1OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)
2
3
4

NAME

6       openvpn - Secure IP tunnel daemon
7

SYNOPSIS

9       openvpn [ options ... ]
10       openvpn  --help
11
12

INTRODUCTION

14       OpenVPN  is  an  open source VPN daemon by James Yonan. Because OpenVPN
15       tries to be a universal VPN tool offering a great deal of  flexibility,
16       there  are a lot of options on this manual page. If you're new to Open‐
17       VPN, you might want to skip ahead to the  examples  section  where  you
18       will  see how to construct simple VPNs on the command line without even
19       needing a configuration file.
20
21       Also note that there's more documentation and examples on  the  OpenVPN
22       web site: https://openvpn.net/
23
24       And  if you would like to see a shorter version of this manual, see the
25       openvpn usage message which can be obtained by running openvpn  without
26       any parameters.
27

DESCRIPTION

29       OpenVPN  is  a  robust and highly flexible VPN daemon. OpenVPN supports
30       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
31       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
32       scalability to hundreds or thousands of users, and portability to  most
33       major OS platforms.
34
35       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
36       its crypto capabilities from it.
37
38       OpenVPN supports conventional encryption using a pre-shared secret  key
39       (Static  Key mode) or public key security (SSL/TLS mode) using client &
40       server certificates. OpenVPN also supports non-encrypted  TCP/UDP  tun‐
41       nels.
42
43       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
44       face that exists on most platforms.
45
46       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
47       with a relatively lightweight footprint.
48

OPTIONS

50       OpenVPN allows any option to be placed either on the command line or in
51       a configuration file. Though all command line options are preceded by a
52       double-leading-dash  ("--"),  this prefix can be removed when an option
53       is placed in a configuration file.
54
55   Generic Options
56       This section covers generic options which are accessible regardless  of
57       which mode OpenVPN is configured as.
58
59       --help Show options.
60
61       --auth-nocache
62              Don't  cache --askpass or --auth-user-pass username/passwords in
63              virtual memory.
64
65              If specified, this directive will cause OpenVPN  to  immediately
66              forget  username/password  inputs  after they are used. As a re‐
67              sult, when OpenVPN needs a username/password, it will prompt for
68              input  from  stdin, which may be multiple times during the dura‐
69              tion of an OpenVPN session.
70
71              When using --auth-nocache in combination  with  a  user/password
72              file  and  --chroot  or  --daemon,  make sure to use an absolute
73              path.
74
75              This directive does not affect the  --http-proxy  username/pass‐
76              word.  It is always cached.
77
78       --cd dir
79              Change  directory to dir prior to reading any files such as con‐
80              figuration files, key files, scripts, etc. dir should be an  ab‐
81              solute  path,  with a leading "/", and without any references to
82              the current directory such as . or ...
83
84              This option is useful when you are running OpenVPN  in  --daemon
85              mode,  and  you  want to consolidate all of your OpenVPN control
86              files in one location.
87
88       --chroot dir
89              Chroot to dir after initialization. --chroot  essentially  rede‐
90              fines  dir  as  being  the top level directory tree (/). OpenVPN
91              will therefore be unable to access any files outside this  tree.
92              This can be desirable from a security standpoint.
93
94              Since  the  chroot  operation is delayed until after initializa‐
95              tion, most OpenVPN options that reference files will operate  in
96              a pre-chroot context.
97
98              In  many  cases,  the dir parameter can point to an empty direc‐
99              tory, however complications can result when scripts or  restarts
100              are executed after the chroot operation.
101
102              Note:  The  SSL  library  will  probably need /dev/urandom to be
103              available inside the chroot directory dir. This is  because  SSL
104              libraries occasionally need to collect fresh random. Newer linux
105              kernels and some BSDs implement a  getrandom()  or  getentropy()
106              syscall that removes the need for /dev/urandom to be available.
