
3368
3369 preferred : sets "security level 2"
3370
3371 suiteb : sets "security level 3" and --tls-cipher "SUITEB128".
3372
3373 OpenVPN will migrate to 'preferred' as default in the future.
3374 Please ensure that your keys already comply.
3375
3376 --tls-timeout n
3377 Packet retransmit timeout on TLS control channel if no acknowl‐
3378 edgment from remote within n seconds (default=2). When OpenVPN
3379 sends a control packet to its peer, it will expect to receive an
3380 acknowledgement within n seconds or it will retransmit the
3381 packet, subject to a TCP-like exponential backoff algorithm.
3382 This parameter only applies to control channel packets. Data
3383 channel packets (which carry encrypted tunnel data) are never
3384 acknowledged, sequenced, or retransmitted by OpenVPN because the
3385 higher level network protocols running on top of the tunnel such
3386 as TCP expect this role to be left to them.
3387
3388 --reneg-bytes n
3389 Renegotiate data channel key after n bytes sent or received
3390 (disabled by default with an exception, see below). OpenVPN
3391 allows the lifetime of a key to be expressed as a number of
3392 bytes encrypted/decrypted, a number of packets, or a number of
3393 seconds. A key renegotiation will be forced if any of these
3394 three criteria are met by either peer.
3395
3396 If using ciphers with cipher block sizes less than 128-bits,
3397 --reneg-bytes is set to 64MB by default, unless it is explicitly
3398 disabled by setting the value to 0, but this is HIGHLY DISCOUR‐
3399 AGED as this is designed to add some protection against the
3400 SWEET32 attack vector. For more information see the --cipher
3401 option.
3402
3403 --reneg-pkts n
3404 Renegotiate data channel key after n packets sent and received
3405 (disabled by default).
3406
3407 --reneg-sec n
3408 Renegotiate data channel key after n seconds (default=3600).
3409
3410 When using dual-factor authentication, note that this default
3411 value may cause the end user to be challenged to reauthorize
3412 once per hour.
3413
3414 Also, keep in mind that this option can be used on both the
3415 client and server, and whichever uses the lower value will be
3416 the one to trigger the renegotiation. A common mistake is to
3417 set --reneg-sec to a higher value on either the client or
3418 server, while the other side of the connection is still using
3419 the default value of 3600 seconds, meaning that the renegotia‐
3420 tion will still occur once per 3600 seconds. The solution is to
3421 increase --reneg-sec on both the client and server, or set it to
3422 0 on one side of the connection (to disable), and to your chosen
3423 value on the other side.
3424
3425 --hand-window n
3426 Handshake Window -- the TLS-based key exchange must finalize
3427 within n seconds of handshake initiation by any peer (default =
3428 60 seconds). If the handshake fails we will attempt to reset
3429 our connection with our peer and try again. Even in the event
3430 of handshake failure we will still use our expiring key for up
3431 to --tran-window seconds to maintain continuity of transmission
3432 of tunnel data.
3433
3434 --tran-window n
3435 Transition window -- our old key can live this many seconds
3436 after a new a key renegotiation begins (default = 3600 seconds).
3437 This feature allows for a graceful transition from old to new
3438 key, and removes the key renegotiation sequence from the criti‐
3439 cal path of tunnel data forwarding.
3440
3441 --single-session
3442 After initially connecting to a remote peer, disallow any new
3443 connections. Using this option means that a remote peer cannot
3444 connect, disconnect, and then reconnect.
3445
3446 If the daemon is reset by a signal or --ping-restart, it will
3447 allow one new connection.
3448
3449 --single-session can be used with --ping-exit or --inactive to
3450 create a single dynamic session that will exit when finished.
3451
3452 --tls-exit
3453 Exit on TLS negotiation failure.
3454
3455 --tls-auth file [direction]
3456 Add an additional layer of HMAC authentication on top of the TLS
3457 control channel to mitigate DoS attacks and attacks on the TLS
3458 stack.
3459
3460 In a nutshell, --tls-auth enables a kind of "HMAC firewall" on
3461 OpenVPN's TCP/UDP port, where TLS control channel packets bear‐
3462 ing an incorrect HMAC signature can be dropped immediately with‐
3463 out response.
3464
3465 file (required) is a file in OpenVPN static key format which can
3466 be generated by --genkey
3467
3468 Older versions (up to OpenVPN 2.3) supported a freeform
3469 passphrase file. This is no longer supported in newer versions
3470 (v2.4+).
3471
3472 See the --secret option for more information on the optional
3473 direction parameter.
3474
3475 --tls-auth is recommended when you are running OpenVPN in a mode
3476 where it is listening for packets from any IP address, such as
3477 when --remote is not specified, or --remote is specified with
3478 --float.
3479
3480 The rationale for this feature is as follows. TLS requires a
3481 multi-packet exchange before it is able to authenticate a peer.
3482 During this time before authentication, OpenVPN is allocating
3483 resources (memory and CPU) to this potential peer. The poten‐
3484 tial peer is also exposing many parts of OpenVPN and the OpenSSL
3485 library to the packets it is sending. Most successful network
3486 attacks today seek to either exploit bugs in programs (such as
3487 buffer overflow attacks) or force a program to consume so many
3488 resources that it becomes unusable. Of course the first line of
3489 defense is always to produce clean, well-audited code. OpenVPN
3490 has been written with buffer overflow attack prevention as a top
3491 priority. But as history has shown, many of the most widely
3492 used network applications have, from time to time, fallen to
3493 buffer overflow attacks.
3494
3495 So as a second line of defense, OpenVPN offers this special
3496 layer of authentication on top of the TLS control channel so
3497 that every packet on the control channel is authenticated by an
3498 HMAC signature and a unique ID for replay protection. This sig‐
3499 nature will also help protect against DoS (Denial of Service)
3500 attacks. An important rule of thumb in reducing vulnerability
3501 to DoS attacks is to minimize the amount of resources a poten‐
3502 tial, but as yet unauthenticated, client is able to consume.
3503
3504 --tls-auth does this by signing every TLS control channel packet
3505 with an HMAC signature, including packets which are sent before
3506 the TLS level has had a chance to authenticate the peer. The
3507 result is that packets without the correct signature can be
3508 dropped immediately upon reception, before they have a chance to
3509 consume additional system resources such as by initiating a TLS
3510 handshake. --tls-auth can be strengthened by adding the
3511 --replay-persist option which will keep OpenVPN's replay protec‐
3512 tion state in a file so that it is not lost across restarts.
3513
3514 It should be emphasized that this feature is optional and that
3515 the key file used with --tls-auth gives a peer nothing more than
3516 the power to initiate a TLS handshake. It is not used to
3517 encrypt or authenticate any tunnel data.
3518
3519 Use --tls-crypt instead if you want to use the key file to not
3520 only authenticate, but also encrypt the TLS control channel.
3521
3522 --tls-crypt keyfile
3523
3524 Encrypt and authenticate all control channel packets with the
3525 key from keyfile. (See --tls-auth for more background.)
3526
3527 Encrypting (and authenticating) control channel packets:
3528
3529 · provides more privacy by hiding the certificate used for the
3530 TLS connection,
3531
3532 · makes it harder to identify OpenVPN traffic as such,
3533
3534 · provides "poor-man's" post-quantum security, against attackers
3535 who will never know the pre-shared key (i.e. no forward
3536 secrecy).
3537
3538
3539 In contrast to --tls-auth, --tls-crypt does *not* require the
3540 user to set --key-direction.
3541
3542 Security Considerations
3543
3544 All peers use the same --tls-crypt pre-shared group key to
3545 authenticate and encrypt control channel messages. To ensure
3546 that IV collisions remain unlikely, this key should not be used
3547 to encrypt more than 2^48 client-to-server or 2^48
3548 server-to-client control channel messages. A typical initial
3549 negotiation is about 10 packets in each direction. Assuming
3550 both initial negotiation and renegotiations are at most 2^16
3551 (65536) packets (to be conservative), and (re)negotiations hap‐
3552 pen each minute for each user (24/7), this limits the tls-crypt
3553 key lifetime to 8171 years divided by the number of users. So a
3554 setup with 1000 users should rotate the key at least once each
3555 eight years. (And a setup with 8000 users each year.)
3556
3557 If IV collisions were to occur, this could result in the secu‐
3558 rity of --tls-crypt degrading to the same security as using
3559 --tls-auth. That is, the control channel still benefits from
3560 the extra protection against active man-in-the-middle-attacks
3561 and DoS attacks, but may no longer offer extra privacy and
3562 post-quantum security on top of what TLS itself offers.
