1OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)
2
3
4

NAME

6       openvpn - Secure IP tunnel daemon
7

SYNOPSIS

9       openvpn [ options ... ]
10       openvpn  --help
11
12

INTRODUCTION

14       OpenVPN  is  an  open source VPN daemon by James Yonan. Because OpenVPN
15       tries to be a universal VPN tool offering a great deal of  flexibility,
16       there  are a lot of options on this manual page. If you're new to Open‐
17       VPN, you might want to skip ahead to the  examples  section  where  you
18       will  see how to construct simple VPNs on the command line without even
19       needing a configuration file.
20
21       Also note that there's more documentation and examples on  the  OpenVPN
22       web site: https://openvpn.net/
23
24       And  if you would like to see a shorter version of this manual, see the
25       openvpn usage message which can be obtained by running openvpn  without
26       any parameters.
27

DESCRIPTION

29       OpenVPN  is  a  robust and highly flexible VPN daemon. OpenVPN supports
30       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
31       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
32       scalability to hundreds or thousands of users, and portability to  most
33       major OS platforms.
34
35       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
36       its crypto capabilities from it.
37
38       OpenVPN supports conventional encryption using a pre-shared secret  key
39       (Static  Key mode) or public key security (SSL/TLS mode) using client &
40       server certificates. OpenVPN also supports non-encrypted  TCP/UDP  tun‐
41       nels.
42
43       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
44       face that exists on most platforms.
45
46       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
47       with a relatively lightweight footprint.
48

OPTIONS

50       OpenVPN allows any option to be placed either on the command line or in
51       a configuration file. Though all command line options are preceded by a
52       double-leading-dash  ("--"),  this prefix can be removed when an option
53       is placed in a configuration file.
54
55   Generic Options
56       This section covers generic options which are accessible regardless  of
57       which mode OpenVPN is configured as.
58
59       --help Show options.
60
61       --auth-nocache
62              Don't  cache --askpass or --auth-user-pass username/passwords in
63              virtual memory.
64
65              If specified, this directive will cause OpenVPN  to  immediately
66              forget  username/password  inputs  after they are used. As a re‐
67              sult, when OpenVPN needs a username/password, it will prompt for
68              input  from  stdin, which may be multiple times during the dura‐
69              tion of an OpenVPN session.
70
71              When using --auth-nocache in combination  with  a  user/password
72              file  and  --chroot  or  --daemon,  make sure to use an absolute
73              path.
74
75              This directive does not affect the  --http-proxy  username/pass‐
76              word.  It is always cached.
77
78       --cd dir
79              Change  directory to dir prior to reading any files such as con‐
80              figuration files, key files, scripts, etc. dir should be an  ab‐
81              solute  path,  with a leading "/", and without any references to
82              the current directory such as . or ...
83
84              This option is useful when you are running OpenVPN  in  --daemon
85              mode,  and  you  want to consolidate all of your OpenVPN control
86              files in one location.
87
88       --chroot dir
89              Chroot to dir after initialization. --chroot  essentially  rede‐
90              fines  dir  as  being  the top level directory tree (/). OpenVPN
91              will therefore be unable to access any files outside this  tree.
92              This can be desirable from a security standpoint.
93
94              Since  the  chroot  operation is delayed until after initializa‐
95              tion, most OpenVPN options that reference files will operate  in
96              a pre-chroot context.
97
98              In  many  cases,  the dir parameter can point to an empty direc‐
99              tory, however complications can result when scripts or  restarts
100              are executed after the chroot operation.
101
102              Note:  The  SSL  library  will  probably need /dev/urandom to be
103              available inside the chroot directory dir. This is  because  SSL
104              libraries occasionally need to collect fresh random. Newer linux
105              kernels and some BSDs implement a  getrandom()  or  getentropy()
106              syscall that removes the need for /dev/urandom to be available.
107
108       --config file
109              Load  additional config options from file where each line corre‐
110              sponds to one command line option, but with the leading '--' re‐
111              moved.
112
113              If  --config file is the only option to the openvpn command, the
114              --config can be removed, and the command can be given as openvpn
115              file
116
117              Note  that  configuration  files  can  be nested to a reasonable
118              depth.
119
120              Double quotation or single quotation characters ("", '') can  be
121              used to enclose single parameters containing whitespace, and "#"
122              or ";" characters in the first column can be used to denote com‐
123              ments.
124
125              Note  that OpenVPN 2.0 and higher performs backslash-based shell
126              escaping for characters not in single quotations, so the follow‐
127              ing mappings should be observed:
128
129                 \\       Maps to a single backslash character (\).
130                 \"       Pass a literal doublequote character ("), don't
131                          interpret it as enclosing a parameter.
132                 \[SPACE] Pass a literal space or tab character, don't
133                          interpret it as a parameter delimiter.
134
135              For  example  on  Windows,  use  double backslashes to represent
136              pathnames:
137
138                 secret "c:\\OpenVPN\\secret.key"
139
140              For     examples      of      configuration      files,      see
141              https://openvpn.net/community-resources/how-to/
142
143              Here is an example configuration file:
144
145                 #
146                 # Sample OpenVPN configuration file for
147                 # using a pre-shared static key.
148                 #
149                 # '#' or ';' may be used to delimit comments.
150
151                 # Use a dynamic tun device.
152                 dev tun
153
154                 # Our remote peer
155                 remote mypeer.mydomain
156
157                 # 10.1.0.1 is our local VPN endpoint
158                 # 10.1.0.2 is our remote VPN endpoint
159                 ifconfig 10.1.0.1 10.1.0.2
160
161                 # Our pre-shared static key
162                 secret static.key
163
164       --daemon progname
165              Become  a  daemon  after  all  initialization functions are com‐
166              pleted. This option will cause all message and error  output  to
167              be  sent  to the syslog file (such as /var/log/messages), except
168              for the output of scripts and ifconfig commands, which  will  go
169              to /dev/null unless otherwise redirected. The syslog redirection
170              occurs immediately at the point that --daemon is parsed  on  the
171              command  line  even though the daemonization point occurs later.
172              If one of the --log options is present, it will supersede syslog
173              redirection.
174
175              The optional progname parameter will cause OpenVPN to report its
176              program name to the system logger as progname. This can be  use‐
177              ful in linking OpenVPN messages in the syslog file with specific
178              tunnels. When unspecified, progname defaults to "openvpn".
179
180              When OpenVPN is run with the --daemon option, it will try to de‐
181              lay daemonization until the majority of initialization functions
182              which are capable of generating fatal errors are complete.  This
183              means  that initialization scripts can test the return status of
184              the openvpn command for a fairly reliable indication of  whether
185              the  command  has  correctly  initialized and entered the packet
186              forwarding event loop.
187
188              In OpenVPN, the vast majority of errors which occur  after  ini‐
189              tialization are non-fatal.
190
191              Note:  as  soon  as  OpenVPN  has daemonized, it can not ask for
192              usernames, passwords, or key pass phrases anymore. This has cer‐
193              tain  consequences,  namely that using a password-protected pri‐
194              vate key will fail unless the --askpass option is used  to  tell
195              OpenVPN  to  ask for the pass phrase (this requirement is new in
196              v2.3.7, and is a consequence of calling daemon() before initial‐
197              izing the crypto layer).
198
199              Further,  using --daemon together with --auth-user-pass (entered
200              on console) and --auth-nocache will fail as soon as key  renego‐
201              tiation (and reauthentication) occurs.
202
203       --disable-occ
204              Don't output a warning message if option inconsistencies are de‐
205              tected between peers. An  example  of  an  option  inconsistency
206              would be where one peer uses --dev tun while the other peer uses
207              --dev tap.
208
209              Use of this option is discouraged, but is provided as  a  tempo‐
210              rary  fix  in  situations where a recent version of OpenVPN must
211              connect to an old version.
212
213       --engine engine-name
214              Enable OpenSSL hardware-based crypto engine functionality.
215
216              If engine-name is specified, use a specific crypto  engine.  Use
217              the  --show-engines standalone option to list the crypto engines
218              which are supported by OpenSSL.
219
220       --fast-io
221              (Experimental) Optimize TUN/TAP/UDP I/O  writes  by  avoiding  a
222              call to poll/epoll/select prior to the write operation. The pur‐
223              pose of such a call would normally be to block until the  device
224              or  socket is ready to accept the write. Such blocking is unnec‐
225              essary on some platforms which don't support write  blocking  on
226              UDP  sockets or TUN/TAP devices. In such cases, one can optimize
227              the event loop by avoiding the poll/epoll/select call, improving
228              CPU efficiency by 5% to 10%.
229
230              This  option  can  only  be  used  on  non-Windows systems, when
231              --proto udp is specified, and when --shaper is NOT specified.
232
233       --group group
234              Similar to the --user option, this option changes the  group  ID
235              of the OpenVPN process to group after initialization.
236
237       --ignore-unknown-option args
238              Valid syntax:
239
240                 ignore-unknown-options opt1 opt2 opt3 ... optN
241
242              When one of options opt1 ... optN is encountered in the configu‐
243              ration file the configuration file parsing does not fail if this
244              OpenVPN  version  does  not  support  the option. Multiple --ig‐
245              nore-unknown-option options can be given  to  support  a  larger
246              number of options to ignore.
247
248              This option should be used with caution, as there are good secu‐
249              rity reasons for having OpenVPN fail if it detects problems in a
250              config  file.   Having  said  that,  there are valid reasons for
251              wanting new software features to gracefully degrade when encoun‐
252              tered by older software versions.
253
254              --ignore-unknown-option is available since OpenVPN 2.3.3.
255
256       --iproute cmd
257              Set  alternate  command  to  execute instead of default iproute2
258              command.  May be used in order to execute  OpenVPN  in  unprivi‐
259              leged environment.
260
261       --keying-material-exporter args
262              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
263              between 16 and 4095  bytes)  using  label  in  environment  (ex‐
264              ported_keying_material)    for   use   by   plugins   in   OPEN‐
265              VPN_PLUGIN_TLS_FINAL callback.
266
267              Valid syntax:
268
269                 keying-material-exporter label len
270
271              Note that exporter labels have the potential to collide with ex‐
272              isting  PRF  labels. In order to prevent this, labels MUST begin
273              with EXPORTER.
274
275       --mlock
276              Disable paging by calling the POSIX mlockall function.  Requires
277              that OpenVPN be initially run as root (though OpenVPN can subse‐
278              quently downgrade its UID using the --user option).
279
280              Using this option ensures that key material and tunnel data  are
281              never  written  to  disk due to virtual memory paging operations
282              which occur under most modern operating systems. It ensures that
283              even  if  an attacker was able to crack the box running OpenVPN,
284              he would not be able to scan the system  swap  file  to  recover
285              previously  used  ephemeral keys, which are used for a period of
286              time governed by the --reneg options (see below), then are  dis‐
287              carded.
288
289              The  downside of using --mlock is that it will reduce the amount
290              of physical memory available to other applications.
291
292              The limit on how much memory can be locked and how that limit is
293              enforced  are  OS-dependent.  On Linux the default limit that an
294              unprivileged process may lock (RLIMIT_MEMLOCK) is  low,  and  if
295              privileges  are  dropped  later,  future memory allocations will
296              very likely fail. The limit can be  increased  using  ulimit  or
297              systemd directives depending on how OpenVPN is started.
298
299       --nice n
300              Change  process  priority after initialization (n greater than 0
301              is lower priority, n less than zero is higher priority).
302
303       --persist-key
304              Don't re-read key files across SIGUSR1 or --ping-restart.
305
306              This option can be combined with --user nobody to allow restarts
307              triggered by the SIGUSR1 signal. Normally if you drop root priv‐
308              ileges in OpenVPN, the daemon cannot be restarted since it  will
309              now be unable to re-read protected key files.
310
311              This option solves the problem by persisting keys across SIGUSR1
312              resets, so they don't need to be re-read.
313
314       --remap-usr1 signal
315              Control whether internally or externally generated SIGUSR1  sig‐
316              nals  are  remapped to SIGHUP (restart without persisting state)
317              or SIGTERM (exit).
318
319              signal can be set to SIGHUP or SIGTERM. By default, no remapping
320              occurs.
321
322       --script-security level
323              This  directive offers policy-level control over OpenVPN's usage
324              of external programs and scripts. Lower level  values  are  more
325              restrictive,  higher  values  are  more permissive. Settings for
326              level:
327
328              0      Strictly no calling of external programs.
329
330              1      (Default) Only call built-in executables such  as  ifcon‐
331                     fig, ip, route, or netsh.
332
333              2      Allow  calling  of  built-in executables and user-defined
334                     scripts.
335
336              3      Allow passwords to be passed to scripts via environmental
337                     variables (potentially unsafe).
338
339              OpenVPN  releases before v2.3 also supported a method flag which
340              indicated how OpenVPN should call external commands and scripts.
341              This  could  be either execve or system. As of OpenVPN 2.3, this
342              flag is no longer accepted. In most *nix  environments  the  ex‐
343              ecve() approach has been used without any issues.
344
345              Some  directives  such as --up allow options to be passed to the
346              external script. In these cases make sure the script  name  does
347              not  contain  any  spaces or the configuration parser will choke
348              because it can't determine where the script name ends and script
349              options start.
350
351              To run scripts in Windows in earlier OpenVPN versions you needed
352              to either add a full path to the script  interpreter  which  can
353              parse the script or use the system flag to run these scripts. As
354              of OpenVPN 2.3 it is now a strict requirement to have full  path
355              to  the  script  interpreter when running non-executables files.
356              This is not needed for executable files,  such  as  .exe,  .com,
357              .bat  or  .cmd  files.  For  example, if you have a Visual Basic
358              script, you must use this syntax now:
359
360                 --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
361
362              Please note the single quote marks and the escaping of the back‐
363              slashes (\) and the space character.
364
365              The reason the support for the system flag was removed is due to
366              the security implications with shell expansions  when  executing
367              scripts via the system() call.
368
369       --setcon context
370              Apply  SELinux  context  after  initialization. This essentially
371              provides the ability to restrict OpenVPN's rights to  only  net‐
372              work  I/O  operations, thanks to SELinux. This goes further than
373              --user and --chroot in that those two, while being  great  secu‐
374              rity  features,  unfortunately  do not protect against privilege
375              escalation by exploitation of a vulnerable system call. You  can
376              of  course  combine all three, but please note that since setcon
377              requires access to /proc you will have to provide it inside  the
378              chroot directory (e.g. with mount --bind).
379
380              Since  the  setcon  operation is delayed until after initializa‐
381              tion, OpenVPN can be restricted to just  network-related  system
382              calls,  whereas  by applying the context before startup (such as
383              the OpenVPN one provided in the SELinux Reference Policies)  you
384              will  have to allow many things required only during initializa‐
385              tion.
386
387              Like with chroot,  complications  can  result  when  scripts  or
388              restarts  are  executed after the setcon operation, which is why
389              you should really consider using the  --persist-key  and  --per‐
390              sist-tun options.
391
392       --status args
393              Write operational status to file every n seconds.
394
395              Valid syntaxes:
396
397                 status file
398                 status file n
399
400              Status  can  also  be written to the syslog by sending a SIGUSR2
401              signal.