107
108       --config file
109              Load  additional config options from file where each line corre‐
110              sponds to one command line option, but with the leading '--' re‐
111              moved.
112
113              If  --config file is the only option to the openvpn command, the
114              --config can be removed, and the command can be given as openvpn
115              file
116
117              Note  that  configuration  files  can  be nested to a reasonable
118              depth.
119
120              Double quotation or single quotation characters ("", '') can  be
121              used to enclose single parameters containing whitespace, and "#"
122              or ";" characters in the first column can be used to denote com‐
123              ments.
124
125              Note  that OpenVPN 2.0 and higher performs backslash-based shell
126              escaping for characters not in single quotations, so the follow‐
127              ing mappings should be observed:
128
129                 \\       Maps to a single backslash character (\).
130                 \"       Pass a literal doublequote character ("), don't
131                          interpret it as enclosing a parameter.
132                 \[SPACE] Pass a literal space or tab character, don't
133                          interpret it as a parameter delimiter.
134
135              For  example  on  Windows,  use  double backslashes to represent
136              pathnames:
137
138                 secret "c:\\OpenVPN\\secret.key"
139
140              For     examples      of      configuration      files,      see
141              https://openvpn.net/community-resources/how-to/
142
143              Here is an example configuration file:
144
145                 #
146                 # Sample OpenVPN configuration file for
147                 # using a pre-shared static key.
148                 #
149                 # '#' or ';' may be used to delimit comments.
150
151                 # Use a dynamic tun device.
152                 dev tun
153
154                 # Our remote peer
155                 remote mypeer.mydomain
156
157                 # 10.1.0.1 is our local VPN endpoint
158                 # 10.1.0.2 is our remote VPN endpoint
159                 ifconfig 10.1.0.1 10.1.0.2
160
161                 # Our pre-shared static key
162                 secret static.key
163
164       --daemon progname
165              Become  a  daemon  after  all  initialization functions are com‐
166              pleted. This option will cause all message and error  output  to
167              be  sent  to the syslog file (such as /var/log/messages), except
168              for the output of scripts and ifconfig commands, which  will  go
169              to /dev/null unless otherwise redirected. The syslog redirection
170              occurs immediately at the point that --daemon is parsed  on  the
171              command  line  even though the daemonization point occurs later.
172              If one of the --log options is present, it will supersede syslog
173              redirection.
174
175              The optional progname parameter will cause OpenVPN to report its
176              program name to the system logger as progname. This can be  use‐
177              ful in linking OpenVPN messages in the syslog file with specific
178              tunnels. When unspecified, progname defaults to "openvpn".
179
180              When OpenVPN is run with the --daemon option, it will try to de‐
181              lay daemonization until the majority of initialization functions
182              which are capable of generating fatal errors are complete.  This
183              means  that initialization scripts can test the return status of
184              the openvpn command for a fairly reliable indication of  whether
185              the  command  has  correctly  initialized and entered the packet
186              forwarding event loop.
187
188              In OpenVPN, the vast majority of errors which occur  after  ini‐
189              tialization are non-fatal.
190
191              Note:  as  soon  as  OpenVPN  has daemonized, it can not ask for
192              usernames, passwords, or key pass phrases anymore. This has cer‐
193              tain  consequences,  namely that using a password-protected pri‐
194              vate key will fail unless the --askpass option is used  to  tell
195              OpenVPN  to  ask for the pass phrase (this requirement is new in
196              v2.3.7, and is a consequence of calling daemon() before initial‐
197              izing the crypto layer).
198
199              Further,  using --daemon together with --auth-user-pass (entered
200              on console) and --auth-nocache will fail as soon as key  renego‐
201              tiation (and reauthentication) occurs.
202
203       --disable-occ
204              Don't output a warning message if option inconsistencies are de‐
205              tected between peers. An  example  of  an  option  inconsistency
206              would be where one peer uses --dev tun while the other peer uses
207              --dev tap.