3563
3564 --askpass [file]
3565 Get certificate password from console or file before we daemo‐
3566 nize.
3567
3568 For the extremely security conscious, it is possible to protect
3569 your private key with a password. Of course this means that
3570 every time the OpenVPN daemon is started you must be there to
3571 type the password. The --askpass option allows you to start
3572 OpenVPN from the command line. It will query you for a password
3573 before it daemonizes. To protect a private key with a password
3574 you should omit the -nodes option when you use the openssl com‐
3575 mand line tool to manage certificates and private keys.
3576
3577 If file is specified, read the password from the first line of
3578 file. Keep in mind that storing your password in a file to a
3579 certain extent invalidates the extra security provided by using
3580 an encrypted key.
3581
3582 --auth-nocache
3583 Don't cache --askpass or --auth-user-pass username/passwords in
3584 virtual memory.
3585
3586 If specified, this directive will cause OpenVPN to immediately
3587 forget username/password inputs after they are used. As a
3588 result, when OpenVPN needs a username/password, it will prompt
3589 for input from stdin, which may be multiple times during the
3590 duration of an OpenVPN session.
3591
3592 When using --auth-nocache in combination with a user/password
3593 file and --chroot or --daemon, make sure to use an absolute
3594 path.
3595
3596 This directive does not affect the --http-proxy username/pass‐
3597 word. It is always cached.
3598
3599 --auth-token token
3600 This is not an option to be used directly in any configuration
3601 files, but rather push this option from a --client-connect
3602 script or a --plugin which hooks into the OPENVPN_PLUG‐
3603 IN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.
3604 This option provides a possibility to replace the clients pass‐
3605 word with an authentication token during the lifetime of the
3606 OpenVPN client.
3607
3608 Whenever the connection is renegotiated and the
3609 --auth-user-pass-verify script or --plugin making use of the
3610 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is triggered, it will
3611 pass over this token as the password instead of the password the
3612 user provided. The authentication token can only be reset by a
3613 full reconnect where the server can push new options to the
3614 client. The password the user entered is never preserved once
3615 an authentication token have been set. If the OpenVPN server
3616 side rejects the authentication token, the client will receive
3617 an AUTH_FAIL and disconnect.
3618
3619 The purpose of this is to enable two factor authentication meth‐
3620 ods, such as HOTP or TOTP, to be used without needing to
3621 retrieve a new OTP code each time the connection is renegoti‐
3622 ated. Another use case is to cache authentication data on the
3623 client without needing to have the users password cached in mem‐
3624 ory during the life time of the session.
3625
3626 To make use of this feature, the --client-connect script or
3627 --plugin needs to put
3628
3629 push "auth-token UNIQUE_TOKEN_VALUE"
3630
3631 into the file/buffer for dynamic configuration data. This will
3632 then make the OpenVPN server to push this value to the client,
3633 which replaces the local password with the UNIQUE_TOKEN_VALUE.
3634
3635 Newer clients (2.4.7+) will fall back to the original password
3636 method after a failed auth. Older clients will keep using the
3637 token value and react acording to --auth-retry
3638
3639 --tls-verify cmd
3640 Run command cmd to verify the X509 name of a pending TLS connec‐
3641 tion that has otherwise passed all other tests of certification
3642 (except for revocation via --crl-verify directive; the revoca‐
3643 tion test occurs after the --tls-verify test).
3644
3645 cmd should return 0 to allow the TLS handshake to proceed, or 1
3646 to fail.
3647
3648 cmd consists of a path to script (or executable program),
3649 optionally followed by arguments. The path and arguments may be
3650 single- or double-quoted and/or escaped using a backslash, and
3651 should be separated by one or more spaces.
3652
3653 When cmd is executed two arguments are appended after any argu‐
3654 ments specified in cmd , as follows:
3655
3656 cmd certificate_depth subject
3657
3658 These arguments are, respectively, the current certificate depth
3659 and the X509 subject distinguished name (dn) of the peer.
3660
3661 This feature is useful if the peer you want to trust has a cer‐
3662 tificate which was signed by a certificate authority who also
3663 signed many other certificates, where you don't necessarily want
3664 to trust all of them, but rather be selective about which peer
3665 certificate you will accept. This feature allows you to write a
3666 script which will test the X509 name on a certificate and decide
3667 whether or not it should be accepted. For a simple perl script
3668 which will test the common name field on the certificate, see
3669 the file verify-cn in the OpenVPN distribution.
3670
3671 See the "Environmental Variables" section below for additional
3672 parameters passed as environmental variables.
3673
3674 --tls-export-cert directory
3675 Store the certificates the clients uses upon connection to this
3676 directory. This will be done before --tls-verify is called. The
3677 certificates will use a temporary name and will be deleted when
3678 the tls-verify script returns. The file name used for the cer‐
3679 tificate is available via the peer_cert environment variable.
3680
3681 --x509-username-field [ext:]fieldname
3682 Field in the X.509 certificate subject to be used as the user‐
3683 name (default=CN). Typically, this option is specified with
3684 fieldname as either of the following:
3685
3686 --x509-username-field emailAddress
3687 --x509-username-field ext:subjectAltName
3688
3689 The first example uses the value of the "emailAddress" attribute
3690 in the certificate's Subject field as the username. The second
3691 example uses the ext: prefix to signify that the X.509 extension
3692 fieldname "subjectAltName" be searched for an rfc822Name (email)
3693 field to be used as the username. In cases where there are mul‐
3694 tiple email addresses in ext:fieldname, the last occurrence is
3695 chosen.
3696
3697 When this option is used, the --verify-x509-name option will
3698 match against the chosen fieldname instead of the Common Name.
3699
3700 Only the subjectAltName and issuerAltName X.509 extensions are
3701 supported.
3702
3703 Please note: This option has a feature which will convert an
3704 all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
3705 A mixed-case fieldname or one having the ext: prefix will be
3706 left as-is. This automatic upcasing feature is deprecated and
3707 will be removed in a future release.
3708
3709 --verify-x509-name name type
3710 Accept connections only if a host's X.509 name is equal to name.
3711 The remote host must also pass all other tests of verification.
3712
3713 Which X.509 name is compared to name depends on the setting of
3714 type. type can be "subject" to match the complete subject DN
3715 (default), "name" to match a subject RDN or "name-prefix" to
3716 match a subject RDN prefix. Which RDN is verified as name
3717 depends on the --x509-username-field option. But it defaults to
3718 the common name (CN), e.g. a certificate with a subject DN
3719 "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
3720
3721 --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and
3722 --verify-x509-name Server-1 name or you could use --ver‐
3723 ify-x509-name Server- name-prefix if you want a client to only
3724 accept connections to "Server-1", "Server-2", etc.
3725
3726 --verify-x509-name is a useful replacement for the --tls-verify
3727 option to verify the remote host, because --verify-x509-name
3728 works in a --chroot environment without any dependencies.
3729
3730 Using a name prefix is a useful alternative to managing a CRL
3731 (Certificate Revocation List) on the client, since it allows the
3732 client to refuse all certificates except for those associated
3733 with designated servers.
3734
3735 NOTE: Test against a name prefix only when you are using OpenVPN
3736 with a custom CA certificate that is under your control. Never
3737 use this option with type "name-prefix" when your client cer‐
3738 tificates are signed by a third party, such as a commercial web
3739 CA.
3740
3741 --x509-track attribute
3742 Save peer X509 attribute value in environment for use by plugins
3743 and management interface. Prepend a '+' to attribute to save
3744 values from full cert chain. Values will be encoded as
3745 X509_<depth>_<attribute>=<value>. Multiple --x509-track options
3746 can be defined to track multiple attributes.
3747
3748 --ns-cert-type client|server
3749 DEPRECATED This option will be removed in OpenVPN 2.5. Use the
3750 more modern equivalent --remote-cert-tls instead. This option
3751 will be removed in OpenVPN 2.5.
3752
3753 Require that peer certificate was signed with an explicit
3754 nsCertType designation of "client" or "server".
3755
3756 This is a useful security option for clients, to ensure that the
3757 host they connect with is a designated server.
3758
3759 See the easy-rsa/build-key-server script for an example of how
3760 to generate a certificate with the nsCertType field set to
3761 "server".