402
403              With multi-client capability enabled on  a  server,  the  status
404              file  includes a list of clients and a routing table. The output
405              format can be controlled by the --status-version option in  that
406              case.
407
408              For clients or instances running in point-to-point mode, it will
409              contain the traffic statistics.
410
411       --status-version n
412              Set the status file format version number to n.
413
414              This only affects the status file on servers  with  multi-client
415              capability enabled.  Valid status version values:
416
417              1      Traditional  format  (default).  The client list contains
418                     the following fields comma-separated: Common  Name,  Real
419                     Address, Bytes Received, Bytes Sent, Connected Since.
420
421              2      A  more reliable format for external processing. Compared
422                     to version 1, the client list  contains  some  additional
423                     fields:  Virtual Address, Virtual IPv6 Address, Username,
424                     Client ID, Peer ID, Data Channel Cipher. Future  versions
425                     may extend the number of fields.
426
427              3      Identical to 2, but fields are tab-separated.
428
429       --test-crypto
430              Do a self-test of OpenVPN's crypto options by encrypting and de‐
431              crypting test packets using the data channel encryption  options
432              specified  above.   This option does not require a peer to func‐
433              tion, and therefore can be specified without --dev or --remote.
434
435              The typical usage of --test-crypto would be something like this:
436
437                 openvpn --test-crypto --secret key
438
439              or
440
441                 openvpn --test-crypto --secret key --verb 9
442
443              This option is very useful to test OpenVPN  after  it  has  been
444              ported  to  a  new  platform, or to isolate problems in the com‐
445              piler, OpenSSL crypto library, or OpenVPN's crypto  code.  Since
446              it is a self-test mode, problems with encryption and authentica‐
447              tion can be debugged independently of network and tunnel issues.
448
449       --tmp-dir dir
450              Specify a directory dir for temporary files. This directory will
451              be used by openvpn processes and script to communicate temporary
452              data with openvpn main process. Note that the directory must  be
453              writable  by  the OpenVPN process after it has dropped it's root
454              privileges.
455
456              This directory will be used by in the following cases:
457
458              • --client-connect  scripts  and   OPENVPN_PLUGIN_CLIENT_CONNECT
459                plug-in  hook to dynamically generate client-specific configu‐
460                ration client_connect_config_file and  return  success/failure
461                via  client_connect_deferred_file  when  using deferred client
462                connect method
463
464              • OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  plug-in  hooks   returns
465                success/failure via auth_control_file when using deferred auth
466                method
467
468              • OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass  filtering  rules
469                via pf_file
470
471       --use-prediction-resistance
472              Enable prediction resistance on mbed TLS's RNG.
473
474              Enabling  prediction resistance causes the RNG to reseed in each
475              call for random. Reseeding this often can  quickly  deplete  the
476              kernel entropy pool.
477
478              If  you  need this option, please consider running a daemon that
479              adds entropy to the kernel pool.
480
481       --user user
482              Change the user ID of the OpenVPN process to user after initial‐
483              ization, dropping privileges in the process. This option is use‐
484              ful to protect the system in the event that some  hostile  party
485              was able to gain control of an OpenVPN session. Though OpenVPN's
486              security features make this unlikely, it is provided as a second
487              line of defense.
488
489              By  setting  user  to nobody or somebody similarly unprivileged,
490              the hostile party would be limited in  what  damage  they  could
491              cause.  Of  course once you take away privileges, you cannot re‐
492              turn them to an OpenVPN session. This means, for  example,  that
493              if  you  want  to  reset an OpenVPN daemon with a SIGUSR1 signal
494              (for example in response to a DHCP reset), you should  make  use
495              of  one  or more of the --persist options to ensure that OpenVPN
496              doesn't need to execute any privileged operations  in  order  to
497              restart (such as re-reading key files or running ifconfig on the
498              TUN device).
499
500       --writepid file
501              Write OpenVPN's main process ID to file.
502
503   Log options
504       --echo parms
505              Echo parms to log output.
506
507              Designed to be used to send messages to a  controlling  applica‐
508              tion which is receiving the OpenVPN log output.
509
510       --errors-to-stderr
511              Output  errors  to stderr instead of stdout unless log output is
512              redirected by one of the --log options.
513
514       --log file
515              Output logging  messages  to  file,  including  output  to  std‐
516              out/stderr which is generated by called scripts. If file already
517              exists it will be truncated. This option  takes  effect  immedi‐
518              ately  when  it is parsed in the command line and will supersede
519              syslog output if --daemon or --inetd is also specified. This op‐
520              tion  is persistent over the entire course of an OpenVPN instan‐
521              tiation  and  will  not  be  reset  by   SIGHUP,   SIGUSR1,   or
522              --ping-restart.
523
524              Note that on Windows, when OpenVPN is started as a service, log‐
525              ging occurs by default without the need to specify this option.
526
527       --log-append file
528              Append logging messages to file.  If file  does  not  exist,  it
529              will  be  created. This option behaves exactly like --log except
530              that it appends to rather than truncating the log file.
531
532       --machine-readable-output
533              Always write timestamps and message flags to log messages,  even
534              when  they  otherwise would not be prefixed. In particular, this
535              applies to log messages sent to stdout.
536
537       --mute n
538              Log at most n consecutive messages in the same category. This is
539              useful to limit repetitive logging of similar message types.
540
541       --mute-replay-warnings
542              Silence  the output of replay warnings, which are a common false
543              alarm on WiFi networks. This option preserves  the  security  of
544              the replay protection code without the verbosity associated with
545              warnings about duplicate packets.
546
547       --suppress-timestamps
548              Avoid writing timestamps to log messages, even when they  other‐
549              wise would be prepended. In particular, this applies to log mes‐
550              sages sent to stdout.
551
552       --syslog progname
553              Direct log output to system logger, but do not become a  daemon.
554              See --daemon directive above for description of progname parame‐
555              ter.
556
557       --verb n
558              Set output verbosity to n (default 1). Each level shows all info
559              from  the  previous levels. Level 3 is recommended if you want a
560              good summary of what's happening without being swamped  by  out‐
561              put.
562
563              0      No output except fatal errors.
564
565              1 to 4 Normal usage range.
566
567              5      Outputs R and W characters to the console for each packet
568                     read and write, uppercase is used for TCP/UDP packets and
569                     lowercase is used for TUN/TAP packets.
570
571              6 to 11
572                     Debug  info  range (see errlevel.h in the source code for
573                     additional information on debug levels).
574
575   Protocol options
576       Options in this section affect features available in the  OpenVPN  wire
577       protocol.   Many of these options also define the encryption options of
578       the data channel in the OpenVPN wire protocol.  These options  must  be
579       configured in a compatible way between both the local and remote side.
580
581       --allow-compression mode
582              As  described  in the --compress option, compression is a poten‐
583              tially dangerous option.  This option allows controlling the be‐
584              haviour of OpenVPN when compression is used and allowed.
585
586              Valid syntaxes:
587
588                 allow-compression
589                 allow-compression mode
590
591              The mode argument can be one of the following values:
592
593              asym (default)
594                     OpenVPN  will  only  decompress  downlink packets but not
595                     compress uplink packets.  This also allows  migrating  to
596                     disable  compression when changing both server and client
597                     configurations to remove compression at the same time  is
598                     not a feasible option.
599
600              no     OpenVPN will refuse any non-stub compression.
601
602              yes    OpenVPN will send and receive compressed packets.
603
604       --auth alg
605              Authenticate data channel packets and (if enabled) tls-auth con‐
606              trol channel packets with HMAC using  message  digest  algorithm
607              alg. (The default is SHA1 ). HMAC is a commonly used message au‐
608              thentication algorithm (MAC) that uses a data string,  a  secure
609              hash algorithm and a key to produce a digital signature.
610
611              The  OpenVPN  data  channel protocol uses encrypt-then-mac (i.e.
612              first encrypt a packet  then  HMAC  the  resulting  ciphertext),
613              which prevents padding oracle attacks.
614
615              If  an  AEAD cipher mode (e.g. GCM) is chosen then the specified
616              --auth algorithm is ignored for the data channel and the authen‐
617              tication  method  of  the AEAD cipher is used instead. Note that
618              alg still specifies the digest used for tls-auth.
619
620              In static-key encryption mode, the HMAC key is included  in  the
621              key file generated by --genkey. In TLS mode, the HMAC key is dy‐
622              namically generated and shared between peers via the TLS control
623              channel.  If  OpenVPN  receives a packet with a bad HMAC it will
624              drop the packet. HMAC usually adds 16 or 20  bytes  per  packet.
625              Set alg=none to disable authentication.
626
627              For        more        information       on       HMAC       see
628              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
629
630       --cipher alg
631              This option is deprecated for server-client mode. --data-ciphers
632              or possibly --data-ciphers-fallback` should be used instead.
633
634              Encrypt data channel packets with cipher algorithm alg.
635
636              The  default  is  BF-CBC, an abbreviation for Blowfish in Cipher
637              Block Chaining mode. When cipher negotiation (NCP)  is  allowed,
638              OpenVPN  2.4 and newer on both client and server side will auto‐
639              matically  upgrade  to  AES-256-GCM.   See  --data-ciphers   and
640              --ncp-disable for more details on NCP.
641
642              Using  BF-CBC  is  no  longer recommended, because of its 64-bit
643              block size. This small block size allows attacks based on colli‐
644              sions,       as      demonstrated      by      SWEET32.      See
645              https://community.openvpn.net/openvpn/wiki/SWEET32 for  details.
646              Due  to  this,  support for BF-CBC, DES, CAST5, IDEA and RC2 ci‐
647              phers will be removed in OpenVPN 2.6.
648
649              To see other ciphers that are available with  OpenVPN,  use  the
650              --show-ciphers option.
651
652              Set alg to none to disable encryption.
653
654       --compress algorithm
655              DEPRECATED  Enable a compression algorithm.  Compression is gen‐
656              erally not recommended.  VPN tunnels which use  compression  are
657              susceptible to the VORALCE attack vector.
658
659              The  algorithm  parameter may be lzo, lz4, lz4-v2, stub, stub-v2
660              or empty.  LZO and LZ4  are  different  compression  algorithms,
661              with  LZ4 generally offering the best performance with least CPU
662              usage.
663
664              The lz4-v2 and stub-v2 variants implement a better framing  that
665              does  not  add  overhead  when packets cannot be compressed. All
666              other variants always add one extra framing byte compared to  no
667              compression framing.
668
669              If  the  algorithm parameter is stub, stub-v2 or empty, compres‐
670              sion will be turned off, but the packet framing for  compression
671              will still be enabled, allowing a different setting to be pushed
672              later.  Additionally, stub and stub-v2  wil  disable  announcing
673              lzo and lz4 compression support via IV_ variables to the server.
674
675              Note:  the  stub  (or  empty)  option is NOT compatible with the
676              older option --comp-lzo no.
677
678              *Security Considerations*
679
680              Compression and encryption is a tricky combination.  If  an  at‐
681              tacker  knows or is able to control (parts of) the plain-text of
682              packets that contain secrets, the attacker might be able to  ex‐
683              tract  the  secret if compression is enabled. See e.g. the CRIME
684              and BREACH attacks on TLS and VORACLE on VPNs which also  lever‐
685              age  to  break encryption. If you are not entirely sure that the
686              above does not apply to your traffic, you are advised to not en‐
687              able compression.
688
689       --comp-lzo mode
690              DEPRECATED  Enable  LZO  compression  algorithm.  Compression is
691              generally not recommended.  VPN tunnels which  uses  compression
692              are suspectible to the VORALCE attack vector.
693
694              Use  LZO  compression -- may add up to 1 byte per packet for in‐
695              compressible data. mode may be yes, no, or adaptive (default).
696
697              In a server mode setup, it is possible to selectively turn  com‐
698              pression on or off for individual clients.
699
700              First,  make  sure the client-side config file enables selective
701              compression by having at least one --comp-lzo directive, such as
702              --comp-lzo  no.  This  will turn off compression by default, but
703              allow a future directive push from  the  server  to  dynamically
704              change the on/off/adaptive setting.
705
706              Next in a --client-config-dir file, specify the compression set‐
707              ting for the client, for example:
708
709                 comp-lzo yes
710                 push "comp-lzo yes"
711
712              The first line sets the comp-lzo setting for the server side  of
713              the link, the second sets the client side.
714
715       --comp-noadapt
716              DEPRECATED When used in conjunction with --comp-lzo, this option
717              will disable OpenVPN's adaptive compression algorithm. Normally,
718              adaptive compression is enabled with --comp-lzo.
719
720              Adaptive  compression  tries to optimize the case where you have
721              compression enabled, but you are  sending  predominantly  incom‐
722              pressible  (or  pre-compressed) packets over the tunnel, such as
723              an FTP or rsync transfer of a large, compressed file. With adap‐
724              tive  compression, OpenVPN will periodically sample the compres‐
725              sion process to measure its efficiency. If the data  being  sent
726              over  the  tunnel  is  already compressed, the compression effi‐
727              ciency will be very low, triggering openvpn to disable  compres‐
728              sion for a period of time until the next re-sample test.
729
730       --key-direction
731              Alternative  way  of specifying the optional direction parameter
732              for the --tls-auth and --secret options. Useful when  using  in‐
733              line files (See section on inline files).
734
735       --keysize n
736              DEPRECATED This option will be removed in OpenVPN 2.6.
737
738              Size  of cipher key in bits (optional). If unspecified, defaults
739              to cipher-specific default. The --show-ciphers option  (see  be‐
740              low)  shows  all  available  OpenSSL  ciphers, their default key
741              sizes, and whether the key size can  be  changed.  Use  care  in
742              changing a cipher's default key size. Many ciphers have not been
743              extensively cryptanalyzed with non-standard key lengths,  and  a
744              larger  key  may offer no real guarantee of greater security, or
745              may even reduce security.
746
747       --data-ciphers cipher-list
748              Restrict the allowed ciphers to be negotiated to the ciphers  in
749              cipher-list.  cipher-list  is a colon-separated list of ciphers,
750              and defaults to AES-256-GCM:AES-128-GCM.
751
752              For servers, the first cipher from cipher-list that is also sup‐
753              ported  by the client will be pushed to clients that support ci‐
754              pher negotiation.
755
756              Cipher negotiation is enabled in client-server mode  only.  I.e.
757              if  --mode  is  set to 'server' (server-side, implied by setting
758              --server ), or if --pull is specified (client-side,  implied  by
759              setting --client).
760
761              If no common cipher is found during cipher negotiation, the con‐
762              nection is terminated. To support old clients/old  servers  that
763              do  not  provide  any  cipher negotiation support see --data-ci‐
764              phers-fallback.
765
766              Additionally, to allow for more smooth transition, if NCP is en‐
767              abled,  OpenVPN  will inherit the cipher of the peer if that ci‐
768              pher is different from the local --cipher setting, but the  peer
769              cipher is one of the ciphers specified in --data-ciphers. E.g. a
770              non-NCP client (<=v2.3, or with --ncp-disabled  set)  connecting
771              to  a NCP server (v2.4+) with --cipher BF-CBC and --data-ciphers
772              AES-256-GCM:AES-256-CBC set can either specify  --cipher  BF-CBC
773              or --cipher AES-256-CBC and both will work.