208
209              Use of this option is discouraged, but is provided as  a  tempo‐
210              rary  fix  in  situations where a recent version of OpenVPN must
211              connect to an old version.
212
213       --engine engine-name
214              Enable OpenSSL hardware-based crypto engine functionality.
215
216              If engine-name is specified, use a specific crypto  engine.  Use
217              the  --show-engines standalone option to list the crypto engines
218              which are supported by OpenSSL.
219
220       --fast-io
221              (Experimental) Optimize TUN/TAP/UDP I/O  writes  by  avoiding  a
222              call to poll/epoll/select prior to the write operation. The pur‐
223              pose of such a call would normally be to block until the  device
224              or  socket is ready to accept the write. Such blocking is unnec‐
225              essary on some platforms which don't support write  blocking  on
226              UDP  sockets or TUN/TAP devices. In such cases, one can optimize
227              the event loop by avoiding the poll/epoll/select call, improving
228              CPU efficiency by 5% to 10%.
229
230              This  option  can  only  be  used  on  non-Windows systems, when
231              --proto udp is specified, and when --shaper is NOT specified.
232
233       --group group
234              Similar to the --user option, this option changes the  group  ID
235              of the OpenVPN process to group after initialization.
236
237       --ignore-unknown-option args
238              Valid syntax:
239
240                 ignore-unknown-options opt1 opt2 opt3 ... optN
241
242              When one of options opt1 ... optN is encountered in the configu‐
243              ration file the configuration file parsing does not fail if this
244              OpenVPN  version  does  not  support  the option. Multiple --ig‐
245              nore-unknown-option options can be given  to  support  a  larger
246              number of options to ignore.
247
248              This option should be used with caution, as there are good secu‐
249              rity reasons for having OpenVPN fail if it detects problems in a
250              config  file.   Having  said  that,  there are valid reasons for
251              wanting new software features to gracefully degrade when encoun‐
252              tered by older software versions.
253
254              --ignore-unknown-option is available since OpenVPN 2.3.3.
255
256       --iproute cmd
257              Set  alternate  command  to  execute instead of default iproute2
258              command.  May be used in order to execute  OpenVPN  in  unprivi‐
259              leged environment.
260
261       --keying-material-exporter args
262              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
263              between 16 and 4095  bytes)  using  label  in  environment  (ex‐
264              ported_keying_material)    for   use   by   plugins   in   OPEN‐
265              VPN_PLUGIN_TLS_FINAL callback.
266
267              Valid syntax:
268
269                 keying-material-exporter label len
270
271              Note that exporter labels have the potential to collide with ex‐
272              isting  PRF  labels. In order to prevent this, labels MUST begin
273              with EXPORTER.
274
275       --mlock
276              Disable paging by calling the POSIX mlockall function.  Requires
277              that OpenVPN be initially run as root (though OpenVPN can subse‐
278              quently downgrade its UID using the --user option).
279
280              Using this option ensures that key material and tunnel data  are
281              never  written  to  disk due to virtual memory paging operations
282              which occur under most modern operating systems. It ensures that
283              even  if  an attacker was able to crack the box running OpenVPN,
284              he would not be able to scan the system  swap  file  to  recover
285              previously  used  ephemeral keys, which are used for a period of
286              time governed by the --reneg options (see below), then are  dis‐
287              carded.
288
289              The  downside of using --mlock is that it will reduce the amount
290              of physical memory available to other applications.
291
292              The limit on how much memory can be locked and how that limit is
293              enforced  are  OS-dependent.  On Linux the default limit that an
294              unprivileged process may lock (RLIMIT_MEMLOCK) is  low,  and  if
295              privileges  are  dropped  later,  future memory allocations will
296              very likely fail. The limit can be  increased  using  ulimit  or
297              systemd directives depending on how OpenVPN is started.
298
299       --nice n
300              Change  process  priority after initialization (n greater than 0
301              is lower priority, n less than zero is higher priority).