3762
3763 If the server certificate's nsCertType field is set to "server",
3764 then the clients can verify this with --ns-cert-type server.
3765
3766 This is an important security precaution to protect against a
3767 man-in-the-middle attack where an authorized client attempts to
3768 connect to another client by impersonating the server. The
3769 attack is easily prevented by having clients verify the server
3770 certificate using any one of --ns-cert-type, --verify-x509-name,
3771 or --tls-verify.
3772
3773 --remote-cert-ku [v...]
3774 Require that peer certificate was signed with an explicit key
3775 usage.
3776
3777 If present in the certificate, the keyUsage value is validated
3778 by the TLS library during the TLS handshake. Specifying this
3779 option without arguments requires this extension to be present
3780 (so the TLS library will verify it).
3781
3782 If the list v... is also supplied, the keyUsage field must have
3783 at least the same bits set as the bits in one of the values sup‐
3784 plied in the list v...
3785
3786 The key usage values in the list must be encoded in hex, e.g.
3787 "--remote-cert-ku a0"
3788
3789 --remote-cert-eku oid
3790 Require that peer certificate was signed with an explicit
3791 extended key usage.
3792
3793 This is a useful security option for clients, to ensure that the
3794 host they connect to is a designated server.
3795
3796 The extended key usage should be encoded in oid notation, or
3797 OpenSSL symbolic representation.
3798
3799 --remote-cert-tls client|server
3800 Require that peer certificate was signed with an explicit key
3801 usage and extended key usage based on RFC3280 TLS rules.
3802
3803 This is a useful security option for clients, to ensure that the
3804 host they connect to is a designated server. Or the other way
3805 around; for a server to verify that only hosts with a client
3806 certificate can connect.
3807
3808 The --remote-cert-tls client option is equivalent to
3809 --remote-cert-ku --remote-cert-eku "TLS Web Client Authentica‐
3810 tion"
3811
3812 The --remote-cert-tls server option is equivalent to
3813 --remote-cert-ku --remote-cert-eku "TLS Web Server Authentica‐
3814 tion"
3815
3816 This is an important security precaution to protect against a
3817 man-in-the-middle attack where an authorized client attempts to
3818 connect to another client by impersonating the server. The
3819 attack is easily prevented by having clients verify the server
3820 certificate using any one of --remote-cert-tls, --ver‐
3821 ify-x509-name, or --tls-verify.
3822
3823 --crl-verify crl ['dir']
3824 Check peer certificate against the file crl in PEM format.
3825
3826 A CRL (certificate revocation list) is used when a particular
3827 key is compromised but when the overall PKI is still intact.
3828
3829 Suppose you had a PKI consisting of a CA, root certificate, and
3830 a number of client certificates. Suppose a laptop computer con‐
3831 taining a client key and certificate was stolen. By adding the
3832 stolen certificate to the CRL file, you could reject any connec‐
3833 tion which attempts to use it, while preserving the overall
3834 integrity of the PKI.
3835
3836 The only time when it would be necessary to rebuild the entire
3837 PKI from scratch would be if the root certificate key itself was
3838 compromised.
3839
3840 The option is not mandatory - if the relevant CRL is missing,
3841 OpenVPN will log a warning in the logs - e.g. "VERIFY WARNING:
3842 depth=0, unable to get certificate CRL" - but the connection
3843 will be allowed.
3844
3845 If the optional dir flag is specified, enable a different mode
3846 where crl is a directory containing files named as revoked
3847 serial numbers (the files may be empty, the contents are never
3848 read). If a client requests a connection, where the client cer‐
3849 tificate serial number (decimal string) is the name of a file
3850 present in the directory, it will be rejected.
3851
3852 Note: As the crl file (or directory) is read every time a peer
3853 connects, if you are dropping root privileges with --user, make
3854 sure that this user has sufficient privileges to read the file.
3855
3856 SSL Library information:
3857 --show-ciphers
3858 (Standalone) Show all cipher algorithms to use with the --cipher
3859 option.
3860
3861 --show-digests
3862 (Standalone) Show all message digest algorithms to use with the
3863 --auth option.
3864
3865 --show-tls
3866 (Standalone) Show all TLS ciphers supported by the crypto
3867 library. OpenVPN uses TLS to secure the control channel, over
3868 which the keys that are used to protect the actual VPN traffic
3869 are exchanged. The TLS ciphers will be sorted from highest
3870 preference (most secure) to lowest.
3871
3872 Be aware that whether a cipher suite in this list can actually
3873 work depends on the specific setup of both peers (e.g. both
3874 peers must support the cipher, and an ECDSA cipher suite will
3875 not work if you are using an RSA certificate, etc.).
3876
3877 --show-engines
3878 (Standalone) Show currently available hardware-based crypto
3879 acceleration engines supported by the OpenSSL library.
3880
3881 --show-curves
3882 (Standalone) Show all available elliptic curves to use with the
3883 --ecdh-curve option.
3884
3885 Generate a random key:
3886 Used only for non-TLS static key encryption mode.
3887
3888 --genkey
3889 (Standalone) Generate a random key to be used as a shared
3890 secret, for use with the --secret option. This file must be
3891 shared with the peer over a pre-existing secure channel such as
3892 scp(1)
3893
3894 --secret file
3895 Write key to file.
3896
3897 TUN/TAP persistent tunnel config mode:
3898 Available with Linux 2.4.7+. These options comprise a standalone mode
3899 of OpenVPN which can be used to create and delete persistent tunnels.
3900
3901 --mktun
3902 (Standalone) Create a persistent tunnel on platforms which sup‐
3903 port them such as Linux. Normally TUN/TAP tunnels exist only
3904 for the period of time that an application has them open. This
3905 option takes advantage of the TUN/TAP driver's ability to build
3906 persistent tunnels that live through multiple instantiations of
3907 OpenVPN and die only when they are deleted or the machine is
3908 rebooted.
3909
3910 One of the advantages of persistent tunnels is that they elimi‐
3911 nate the need for separate --up and --down scripts to run the
3912 appropriate ifconfig(8) and route(8) commands. These commands
3913 can be placed in the the same shell script which starts or ter‐
3914 minates an OpenVPN session.
3915
3916 Another advantage is that open connections through the
3917 TUN/TAP-based tunnel will not be reset if the OpenVPN peer
3918 restarts. This can be useful to provide uninterrupted connec‐
3919 tivity through the tunnel in the event of a DHCP reset of the
3920 peer's public IP address (see the --ipchange option above).
3921
3922 One disadvantage of persistent tunnels is that it is harder to
3923 automatically configure their MTU value (see --link-mtu and
3924 --tun-mtu above).
3925
3926 On some platforms such as Windows, TAP-Win32 tunnels are persis‐
3927 tent by default.
3928
3929 --rmtun
3930 (Standalone) Remove a persistent tunnel.
3931
3932 --dev tunX | tapX
3933 TUN/TAP device
3934
3935 --user user
3936 Optional user to be owner of this tunnel.
3937
3938 --group group
3939 Optional group to be owner of this tunnel.
3940
3941 Windows-Specific Options:
3942 --win-sys path
3943 Set the Windows system directory pathname to use when looking
3944 for system executables such as route.exe and netsh.exe. By
3945 default, if this directive is not specified, OpenVPN will use
3946 the SystemRoot environment variable.
3947
3948 This option have changed behaviour in OpenVPN 2.3. Earlier you
3949 had to define --win-sys env to use the SystemRoot environment
3950 variable, otherwise it defaulted to C:\WINDOWS. It is not
3951 needed to use the env keyword any more, and it will just be
3952 ignored. A warning is logged when this is found in the configu‐
3953 ration file.
3954
3955 --ip-win32 method
3956 When using --ifconfig on Windows, set the TAP-Win32 adapter IP
3957 address and netmask using method. Don't use this option unless
3958 you are also using --ifconfig.
3959
3960 manual -- Don't set the IP address or netmask automatically.