774
775              Note  for using NCP with an OpenVPN 2.4 peer: This list must in‐
776              clude the AES-256-GCM and AES-128-GCM ciphers.
777
778              This list is restricted to be 127 chars long after conversion to
779              OpenVPN ciphers.
780
781              This option was called --ncp-ciphers in OpenVPN 2.4 but has been
782              renamed to --data-ciphers in OpenVPN 2.5 to more accurately  re‐
783              flect its meaning.
784
785       --data-ciphers-fallback alg
786              Configure  a cipher that is used to fall back to if we could not
787              determine which cipher the peer is willing to use.
788
789              This option should only be needed to connect to peers  that  are
790              running  OpenVPN 2.3 and older version, and have been configured
791              with --enable-small (typically used on routers or other embedded
792              devices).
793
794       --ncp-disable
795              DEPRECATED  Disable  "Negotiable  Crypto  Parameters". This com‐
796              pletely disables cipher negotiation.
797
798       --secret args
799              Enable Static Key encryption mode (non-TLS). Use pre-shared  se‐
800              cret file which was generated with --genkey.
801
802              Valid syntaxes:
803
804                 secret file
805                 secret file direction
806
807              The  optional  direction parameter enables the use of 4 distinct
808              keys (HMAC-send, cipher-encrypt, HMAC-receive,  cipher-decrypt),
809              so that each data flow direction has a different set of HMAC and
810              cipher keys. This has a number of desirable security  properties
811              including  eliminating  certain  kinds of DoS and message replay
812              attacks.
813
814              When the direction parameter is omitted, 2 keys are  used  bidi‐
815              rectionally,  one  for HMAC and the other for encryption/decryp‐
816              tion.
817
818              The direction parameter should always be complementary on either
819              side of the connection, i.e. one side should use 0 and the other
820              should use 1, or both sides should omit it altogether.
821
822              The direction parameter requires that file contains a  2048  bit
823              key.  While  pre-1.5  versions  of OpenVPN generate 1024 bit key
824              files, any version of OpenVPN which supports the  direction  pa‐
825              rameter,  will  also  support 2048 bit key file generation using
826              the --genkey option.
827
828              Static key encryption mode has certain advantages,  the  primary
829              being ease of configuration.
830
831              There  are no certificates or certificate authorities or compli‐
832              cated negotiation handshakes and protocols. The only requirement
833              is  that  you  have a pre-existing secure channel with your peer
834              (such as ssh) to initially copy the key. This requirement, along
835              with  the  fact  that your key never changes unless you manually
836              generate a new one, makes it somewhat less secure than TLS  mode
837              (see  below).  If  an attacker manages to steal your key, every‐
838              thing that was ever encrypted with it is  compromised.  Contrast
839              that  to the perfect forward secrecy features of TLS mode (using
840              Diffie Hellman key exchange), where even if an attacker was able
841              to  steal your private key, he would gain no information to help
842              him decrypt past sessions.
843
844              Another advantageous aspect of Static  Key  encryption  mode  is
845              that  it is a handshake-free protocol without any distinguishing
846              signature or feature (such as a header or protocol handshake se‐
847              quence)  that  would mark the ciphertext packets as being gener‐
848              ated by OpenVPN. Anyone eavesdropping  on  the  wire  would  see
849              nothing but random-looking data.
850
851       --tran-window n
852              Transition  window -- our old key can live this many seconds af‐
853              ter a new a key renegotiation  begins  (default  3600  seconds).
854              This  feature  allows  for a graceful transition from old to new
855              key, and removes the key renegotiation sequence from the  criti‐
856              cal path of tunnel data forwarding.
857
858   Client Options
859       The  client  options are used when connecting to an OpenVPN server con‐
860       figured to use --server, --server-bridge, or --mode server in its  con‐
861       figuration.
862
863       --allow-pull-fqdn
864              Allow  client  to  pull DNS names from server (rather than being
865              limited  to   IP   address)   for   --ifconfig,   --route,   and
866              --route-gateway.
867
868       --allow-recursive-routing
869              When  this  option  is  set,  OpenVPN will not drop incoming tun
870              packets with same destination as host.
871
872       --auth-token token
873              This is not an option to be used directly in  any  configuration
874              files,  but  rather  push  this  option  from a --client-connect
875              script   or   a   --plugin   which   hooks   into   the    OPEN‐
876              VPN_PLUGIN_CLIENT_CONNECT   or  OPENVPN_PLUGIN_CLIENT_CONNECT_V2
877              calls. This option provides a possibility to replace the clients
878              password with an authentication token during the lifetime of the
879              OpenVPN client.
880
881              Whenever   the    connection    is    renegotiated    and    the
882              --auth-user-pass-verify  script  or  --plugin  making use of the
883              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is triggered, it  will
884              pass over this token as the password instead of the password the
885              user provided. The authentication token can only be reset  by  a
886              full  reconnect  where  the  server  can push new options to the
887              client. The password the user entered is never preserved once an
888              authentication  token  has  been set. If the OpenVPN server side
889              rejects the authentication token then the client will receive an
890              AUTH_FAILED and disconnect.
891
892              The purpose of this is to enable two factor authentication meth‐
893              ods, such as HOTP or TOTP, to be used  without  needing  to  re‐
894              trieve  a new OTP code each time the connection is renegotiated.
895              Another use case is to cache authentication data on  the  client
896              without needing to have the users password cached in memory dur‐
897              ing the life time of the session.
898
899              To make use of this  feature,  the  --client-connect  script  or
900              --plugin needs to put
901
902                 push "auth-token UNIQUE_TOKEN_VALUE"
903
904              into  the  file/buffer for dynamic configuration data. This will
905              then make the OpenVPN server to push this value to  the  client,
906              which replaces the local password with the UNIQUE_TOKEN_VALUE.
907
908              Newer  clients  (2.4.7+) will fall back to the original password
909              method after a failed auth. Older clients will  keep  using  the
910              token value and react according to --auth-retry
911
912       --auth-user-pass
913              Authenticate with server using username/password.
914
915              Valid syntaxes:
916
917                 auth-user-pass
918                 auth-user-pass up
919
920              If up is present, it must be a file containing username/password
921              on 2 lines. If the password line is missing, OpenVPN will prompt
922              for one.
923
924              If  up  is  omitted, username/password will be prompted from the
925              console.
926
927              The server configuration must specify an --auth-user-pass-verify
928              script to verify the username/password provided by the client.
929
930       --auth-retry type
931              Controls  how OpenVPN responds to username/password verification
932              errors such as the client-side response to an  AUTH_FAILED  mes‐
933              sage  from the server or verification failure of the private key
934              password.
935
936              Normally used to prevent auth errors from  being  fatal  on  the
937              client  side,  and to permit username/password requeries in case
938              of error.
939
940              An AUTH_FAILED message is generated by the server if the  client
941              fails  --auth-user-pass  authentication,  or  if the server-side
942              --client-connect script returns an error status when the  client
943              tries to connect.
944
945              type can be one of:
946
947              none   Client  will  exit  with  a  fatal error (this is the de‐
948                     fault).
949
950              nointeract
951                     Client will retry the connection without  requerying  for
952                     an  --auth-user-pass  username/password.  Use this option
953                     for unattended clients.
954
955              interact
956                     Client  will  requery  for  an   --auth-user-pass   user‐
957                     name/password and/or private key password before attempt‐
958                     ing a reconnection.
959
960              Note that while this option cannot be pushed,  it  can  be  con‐
961              trolled from the management interface.
962
963       --client
964              A  helper  directive  designed  to simplify the configuration of
965              OpenVPN's client mode. This directive is equivalent to:
966
967                 pull
968                 tls-client
969
970       --client-nat args
971              This pushable client option sets up a stateless  one-to-one  NAT
972              rule  on  packet  addresses  (not ports), and is useful in cases
973              where routes or ifconfig settings pushed  to  the  client  would
974              create an IP numbering conflict.
975
976              Examples:
977
978                 client-nat snat 192.168.0.0/255.255.0.0
979                 client-nat dnat 10.64.0.0/255.255.0.0
980
981              network/netmask  (for  example  192.168.0.0/255.255.0.0) defines
982              the local view of a resource from the client perspective,  while
983              alias/netmask  (for  example  10.64.0.0/255.255.0.0) defines the
984              remote view from the server perspective.
985
986              Use snat (source NAT) for resources owned by the client and dnat
987              (destination NAT) for remote resources.
988
989              Set  --verb  6  for debugging info showing the transformation of
990              src/dest addresses in packets.
991
992       --connect-retry n
993              Wait n seconds between connection  attempts  (default  5).   Re‐
994              peated reconnection attempts are slowed down after 5 retries per
995              remote by doubling the wait time  after  each  unsuccessful  at‐
996              tempt.  An  optional argument max specifies the maximum value of
997              wait time in seconds at which it gets capped (default 300).
998
999       --connect-retry-max n
1000              n specifies the number of times each  --remote  or  <connection>
1001              entry  is  tried. Specifying n as 1 would try each entry exactly
1002              once. A successful connection resets the counter.  (default  un‐
1003              limited).
1004
1005       --connect-timeout n
1006              See --server-poll-timeout.
1007
1008       --explicit-exit-notify n
1009              In  UDP  client mode or point-to-point mode, send server/peer an
1010              exit notification if tunnel is restarted or OpenVPN  process  is
1011              exited.  In  client mode, on exit/restart, this option will tell
1012              the server to  immediately  close  its  client  instance  object
1013              rather than waiting for a timeout.
1014
1015              The  n parameter (default 1 if not present) controls the maximum
1016              number of attempts that the client will try to resend  the  exit
1017              notification message.
1018
1019              In UDP server mode, send RESTART control channel command to con‐
1020              nected clients. The n parameter (default 1 if not present)  con‐
1021              trols  client behavior. With n = 1 client will attempt to recon‐
1022              nect to the same server, with n = 2 client will advance  to  the
1023              next server.
1024
1025              OpenVPN  will not send any exit notifications unless this option
1026              is enabled.
1027
1028       --inactive args
1029              Causes OpenVPN to exit after n  seconds  of  inactivity  on  the
1030              TUN/TAP  device. The time length of inactivity is measured since
1031              the last incoming or outgoing tunnel packet. The  default  value
1032              is 0 seconds, which disables this feature.
1033
1034              Valid syntaxes:
1035
1036                 inactive n
1037                 inactive n bytes
1038
1039              If  the  optional bytes parameter is included, exit if less than
1040              bytes of combined in/out traffic are produced on the tun/tap de‐
1041              vice in n seconds.
1042
1043              In  any  case,  OpenVPN's  internal ping packets (which are just
1044              keepalives) and TLS control packets are not  considered  "activ‐
1045              ity",  nor  are they counted as traffic, as they are used inter‐
1046              nally by OpenVPN and are not an indication of actual user activ‐
1047              ity.
1048
1049       --proto-force p
1050              When  iterating  through connection profiles, only consider pro‐
1051              files using protocol p (tcp | udp).
1052
1053       --pull This option must be used on a client which is  connecting  to  a
1054              multi-client  server. It indicates to OpenVPN that it should ac‐
1055              cept options pushed by the server, provided they are part of the
1056              legal  set  of  pushable options (note that the --pull option is
1057              implied by --client ).
1058
1059              In particular, --pull allows the server to push  routes  to  the
1060              client,  so  you should not use --pull or --client in situations
1061              where you don't trust  the  server  to  have  control  over  the
1062              client's routing table.
1063
1064       --pull-filter args
1065              Filter options on the client pushed by the server to the client.
1066
1067              Valid syntaxes:
1068
1069                 pull-filter accept text
1070                 pull-filter ignore text
1071                 pull-filter reject text
1072
1073              Filter  options  received  from  the server if the option starts
1074              with text.  The action flag accept allows the option, ignore re‐
1075              moves  it  and  reject  flags  an  error  and triggers a SIGUSR1
1076              restart. The filters may be specified multiple times,  and  each
1077              filter is applied in the order it is specified. The filtering of
1078              each option stops as soon as a match is found. Unmatched options
1079              are accepted by default.
1080
1081              Prefix comparison is used to match text against the received op‐
1082              tion so that
1083
1084                 pull-filter ignore "route"
1085
1086              would remove all pushed options starting with route which  would
1087              include,  for  example, route-gateway. Enclose text in quotes to
1088              embed spaces.
1089
1090                 pull-filter accept "route 192.168.1."
1091                 pull-filter ignore "route "
1092
1093              would remove all routes that do not start with 192.168.1.
1094
1095              Note that reject may result in a repeated cycle of  failure  and
1096              reconnect,  unless multiple remotes are specified and connection
1097              to the next remote succeeds. To silently ignore an option pushed
1098              by the server, use ignore.
1099
1100       --remote args
1101              Remote host name or IP address, port and protocol.
1102
1103              Valid syntaxes:
1104
1105                 remote host
1106                 remote host port
1107                 remote host port proto
1108
1109              The  port  and  proto arguments are optional. The OpenVPN client
1110              will try to connect to a server at host:port.  The  proto  argu‐
1111              ment  indicates the protocol to use when connecting with the re‐
1112              mote, and may be tcp or udp.  To enforce IPv4  or  IPv6  connec‐
1113              tions add a 4 or 6 suffix; like udp4 / udp6 / tcp4 / tcp6.
1114
1115              On  the  client,  multiple --remote options may be specified for
1116              redundancy, each referring to a different OpenVPN server, in the
1117              order specified by the list of --remote options. Specifying mul‐
1118              tiple --remote options for this purpose is a special case of the
1119              more  general  connection-profile  feature. See the <connection>
1120              documentation below.
1121
1122              The client will move on to the next host in  the  list,  in  the
1123              event  of  connection  failure. Note that at any given time, the
1124              OpenVPN client will at most be connected to one server.
1125
1126              Examples:
1127
1128                 remote server1.example.net
1129                 remote server1.example.net 1194
1130                 remote server2.example.net 1194 tcp
1131
1132              Note:  Since UDP is connectionless, connection  failure  is  de‐
1133                     fined by the --ping and --ping-restart options.
1134
1135                     Also,  if  you use multiple --remote options, AND you are
1136                     dropping root privileges on the client with --user and/or
1137                     --group  AND  the  client is running a non-Windows OS, if
1138                     the client needs to switch to  a  different  server,  and
1139                     that  server  pushes back different TUN/TAP or route set‐
1140                     tings, the client may lack the  necessary  privileges  to
1141                     close  and reopen the TUN/TAP interface. This could cause
1142                     the client to exit with a fatal error.
1143
1144              If --remote is unspecified, OpenVPN will listen for packets from
1145              any  IP  address,  but will not act on those packets unless they
1146              pass all authentication tests. This requirement for  authentica‐
1147              tion  is  binding  on all potential peers, even those from known
1148              and supposedly trusted IP addresses (it is very easy to forge  a
1149              source IP address on a UDP packet).
1150
1151              When  used in TCP mode, --remote will act as a filter, rejecting
1152              connections from any host which does not match host.