302
303       --persist-key
304              Don't re-read key files across SIGUSR1 or --ping-restart.
305
306              This option can be combined with --user nobody to allow restarts
307              triggered by the SIGUSR1 signal. Normally if you drop root priv‐
308              ileges in OpenVPN, the daemon cannot be restarted since it  will
309              now be unable to re-read protected key files.
310
311              This option solves the problem by persisting keys across SIGUSR1
312              resets, so they don't need to be re-read.
313
314       --remap-usr1 signal
315              Control whether internally or externally generated SIGUSR1  sig‐
316              nals  are  remapped to SIGHUP (restart without persisting state)
317              or SIGTERM (exit).
318
319              signal can be set to SIGHUP or SIGTERM. By default, no remapping
320              occurs.
321
322       --script-security level
323              This  directive offers policy-level control over OpenVPN's usage
324              of external programs and scripts. Lower level  values  are  more
325              restrictive,  higher  values  are  more permissive. Settings for
326              level:
327
328              0      Strictly no calling of external programs.
329
330              1      (Default) Only call built-in executables such  as  ifcon‐
331                     fig, ip, route, or netsh.
332
333              2      Allow  calling  of  built-in executables and user-defined
334                     scripts.
335
336              3      Allow passwords to be passed to scripts via environmental
337                     variables (potentially unsafe).
338
339              OpenVPN  releases before v2.3 also supported a method flag which
340              indicated how OpenVPN should call external commands and scripts.
341              This  could  be either execve or system. As of OpenVPN 2.3, this
342              flag is no longer accepted. In most *nix  environments  the  ex‐
343              ecve() approach has been used without any issues.
344
345              Some  directives  such as --up allow options to be passed to the
346              external script. In these cases make sure the script  name  does
347              not  contain  any  spaces or the configuration parser will choke
348              because it can't determine where the script name ends and script
349              options start.
350
351              To run scripts in Windows in earlier OpenVPN versions you needed
352              to either add a full path to the script  interpreter  which  can
353              parse the script or use the system flag to run these scripts. As
354              of OpenVPN 2.3 it is now a strict requirement to have full  path
355              to  the  script  interpreter when running non-executables files.
356              This is not needed for executable files,  such  as  .exe,  .com,
357              .bat  or  .cmd  files.  For  example, if you have a Visual Basic
358              script, you must use this syntax now:
359
360                 --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
361
362              Please note the single quote marks and the escaping of the back‐
363              slashes (\) and the space character.
364
365              The reason the support for the system flag was removed is due to
366              the security implications with shell expansions  when  executing
367              scripts via the system() call.
368
369       --setcon context
370              Apply  SELinux  context  after  initialization. This essentially
371              provides the ability to restrict OpenVPN's rights to  only  net‐
372              work  I/O  operations, thanks to SELinux. This goes further than
373              --user and --chroot in that those two, while being  great  secu‐
374              rity  features,  unfortunately  do not protect against privilege
375              escalation by exploitation of a vulnerable system call. You  can
376              of  course  combine all three, but please note that since setcon
377              requires access to /proc you will have to provide it inside  the
378              chroot directory (e.g. with mount --bind).
379
380              Since  the  setcon  operation is delayed until after initializa‐
381              tion, OpenVPN can be restricted to just  network-related  system
382              calls,  whereas  by applying the context before startup (such as
383              the OpenVPN one provided in the SELinux Reference Policies)  you
384              will  have to allow many things required only during initializa‐
385              tion.
386
387              Like with chroot,  complications  can  result  when  scripts  or
388              restarts  are  executed after the setcon operation, which is why
389              you should really consider using the  --persist-key  and  --per‐
390              sist-tun options.
391
392       --status args
393              Write operational status to file every n seconds.
394
395              Valid syntaxes:
396
397                 status file
398                 status file n
399
400              Status  can  also  be written to the syslog by sending a SIGUSR2
401              signal.
402
403              With multi-client capability enabled on  a  server,  the  status
404              file  includes a list of clients and a routing table. The output
405              format can be controlled by the --status-version option in  that
406              case.