3961 Instead output a message to the console telling the user to con‐
3962 figure the adapter manually and indicating the IP/netmask which
3963 OpenVPN expects the adapter to be set to.
3964
3965 dynamic [offset] [lease-time] -- Automatically set the IP
3966 address and netmask by replying to DHCP query messages generated
3967 by the kernel. This mode is probably the "cleanest" solution
3968 for setting the TCP/IP properties since it uses the well-known
3969 DHCP protocol. There are, however, two prerequisites for using
3970 this mode: (1) The TCP/IP properties for the TAP-Win32 adapter
3971 must be set to "Obtain an IP address automatically," and (2)
3972 OpenVPN needs to claim an IP address in the subnet for use as
3973 the virtual DHCP server address. By default in --dev tap mode,
3974 OpenVPN will take the normally unused first address in the sub‐
3975 net. For example, if your subnet is 192.168.4.0 netmask
3976 255.255.255.0, then OpenVPN will take the IP address 192.168.4.0
3977 to use as the virtual DHCP server address. In --dev tun mode,
3978 OpenVPN will cause the DHCP server to masquerade as if it were
3979 coming from the remote endpoint. The optional offset parameter
3980 is an integer which is > -256 and < 256 and which defaults to
3981 -1. If offset is positive, the DHCP server will masquerade as
3982 the IP address at network address + offset. If offset is nega‐
3983 tive, the DHCP server will masquerade as the IP address at
3984 broadcast address + offset. The Windows ipconfig /all command
3985 can be used to show what Windows thinks the DHCP server address
3986 is. OpenVPN will "claim" this address, so make sure to use a
3987 free address. Having said that, different OpenVPN instantia‐
3988 tions, including different ends of the same connection, can
3989 share the same virtual DHCP server address. The lease-time
3990 parameter controls the lease time of the DHCP assignment given
3991 to the TAP-Win32 adapter, and is denoted in seconds. Normally a
3992 very long lease time is preferred because it prevents routes
3993 involving the TAP-Win32 adapter from being lost when the system
3994 goes to sleep. The default lease time is one year.
3995
3996 netsh -- Automatically set the IP address and netmask using the
3997 Windows command-line "netsh" command. This method appears to
3998 work correctly on Windows XP but not Windows 2000.
3999
4000 ipapi -- Automatically set the IP address and netmask using the
4001 Windows IP Helper API. This approach does not have ideal seman‐
4002 tics, though testing has indicated that it works okay in prac‐
4003 tice. If you use this option, it is best to leave the TCP/IP
4004 properties for the TAP-Win32 adapter in their default state,
4005 i.e. "Obtain an IP address automatically."
4006
4007 adaptive -- (Default) Try dynamic method initially and fail over
4008 to netsh if the DHCP negotiation with the TAP-Win32 adapter does
4009 not succeed in 20 seconds. Such failures have been known to
4010 occur when certain third-party firewall packages installed on
4011 the client machine block the DHCP negotiation used by the
4012 TAP-Win32 adapter. Note that if the netsh failover occurs, the
4013 TAP-Win32 adapter TCP/IP properties will be reset from DHCP to
4014 static, and this will cause future OpenVPN startups using the
4015 adaptive mode to use netsh immediately, rather than trying
4016 dynamic first. To "unstick" the adaptive mode from using netsh,
4017 run OpenVPN at least once using the dynamic mode to restore the
4018 TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
4019
4020 --route-method m
4021 Which method m to use for adding routes on Windows?
4022
4023 adaptive (default) -- Try IP helper API first. If that fails,
4024 fall back to the route.exe shell command.
4025 ipapi -- Use IP helper API.
4026 exe -- Call the route.exe shell command.
4027
4028 --dhcp-option type [parm]
4029 Set extended TAP-Win32 TCP/IP properties, must be used with
4030 --ip-win32 dynamic or --ip-win32 adaptive. This option can be
4031 used to set additional TCP/IP properties on the TAP-Win32
4032 adapter, and is particularly useful for configuring an OpenVPN
4033 client to access a Samba server across the VPN.
4034
4035 DOMAIN name -- Set Connection-specific DNS Suffix.
4036
4037 DNS addr -- Set primary domain name server IPv4 or IPv6 address.
4038 Repeat this option to set secondary DNS server addresses.
4039
4040 Note: DNS IPv6 servers are currently set using netsh (the exist‐
4041 ing DHCP code can only do IPv4 DHCP, and that protocol only per‐
4042 mits IPv4 addresses anywhere). The option will be put into the
4043 environment, so an --up script could act upon it if needed.
4044
4045 WINS addr -- Set primary WINS server address (NetBIOS over
4046 TCP/IP Name Server). Repeat this option to set secondary WINS
4047 server addresses.
4048
4049 NBDD addr -- Set primary NBDD server address (NetBIOS over
4050 TCP/IP Datagram Distribution Server) Repeat this option to set
4051 secondary NBDD server addresses.
4052
4053 NTP addr -- Set primary NTP server address (Network Time Proto‐
4054 col). Repeat this option to set secondary NTP server addresses.
4055
4056 NBT type -- Set NetBIOS over TCP/IP Node type. Possible
4057 options: 1 = b-node (broadcasts), 2 = p-node (point-to-point
4058 name queries to a WINS server), 4 = m-node (broadcast then query
4059 name server), and 8 = h-node (query name server, then broad‐
4060 cast).
4061
4062 NBS scope-id -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope
4063 ID provides an extended naming service for the NetBIOS over
4064 TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS
4065 scope ID is to isolate NetBIOS traffic on a single network to
4066 only those nodes with the same NetBIOS scope ID. The NetBIOS
4067 scope ID is a character string that is appended to the NetBIOS
4068 name. The NetBIOS scope ID on two hosts must match, or the two
4069 hosts will not be able to communicate. The NetBIOS Scope ID also
4070 allows computers to use the same computer name, as they have
4071 different scope IDs. The Scope ID becomes a part of the NetBIOS
4072 name, making the name unique. (This description of NetBIOS
4073 scopes courtesy of NeonSurge@abyss.com)
4074
4075 DISABLE-NBT -- Disable Netbios-over-TCP/IP.
4076
4077 Note that if --dhcp-option is pushed via --push to a non-windows
4078 client, the option will be saved in the client's environment
4079 before the up script is called, under the name "for‐
4080 eign_option_{n}".
4081
4082 --tap-sleep n
4083 Cause OpenVPN to sleep for n seconds immediately after the
4084 TAP-Win32 adapter state is set to "connected".
4085
4086 This option is intended to be used to troubleshoot problems with
4087 the --ifconfig and --ip-win32 options, and is used to give the
4088 TAP-Win32 adapter time to come up before Windows IP Helper API
4089 operations are applied to it.
4090
4091 --show-net-up
4092 Output OpenVPN's view of the system routing table and network
4093 adapter list to the syslog or log file after the TUN/TAP adapter
4094 has been brought up and any routes have been added.
4095
4096 --block-outside-dns
4097 Block DNS servers on other network adapters to prevent DNS
4098 leaks. This option prevents any application from accessing TCP
4099 or UDP port 53 except one inside the tunnel. It uses Windows
4100 Filtering Platform (WFP) and works on Windows Vista or later.
4101
4102 This option is considered unknown on non-Windows platforms and
4103 unsupported on Windows XP, resulting in fatal error. You may
4104 want to use --setenv opt or --ignore-unknown-option (not suit‐
4105 able for Windows XP) to ignore said error. Note that pushing
4106 unknown options from server does not trigger fatal errors.
4107
4108 --dhcp-renew
4109 Ask Windows to renew the TAP adapter lease on startup. This
4110 option is normally unnecessary, as Windows automatically trig‐
4111 gers a DHCP renegotiation on the TAP adapter when it comes up,
4112 however if you set the TAP-Win32 adapter Media Status property
4113 to "Always Connected", you may need this flag.
4114
4115 --dhcp-release
4116 Ask Windows to release the TAP adapter lease on shutdown. This
4117 option has no effect now, as it is enabled by default starting
4118 with OpenVPN 2.4.1.
4119
4120 --register-dns
4121 Run ipconfig /flushdns and ipconfig /registerdns on connection
4122 initiation. This is known to kick Windows into recognizing
4123 pushed DNS servers.
4124
4125 --pause-exit
4126 Put up a "press any key to continue" message on the console
4127 prior to OpenVPN program exit. This option is automatically
4128 used by the Windows explorer when OpenVPN is run on a configura‐
4129 tion file using the right-click explorer menu.
4130
4131 --service exit-event [0|1]
4132 Should be used when OpenVPN is being automatically executed by
4133 another program in such a context that no interaction with the
4134 user via display or keyboard is possible. In general, end-users
4135 should never need to explicitly use this option, as it is auto‐
4136 matically added by the OpenVPN service wrapper when a given
4137 OpenVPN configuration is being run as a service.
4138
4139 exit-event is the name of a Windows global event object, and
4140 OpenVPN will continuously monitor the state of this event object
4141 and exit when it becomes signaled.