1153
1154              If host is a DNS name which resolves to multiple  IP  addresses,
1155              OpenVPN will try them in the order that the system getaddrinfo()
1156              presents them, so priorization and DNS randomization is done  by
1157              the system library. Unless an IP version is forced by the proto‐
1158              col specification (4/6 suffix), OpenVPN will try both  IPv4  and
1159              IPv6 addresses, in the order getaddrinfo() returns them.
1160
1161       --remote-random
1162              When  multiple  --remote address/ports are specified, or if con‐
1163              nection profiles are being used, initially randomize  the  order
1164              of the list as a kind of basic load-balancing measure.
1165
1166       --remote-random-hostname
1167              Prepend a random string (6 bytes, 12 hex characters) to hostname
1168              to prevent DNS caching. For example, "foo.bar.gov" would be mod‐
1169              ified to "<random-chars>.foo.bar.gov".
1170
1171       --resolv-retry n
1172              If hostname resolve fails for --remote, retry resolve for n sec‐
1173              onds before failing.
1174
1175              Set n to "infinite" to retry indefinitely.
1176
1177              By default, --resolv-retry infinite is enabled. You can  disable
1178              by setting n=0.
1179
1180       --single-session
1181              After  initially  connecting  to a remote peer, disallow any new
1182              connections. Using this option means that a remote  peer  cannot
1183              connect, disconnect, and then reconnect.
1184
1185              If  the  daemon  is reset by a signal or --ping-restart, it will
1186              allow one new connection.
1187
1188              --single-session can be used with --ping-exit or  --inactive  to
1189              create a single dynamic session that will exit when finished.
1190
1191       --server-poll-timeout n
1192              When  connecting  to a remote server do not wait for more than n
1193              seconds for a response before trying the next  server.  The  de‐
1194              fault value is 120s. This timeout includes proxy and TCP connect
1195              timeouts.
1196
1197       --static-challenge args
1198              Enable static challenge/response protocol
1199
1200              Valid syntax:
1201
1202                 static-challenge text echo
1203
1204              The text challenge text is presented to the user which describes
1205              what  information  is requested.  The echo flag indicates if the
1206              user's input should be echoed on the screen.  Valid echo  values
1207              are 0 or 1.
1208
1209              See  management-notes.txt  in the OpenVPN distribution for a de‐
1210              scription of the OpenVPN challenge/response protocol.
1211
1212       --show-proxy-settings
1213              Show sensed HTTP or SOCKS proxy settings. Currently,  only  Win‐
1214              dows clients support this option.
1215
1216       --http-proxy args
1217              Connect  to remote host through an HTTP proxy.  This requires at
1218              least an address server and port argument.   If  HTTP  Proxy-Au‐
1219              thenticate is required, a file name to an authfile file contain‐
1220              ing a username and password on 2 lines can be given, or stdin to
1221              prompt  from  console.  Its content can also be specified in the
1222              config file with the --http-proxy-user-pass option. (See section
1223              on inline files)
1224
1225              The last optional argument is an auth-method which should be one
1226              of none, basic, or ntlm.
1227
1228              HTTP Digest authentication is supported as well,  but  only  via
1229              the auto or auto-nct flags (below).  This must replace the auth‐
1230              file argument.
1231
1232              The auto flag causes  OpenVPN  to  automatically  determine  the
1233              auth-method  and  query  stdin  or  the management interface for
1234              username/password credentials, if required. This flag exists  on
1235              OpenVPN 2.1 or higher.
1236
1237              The  auto-nct flag (no clear-text auth) instructs OpenVPN to au‐
1238              tomatically determine the authentication method, but  to  reject
1239              weak authentication protocols such as HTTP Basic Authentication.
1240
1241              Examples:
1242
1243                 http-proxy proxy.example.net 3128
1244                 http-proxy proxy.example.net 3128 authfile.txt
1245                 http-proxy proxy.example.net 3128 stdin
1246                 http-proxy proxy.example.net 3128 auto basic
1247                 http-proxy proxy.example.net 3128 auto-nct ntlm
1248
1249       --http-proxy-option args
1250              Set  extended HTTP proxy options. Requires an option type as ar‐
1251              gument and an optional parameter to the  type.   Repeat  to  set
1252              multiple options.
1253
1254              VERSION version
1255                     Set HTTP version number to version (default 1.0).
1256
1257              AGENT user-agent
1258                     Set HTTP "User-Agent" string to user-agent.
1259
1260              CUSTOM-HEADER name content
1261                     Adds  the  custom Header with name as name and content as
1262                     the content of the custom HTTP header.
1263
1264              Examples:
1265
1266                 http-proxy-option VERSION 1.1
1267                 http-proxy-option AGENT OpenVPN/2.4
1268                 http-proxy-option X-Proxy-Flag some-flags
1269
1270       --socks-proxy args
1271              Connect to remote host  through  a  Socks5  proxy.   A  required
1272              server argument is needed.  Optionally a port (default 1080) and
1273              authfile can be given.  The authfile  is  a  file  containing  a
1274              username and password on 2 lines, or stdin can be used to prompt
1275              from console.
1276
1277   Server Options
1278       Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode  is  sup‐
1279       ported,  and  can  be  enabled with the --mode server option. In server
1280       mode, OpenVPN will listen on a single port for incoming client  connec‐
1281       tions.  All  client  connections will be routed through a single tun or
1282       tap interface. This mode is designed for scalability and should be able
1283       to  support  hundreds or even thousands of clients on sufficiently fast
1284       hardware. SSL/TLS authentication must be used in this mode.
1285
1286       --auth-gen-token args
1287              Returns an authentication token  to  successfully  authenticated
1288              clients.
1289
1290              Valid syntax:
1291
1292                 auth-gen-token [lifetime] [external-auth]
1293
1294              After   successful  user/password  authentication,  the  OpenVPN
1295              server will with this option generate a temporary authentication
1296              token  and  push that to the client. On the following renegotia‐
1297              tions, the OpenVPN client will pass this token  instead  of  the
1298              users  password. On the server side the server will do the token
1299              authentication internally and it will NOT do any additional  au‐
1300              thentications  against configured external user/password authen‐
1301              tication mechanisms.
1302
1303              The tokens implemented by  this  mechanism  include  an  initial
1304              timestamp and a renew timestamp and are secured by HMAC.
1305
1306              The  lifetime  argument  defines how long the generated token is
1307              valid.  The lifetime is defined in seconds. If lifetime  is  not
1308              set or it is set to 0, the token will never expire.
1309
1310              The  token  will  expire either after the configured lifetime of
1311              the token is reached or after not being renewed for more than  2
1312              *  reneg-sec seconds. Clients will be sent renewed tokens on ev‐
1313              ery TLS renogiation to keep the client's token updated. This  is
1314              done  to  invalidate  a  token if a client is disconnected for a
1315              sufficently long time, while at the same  time  permitting  much
1316              longer token lifetimes for active clients.
1317
1318              This  feature is useful for environments which are configured to
1319              use One Time Passwords (OTP) as part of  the  user/password  au‐
1320              thentications  and that authentication mechanism does not imple‐
1321              ment any auth-token support.
1322
1323              When the external-auth keyword is present the normal authentica‐
1324              tion  method  will always be called even if auth-token succeeds.
1325              Normally other authentications method are skipped if  auth-token
1326              verification suceeds or fails.
1327
1328              This  option postpones this decision to the external authentica‐
1329              tion methods and checks the validity of the account and do other
1330              checks.
1331
1332              In  this  mode  the  environment will have a session_id variable
1333              that holds the session id from auth-gen-token. Also an  environ‐
1334              ment  variable session_state is present. This variable indicates
1335              whether the auth-token has succeeded or not.  It  can  have  the
1336              following values:
1337
1338              Initial
1339                     No token from client.
1340
1341              Authenticated
1342                     Token is valid and not expired.
1343
1344              Expired
1345                     Token is valid but has expired.
1346
1347              Invalid
1348                     Token is invalid (failed HMAC or wrong length)
1349
1350              AuthenticatedEmptyUser / ExpiredEmptyUser
1351                     The  token  is  not valid with the username sent from the
1352                     client but would be valid (or expired) if  we  assume  an
1353                     empty  username  was used instead.  These two cases are a
1354                     workaround for behaviour in OpenVPN  3.   If  this  work‐
1355                     around is not needed these two cases should be handled in
1356                     the same way as Invalid.
1357
1358              Warning: Use this feature only if you want  your  authentication
1359              method  called on every verification. Since the external authen‐
1360              tication is called it needs to also indicate a success or  fail‐
1361              ure  of the authentication. It is strongly recommended to return
1362              an authentication failure in the  case  of  the  Invalid/Expired
1363              auth-token with the external-auth option unless the client could
1364              authenticate in another acceptable  way  (e.g.  client  certifi‐
1365              cate),  otherwise  returning success will lead to authentication
1366              bypass (as does returning success on a  wrong  password  from  a
1367              script).
1368
1369       --auth-gen-token-secret file
1370              Specifies  a  file  that  holds  a  secret  for the HMAC used in
1371              --auth-gen-token If file is not present OpenVPN will generate  a
1372              random secret on startup. This file should be used if auth-token
1373              should validate after restarting a server or if client should be
1374              able  to  roam  between  multiple  OpenVPN  servers  with  their
1375              auth-token.
1376
1377       --auth-user-pass-optional
1378              Allow connections  by  clients  that  do  not  specify  a  user‐
1379              name/password.  Normally, when --auth-user-pass-verify or --man‐
1380              agement-client-auth are specified (or an  authentication  plugin
1381              module),  the  OpenVPN  server  daemon  will  require connecting
1382              clients to specify a username and password.  This  option  makes
1383              the submission of a username/password by clients optional, pass‐
1384              ing the responsibility to the user-defined  authentication  mod‐
1385              ule/script  to  accept or deny the client based on other factors
1386              (such as the setting of X509 certificate fields).  When this op‐
1387              tion  is  used,  and a connecting client does not submit a user‐
1388              name/password,  the  user-defined  authentication  module/script
1389              will see the username and password as being set to empty strings
1390              (""). The authentication module/script MUST have logic to detect
1391              this condition and respond accordingly.
1392
1393       --ccd-exclusive
1394              Require,  as  a  condition  of authentication, that a connecting
1395              client has a --client-config-dir file.
1396
1397       --client-config-dir dir
1398              Specify a directory dir for custom client config files. After  a
1399              connecting  client  has been authenticated, OpenVPN will look in
1400              this directory for a file having the same name as  the  client's
1401              X509  common  name. If a matching file exists, it will be opened
1402              and parsed for  client-specific  configuration  options.  If  no
1403              matching  file  is  found,  OpenVPN will instead try to open and
1404              parse a default file called "DEFAULT", which may be provided but
1405              is not required. Note that the configuration files must be read‐
1406              able by the OpenVPN process after it has dropped it's root priv‐
1407              ileges.
1408
1409              This  file can specify a fixed IP address for a given client us‐
1410              ing --ifconfig-push, as well  as  fixed  subnets  owned  by  the
1411              client using --iroute.
1412
1413              One  of  the  useful properties of this option is that it allows
1414              client configuration files to be conveniently  created,  edited,
1415              or  removed while the server is live, without needing to restart
1416              the server.
1417
1418              The following options are legal in  a  client-specific  context:
1419              --push,  --push-reset, --push-remove, --iroute, --ifconfig-push,
1420              --vlan-pvid and --config.
1421
1422       --client-to-client
1423              Because the OpenVPN server mode handles multiple clients through
1424              a  single  tun or tap interface, it is effectively a router. The
1425              --client-to-client  flag  tells  OpenVPN  to  internally   route
1426              client-to-client  traffic  rather than pushing all client-origi‐
1427              nating traffic to the TUN/TAP interface.
1428
1429              When this option is used,  each  client  will  "see"  the  other
1430              clients  which  are  currently connected. Otherwise, each client
1431              will only see the server. Don't use this option if you  want  to
1432              firewall tunnel traffic using custom, per-client rules.
1433
1434       --disable
1435              Disable a particular client (based on the common name) from con‐
1436              necting.  Don't use this option to disable a client due  to  key
1437              or  password compromise. Use a CRL (certificate revocation list)
1438              instead (see the --crl-verify option).
1439
1440              This option must be associated with a specific client  instance,
1441              which  means  that  it  must be specified either in a client in‐
1442              stance config file using --client-config-dir or dynamically gen‐
1443              erated using a --client-connect script.
1444
1445       --connect-freq args
1446              Allow  a  maximum  of  n  new  connections  per sec seconds from
1447              clients.
1448
1449              Valid syntax:
1450
1451                 connect-freq n sec
1452
1453              This is designed to contain DoS attacks which flood  the  server
1454              with  connection  requests  using  certificates which will ulti‐
1455              mately fail to authenticate.
1456
1457              This is an imperfect solution however, because  in  a  real  DoS
1458              scenario, legitimate connections might also be refused.
1459
1460              For  the best protection against DoS attacks in server mode, use
1461              --proto udp and either --tls-auth or --tls-crypt.
1462
1463       --duplicate-cn
1464              Allow multiple clients with the same common name to concurrently
1465              connect.  In the absence of this option, OpenVPN will disconnect
1466              a client instance upon connection of a  new  client  having  the
1467              same common name.
1468
1469       --ifconfig-pool args
1470              Set  aside a pool of subnets to be dynamically allocated to con‐
1471              necting clients, similar to a DHCP server.
1472
1473              Valid syntax:
1474
1475                 ifconfig-pool start-IP end-IP [netmask]
1476
1477              For tun-style tunnels, each client will be given  a  /30  subnet
1478              (for interoperability with Windows clients).  For tap-style tun‐
1479              nels, individual addresses will be allocated, and  the  optional
1480              netmask parameter will also be pushed to clients.
1481
1482       --ifconfig-ipv6-pool args
1483              Specify an IPv6 address pool for dynamic assignment to clients.
1484
1485              Valid args:
1486
1487                 ifconfig-ipv6-pool ipv6addr/bits
1488
1489              The  pool  starts  at ipv6addr and matches the offset determined
1490              from the start of the IPv4 pool.  If the host part of the  given
1491              IPv6 address is 0, the pool starts at ipv6addr +1.
1492
1493       --ifconfig-pool-persist args
1494              Persist/unpersist  ifconfig-pool data to file, at seconds inter‐
1495              vals (default 600), as well as on program startup and shutdown.
1496
1497              Valid syntax:
1498
1499                 ifconfig-pool-persist file [seconds]
1500
1501              The goal of this option is to provide  a  long-term  association
1502              between  clients  (denoted by their common name) and the virtual
1503              IP address assigned to them from the ifconfig-pool.  Maintaining
1504              a  long-term  association  is good for clients because it allows
1505              them to effectively use the --persist-tun option.
1506
1507              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
1508              mon-Name>,<IP-address>.
1509
1510              If  seconds = 0, file will be treated as read-only. This is use‐
1511              ful if you would like to treat file as a configuration file.
1512
1513              Note that the entries in this file are  treated  by  OpenVPN  as
1514              suggestions  only,  based  on past associations between a common
1515              name and IP address.  They do not guarantee that the given  com‐
1516              mon  name  will always receive the given IP address. If you want
1517              guaranteed assignment, use --ifconfig-push
1518
1519       --ifconfig-push args
1520              Push virtual IP endpoints  for  client  tunnel,  overriding  the
1521              --ifconfig-pool dynamic allocation.