407
408              For clients or instances running in point-to-point mode, it will
409              contain the traffic statistics.
410
411       --status-version n
412              Set the status file format version number to n.
413
414              This only affects the status file on servers  with  multi-client
415              capability enabled.  Valid status version values:
416
417              1      Traditional  format  (default).  The client list contains
418                     the following fields comma-separated: Common  Name,  Real
419                     Address, Bytes Received, Bytes Sent, Connected Since.
420
421              2      A  more reliable format for external processing. Compared
422                     to version 1, the client list  contains  some  additional
423                     fields:  Virtual Address, Virtual IPv6 Address, Username,
424                     Client ID, Peer ID, Data Channel Cipher. Future  versions
425                     may extend the number of fields.
426
427              3      Identical to 2, but fields are tab-separated.
428
429       --test-crypto
430              Do a self-test of OpenVPN's crypto options by encrypting and de‐
431              crypting test packets using the data channel encryption  options
432              specified  above.   This option does not require a peer to func‐
433              tion, and therefore can be specified without --dev or --remote.
434
435              The typical usage of --test-crypto would be something like this:
436
437                 openvpn --test-crypto --secret key
438
439              or
440
441                 openvpn --test-crypto --secret key --verb 9
442
443              This option is very useful to test OpenVPN  after  it  has  been
444              ported  to  a  new  platform, or to isolate problems in the com‐
445              piler, OpenSSL crypto library, or OpenVPN's crypto  code.  Since
446              it is a self-test mode, problems with encryption and authentica‐
447              tion can be debugged independently of network and tunnel issues.
448
449       --tmp-dir dir
450              Specify a directory dir for temporary files. This directory will
451              be used by openvpn processes and script to communicate temporary
452              data with openvpn main process. Note that the directory must  be
453              writable  by  the OpenVPN process after it has dropped it's root
454              privileges.
455
456              This directory will be used by in the following cases:
457
458              • --client-connect  scripts  and   OPENVPN_PLUGIN_CLIENT_CONNECT
459                plug-in  hook to dynamically generate client-specific configu‐
460                ration client_connect_config_file and  return  success/failure
461                via  client_connect_deferred_file  when  using deferred client
462                connect method
463
464              • OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  plug-in  hooks   returns
465                success/failure via auth_control_file when using deferred auth
466                method
467
468              • OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass  filtering  rules
469                via pf_file
470
471       --use-prediction-resistance
472              Enable prediction resistance on mbed TLS's RNG.
473
474              Enabling  prediction resistance causes the RNG to reseed in each
475              call for random. Reseeding this often can  quickly  deplete  the
476              kernel entropy pool.
477
478              If  you  need this option, please consider running a daemon that
479              adds entropy to the kernel pool.
480
481       --user user
482              Change the user ID of the OpenVPN process to user after initial‐
483              ization, dropping privileges in the process. This option is use‐
484              ful to protect the system in the event that some  hostile  party
485              was able to gain control of an OpenVPN session. Though OpenVPN's
486              security features make this unlikely, it is provided as a second
487              line of defense.
488
489              By  setting  user  to nobody or somebody similarly unprivileged,
490              the hostile party would be limited in  what  damage  they  could
491              cause.  Of  course once you take away privileges, you cannot re‐
492              turn them to an OpenVPN session. This means, for  example,  that
493              if  you  want  to  reset an OpenVPN daemon with a SIGUSR1 signal
494              (for example in response to a DHCP reset), you should  make  use
495              of  one  or more of the --persist options to ensure that OpenVPN
496              doesn't need to execute any privileged operations  in  order  to
497              restart (such as re-reading key files or running ifconfig on the
498              TUN device).
499
500       --writepid file
501              Write OpenVPN's main process ID to file.
502
503   Log options
504       --echo parms
505              Echo parms to log output.
506
507              Designed to be used to send messages to a  controlling  applica‐
508              tion which is receiving the OpenVPN log output.