4142
4143 The second parameter indicates the initial state of exit-event
4144 and normally defaults to 0.
4145
4146 Multiple OpenVPN processes can be simultaneously executed with
4147 the same exit-event parameter. In any case, the controlling
4148 process can signal exit-event, causing all such OpenVPN pro‐
4149 cesses to exit.
4150
4151 When executing an OpenVPN process using the --service directive,
4152 OpenVPN will probably not have a console window to output sta‐
4153 tus/error messages, therefore it is useful to use --log or
4154 --log-append to write these messages to a file.
4155
4156 --show-adapters
4157 (Standalone) Show available TAP-Win32 adapters which can be
4158 selected using the --dev-node option. On non-Windows systems,
4159 the ifconfig(8) command provides similar functionality.
4160
4161 --allow-nonadmin [TAP-adapter]
4162 (Standalone) Set TAP-adapter to allow access from non-adminis‐
4163 trative accounts. If TAP-adapter is omitted, all TAP adapters
4164 on the system will be configured to allow non-admin access. The
4165 non-admin access setting will only persist for the length of
4166 time that the TAP-Win32 device object and driver remain loaded,
4167 and will need to be re-enabled after a reboot, or if the driver
4168 is unloaded and reloaded. This directive can only be used by an
4169 administrator.
4170
4171 --show-valid-subnets
4172 (Standalone) Show valid subnets for --dev tun emulation. Since
4173 the TAP-Win32 driver exports an ethernet interface to Windows,
4174 and since TUN devices are point-to-point in nature, it is neces‐
4175 sary for the TAP-Win32 driver to impose certain constraints on
4176 TUN endpoint address selection.
4177
4178 Namely, the point-to-point endpoints used in TUN device emula‐
4179 tion must be the middle two addresses of a /30 subnet (netmask
4180 255.255.255.252).
4181
4182 --show-net
4183 (Standalone) Show OpenVPN's view of the system routing table and
4184 network adapter list.
4185
4186 PKCS#11 Standalone Options:
4187 --show-pkcs11-ids [provider] [cert_private]
4188 (Standalone) Show PKCS#11 token object list. Specify cert_pri‐
4189 vate as 1 if certificates are stored as private objects.
4190
4191 If p11-kit is present on the system, the provider argument is
4192 optional; if omitted the default p11-kit-proxy.so module will be
4193 queried.
4194
4195 --verb option can be used BEFORE this option to produce debug‐
4196 ging information.
4197
4198 Standalone Debug Options:
4199 --show-gateway [v6target]
4200 (Standalone) Show current IPv4 and IPv6 default gateway and
4201 interface towards the gateway (if the protocol in question is
4202 enabled). If an IPv6 address is passed as argument, the IPv6
4203 route for this host is reported.
4204
4205 IPv6 Related Options
4206 The following options exist to support IPv6 tunneling in peer-to-peer
4207 and client-server mode. All options are modeled after their IPv4 coun‐
4208 terparts, so more detailed explanations given there apply here as well
4209 (except for --topology , which has no effect on IPv6).
4210
4211 --ifconfig-ipv6 ipv6addr/bits ipv6remote
4212 configure IPv6 address ipv6addr/bits on the ``tun'' device. The
4213 second parameter is used as route target for --route-ipv6 if no
4214 gateway is specified.
4215
4216 --route-ipv6 ipv6addr/bits [gateway] [metric]
4217 setup IPv6 routing in the system to send the specified IPv6 net‐
4218 work into OpenVPN's ``tun''. The gateway parameter is only used
4219 for IPv6 routes across ``tap'' devices, and if missing, the
4220 ``ipv6remote'' field from --ifconfig-ipv6 is used.
4221
4222 --server-ipv6 ipv6addr/bits
4223 convenience-function to enable a number of IPv6 related options
4224 at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
4225 tun-ipv6 Is only accepted if ``--mode server'' or ``--server''
4226 is set. Pushing of the --tun-ipv6 directive is done for older
4227 clients which require an explicit ``--tun-ipv6'' in their con‐
4228 figuration.
4229
4230 --ifconfig-ipv6-pool ipv6addr/bits
4231 Specify an IPv6 address pool for dynamic assignment to clients.
4232 The pool starts at ipv6addr and matches the offset determined
4233 from the start of the IPv4 pool.
4234
4235 --ifconfig-ipv6-push ipv6addr/bits ipv6remote
4236 for ccd/ per-client static IPv6 interface configuration, see
4237 --client-config-dir and --ifconfig-push for more details.
4238
4239 --iroute-ipv6 ipv6addr/bits
4240 for ccd/ per-client static IPv6 route configuration, see
4241 --iroute for more details how to setup and use this, and how
4242 --iroute and --route interact.
4243
4244
4246 OpenVPN exports a series of environmental variables for use by
4247 user-defined scripts.
4248
4249 Script Order of Execution
4250 --up Executed after TCP/UDP socket bind and TUN/TAP open.
4251
4252 --tls-verify
4253 Executed when we have a still untrusted remote peer.
4254
4255 --ipchange
4256 Executed after connection authentication, or remote IP address
4257 change.
4258
4259 --client-connect
4260 Executed in --mode server mode immediately after client authen‐
4261 tication.
4262
4263 --route-up
4264 Executed after connection authentication, either immediately
4265 after, or some number of seconds after as defined by the
4266 --route-delay option.
4267
4268 --route-pre-down
4269 Executed right before the routes are removed.
4270
4271 --client-disconnect
4272 Executed in --mode server mode on client instance shutdown.
4273
4274 --down Executed after TCP/UDP and TUN/TAP close.
4275
4276 --learn-address
4277 Executed in --mode server mode whenever an IPv4 address/route or
4278 MAC address is added to OpenVPN's internal routing table.
4279
4280 --auth-user-pass-verify
4281 Executed in --mode server mode on new client connections, when
4282 the client is still untrusted.
4283
4284 String Types and Remapping
4285 In certain cases, OpenVPN will perform remapping of characters in
4286 strings. Essentially, any characters outside the set of permitted
4287 characters for each string type will be converted to underbar ('_').
4288
4289 Q: Why is string remapping necessary?
4290
4291 A: It's an important security feature to prevent the malicious coding
4292 of strings from untrusted sources to be passed as parameters to
4293 scripts, saved in the environment, used as a common name, translated to
4294 a filename, etc.
4295
4296 Q: Can string remapping be disabled?
4297
4298 A: Yes, by using the --no-name-remapping option, however this should be
4299 considered an advanced option.
4300
4301 Here is a brief rundown of OpenVPN's current string types and the per‐
4302 mitted character class for each string:
4303
4304 X509 Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at
4305 ('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is
4306 defined as a character which will cause the C library isalnum() func‐
4307 tion to return true.
4308
4309 Common Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and
4310 at ('@').
4311
4312 --auth-user-pass username: Same as Common Name, with one exception:
4313 starting with OpenVPN 2.0.1, the username is passed to the OPEN‐
4314 VPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string
4315 remapping.
4316
4317 --auth-user-pass password: Any "printable" character except CR or LF.
4318 Printable is defined to be a character which will cause the C library
4319 isprint() function to return true.
4320
4321 --client-config-dir filename as derived from common name or username:
4322 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "."
4323 or ".." as standalone strings. As of v2.0.1-rc6, the at ('@') charac‐
4324 ter has been added as well for compatibility with the common name char‐
4325 acter class.
4326
4327 Environmental variable names: Alphanumeric or underbar ('_').
4328
4329 Environmental variable values: Any printable character.
4330
4331 For all cases, characters in a string which are not members of the
4332 legal character class for that string type will be remapped to underbar
4333 ('_').
4334
4335 Environmental Variables
4336 Once set, a variable is persisted indefinitely until it is reset by a
4337 new value or a restart,
4338
4339 As of OpenVPN 2.0-beta12, in server mode, environmental variables set
4340 by OpenVPN are scoped according to the client objects they are associ‐
4341 ated with, so there should not be any issues with scripts having access
4342 to stale, previously set variables which refer to different client
4343 instances.
4344
4345 bytes_received
4346 Total number of bytes received from client during VPN session.
4347 Set prior to execution of the --client-disconnect script.
4348
4349 bytes_sent
4350 Total number of bytes sent to client during VPN session. Set
4351 prior to execution of the --client-disconnect script.