1522
1523              Valid syntax:
1524
1525                 ifconfig-push local remote-netmask [alias]
1526
1527              The parameters local and remote-netmask are set according to the
1528              --ifconfig directive which you want to execute on the client ma‐
1529              chine  to  configure the remote end of the tunnel. Note that the
1530              parameters local and remote-netmask are from the perspective  of
1531              the client, not the server. They may be DNS names rather than IP
1532              addresses, in which case they will be resolved on the server  at
1533              the time of client connection.
1534
1535              The  optional  alias  parameter  may  be used in cases where NAT
1536              causes the client view of its local endpoint to differ from  the
1537              server view. In this case local/remote-netmask will refer to the
1538              server view while alias/remote-netmask will refer to the  client
1539              view.
1540
1541              This  option must be associated with a specific client instance,
1542              which means that it must be specified either  in  a  client  in‐
1543              stance config file using --client-config-dir or dynamically gen‐
1544              erated using a --client-connect script.
1545
1546              Remember also to include a --route directive in the main OpenVPN
1547              config  file  which encloses local, so that the kernel will know
1548              to route it to the server's TUN/TAP interface.
1549
1550              OpenVPN's internal client IP address selection  algorithm  works
1551              as follows:
1552
1553              1. Use  --client-connect  script  generated  file  for static IP
1554                 (first choice).
1555
1556              2. Use --client-config-dir file for static IP (next choice).
1557
1558              3. Use --ifconfig-pool allocation for dynamic IP (last choice).
1559
1560       --ifconfig-ipv6-push args
1561              for --client-config-dir per-client static IPv6 interface config‐
1562              uration,  see  --client-config-dir  and --ifconfig-push for more
1563              details.
1564
1565              Valid syntax:
1566
1567                 ifconfig-ipv6-push ipv6addr/bits ipv6remote
1568
1569       --inetd args
1570              Valid syntaxes:
1571
1572                 inetd
1573                 inetd wait
1574                 inetd nowait
1575                 inetd wait progname
1576
1577              Use this option when OpenVPN is being  run  from  the  inetd  or
1578              xinetd(8) server.
1579
1580              The  wait  and nowait option must match what is specified in the
1581              inetd/xinetd config file. The nowait mode can only be used  with
1582              --proto  tcp-server The default is wait.  The nowait mode can be
1583              used to instantiate the OpenVPN daemon as a classic TCP  server,
1584              where  client  connection requests are serviced on a single port
1585              number. For additional information on this  kind  of  configura‐
1586              tion,           see           the          OpenVPN          FAQ:
1587              https://community.openvpn.net/openvpn/wiki/325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port
1588
1589              This  option precludes the use of --daemon, --local or --remote.
1590              Note that this option causes message and error output to be han‐
1591              dled  in the same way as the --daemon option. The optional prog‐
1592              name parameter is also handled exactly as in --daemon.
1593
1594              Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1595              arate TCP/UDP port and a separate inetd or xinetd entry. See the
1596              OpenVPN 1.x HOWTO for an example on using OpenVPN  with  xinetd:
1597              https://openvpn.net/community-resources/1xhowto/
1598
1599       --multihome
1600              Configure a multi-homed UDP server. This option needs to be used
1601              when a server has more than one IP address (e.g. multiple inter‐
1602              faces,  or  secondary IP addresses), and is not using --local to
1603              force binding to one specific address only. This option will add
1604              some extra lookups to the packet path to ensure that the UDP re‐
1605              ply packets are always sent from the address that the client  is
1606              talking  to. This is not supported on all platforms, and it adds
1607              more processing, so it's not enabled by default.
1608
1609              Notes:
1610
1611                     • This option is only relevant for UDP servers.
1612
1613                     • If you do an IPv6+IPv4 dual-stack bind on a  Linux  ma‐
1614                       chine  with  multiple IPv4 address, connections to IPv4
1615                       addresses will not work right on kernels  before  3.15,
1616                       due  to missing kernel support for the IPv4-mapped case
1617                       (some distributions have ported this to earlier  kernel
1618                       versions, though).
1619
1620       --iroute args
1621              Generate an internal route to a specific client. The netmask pa‐
1622              rameter, if omitted, defaults to 255.255.255.255.
1623
1624              Valid syntax:
1625
1626                 iroute network [netmask]
1627
1628              This directive can be used to route  a  fixed  subnet  from  the
1629              server to a particular client, regardless of where the client is
1630              connecting from.  Remember that you must also add the  route  to
1631              the  system  routing table as well (such as by using the --route
1632              directive). The reason why two routes are  needed  is  that  the
1633              --route  directive routes the packet from the kernel to OpenVPN.
1634              Once in OpenVPN, the --iroute directive routes to  the  specific
1635              client.
1636
1637              This option must be specified either in a client instance config
1638              file using --client-config-dir or dynamically generated using  a
1639              --client-connect script.
1640
1641              The  --iroute  directive  also has an important interaction with
1642              --push "route ...". --iroute essentially defines a subnet  which
1643              is owned by a particular client (we will call this client A). If
1644              you would like other clients to be able to reach A's subnet, you
1645              can  use  --push "route ..." together with --client-to-client to
1646              effect this. In order for all clients to see A's subnet, OpenVPN
1647              must push this route to all clients EXCEPT for A, since the sub‐
1648              net is already owned by A. OpenVPN accomplishes this by not  not
1649              pushing  a  route  to a client if it matches one of the client's
1650              iroutes.
1651
1652       --iroute-ipv6 args
1653              for --client-config-dir per-client static IPv6 route  configura‐
1654              tion,  see  --iroute for more details how to setup and use this,
1655              and how --iroute and --route interact.
1656
1657              Valid syntax:
1658
1659                 iroute-ipv6 ipv6addr/bits
1660
1661       --max-clients n
1662              Limit server to a maximum of n concurrent clients.
1663
1664       --max-routes-per-client n
1665              Allow a maximum of n internal routes per client  (default  256).
1666              This  is designed to help contain DoS attacks where an authenti‐
1667              cated client floods the server with packets  appearing  to  come
1668              from  many  unique  MAC addresses, forcing the server to deplete
1669              virtual memory as its internal routing table expands.  This  di‐
1670              rective can be used in a --client-config-dir file or auto-gener‐
1671              ated by a --client-connect script to override the  global  value
1672              for a particular client.
1673
1674              Note  that this directive affects OpenVPN's internal routing ta‐
1675              ble, not the kernel routing table.
1676
1677       --opt-verify
1678              Clients that connect with options  that  are  incompatible  with
1679              those of the server will be disconnected.
1680
1681              Options   that   will  be  compared  for  compatibility  include
1682              dev-type, link-mtu, tun-mtu, proto,  ifconfig,  comp-lzo,  frag‐
1683              ment,   keydir,   cipher,   auth,  keysize,  secret,  no-replay,
1684              tls-auth, key-method, tls-server and tls-client.
1685
1686              This option requires that --disable-occ NOT be used.
1687
1688       --port-share args
1689              Share OpenVPN TCP with another service
1690
1691              Valid syntax:
1692
1693                 port-share host port [dir]
1694
1695              When run in TCP server mode, share the OpenVPN port with another
1696              application,  such  as an HTTPS server. If OpenVPN senses a con‐
1697              nection to its port which is using a  non-OpenVPN  protocol,  it
1698              will  proxy the connection to the server at host:port. Currently
1699              only designed to work with HTTP/HTTPS, though it would be  theo‐
1700              retically possible to extend to other protocols such as ssh.
1701
1702              dir  specifies an optional directory where a temporary file with
1703              name N containing content C will be  dynamically  generated  for
1704              each  proxy  connection,  where  N  is the source IP:port of the
1705              client connection and C is the source IP:port of the  connection
1706              to  the  proxy receiver. This directory can be used as a dictio‐
1707              nary by the proxy receiver to determine the origin of  the  con‐
1708              nection.  Each generated file will be automatically deleted when
1709              the proxied connection is torn down.
1710
1711              Not implemented on Windows.
1712
1713       --push option
1714              Push a config file option back to the client for  remote  execu‐
1715              tion.  Note  that option must be enclosed in double quotes ("").
1716              The client must specify --pull in its config file.  The  set  of
1717              options  which  can be pushed is limited by both feasibility and
1718              security. Some options such as those which would execute scripts
1719              are  banned,  since  they  would effectively allow a compromised
1720              server to execute arbitrary code on the  client.  Other  options
1721              such  as  TLS  or  MTU  parameters  cannot be pushed because the
1722              client needs to know them before the connection  to  the  server
1723              can be initiated.
1724
1725              This is a partial list of options which can currently be pushed:
1726              --route,  --route-gateway,  --route-delay,   --redirect-gateway,
1727              --ip-win32,   --dhcp-option,  --inactive,  --ping,  --ping-exit,
1728              --ping-restart, --setenv,  --auth-token,  --persist-key,  --per‐
1729              sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1730
1731       --push-peer-info
1732              Push additional information about the client to server. The fol‐
1733              lowing data is always pushed to the server:
1734
1735              IV_VER=<version>
1736                     The client OpenVPN version
1737
1738              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]
1739                     The client OS platform
1740
1741              IV_LZO_STUB=1
1742                     If client was built with LZO stub capability
1743
1744              IV_LZ4=1
1745                     If the client supports LZ4 compressions.
1746
1747              IV_PROTO
1748                     Details about protocol extensions that the peer supports.
1749                     The  variable  is  a bitfield and the bits are defined as
1750                     follows (starting a bit 0 for the first (unused) bit:
1751
1752                     • bit 1: The peer supports peer-id floating mechanism
1753
1754                     • bit 2: The client expects a push-reply and  the  server
1755                       may  send this reply without waiting for a push-request
1756                       first.
1757
1758              IV_NCP=2
1759                     Negotiable ciphers, client supports  --cipher  pushed  by
1760                     the server, a value of 2 or greater indicates client sup‐
1761                     ports AES-GCM-128 and AES-GCM-256.
1762
1763              IV_CIPHERS=<ncp-ciphers>
1764                     The client announces the list of supported  ciphers  con‐
1765                     figured with the --data-ciphers option to the server.
1766
1767              IV_GUI_VER=<gui_id> <version>
1768                     The  UI  version  of  a UI if one is running, for example
1769                     de.blinkt.openvpn 0.5.47 for the Android app.
1770
1771              When --push-peer-info is enabled the additional information con‐
1772              sists of the following data:
1773
1774              IV_HWADDR=<mac address>
1775                     The MAC address of clients default gateway
1776
1777              IV_SSL=<version string>
1778                     The  ssl version used by the client, e.g.  OpenSSL 1.0.2f
1779                     28 Jan 2016.
1780
1781              IV_PLAT_VER=x.y
1782                     The version of the operating system, e.g. 6.1 for Windows
1783                     7.
1784
1785              UV_<name>=<value>
1786                     Client environment variables whose names start with UV_
1787
1788       --push-remove opt
1789              Selectively  remove  all  --push options matching "opt" from the
1790              option list for a client. opt is matched as a substring  against
1791              the   whole   option  string  to-be-pushed  to  the  client,  so
1792              --push-remove route would remove all --push route ... and --push
1793              route-ipv6  ...   statements,  while  --push-remove  "route-ipv6
1794              2001:" would only remove IPv6 routes for 2001:... networks.
1795
1796              --push-remove can only be used  in  a  client-specific  context,
1797              like  in  a --client-config-dir file, or --client-connect script
1798              or plugin -- similar to --push-reset, just more selective.
1799
1800              NOTE: to change an option, --push-remove can be  used  to  first
1801              remove  the old value, and then add a new --push option with the
1802              new value.
1803
1804              NOTE 2: due to implementation details,  'ifconfig'  and  'ifcon‐
1805              fig-ipv6'  can only be removed with an exact match on the option
1806              ( push-remove ifconfig), no substring matching and  no  matching
1807              on the IPv4/IPv6 address argument is possible.
1808
1809       --push-reset
1810              Don't  inherit  the  global  push list for a specific client in‐
1811              stance.  Specify this option in a client-specific  context  such
1812              as  with  a  --client-config-dir configuration file. This option
1813              will ignore --push options at the global config file level.
1814
1815              NOTE: --push-reset is very thorough: it will remove  almost  all
1816              options  from  the list of to-be-pushed options.  In many cases,
1817              some of these options will need to be re-configured afterwards -
1818              specifically,  --topology  subnet  and  --route-gateway will get
1819              lost and this will break client configs in  many  cases.   Thus,
1820              for most purposes, --push-remove is better suited to selectively
1821              remove push options for individual clients.
1822
1823       --server args
1824              A helper directive designed to  simplify  the  configuration  of
1825              OpenVPN's  server  mode.  This  directive will set up an OpenVPN
1826              server which will allocate addresses to clients out of the given
1827              network/netmask.  The  server itself will take the .1 address of
1828              the given network for use as the server-side endpoint of the lo‐
1829              cal  TUN/TAP interface. If the optional nopool flag is given, no
1830              dynamic IP address pool will prepared for VPN clients.
1831
1832              Valid syntax:
1833
1834                 server network netmask [nopool]
1835
1836              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1837
1838                 mode server
1839                 tls-server
1840                 push "topology [topology]"
1841
1842                 if dev tun AND (topology == net30 OR topology == p2p):
1843                   ifconfig 10.8.0.1 10.8.0.2
1844                   if !nopool:
1845                     ifconfig-pool 10.8.0.4 10.8.0.251
1846                   route 10.8.0.0 255.255.255.0
1847                   if client-to-client:
1848                     push "route 10.8.0.0 255.255.255.0"
1849                   else if topology == net30:
1850                     push "route 10.8.0.1"
1851
1852                 if dev tap OR (dev tun AND topology == subnet):
1853                   ifconfig 10.8.0.1 255.255.255.0
1854                   if !nopool:
1855                     ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1856                   push "route-gateway 10.8.0.1"
1857                   if route-gateway unset:
1858                     route-gateway 10.8.0.2
1859
1860              Don't  use  --server  if  you   are   ethernet   bridging.   Use
1861              --server-bridge instead.
1862
1863       --server-bridge args
1864              A helper directive similar to --server which is designed to sim‐
1865              plify the configuration of OpenVPN's  server  mode  in  ethernet
1866              bridging configurations.
1867
1868              Valid syntaxes:
1869
1870                 server-bridge gateway netmask pool-start-IP pool-end-IP
1871                 server-bridge [nogw]
1872
1873              If  --server-bridge  is used without any parameters, it will en‐
1874              able a DHCP-proxy mode, where connecting  OpenVPN  clients  will
1875              receive an IP address for their TAP adapter from the DHCP server
1876              running on the OpenVPN server-side LAN. Note that  only  clients
1877              that  support  the binding of a DHCP client with the TAP adapter
1878              (such as Windows) can support this mode. The optional nogw  flag
1879              (advanced)  indicates  that  gateway  information  should not be
1880              pushed to the client.