509
510       --errors-to-stderr
511              Output  errors  to stderr instead of stdout unless log output is
512              redirected by one of the --log options.
513
514       --log file
515              Output logging  messages  to  file,  including  output  to  std‐
516              out/stderr which is generated by called scripts. If file already
517              exists it will be truncated. This option  takes  effect  immedi‐
518              ately  when  it is parsed in the command line and will supersede
519              syslog output if --daemon or --inetd is also specified. This op‐
520              tion  is persistent over the entire course of an OpenVPN instan‐
521              tiation  and  will  not  be  reset  by   SIGHUP,   SIGUSR1,   or
522              --ping-restart.
523
524              Note that on Windows, when OpenVPN is started as a service, log‐
525              ging occurs by default without the need to specify this option.
526
527       --log-append file
528              Append logging messages to file.  If file  does  not  exist,  it
529              will  be  created. This option behaves exactly like --log except
530              that it appends to rather than truncating the log file.
531
532       --machine-readable-output
533              Always write timestamps and message flags to log messages,  even
534              when  they  otherwise would not be prefixed. In particular, this
535              applies to log messages sent to stdout.
536
537       --mute n
538              Log at most n consecutive messages in the same category. This is
539              useful to limit repetitive logging of similar message types.
540
541       --mute-replay-warnings
542              Silence  the output of replay warnings, which are a common false
543              alarm on WiFi networks. This option preserves  the  security  of
544              the replay protection code without the verbosity associated with
545              warnings about duplicate packets.
546
547       --suppress-timestamps
548              Avoid writing timestamps to log messages, even when they  other‐
549              wise would be prepended. In particular, this applies to log mes‐
550              sages sent to stdout.
551
552       --syslog progname
553              Direct log output to system logger, but do not become a  daemon.
554              See --daemon directive above for description of progname parame‐
555              ter.
556
557       --verb n
558              Set output verbosity to n (default 1). Each level shows all info
559              from  the  previous levels. Level 3 is recommended if you want a
560              good summary of what's happening without being swamped  by  out‐
561              put.
562
563              0      No output except fatal errors.
564
565              1 to 4 Normal usage range.
566
567              5      Outputs R and W characters to the console for each packet
568                     read and write, uppercase is used for TCP/UDP packets and
569                     lowercase is used for TUN/TAP packets.
570
571              6 to 11
572                     Debug  info  range (see errlevel.h in the source code for
573                     additional information on debug levels).
574
575   Protocol options
576       Options in this section affect features available in the  OpenVPN  wire
577       protocol.   Many of these options also define the encryption options of
578       the data channel in the OpenVPN wire protocol.  These options  must  be
579       configured in a compatible way between both the local and remote side.
580
581       --allow-compression mode
582              As  described  in the --compress option, compression is a poten‐
583              tially dangerous option.  This option allows controlling the be‐
584              haviour of OpenVPN when compression is used and allowed.
585
586              Valid syntaxes:
587
588                 allow-compression
589                 allow-compression mode
590
591              The mode argument can be one of the following values:
592
593              asym (default)
594                     OpenVPN  will  only  decompress  downlink packets but not
595                     compress uplink packets.  This also allows  migrating  to
596                     disable  compression when changing both server and client
597                     configurations to remove compression at the same time  is
598                     not a feasible option.
599
600              no     OpenVPN will refuse any non-stub compression.
601
602              yes    OpenVPN will send and receive compressed packets.
603
604       --auth alg
605              Authenticate data channel packets and (if enabled) tls-auth con‐
606              trol channel packets with HMAC using  message  digest  algorithm
607              alg. (The default is SHA1 ). HMAC is a commonly used message au‐
608              thentication algorithm (MAC) that uses a data string,  a  secure
609              hash algorithm and a key to produce a digital signature.