4352
4353 common_name
4354 The X509 common name of an authenticated client. Set prior to
4355 execution of --client-connect, --client-disconnect, and
4356 --auth-user-pass-verify scripts.
4357
4358 config Name of first --config file. Set on program initiation and
4359 reset on SIGHUP.
4360
4361 daemon Set to "1" if the --daemon directive is specified, or "0" other‐
4362 wise. Set on program initiation and reset on SIGHUP.
4363
4364 daemon_log_redirect
4365 Set to "1" if the --log or --log-append directives are speci‐
4366 fied, or "0" otherwise. Set on program initiation and reset on
4367 SIGHUP.
4368
4369 dev The actual name of the TUN/TAP device, including a unit number
4370 if it exists. Set prior to --up or --down script execution.
4371
4372 dev_idx
4373 On Windows, the device index of the TUN/TAP adapter (to be used
4374 in netsh.exe calls which sometimes just do not work right with
4375 interface names). Set prior to --up or --down script execution.
4376
4377 foreign_option_{n}
4378 An option pushed via --push to a client which does not natively
4379 support it, such as --dhcp-option on a non-Windows system, will
4380 be recorded to this environmental variable sequence prior to
4381 --up script execution.
4382
4383 ifconfig_broadcast
4384 The broadcast address for the virtual ethernet segment which is
4385 derived from the --ifconfig option when --dev tap is used. Set
4386 prior to OpenVPN calling the ifconfig or netsh (windows version
4387 of ifconfig) commands which normally occurs prior to --up script
4388 execution.
4389
4390 ifconfig_ipv6_local
4391 The local VPN endpoint IPv6 address specified in the --ifcon‐
4392 fig-ipv6 option (first parameter). Set prior to OpenVPN calling
4393 the ifconfig or netsh (windows version of ifconfig) commands
4394 which normally occurs prior to --up script execution.
4395
4396 ifconfig_ipv6_netbits
4397 The prefix length of the IPv6 network on the VPN interface.
4398 Derived from the /nnn parameter of the IPv6 address in the
4399 --ifconfig-ipv6 option (first parameter). Set prior to OpenVPN
4400 calling the ifconfig or netsh (windows version of ifconfig) com‐
4401 mands which normally occurs prior to --up script execution.
4402
4403 ifconfig_ipv6_remote
4404 The remote VPN endpoint IPv6 address specified in the --ifcon‐
4405 fig-ipv6 option (second parameter). Set prior to OpenVPN call‐
4406 ing the ifconfig or netsh (windows version of ifconfig) commands
4407 which normally occurs prior to --up script execution.
4408
4409 ifconfig_local
4410 The local VPN endpoint IP address specified in the --ifconfig
4411 option (first parameter). Set prior to OpenVPN calling the
4412 ifconfig or netsh (windows version of ifconfig) commands which
4413 normally occurs prior to --up script execution.
4414
4415 ifconfig_remote
4416 The remote VPN endpoint IP address specified in the --ifconfig
4417 option (second parameter) when --dev tun is used. Set prior to
4418 OpenVPN calling the ifconfig or netsh (windows version of ifcon‐
4419 fig) commands which normally occurs prior to --up script execu‐
4420 tion.
4421
4422 ifconfig_netmask
4423 The subnet mask of the virtual ethernet segment that is speci‐
4424 fied as the second parameter to --ifconfig when --dev tap is
4425 being used. Set prior to OpenVPN calling the ifconfig or netsh
4426 (windows version of ifconfig) commands which normally occurs
4427 prior to --up script execution.
4428
4429 ifconfig_pool_local_ip
4430 The local virtual IP address for the TUN/TAP tunnel taken from
4431 an --ifconfig-push directive if specified, or otherwise from the
4432 ifconfig pool (controlled by the --ifconfig-pool config file
4433 directive). Only set for --dev tun tunnels. This option is set
4434 on the server prior to execution of the --client-connect and
4435 --client-disconnect scripts.
4436
4437 ifconfig_pool_netmask
4438 The virtual IP netmask for the TUN/TAP tunnel taken from an
4439 --ifconfig-push directive if specified, or otherwise from the
4440 ifconfig pool (controlled by the --ifconfig-pool config file
4441 directive). Only set for --dev tap tunnels. This option is set
4442 on the server prior to execution of the --client-connect and
4443 --client-disconnect scripts.
4444
4445 ifconfig_pool_remote_ip
4446 The remote virtual IP address for the TUN/TAP tunnel taken from
4447 an --ifconfig-push directive if specified, or otherwise from the
4448 ifconfig pool (controlled by the --ifconfig-pool config file
4449 directive). This option is set on the server prior to execution
4450 of the --client-connect and --client-disconnect scripts.
4451
4452 link_mtu
4453 The maximum packet size (not including the IP header) of tunnel
4454 data in UDP tunnel transport mode. Set prior to --up or --down
4455 script execution.
4456
4457 local The --local parameter. Set on program initiation and reset on
4458 SIGHUP.
4459
4460 local_port
4461 The local port number or name, specified by --port or --lport.
4462 Set on program initiation and reset on SIGHUP.
4463
4464 password
4465 The password provided by a connecting client. Set prior to
4466 --auth-user-pass-verify script execution only when the via-env
4467 modifier is specified, and deleted from the environment after
4468 the script returns.
4469
4470 proto The --proto parameter. Set on program initiation and reset on
4471 SIGHUP.
4472
4473 remote_{n}
4474 The --remote parameter. Set on program initiation and reset on
4475 SIGHUP.
4476
4477 remote_port_{n}
4478 The remote port number, specified by --port or --rport. Set on
4479 program initiation and reset on SIGHUP.
4480
4481 route_net_gateway
4482 The pre-existing default IP gateway in the system routing table.
4483 Set prior to --up script execution.
4484
4485 route_vpn_gateway
4486 The default gateway used by --route options, as specified in
4487 either the --route-gateway option or the second parameter to
4488 --ifconfig when --dev tun is specified. Set prior to --up
4489 script execution.
4490
4491 route_{parm}_{n}
4492 A set of variables which define each route to be added, and are
4493 set prior to --up script execution.
4494
4495 parm will be one of "network", "netmask", "gateway", or "met‐
4496 ric".
4497
4498 n is the OpenVPN route number, starting from 1.
4499
4500 If the network or gateway are resolvable DNS names, their IP
4501 address translations will be recorded rather than their names as
4502 denoted on the command line or configuration file.
4503
4504 route_ipv6_{parm}_{n}
4505 A set of variables which define each IPv6 route to be added, and
4506 are set prior to --up script execution.
4507
4508 parm will be one of "network" or "gateway" ("netmask" is con‐
4509 tained as "/nnn" in the route_ipv6_network_{n}, unlike IPv4
4510 where it is passed in a separate environment variable).
4511
4512 n is the OpenVPN route number, starting from 1.
4513
4514 If the network or gateway are resolvable DNS names, their IP
4515 address translations will be recorded rather than their names as
4516 denoted on the command line or configuration file.
4517
4518 peer_cert
4519 Temporary file name containing the client certificate upon con‐
4520 nection. Useful in conjunction with --tls-verify
4521
4522 script_context
4523 Set to "init" or "restart" prior to up/down script execution.
4524 For more information, see documentation for --up.
4525
4526 script_type
4527 Prior to execution of any script, this variable is set to the
4528 type of script being run. It can be one of the following: up,
4529 down, ipchange, route-up, tls-verify, auth-user-pass-verify,
4530 client-connect, client-disconnect, or learn-address. Set prior
4531 to execution of any script.
4532
4533 signal The reason for exit or restart. Can be one of sigusr1, sighup,
4534 sigterm, sigint, inactive (controlled by --inactive option),
4535 ping-exit (controlled by --ping-exit option), ping-restart (con‐
4536 trolled by --ping-restart option), connection-reset (triggered
4537 on TCP connection reset), error, or unknown (unknown signal).
4538 This variable is set just prior to down script execution.
4539
4540 time_ascii
4541 Client connection timestamp, formatted as a human-readable time
4542 string. Set prior to execution of the --client-connect script.
4543
4544 time_duration
4545 The duration (in seconds) of the client session which is now
4546 disconnecting. Set prior to execution of the --client-discon‐
4547 nect script.
4548
4549 time_unix
4550 Client connection timestamp, formatted as a unix integer
4551 date/time value. Set prior to execution of the --client-connect
4552 script.