1881
1882              To configure ethernet bridging, you must  first  use  your  OS's
1883              bridging  capability to bridge the TAP interface with the ether‐
1884              net NIC interface.  For example, on Linux this is done with  the
1885              brctl  tool,  and with Windows XP it is done in the Network Con‐
1886              nections Panel by selecting the ethernet and  TAP  adapters  and
1887              right-clicking on "Bridge Connections".
1888
1889              Next  you you must manually set the IP/netmask on the bridge in‐
1890              terface.  The gateway and netmask parameters to  --server-bridge
1891              can  be set to either the IP/netmask of the bridge interface, or
1892              the IP/netmask of the default gateway/router on the bridged sub‐
1893              net.
1894
1895              Finally,  set aside a IP range in the bridged subnet, denoted by
1896              pool-start-IP and pool-end-IP, for OpenVPN to allocate  to  con‐
1897              necting clients.
1898
1899              For  example,  server-bridge  10.8.0.4  255.255.255.0 10.8.0.128
1900              10.8.0.254 expands as follows:
1901
1902                 mode server
1903                 tls-server
1904
1905                 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1906                 push "route-gateway 10.8.0.4"
1907
1908              In another example, --server-bridge (without parameters) expands
1909              as follows:
1910
1911                 mode server
1912                 tls-server
1913
1914                 push "route-gateway dhcp"
1915
1916              Or --server-bridge nogw expands as follows:
1917
1918                 mode server
1919                 tls-server
1920
1921       --server-ipv6 args
1922              Convenience-function  to enable a number of IPv6 related options
1923              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
1924              tun-ipv6.
1925
1926              Valid syntax:
1927
1928                 server-ipv6 ipv6addr/bits
1929
1930              Pushing  of  the  --tun-ipv6 directive is done for older clients
1931              which require an explicit --tun-ipv6 in their configuration.
1932
1933       --stale-routes-check args
1934              Remove routes which haven't had activity for n seconds (i.e. the
1935              ageing time).  This check is run every t seconds (i.e. check in‐
1936              terval).
1937
1938              Valid syntax:
1939
1940                 stale-routes-check n [t]
1941
1942              If t is not present it defaults to n.
1943
1944              This option helps to keep the dynamic routing table  small.  See
1945              also --max-routes-per-client
1946
1947       --username-as-common-name
1948              Use  the  authenticated username as the common-name, rather than
1949              the common-name from the client certificate. Requires that  some
1950              form  of  --auth-user-pass verification is in effect. As the re‐
1951              placement happens after --auth-user-pass verification, the veri‐
1952              fication  script  or  plugin  will still receive the common-name
1953              from the certificate.
1954
1955              The common_name environment variable passed to scripts and plug‐
1956              ins  invoked  after  authentication (e.g, client-connect script)
1957              and file names parsed in client-config directory will match  the
1958              username.
1959
1960       --verify-client-cert mode
1961              Specify  whether  the  client is required to supply a valid cer‐
1962              tificate.
1963
1964              Possible mode options are:
1965
1966              none   A client certificate is not required. the client needs to
1967                     authenticate  using username/password only. Be aware that
1968                     using this directive is less secure than  requiring  cer‐
1969                     tificates from all clients.
1970
1971                     If  you  use this directive, the entire responsibility of
1972                     authentication will rest on your  --auth-user-pass-verify
1973                     script,  so  keep  in mind that bugs in your script could
1974                     potentially compromise the security of your VPN.
1975
1976                     --verify-client-cert none is functionally  equivalent  to
1977                     --client-cert-not-required.
1978
1979              optional
1980                     A client may present a certificate but it is not required
1981                     to do so.  When using this directive, you should also use
1982                     a  --auth-user-pass-verify  script to ensure that clients
1983                     are authenticated using a  certificate,  a  username  and
1984                     password, or possibly even both.
1985
1986                     Again,  the  entire responsibility of authentication will
1987                     rest on your --auth-user-pass-verify script, so  keep  in
1988                     mind  that  bugs in your script could potentially compro‐
1989                     mise the security of your VPN.
1990
1991              require
1992                     This is the default  option.  A  client  is  required  to
1993                     present a certificate, otherwise VPN access is refused.
1994
1995              If you don't use this directive (or use --verify-client-cert re‐
1996              quire) but you also specify an  --auth-user-pass-verify  script,
1997              then OpenVPN will perform double authentication. The client cer‐
1998              tificate verification  AND  the  --auth-user-pass-verify  script
1999              will  need  to succeed in order for a client to be authenticated
2000              and accepted onto the VPN.
2001
2002       --vlan-tagging
2003              Server-only option. Turns the OpenVPN  server  instance  into  a
2004              switch that understands VLAN-tagging, based on IEEE 802.1Q.
2005
2006              The server TAP device and each of the connecting clients is seen
2007              as a port of the switch. All client ports are in  untagged  mode
2008              and  the  server  TAP device is VLAN-tagged, untagged or accepts
2009              both, depending on the --vlan-accept setting.
2010
2011              Ethernet frames with a prepended 802.1Q tag are called "tagged".
2012              If  the  VLAN  Identifier (VID) field in such a tag is non-zero,
2013              the frame is called "VLAN-tagged". If the VID is zero,  but  the
2014              Priority  Control  Point  (PCP)  field is non-zero, the frame is
2015              called "prio-tagged". If there is no 802.1Q tag,  the  frame  is
2016              "untagged".
2017
2018              Using   the   --vlan-pvid   v   option   once  per  client  (see
2019              --client-config-dir), each port can be associated with a certain
2020              VID.   Packets  can  only  be forwarded between ports having the
2021              same VID.  Therefore, clients with differing VIDs are completely
2022              separated  from one-another, even if --client-to-client is acti‐
2023              vated.
2024
2025              The packet filtering takes place in the OpenVPN server.  Clients
2026              should not have any VLAN tagging configuration applied.
2027
2028              The  --vlan-tagging  option is off by default. While turned off,
2029              OpenVPN accepts any Ethernet frame and does not perform any spe‐
2030              cial processing for VLAN-tagged packets.
2031
2032              This option can only be activated in --dev tap mode.
2033
2034       --vlan-accept args
2035              Configure the VLAN tagging policy for the server TAP device.
2036
2037              Valid syntax:
2038
2039                 vlan-accept  all|tagged|untagged
2040
2041              The following modes are available:
2042
2043              tagged Admit  only  VLAN-tagged frames. Only VLAN-tagged packets
2044                     are accepted, while untagged or  priority-tagged  packets
2045                     are dropped when entering the server TAP device.
2046
2047              untagged
2048                     Admit  only untagged and prio-tagged frames.  VLAN-tagged
2049                     packets  are  not  accepted,  while  untagged  or  prior‐
2050                     ity-tagged  packets  entering  the  server TAP device are
2051                     tagged  with  the  value  configured   for   the   global
2052                     --vlan-pvid setting.
2053
2054              all (default)
2055                     Admit  all  frames.   All  packets  are admitted and then
2056                     treated like untagged or tagged mode respectively.
2057
2058              Note:  Some vendors refer to switch ports running in tagged mode
2059                     as  "trunk  ports"  and  switch ports running in untagged
2060                     mode as "access ports".
2061
2062              Packets forwarded from clients to  the  server  are  VLAN-tagged
2063              with  the  originating client's PVID, unless the VID matches the
2064              global --vlan-pvid, in which case the tag is removed.
2065
2066              If no PVID is configured for a given  client  (see  --vlan-pvid)
2067              packets are tagged with 1 by default.
2068
2069       --vlan-pvid v
2070              Specifies  which  VLAN  identifier  a "port" is associated with.
2071              Only valid when --vlan-tagging is speficied.
2072
2073              In the client context, the setting specifies  which  VLAN  ID  a
2074              client is associated with. In the global context, the VLAN ID of
2075              the server TAP device is set. The latter only  makes  sense  for
2076              --vlan-accept untagged and --vlan-accept all modes.
2077
2078              Valid  values  for v go from 1 through to 4094. The global value
2079              defaults to 1. If no --vlan-pvid is specified in the client con‐
2080              text, the global value is inherited.
2081
2082              In  some switch implementations, the PVID is also referred to as
2083              "Native VLAN".
2084

ENCRYPTION OPTIONS

2086   SSL Library information
2087       --show-ciphers
2088              (Standalone) Show all cipher algorithms to use with the --cipher
2089              option.
2090
2091       --show-digests
2092              (Standalone)  Show all message digest algorithms to use with the
2093              --auth option.
2094
2095       --show-tls
2096              (Standalone) Show all TLS ciphers supported by  the  crypto  li‐
2097              brary.   OpenVPN  uses  TLS  to secure the control channel, over
2098              which the keys that are used to protect the actual  VPN  traffic
2099              are exchanged. The TLS ciphers will be sorted from highest pref‐
2100              erence (most secure) to lowest.
2101
2102              Be aware that whether a cipher suite in this list  can  actually
2103              work  depends  on  the  specific  setup of both peers (e.g. both
2104              peers must support the cipher, and an ECDSA  cipher  suite  will
2105              not work if you are using an RSA certificate, etc.).
2106
2107       --show-engines
2108              (Standalone)  Show currently available hardware-based crypto ac‐
2109              celeration engines supported by the OpenSSL library.
2110
2111       --show-groups
2112              (Standalone) Show all available elliptic  curves/groups  to  use
2113              with the --ecdh-curve and tls-groups options.
2114
2115   Generating key material
2116       --genkey args
2117              (Standalone)  Generate  a key to be used of the type keytype. if
2118              keyfile is left out or empty the key will be output  on  stdout.
2119              See the following sections for the different keytypes.
2120
2121              Valid syntax:
2122
2123                 --genkey keytype keyfile
2124
2125              Valid keytype arguments are:
2126
2127              secret                Standard OpenVPN shared secret keys
2128
2129              tls-crypt             Alias for secret
2130
2131              tls-auth              Alias for secret
2132
2133              auth-token            Key used for --auth-gen-token-key
2134
2135              tls-crypt-v2-server   TLS Crypt v2 server key
2136
2137              tls-crypt-v2-client   TLS Crypt v2 client key
2138
2139              Examples:
2140
2141                 $ openvpn --genkey secret shared.key
2142                 $ openvpn --genkey tls-crypt shared.key
2143                 $ openvpn --genkey tls-auth shared.key
2144                 $ openvpn --genkey tls-crypt-v2-server v2crypt-server.key
2145                 $ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key
2146
2147              • Generating  Shared  Secret  Keys Generate a shared secret, for
2148                use with the --secret, --tls-auth or --tls-crypt options.
2149
2150                Syntax:
2151
2152                   $ openvpn --genkey secret|tls-crypt|tls-auth keyfile
2153
2154                The key is saved in keyfile.  All  three  variants  (--secret,
2155                tls-crypt  and  tls-auth)  generate  the same type of key. The
2156                aliases are added for convenience.
2157
2158                If using this for --secret, this file must be shared with  the
2159                peer over a pre-existing secure channel such as scp(1).
2160
2161              • Generating  TLS  Crypt v2 Server key Generate a --tls-crypt-v2
2162                key to be used by an OpenVPN server.  The  key  is  stored  in
2163                keyfile.
2164
2165                Syntax:
2166
2167                   --genkey tls-crypt-v2-server keyfile
2168
2169              • Generating  TLS  Crypt v2 Client key Generate a --tls-crypt-v2
2170                key to be used by OpenVPN clients.  The key is stored in  key‐
2171                file.
2172
2173                Syntax
2174
2175                   --genkey tls-crypt-v2-client keyfile [metadata]
2176
2177                If  supplied,  include  the  supplied  metadata in the wrapped
2178                client key. This metadata must be supplied  in  base64-encoded
2179                form.  The  metadata must be at most 735 bytes long (980 bytes
2180                in base64).
2181
2182                If no metadata is supplied, OpenVPN will  use  a  64-bit  unix
2183                timestamp  representing  the  current  time in UTC, encoded in
2184                network order, as metadata for the generated key.
2185
2186                A tls-crypt-v2 client key is wrapped using a  server  key.  To
2187                generate  a  client  key,  the  user must therefore supply the
2188                server key using the --tls-crypt-v2 option.
2189
2190                Servers can use --tls-crypt-v2-verify to  specify  a  metadata
2191                verification command.
2192
2193              • Generate  Authentication  Token key Generate a new secret that
2194                can be used with --auth-gen-token-secret
2195
2196                Syntax:
2197
2198                   --genkey auth-token [keyfile]
2199
2200                Note:  This file should be kept secret to the server as anyone
2201                       that  has  access to this file will be able to generate
2202                       auth tokens that the  OpenVPN  server  will  accept  as
2203                       valid.
2204
2205   Data Channel Renegotiation
2206       When running OpenVPN in client/server mode, the data channel will use a
2207       separate ephemeral encryption key which is rotated  at  regular  inter‐
2208       vals.
2209
2210       --reneg-bytes n
2211              Renegotiate  data  channel  key  after  n bytes sent or received
2212              (disabled by default with an exception, see below). OpenVPN  al‐
2213              lows  the lifetime of a key to be expressed as a number of bytes
2214              encrypted/decrypted, a number of packets, or a  number  of  sec‐
2215              onds.  A  key renegotiation will be forced if any of these three
2216              criteria are met by either peer.
2217
2218              If using ciphers with cipher block  sizes  less  than  128-bits,
2219              --reneg-bytes is set to 64MB by default, unless it is explicitly
2220              disabled by setting the value to 0, but this is HIGHLY  DISCOUR‐
2221              AGED  as  this  is  designed  to add some protection against the
2222              SWEET32 attack vector. For more information see the --cipher op‐
2223              tion.
2224
2225       --reneg-pkts n
2226              Renegotiate  data  channel key after n packets sent and received
2227              (disabled by default).
2228
2229       --reneg-sec args
2230              Renegotiate data channel key after at most max seconds  (default
2231              3600)  and  at  least  min  seconds  (default  is 90% of max for
2232              servers, and equal to max for clients).
2233
2234                 reneg-sec max [min]
2235
2236              The effective --reneg-sec value used is per session  pseudo-uni‐
2237              form-randomized between min and max.
2238
2239              With  the default value of 3600 this results in an effective per
2240              session value in the range of 3240 .. 3600 seconds for  servers,
2241              or just 3600 for clients.
2242
2243              When  using  dual-factor  authentication, note that this default
2244              value may cause the end user to  be  challenged  to  reauthorize
2245              once per hour.
2246
2247              Also,  keep  in  mind  that  this option can be used on both the
2248              client and server, and whichever uses the lower  value  will  be
2249              the one to trigger the renegotiation. A common mistake is to set
2250              --reneg-sec to a higher value on either the  client  or  server,
2251              while  the  other  side of the connection is still using the de‐
2252              fault value of 3600 seconds, meaning that the renegotiation will
2253              still  occur  once per 3600 seconds. The solution is to increase
2254              --reneg-sec on both the client and server, or set it to 0 on one
2255              side of the connection (to disable), and to your chosen value on
2256              the other side.
2257
2258   TLS Mode Options
2259       TLS mode is the most powerful crypto mode of OpenVPN in  both  security
2260       and  flexibility. TLS mode works by establishing control and data chan‐
2261       nels which are multiplexed over a single TCP/UDP port.  OpenVPN  initi‐
2262       ates a TLS session over the control channel and uses it to exchange ci‐
2263       pher and HMAC keys to protect the data channel. TLS mode uses a  robust
2264       reliability  layer over the UDP connection for all control channel com‐
2265       munication, while the data channel, over which  encrypted  tunnel  data
2266       passes,  is  forwarded without any mediation. The result is the best of
2267       both worlds: a fast data channel that forwards over UDP with  only  the
2268       overhead of encrypt, decrypt, and HMAC functions, and a control channel
2269       that provides all of the security features of TLS,  including  certifi‐
2270       cate-based authentication and Diffie Hellman forward secrecy.
2271
2272       To  use TLS mode, each peer that runs OpenVPN should have its own local
2273       certificate/key pair (--cert and --key), signed by the root certificate
2274       which is specified in --ca.
2275
2276       When  two OpenVPN peers connect, each presents its local certificate to
2277       the other. Each peer will then check that its partner peer presented  a
2278       certificate  which  was signed by the master root certificate as speci‐
2279       fied in --ca.
2280
2281       If that check on both peers succeeds, then  the  TLS  negotiation  will
2282       succeed,  both  OpenVPN peers will exchange temporary session keys, and
2283       the tunnel will begin passing data.
2284
2285       The OpenVPN project provides a set of scripts for managing RSA certifi‐
2286       cates and keys: https://github.com/OpenVPN/easy-rsa
2287
2288       --askpass file
2289              Get  certificate  password from console or file before we daemo‐
2290              nize.
2291
2292              Valid syntaxes:
2293
2294                 askpass
2295                 askpass file
2296
2297              For the extremely security conscious, it is possible to  protect
2298              your  private key with a password. Of course this means that ev‐
2299              ery time the OpenVPN daemon is started you must be there to type
2300              the  password.  The --askpass option allows you to start OpenVPN
2301              from the command line.  It will query you for a password  before
2302              it  daemonizes.  To  protect  a  private key with a password you
2303              should omit the -nodes option when you use the  openssl  command
2304              line tool to manage certificates and private keys.
2305
2306              If  file  is specified, read the password from the first line of
2307              file. Keep in mind that storing your password in  a  file  to  a
2308              certain  extent invalidates the extra security provided by using
2309              an encrypted key.
2310
2311       --ca file
2312              Certificate authority (CA) file in .pem format, also referred to
2313              as  the  root  certificate. This file can have multiple certifi‐
2314              cates in .pem format, concatenated together. You  can  construct
2315              your  own  certificate  authority certificate and private key by
2316              using a command such as:
2317
2318                 openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
2319
2320              Then edit your openssl.cnf file and edit the  certificate  vari‐
2321              able to point to your new root certificate ca.crt.
2322
2323              For  testing  purposes only, the OpenVPN distribution includes a
2324              sample CA certificate (ca.crt). Of course you should  never  use
2325              the  test certificates and test keys distributed with OpenVPN in
2326              a production environment, since by virtue of the fact that  they
2327              are distributed with OpenVPN, they are totally insecure.
2328
2329       --capath dir
2330              Directory  containing  trusted  certificates (CAs and CRLs). Not
2331              available with mbed TLS.
2332
2333              CAs in the capath directory are expected to be named <hash>.<n>.
2334              CRLs  are  expected to be named <hash>.r<n>. See the -CApath op‐
2335              tion of openssl verify, and the -hash option  of  openssl  x509,
2336              openssl crl and X509_LOOKUP_hash_dir()(3) for more information.
2337
2338              Similar  to  the  --crl-verify  option, CRLs are not mandatory -
2339              OpenVPN will log the usual warning in the logs if  the  relevant
2340              CRL is missing, but the connection will be allowed.
2341
2342       --cert file
2343              Local peer's signed certificate in .pem format -- must be signed
2344              by a certificate authority whose certificate is  in  --ca  file.
2345              Each peer in an OpenVPN link running in TLS mode should have its
2346              own certificate and private key file. In addition, each certifi‐
2347              cate should have been signed by the key of a certificate author‐
2348              ity whose public key resides in the --ca  certificate  authority
2349              file.  You  can  easily make your own certificate authority (see
2350              above) or  pay  money  to  use  a  commercial  service  such  as
2351              thawte.com  (in  which  case  you will be helping to finance the
2352              world's second space tourist :). To generate a certificate,  you
2353              can use a command such as:
2354
2355                 openssl req -nodes -new -keyout mycert.key -out mycert.csr
2356
2357              If  your  certificate authority private key lives on another ma‐
2358              chine, copy the certificate signing request (mycert.csr) to this
2359              other machine (this can be done over an insecure channel such as
2360              email). Now sign the certificate with a command such as:
2361
2362                 openssl ca -out mycert.crt -in mycert.csr
2363
2364              Now copy the certificate (mycert.crt) back  to  the  peer  which
2365              initially  generated  the  .csr  file (this can be over a public
2366              medium). Note that the openssl ca command reads the location  of
2367              the  certificate  authority key from its configuration file such
2368              as /usr/share/ssl/openssl.cnf -- note also that for  certificate
2369              authority functions, you must set up the files index.txt (may be
2370              empty) and serial (initialize to 01).
2371
2372       --crl-verify args
2373              Check peer certificate against a Certificate Revocation List.
2374
2375              Valid syntax:
2376
2377                 crl-verify file/directory flag
2378
2379              Examples:
2380
2381                 crl-verify crl-file.pem
2382                 crl-verify /etc/openvpn/crls dir
2383
2384              A CRL (certificate revocation list) is used  when  a  particular
2385              key is compromised but when the overall PKI is still intact.
2386
2387              Suppose  you had a PKI consisting of a CA, root certificate, and
2388              a number of client certificates. Suppose a laptop computer  con‐
2389              taining  a  client key and certificate was stolen. By adding the
2390              stolen certificate to the CRL file, you could reject any connec‐
2391              tion  which attempts to use it, while preserving the overall in‐
2392              tegrity of the PKI.
2393
2394              The only time when it would be necessary to rebuild  the  entire
2395              PKI from scratch would be if the root certificate key itself was
2396              compromised.
2397
2398              The option is not mandatory - if the relevant  CRL  is  missing,
2399              OpenVPN will log a warning in the logs - e.g.
2400
2401                 VERIFY WARNING: depth=0, unable to get certificate CRL
2402
2403              but the connection will be allowed.  If the optional dir flag is
2404              specified, enable a  different  mode  where  the  crl-verify  is
2405              pointed  at a directory containing files named as revoked serial
2406              numbers (the files may be empty, the contents are  never  read).
2407              If  a client requests a connection, where the client certificate
2408              serial number (decimal string) is the name of a file present  in
2409              the directory, it will be rejected.
2410
2411              Note:  As  the crl file (or directory) is read every time a peer
2412                     connects,  if  you  are  dropping  root  privileges  with
2413                     --user,  make  sure  that this user has sufficient privi‐
2414                     leges to read the file.
2415
2416       --dh file
2417              File containing Diffie Hellman parameters in  .pem  format  (re‐
2418              quired for --tls-server only).
2419
2420              Set file to none to disable Diffie Hellman key exchange (and use
2421              ECDH only). Note that this requires peers to be using an SSL li‐
2422              brary that supports ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+,
2423              or mbed TLS 2.0+).
2424
2425              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
2426              parameters. Diffie Hellman parameters may be considered public.
2427
2428       --ecdh-curve name
2429              Specify  the  curve  to  use  for elliptic curve Diffie Hellman.
2430              Available curves can be listed with --show-curves. The specified
2431              curve will only be used for ECDH TLS-ciphers.
2432
2433              This option is not supported in mbed TLS builds of OpenVPN.
2434
2435       --extra-certs file
2436              Specify  a  file  containing one or more PEM certs (concatenated
2437              together) that complete the local certificate chain.
2438
2439              This option is useful for "split" CAs, where the CA  for  server
2440              certs  is  different than the CA for client certs. Putting certs
2441              in this file allows them to be used to complete the  local  cer‐
2442              tificate  chain without trusting them to verify the peer-submit‐
2443              ted certificate, as would be the case if the certs  were  placed
2444              in the ca file.
2445
2446       --hand-window n
2447              Handshake  Window  --  the  TLS-based key exchange must finalize
2448              within n seconds of handshake initiation by any peer (default 60
2449              seconds).  If  the  handshake fails we will attempt to reset our
2450              connection with our peer and try again. Even  in  the  event  of
2451              handshake  failure  we will still use our expiring key for up to
2452              --tran-window seconds to maintain continuity of transmission  of
2453              tunnel data.
2454
2455       --key file
2456              Local  peer's  private  key  in .pem format. Use the private key
2457              which was generated when you built your peer's certificate  (see
2458              --cert file above).
2459
2460       --pkcs12 file
2461              Specify a PKCS #12 file containing local private key, local cer‐
2462              tificate, and root CA certificate. This option can be  used  in‐
2463              stead of --ca, --cert, and --key.  Not available with mbed TLS.
2464
2465       --remote-cert-eku oid
2466              Require  that  peer  certificate was signed with an explicit ex‐
2467              tended key usage.
2468
2469              This is a useful security option for clients, to ensure that the
2470              host they connect to is a designated server.
2471
2472              The  extended  key  usage  should be encoded in oid notation, or
2473              OpenSSL symbolic representation.
2474
2475       --remote-cert-ku key-usage
2476              Require that  peer  certificate  was  signed  with  an  explicit
2477              key-usage.
2478
2479              If  present  in the certificate, the keyUsage value is validated
2480              by the TLS library during the TLS handshake. Specifying this op‐
2481              tion without arguments requires this extension to be present (so
2482              the TLS library will verify it).
2483
2484              If key-usage is a list of usage bits, the  keyUsage  field  must
2485              have at least the same bits set as the bits in one of the values
2486              supplied in the key-usage list.
2487
2488              The key-usage values in the list must be encoded in hex, e.g.
2489
2490                 remote-cert-ku a0
2491
2492       --remote-cert-tls type
2493              Require that peer certificate was signed with  an  explicit  key
2494              usage and extended key usage based on RFC3280 TLS rules.
2495
2496              Valid syntaxes:
2497
2498                 remote-cert-tls server
2499                 remote-cert-tls client
2500
2501              This is a useful security option for clients, to ensure that the
2502              host they connect to is a designated server. Or  the  other  way
2503              around;  for  a  server  to verify that only hosts with a client
2504              certificate can connect.
2505
2506              The --remote-cert-tls client option is equivalent to
2507
2508                 remote-cert-ku
2509                 remote-cert-eku "TLS Web Client Authentication"
2510
2511              The --remote-cert-tls server option is equivalent to
2512
2513                 remote-cert-ku
2514                 remote-cert-eku "TLS Web Server Authentication"
2515
2516              This is an important security precaution to  protect  against  a
2517              man-in-the-middle  attack where an authorized client attempts to
2518              connect to another client by impersonating the server.  The  at‐
2519              tack  is  easily  prevented  by having clients verify the server
2520              certificate  using  any   one   of   --remote-cert-tls,   --ver‐
2521              ify-x509-name, or --tls-verify.
2522
2523       --tls-auth args
2524              Add an additional layer of HMAC authentication on top of the TLS
2525              control channel to mitigate DoS attacks and attacks on  the  TLS
2526              stack.
2527
2528              Valid syntaxes:
2529
2530                 tls-auth file
2531                 tls-auth file 0
2532                 tls-auth file 1
2533
2534              In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
2535              OpenVPN's TCP/UDP port, where TLS control channel packets  bear‐
2536              ing an incorrect HMAC signature can be dropped immediately with‐
2537              out response.
2538
2539              file (required) is a file in OpenVPN static key format which can
2540              be generated by --genkey.
2541
2542              Older   versions  (up  to  OpenVPN  2.3)  supported  a  freeform
2543              passphrase file.  This is no longer supported in newer  versions
2544              (v2.4+).
2545
2546              See the --secret option for more information on the optional di‐
2547              rection parameter.
2548
2549              --tls-auth is recommended when you are running OpenVPN in a mode
2550              where  it  is listening for packets from any IP address, such as
2551              when --remote is not specified, or --remote  is  specified  with
2552              --float.
2553
2554              The  rationale  for  this  feature is as follows. TLS requires a
2555              multi-packet exchange before it is able to authenticate a  peer.
2556              During  this  time  before authentication, OpenVPN is allocating
2557              resources (memory and CPU) to this potential peer. The potential
2558              peer  is also exposing many parts of OpenVPN and the OpenSSL li‐
2559              brary to the packets it is sending. Most successful network  at‐
2560              tacks  today  seek  to  either exploit bugs in programs (such as
2561              buffer overflow attacks) or force a program to consume  so  many
2562              resources  that it becomes unusable. Of course the first line of
2563              defense is always to produce clean, well-audited  code.  OpenVPN
2564              has been written with buffer overflow attack prevention as a top
2565              priority. But as history has shown, many of the most widely used
2566              network  applications  have, from time to time, fallen to buffer
2567              overflow attacks.
2568
2569              So as a second line of  defense,  OpenVPN  offers  this  special
2570              layer  of  authentication  on  top of the TLS control channel so
2571              that every packet on the control channel is authenticated by  an
2572              HMAC  signature and a unique ID for replay protection. This sig‐
2573              nature will also help protect against DoS  (Denial  of  Service)
2574              attacks. An important rule of thumb in reducing vulnerability to
2575              DoS attacks is to minimize the amount of resources a  potential,
2576              but as yet unauthenticated, client is able to consume.
2577
2578              --tls-auth does this by signing every TLS control channel packet
2579              with an HMAC signature, including packets which are sent  before
2580              the TLS level has had a chance to authenticate the peer. The re‐
2581              sult is that  packets  without  the  correct  signature  can  be
2582              dropped immediately upon reception, before they have a chance to
2583              consume additional system resources such as by initiating a  TLS
2584              handshake.  --tls-auth  can  be strengthened by adding the --re‐
2585              play-persist option which will keep OpenVPN's replay  protection
2586              state in a file so that it is not lost across restarts.
2587
2588              It  should  be emphasized that this feature is optional and that
2589              the key file used with --tls-auth gives a peer nothing more than
2590              the power to initiate a TLS handshake. It is not used to encrypt
2591              or authenticate any tunnel data.
2592
2593              Use --tls-crypt instead if you want to use the key file  to  not
2594              only authenticate, but also encrypt the TLS control channel.
2595
2596       --tls-groups list
2597              A list of allowable groups/curves in order of preference.
2598
2599              Set  the  allowed  elliptic  curves/groups  for the TLS session.
2600              These groups are allowed to be used in signatures  and  key  ex‐
2601              change.
2602
2603              mbedTLS currently allows all known curves per default.
2604
2605              OpenSSL 1.1+ restricts the list per default to
2606
2607                 "X25519:secp256r1:X448:secp521r1:secp384r1".
2608
2609              If  you use certificates that use non-standard curves, you might
2610              need to add them here. If you do not force the ecdh curve by us‐
2611              ing  --ecdh-curve,  the groups for ecdh will also be picked from
2612              this list.