4553
4554 tls_digest_{n} / tls_digest_sha256_{n}
4555 Contains the certificate SHA1 / SHA256 fingerprint, where n is
4556 the verification level. Only set for TLS connections. Set
4557 prior to execution of --tls-verify script.
4558
4559 tls_id_{n}
4560 A series of certificate fields from the remote peer, where n is
4561 the verification level. Only set for TLS connections. Set
4562 prior to execution of --tls-verify script.
4563
4564 tls_serial_{n}
4565 The serial number of the certificate from the remote peer, where
4566 n is the verification level. Only set for TLS connections. Set
4567 prior to execution of --tls-verify script. This is in the form
4568 of a decimal string like "933971680", which is suitable for
4569 doing serial-based OCSP queries (with OpenSSL, do not prepend
4570 "0x" to the string) If something goes wrong while reading the
4571 value from the certificate it will be an empty string, so your
4572 code should check that. See the con‐
4573 trib/OCSP_check/OCSP_check.sh script for an example.
4574
4575 tls_serial_hex_{n}
4576 Like tls_serial_{n}, but in hex form (e.g. "12:34:56:78:9A").
4577
4578 tun_mtu
4579 The MTU of the TUN/TAP device. Set prior to --up or --down
4580 script execution.
4581
4582 trusted_ip (or trusted_ip6)
4583 Actual IP address of connecting client or peer which has been
4584 authenticated. Set prior to execution of --ipchange,
4585 --client-connect, and --client-disconnect scripts. If using
4586 ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.
4587
4588 trusted_port
4589 Actual port number of connecting client or peer which has been
4590 authenticated. Set prior to execution of --ipchange,
4591 --client-connect, and --client-disconnect scripts.
4592
4593 untrusted_ip (or untrusted_ip6)
4594 Actual IP address of connecting client or peer which has not
4595 been authenticated yet. Sometimes used to nmap the connecting
4596 host in a --tls-verify script to ensure it is firewalled prop‐
4597 erly. Set prior to execution of --tls-verify and
4598 --auth-user-pass-verify scripts. If using ipv6 endpoints (udp6,
4599 tcp6), untrusted_ip6 will be set instead.
4600
4601 untrusted_port
4602 Actual port number of connecting client or peer which has not
4603 been authenticated yet. Set prior to execution of --tls-verify
4604 and --auth-user-pass-verify scripts.
4605
4606 username
4607 The username provided by a connecting client. Set prior to
4608 --auth-user-pass-verify script execution only when the via-env
4609 modifier is specified.
4610
4611 X509_{n}_{subject_field}
4612 An X509 subject field from the remote peer certificate, where n
4613 is the verification level. Only set for TLS connections. Set
4614 prior to execution of --tls-verify script. This variable is
4615 similar to tls_id_{n} except the component X509 subject fields
4616 are broken out, and no string remapping occurs on these field
4617 values (except for remapping of control characters to "_"). For
4618 example, the following variables would be set on the OpenVPN
4619 server using the sample client certificate in sample-keys
4620 (client.crt). Note that the verification level is 0 for the
4621 client certificate and 1 for the CA certificate.
4622
4623 X509_0_emailAddress=me@myhost.mydomain
4624 X509_0_CN=Test-Client
4625 X509_0_O=OpenVPN-TEST
4626 X509_0_ST=NA
4627 X509_0_C=KG
4628 X509_1_emailAddress=me@myhost.mydomain
4629 X509_1_O=OpenVPN-TEST
4630 X509_1_L=BISHKEK
4631 X509_1_ST=NA
4632 X509_1_C=KG
4633
4635 OpenVPN allows including files in the main configuration for the --ca,
4636 --cert, --dh, --extra-certs, --key, --pkcs12, --secret, --crl-verify,
4637 --http-proxy-user-pass, --tls-auth and --tls-crypt options.
4638
4639 Each inline file started by the line <option> and ended by the line
4640 </option>
4641
4642 Here is an example of an inline file usage
4643
4644 <cert>
4645 -----BEGIN CERTIFICATE-----
4646 [...]
4647 -----END CERTIFICATE-----
4648 </cert>
4649
4650 When using the inline file feature with --pkcs12 the inline file has to
4651 be base64 encoded. Encoding of a .p12 file into base64 can be done for
4652 example with OpenSSL by running openssl base64 -in input.p12
4653
4654
4656 SIGHUP Cause OpenVPN to close all TUN/TAP and network connections,
4657 restart, re-read the configuration file (if any), and reopen
4658 TUN/TAP and network connections.
4659
4660 SIGUSR1
4661 Like SIGHUP, except don't re-read configuration file, and possi‐
4662 bly don't close and reopen TUN/TAP device, re-read key files,
4663 preserve local IP address/port, or preserve most recently
4664 authenticated remote IP address/port based on --persist-tun,
4665 --persist-key, --persist-local-ip, and --persist-remote-ip
4666 options respectively (see above).
4667
4668 This signal may also be internally generated by a timeout condi‐
4669 tion, governed by the --ping-restart option.
4670
4671 This signal, when combined with --persist-remote-ip, may be sent
4672 when the underlying parameters of the host's network interface
4673 change such as when the host is a DHCP client and is assigned a
4674 new IP address. See --ipchange above for more information.
4675
4676 SIGUSR2
4677 Causes OpenVPN to display its current statistics (to the syslog
4678 file if --daemon is used, or stdout otherwise).
4679
4680 SIGINT, SIGTERM
4681 Causes OpenVPN to exit gracefully.
4682
4684 If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP
4685 driver already installed. If so, there are still a few things you need
4686 to do:
4687
4688 Make device: mknod /dev/net/tun c 10 200
4689
4690 Load driver: modprobe tun
4691
4693 Prior to running these examples, you should have OpenVPN installed on
4694 two machines with network connectivity between them. If you have not
4695 yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
4696 distribution.
4697
4698 TUN/TAP Setup:
4699 If you are using Linux 2.4 or higher, make the tun device node and load
4700 the tun module:
4701
4702 mknod /dev/net/tun c 10 200
4703
4704 modprobe tun
4705
4706 If you installed from RPM, the mknod step may be omitted, because the
4707 RPM install does that for you.
4708
4709 Only Linux 2.4 and newer are supported.
4710
4711 For other platforms, consult the INSTALL file at http://open‐
4712 vpn.net/install.html for more information.
4713
4714 Firewall Setup:
4715 If firewalls exist between the two machines, they should be set to for‐
4716 ward UDP port 1194 in both directions. If you do not have control over
4717 the firewalls between the two machines, you may still be able to use
4718 OpenVPN by adding --ping 15 to each of the openvpn commands used below
4719 in the examples (this will cause each peer to send out a UDP ping to
4720 its remote peer once every 15 seconds which will cause many stateful
4721 firewalls to forward packets in both directions without an explicit
4722 firewall rule).
4723
4724 If you are using a Linux iptables-based firewall, you may need to enter
4725 the following command to allow incoming packets on the TUN device:
4726
4727 iptables -A INPUT -i tun+ -j ACCEPT
4728
4729 See the firewalls section below for more information on configuring
4730 firewalls for use with OpenVPN.
4731
4732 VPN Address Setup:
4733 For purposes of our example, our two machines will be called bob.exam‐
4734 ple.com and alice.example.com. If you are constructing a VPN over the
4735 internet, then replace bob.example.com and alice.example.com with the
4736 internet hostname or IP address that each machine will use to contact
4737 the other over the internet.
4738
4739 Now we will choose the tunnel endpoints. Tunnel endpoints are private
4740 IP addresses that only have meaning in the context of the VPN. Each
4741 machine will use the tunnel endpoint of the other machine to access it
4742 over the VPN. In our example, the tunnel endpoint for bob.example.com
4743 will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
4744
4745 Once the VPN is established, you have essentially created a secure
4746 alternate path between the two hosts which is addressed by using the
4747 tunnel endpoints. You can control which network traffic passes between
4748 the hosts (a) over the VPN or (b) independently of the VPN, by choosing
4749 whether to use (a) the VPN endpoint address or (b) the public internet
4750 address, to access the remote host. For example if you are on bob.exam‐
4751 ple.com and you wish to connect to alice.example.com via ssh without
4752 using the VPN (since ssh has its own built-in security) you would use
4753 the command ssh alice.example.com. However in the same scenario, you
4754 could also use the command telnet 10.4.0.2 to create a telnet session
4755 with alice.example.com over the VPN, that would use the VPN to secure
4756 the session rather than ssh.