2613
2614              OpenVPN maps the curve name secp256r1  to  prime256v1  to  allow
2615              specifying the same tls-groups option for mbedTLS and OpenSSL.
2616
2617              Warning:  this  option  not only affects elliptic curve certifi‐
2618              cates but also the key exchange in TLS 1.3 and using this option
2619              improperly will disable TLS 1.3.
2620
2621       --tls-cert-profile profile
2622              Set  the  allowed  cryptographic algorithms for certificates ac‐
2623              cording to profile.
2624
2625              The following profiles are supported:
2626
2627              legacy (default)
2628                     SHA1 and newer, RSA 2048-bit+, any elliptic curve.
2629
2630              preferred
2631                     SHA2 and newer, RSA 2048-bit+, any elliptic curve.
2632
2633              suiteb SHA256/SHA384, ECDSA with P-256 or P-384.
2634
2635              This option is only fully supported for mbed TLS builds. OpenSSL
2636              builds use the following approximation:
2637
2638              legacy (default)
2639                     sets "security level 1"
2640
2641              preferred
2642                     sets "security level 2"
2643
2644              suiteb sets "security level 3" and --tls-cipher "SUITEB128".
2645
2646              OpenVPN  will  migrate  to 'preferred' as default in the future.
2647              Please ensure that your keys already comply.
2648
2649       WARNING: --tls-ciphers, --tls-ciphersuites and tls-groups
2650              These options are expert features, which - if used  correctly  -
2651              can  improve the security of your VPN connection. But it is also
2652              easy to unwittingly use them to carefully align a gun with  your
2653              foot, or just break your connection. Use with care!
2654
2655       --tls-cipher l
2656              A list l of allowable TLS ciphers delimited by a colon (":").
2657
2658              These  setting  can be used to ensure that certain cipher suites
2659              are used (or not used) for the TLS connection. OpenVPN uses  TLS
2660              to secure the control channel, over which the keys that are used
2661              to protect the actual VPN traffic are exchanged.
2662
2663              The supplied list of ciphers is  (after  potential  OpenSSL/IANA
2664              name  translation) simply supplied to the crypto library. Please
2665              see the OpenSSL and/or mbed TLS documentation for details on the
2666              cipher list interpretation.
2667
2668              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below.
2669
2670              Use  --show-tls  to  see a list of TLS ciphers supported by your
2671              crypto library.
2672
2673              The default for --tls-cipher is to use mbed TLS's default cipher
2674              list       when       using       mbed      TLS      or      DE‐
2675              FAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA    when
2676              using OpenSSL.
2677
2678       --tls-ciphersuites l
2679              Same as --tls-cipher but for TLS 1.3 and up. mbed TLS has no TLS
2680              1.3 support yet and only the --tls-cipher setting is used.
2681
2682              The default for --tls-ciphersuites is  to  use  the  crypto  li‐
2683              brary's default.
2684
2685       --tls-client
2686              Enable TLS and assume client role during TLS handshake.
2687
2688       --tls-crypt keyfile
2689              Encrypt  and  authenticate  all control channel packets with the
2690              key from keyfile. (See --tls-auth for more background.)
2691
2692              Encrypting (and authenticating) control channel packets:
2693
2694              • provides more privacy by hiding the certificate used  for  the
2695                TLS connection,
2696
2697              • makes it harder to identify OpenVPN traffic as such,
2698
2699              • provides "poor-man's" post-quantum security, against attackers
2700                who will never know the pre-shared key (i.e.  no  forward  se‐
2701                crecy).
2702
2703              In contrast to --tls-auth, --tls-crypt does not require the user
2704              to set --key-direction.
2705
2706              Security Considerations
2707
2708              All peers use the same --tls-crypt pre-shared group key  to  au‐
2709              thenticate  and encrypt control channel messages. To ensure that
2710              IV collisions remain unlikely, this key should not  be  used  to
2711              encrypt more than 2^48 client-to-server or 2^48 server-to-client
2712              control channel messages. A typical initial negotiation is about
2713              10  packets in each direction. Assuming both initial negotiation
2714              and renegotiations are at most 2^16 (65536) packets (to be  con‐
2715              servative),  and  (re)negotiations  happen  each minute for each
2716              user (24/7), this limits the  tls-crypt  key  lifetime  to  8171
2717              years divided by the number of users. So a setup with 1000 users
2718              should rotate the key at least once each  eight  years.  (And  a
2719              setup with 8000 users each year.)
2720
2721              If  IV  collisions were to occur, this could result in the secu‐
2722              rity of --tls-crypt degrading to  the  same  security  as  using
2723              --tls-auth.   That  is,  the control channel still benefits from
2724              the extra protection  against  active  man-in-the-middle-attacks
2725              and  DoS  attacks,  but  may  no  longer offer extra privacy and
2726              post-quantum security on top of what TLS itself offers.
2727
2728              For large setups or setups where clients are not  trusted,  con‐
2729              sider  using --tls-crypt-v2 instead. That uses per-client unique
2730              keys, and thereby improves the bounds to 'rotate a client key at
2731              least once per 8000 years'.
2732
2733       --tls-crypt-v2 keyfile
2734              Use client-specific tls-crypt keys.
2735
2736              For  clients, keyfile is a client-specific tls-crypt key. Such a
2737              key can be generated using the --genkey tls-crypt-v2-client  op‐
2738              tion.
2739
2740              For servers, keyfile is used to unwrap client-specific keys sup‐
2741              plied by the client during connection setup. This  key  must  be
2742              the  same  as  the  key used to generate the client-specific key
2743              (see --genkey tls-crypt-v2-client).
2744
2745              On servers, this option can be used together with the --tls-auth
2746              or  --tls-crypt  option.  In  that  case, the server will detect
2747              whether the client is using client-specific keys, and  automati‐
2748              cally select the right mode.
2749
2750       --tls-crypt-v2-verify cmd
2751              Run  command  cmd  to verify the metadata of the client-specific
2752              tls-crypt-v2 key of a connecting client. This allows server  ad‐
2753              ministrators  to  reject client connections, before exposing the
2754              TLS stack (including the notoriously dangerous X.509  and  ASN.1
2755              stacks) to the connecting client.
2756
2757              OpenVPN supplies the following environment variables to the com‐
2758              mand:
2759
2760              • script_type is set to tls-crypt-v2-verify
2761
2762              • metadata_type is set to 0 if the metadata was  user  supplied,
2763                or 1 if it's a 64-bit unix timestamp representing the key cre‐
2764                ation time.
2765
2766              • metadata_file contains the filename of a temporary  file  that
2767                contains the client metadata.
2768
2769              The command can reject the connection by exiting with a non-zero
2770              exit code.
2771
2772       --tls-exit
2773              Exit on TLS negotiation failure.
2774
2775       --tls-export-cert directory
2776              Store the certificates the clients use upon connection  to  this
2777              directory.  This will be done before --tls-verify is called. The
2778              certificates will use a temporary name and will be deleted  when
2779              the  tls-verify  script returns. The file name used for the cer‐
2780              tificate is available via the peer_cert environment variable.
2781
2782       --tls-server
2783              Enable TLS and assume server role  during  TLS  handshake.  Note
2784              that OpenVPN is designed as a peer-to-peer application. The des‐
2785              ignation of client or server is only for the purpose of  negoti‐
2786              ating the TLS control channel.
2787
2788       --tls-timeout n
2789              Packet  retransmit timeout on TLS control channel if no acknowl‐
2790              edgment from remote within n seconds (default 2).  When  OpenVPN
2791              sends a control packet to its peer, it will expect to receive an
2792              acknowledgement within n  seconds  or  it  will  retransmit  the
2793              packet,  subject  to  a  TCP-like exponential backoff algorithm.
2794              This parameter only applies to  control  channel  packets.  Data
2795              channel  packets  (which  carry encrypted tunnel data) are never
2796              acknowledged, sequenced, or retransmitted by OpenVPN because the
2797              higher level network protocols running on top of the tunnel such
2798              as TCP expect this role to be left to them.
2799
2800       --tls-version-min args
2801              Sets the minimum TLS version we will accept from the  peer  (de‐
2802              fault is "1.0").
2803
2804              Valid syntax:
2805
2806                 tls-version-min version ['or-highest']
2807
2808              Examples  for version include 1.0, 1.1, or 1.2. If or-highest is
2809              specified and version is not recognized, we will only accept the
2810              highest TLS version supported by the local SSL implementation.
2811
2812       --tls-version-max version
2813              Set  the maximum TLS version we will use (default is the highest
2814              version supported). Examples for version include  1.0,  1.1,  or
2815              1.2.
2816
2817       --verify-hash args
2818              Specify SHA1 or SHA256 fingerprint for level-1 cert.
2819
2820              Valid syntax:
2821
2822                 verify-hash hash [algo]
2823
2824              The level-1 cert is the CA (or intermediate cert) that signs the
2825              leaf certificate, and is one removed from the  leaf  certificate
2826              in the direction of the root. When accepting a connection from a
2827              peer, the level-1 cert fingerprint must match hash  or  certifi‐
2828              cate  verification will fail. Hash is specified as XX:XX:... For
2829              example:
2830
2831                 AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
2832
2833              The algo flag can be either SHA1 or SHA256. If not provided,  it
2834              defaults to SHA1.
2835
2836       --verify-x509-name args
2837              Accept connections only if a host's X.509 name is equal to name.
2838              The remote host must also pass all other tests of verification.
2839
2840              Valid syntax:
2841
2842                 verify-x509 name type
2843
2844              Which X.509 name is compared to name depends on the  setting  of
2845              type.  type can be subject to match the complete subject DN (de‐
2846              fault), name to match a subject RDN or name-prefix  to  match  a
2847              subject RDN prefix. Which RDN is verified as name depends on the
2848              --x509-username-field option. But it defaults to the common name
2849              (CN), e.g. a certificate with a subject DN
2850
2851                 C=KG, ST=NA, L=Bishkek, CN=Server-1
2852
2853              would be matched by:
2854
2855                 verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
2856                 verify-x509-name Server-1 name
2857                 verify-x509-name Server- name-prefix
2858
2859              The  last  example is useful if you want a client to only accept
2860              connections to Server-1, Server-2, etc.
2861
2862              --verify-x509-name is a useful replacement for the  --tls-verify
2863              option  to  verify  the  remote host, because --verify-x509-name
2864              works in a --chroot environment without any dependencies.
2865
2866              Using a name prefix is a useful alternative to  managing  a  CRL
2867              (Certificate Revocation List) on the client, since it allows the
2868              client to refuse all certificates except  for  those  associated
2869              with designated servers.
2870
2871              NOTE:  Test  against a name prefix only when you are using Open‐
2872                     VPN with a custom CA certificate that is under your  con‐
2873                     trol.  Never  use  this option with type name-prefix when
2874                     your client certificates are signed  by  a  third  party,
2875                     such as a commercial web CA.
2876
2877       --x509-track attribute
2878              Save peer X509 attribute value in environment for use by plugins
2879              and management interface. Prepend a + to attribute to save  val‐
2880              ues   from   full   cert   chain.  Values  will  be  encoded  as
2881              X509_<depth>_<attribute>=<value>. Multiple --x509-track  options
2882              can be defined to track multiple attributes.
2883
2884       --x509-username-field args
2885              Field  in  the X.509 certificate subject to be used as the user‐
2886              name (default CN).
2887
2888              Valid syntax:
2889
2890                 x509-username-field [ext:]fieldname
2891
2892              Typically, this option is specified with fieldname as either  of
2893              the following:
2894
2895                 x509-username-field emailAddress
2896                 x509-username-field ext:subjectAltName
2897
2898              The  first  example uses the value of the emailAddress attribute
2899              in the certificate's Subject field as the username.  The  second
2900              example uses the ext: prefix to signify that the X.509 extension
2901              fieldname subjectAltName be searched for an  rfc822Name  (email)
2902              field  to be used as the username. In cases where there are mul‐
2903              tiple email addresses in ext:fieldname, the last  occurrence  is
2904              chosen.
2905
2906              When  this  option  is  used, the --verify-x509-name option will
2907              match against the chosen fieldname instead of the Common Name.
2908
2909              Only the subjectAltName and issuerAltName X.509  extensions  are
2910              supported.
2911
2912              Please  note:  This  option  has a feature which will convert an
2913              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
2914              A  mixed-case  fieldname  or  one having the ext: prefix will be
2915              left as-is. This automatic upcasing feature  is  deprecated  and
2916              will be removed in a future release.
2917
2918   PKCS#11 / SmartCard options
2919       --pkcs11-cert-private args
2920              Set  if  access  to certificate object should be performed after
2921              login.  Every provider has its own setting.
2922
2923              Valid syntaxes:
2924
2925                 pkcs11-cert-private 0
2926                 pkcs11-cert-private 1
2927
2928       --pkcs11-id name
2929              Specify the serialized certificate id to be used. The id can  be
2930              gotten by the standalone --show-pkcs11-ids option.
2931
2932       --pkcs11-id-management
2933              Acquire  PKCS#11  id  from  management interface. In this case a
2934              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
2935              gered,  application  may use pkcs11-id-count command to retrieve
2936              available number of certificates, and pkcs11-id-get  command  to
2937              retrieve certificate id and certificate body.
2938
2939       --pkcs11-pin-cache seconds
2940              Specify  how  many seconds the PIN can be cached, the default is
2941              until the token is removed.
2942
2943       --pkcs11-private-mode mode
2944              Specify which method to use in order to perform private key  op‐
2945              erations.   A different mode can be specified for each provider.
2946              Mode is encoded as hex number, and can be a mask one of the fol‐
2947              lowing:
2948
2949              0 (default)   Try to determine automatically.
2950
2951              1             Use sign.
2952
2953              2             Use sign recover.
2954
2955              4             Use decrypt.
2956
2957              8             Use unwrap.
2958
2959       --pkcs11-protected-authentication args
2960              Use  PKCS#11 protected authentication path, useful for biometric
2961              and external keypad devices. Every provider has its own setting.
2962
2963              Valid syntaxes:
2964
2965                 pkcs11-protected-authentication 0
2966                 pkcs11-protected-authentication 1
2967
2968       --pkcs11-providers provider
2969              Specify an RSA Security Inc. PKCS #11 Cryptographic Token Inter‐
2970              face  (Cryptoki)  providers to load. This option can be used in‐
2971              stead of --cert, --key and --pkcs12.
2972
2973              If p11-kit is present on the system, its p11-kit-proxy.so module
2974              will   be  loaded  by  default  if  either  the  --pkcs11-id  or
2975              --pkcs11-id-management    options    are    specified    without
2976              --pkcs11-provider being given.
2977
2978       --show-pkcs11-ids args
2979              (Standalone) Show PKCS#11 token object list.
2980
2981              Valid syntax:
2982
2983                 show-pkcs11 [provider] [cert_private]
2984
2985              Specify  cert_private as 1 if certificates are stored as private
2986              objects.
2987
2988              If p11-kit is present on the system, the  provider  argument  is
2989              optional; if omitted the default p11-kit-proxy.so module will be
2990              queried.
2991
2992              --verb option can be used BEFORE this option to  produce  debug‐
2993              ging information.
2994