4757
4758 You can use any address you wish for the tunnel endpoints but make sure
4759 that they are private addresses (such as those that begin with 10 or
4760 192.168) and that they are not part of any existing subnet on the net‐
4761 works of either peer, unless you are bridging. If you use an address
4762 that is part of your local subnet for either of the tunnel endpoints,
4763 you will get a weird feedback loop.
4764
4765 Example 1: A simple tunnel without security
4766 On bob:
4767
4768 openvpn --remote alice.example.com --dev tun1 --ifconfig
4769 10.4.0.1 10.4.0.2 --verb 9
4770
4771 On alice:
4772
4773 openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4774 10.4.0.1 --verb 9
4775
4776 Now verify the tunnel is working by pinging across the tunnel.
4777
4778 On bob:
4779
4780 ping 10.4.0.2
4781
4782 On alice:
4783
4784 ping 10.4.0.1
4785
4786 The --verb 9 option will produce verbose output, similar to the tcp‐
4787 dump(8) program. Omit the --verb 9 option to have OpenVPN run quietly.
4788
4789 Example 2: A tunnel with static-key security (i.e. using a pre-shared
4790 secret)
4791 First build a static key on bob.
4792
4793 openvpn --genkey --secret key
4794
4795 This command will build a random key file called key (in ascii format).
4796 Now copy key to alice over a secure medium such as by using the scp(1)
4797 program.
4798
4799 On bob:
4800
4801 openvpn --remote alice.example.com --dev tun1 --ifconfig
4802 10.4.0.1 10.4.0.2 --verb 5 --secret key
4803
4804 On alice:
4805
4806 openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4807 10.4.0.1 --verb 5 --secret key
4808
4809 Now verify the tunnel is working by pinging across the tunnel.
4810
4811 On bob:
4812
4813 ping 10.4.0.2
4814
4815 On alice:
4816
4817 ping 10.4.0.1
4818
4819 Example 3: A tunnel with full TLS-based security
4820 For this test, we will designate bob as the TLS client and alice as the
4821 TLS server. Note that client or server designation only has meaning
4822 for the TLS subsystem. It has no bearing on OpenVPN's peer-to-peer,
4823 UDP-based communication model.
4824
4825 First, build a separate certificate/key pair for both bob and alice
4826 (see above where --cert is discussed for more info). Then construct
4827 Diffie Hellman parameters (see above where --dh is discussed for more
4828 info). You can also use the included test files client.crt,
4829 client.key, server.crt, server.key and ca.crt. The .crt files are cer‐
4830 tificates/public-keys, the .key files are private keys, and ca.crt is a
4831 certification authority who has signed both client.crt and server.crt.
4832 For Diffie Hellman parameters you can use the included file dh1024.pem.
4833 Note that all client, server, and certificate authority certificates
4834 and keys included in the OpenVPN distribution are totally insecure and
4835 should be used for testing only.
4836
4837 On bob:
4838
4839 openvpn --remote alice.example.com --dev tun1 --ifconfig
4840 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt
4841 --key client.key --reneg-sec 60 --verb 5
4842
4843 On alice:
4844
4845 openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2
4846 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert
4847 server.crt --key server.key --reneg-sec 60 --verb 5
4848
4849 Now verify the tunnel is working by pinging across the tunnel.
4850
4851 On bob:
4852
4853 ping 10.4.0.2
4854
4855 On alice:
4856
4857 ping 10.4.0.1
4858
4859 Notice the --reneg-sec 60 option we used above. That tells OpenVPN to
4860 renegotiate the data channel keys every minute. Since we used --verb 5
4861 above, you will see status information on each new key negotiation.
4862
4863 For production operations, a key renegotiation interval of 60 seconds
4864 is probably too frequent. Omit the --reneg-sec 60 option to use Open‐
4865 VPN's default key renegotiation interval of one hour.
4866
4867 Routing:
4868 Assuming you can ping across the tunnel, the next step is to route a
4869 real subnet over the secure tunnel. Suppose that bob and alice have
4870 two network interfaces each, one connected to the internet, and the
4871 other to a private network. Our goal is to securely connect both pri‐
4872 vate networks. We will assume that bob's private subnet is 10.0.0.0/24
4873 and alice's is 10.0.1.0/24.
4874
4875 First, ensure that IP forwarding is enabled on both peers. On Linux,
4876 enable routing:
4877
4878 echo 1 > /proc/sys/net/ipv4/ip_forward
4879
4880 and enable TUN packet forwarding through the firewall:
4881
4882 iptables -A FORWARD -i tun+ -j ACCEPT
4883
4884 On bob:
4885
4886 route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
4887
4888 On alice:
4889
4890 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
4891
4892 Now any machine on the 10.0.0.0/24 subnet can access any machine on the
4893 10.0.1.0/24 subnet over the secure tunnel (or vice versa).
4894
4895 In a production environment, you could put the route command(s) in a
4896 script and execute with the --up option.
4897
4899 OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
4900 You should add an entry to your firewall rules to allow incoming Open‐
4901 VPN packets. On Linux 2.4+:
4902
4903 iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
4904
4905 This will allow incoming packets on UDP port 1194 (OpenVPN's default
4906 UDP port) from an OpenVPN peer at 1.2.3.4.
4907
4908 If you are using HMAC-based packet authentication (the default in any
4909 of OpenVPN's secure modes), having the firewall filter on source
4910 address can be considered optional, since HMAC packet authentication is
4911 a much more secure method of verifying the authenticity of a packet
4912 source. In that case:
4913
4914 iptables -A INPUT -p udp --dport 1194 -j ACCEPT
4915
4916 would be adequate and would not render the host inflexible with respect
4917 to its peer having a dynamic IP address.
4918
4919 OpenVPN also works well on stateful firewalls. In some cases, you may
4920 not need to add any static rules to the firewall list if you are using
4921 a stateful firewall that knows how to track UDP connections. If you
4922 specify --ping n, OpenVPN will be guaranteed to send a packet to its
4923 peer at least once every n seconds. If n is less than the stateful
4924 firewall connection timeout, you can maintain an OpenVPN connection
4925 indefinitely without explicit firewall rules.
4926
4927 You should also add firewall rules to allow incoming IP traffic on TUN
4928 or TAP devices such as:
4929
4930 iptables -A INPUT -i tun+ -j ACCEPT
4931
4932 to allow input packets from tun devices,
4933
4934 iptables -A FORWARD -i tun+ -j ACCEPT
4935
4936 to allow input packets from tun devices to be forwarded to other hosts
4937 on the local network,
4938
4939 iptables -A INPUT -i tap+ -j ACCEPT
4940
4941 to allow input packets from tap devices, and
4942
4943 iptables -A FORWARD -i tap+ -j ACCEPT
4944
4945 to allow input packets from tap devices to be forwarded to other hosts
4946 on the local network.
4947
4948 These rules are secure if you use packet authentication, since no
4949 incoming packets will arrive on a TUN or TAP virtual device unless they
4950 first pass an HMAC authentication test.
4951
4953 http://openvpn.net/faq.html
4954
4956 For a more comprehensive guide to setting up OpenVPN in a production
4957 setting, see the OpenVPN HOWTO at http://openvpn.net/howto.html
4958
4960 For a description of OpenVPN's underlying protocol, see http://open‐
4961 vpn.net/security.html
4962
4964 OpenVPN's web site is at http://openvpn.net/
4965
4966 Go here to download the latest version of OpenVPN, subscribe to the
4967 mailing lists, read the mailing list archives, or browse the SVN repos‐
4968 itory.
4969
4971 Report all bugs to the OpenVPN team <info@openvpn.net>.
4972
4974 dhcpcd(8), ifconfig(8), openssl(1), route(8), scp(1) ssh(1)
4975
4977 This product includes software developed by the OpenSSL Project (
4978 http://www.openssl.org/ )
4979
4980 For more information on the TLS protocol, see
4981 http://www.ietf.org/rfc/rfc2246.txt
4982
4983 For more information on the LZO real-time compression library see
4984 http://www.oberhumer.com/opensource/lzo/
4985
4987 Copyright (C) 2002-2018 OpenVPN Inc This program is free software; you
4988 can redistribute it and/or modify it under the terms of the GNU General
4989 Public License version 2 as published by the Free Software Foundation.
4990
4992 James Yonan <jim@yonan.net>
4993
4994
4995
4996 28 February 2018 openvpn(8)