610
611              The  OpenVPN  data  channel protocol uses encrypt-then-mac (i.e.
612              first encrypt a packet  then  HMAC  the  resulting  ciphertext),
613              which prevents padding oracle attacks.
614
615              If  an  AEAD cipher mode (e.g. GCM) is chosen then the specified
616              --auth algorithm is ignored for the data channel and the authen‐
617              tication  method  of  the AEAD cipher is used instead. Note that
618              alg still specifies the digest used for tls-auth.
619
620              In static-key encryption mode, the HMAC key is included  in  the
621              key file generated by --genkey. In TLS mode, the HMAC key is dy‐
622              namically generated and shared between peers via the TLS control
623              channel.  If  OpenVPN  receives a packet with a bad HMAC it will
624              drop the packet. HMAC usually adds 16 or 20  bytes  per  packet.
625              Set alg=none to disable authentication.
626
627              For        more        information       on       HMAC       see
628              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
629
630       --cipher alg
631              This option is deprecated for server-client mode. --data-ciphers
632              or possibly --data-ciphers-fallback` should be used instead.
633
634              Encrypt data channel packets with cipher algorithm alg.
635
636              The  default  is  BF-CBC, an abbreviation for Blowfish in Cipher
637              Block Chaining mode. When cipher negotiation (NCP)  is  allowed,
638              OpenVPN  2.4 and newer on both client and server side will auto‐
639              matically  upgrade  to  AES-256-GCM.   See  --data-ciphers   and
640              --ncp-disable for more details on NCP.
641
642              Using  BF-CBC  is  no  longer recommended, because of its 64-bit
643              block size. This small block size allows attacks based on colli‐
644              sions,       as      demonstrated      by      SWEET32.      See
645              https://community.openvpn.net/openvpn/wiki/SWEET32 for  details.
646              Due  to  this,  support for BF-CBC, DES, CAST5, IDEA and RC2 ci‐
647              phers will be removed in OpenVPN 2.6.
648
649              To see other ciphers that are available with  OpenVPN,  use  the
650              --show-ciphers option.
651
652              Set alg to none to disable encryption.
653
654       --compress algorithm
655              DEPRECATED  Enable a compression algorithm.  Compression is gen‐
656              erally not recommended.  VPN tunnels which use  compression  are
657              susceptible to the VORALCE attack vector.
658
659              The  algorithm  parameter may be lzo, lz4, lz4-v2, stub, stub-v2
660              or empty.  LZO and LZ4  are  different  compression  algorithms,
661              with  LZ4 generally offering the best performance with least CPU
662              usage.
663
664              The lz4-v2 and stub-v2 variants implement a better framing  that
665              does  not  add  overhead  when packets cannot be compressed. All
666              other variants always add one extra framing byte compared to  no
667              compression framing.
668
669              If  the  algorithm parameter is stub, stub-v2 or empty, compres‐
670              sion will be turned off, but the packet framing for  compression
671              will still be enabled, allowing a different setting to be pushed
672              later.  Additionally, stub and stub-v2  wil  disable  announcing
673              lzo and lz4 compression support via IV_ variables to the server.
674
675              Note:  the  stub  (or  empty)  option is NOT compatible with the
676              older option --comp-lzo no.
677
678              *Security Considerations*
679
680              Compression and encryption is a tricky combination.  If  an  at‐
681              tacker  knows or is able to control (parts of) the plain-text of
682              packets that contain secrets, the attacker might be able to  ex‐
683              tract  the  secret if compression is enabled. See e.g. the CRIME
684              and BREACH attacks on TLS and VORACLE on VPNs which also  lever‐
685              age  to  break encryption. If you are not entirely sure that the
686              above does not apply to your traffic, you are advised to not en‐
687              able compression.
688
689       --comp-lzo mode
690              DEPRECATED  Enable  LZO  compression  algorithm.  Compression is
691              generally not recommended.  VPN tunnels which  uses  compression
692              are suspectible to the VORALCE attack vector.
693
694              Use  LZO  compression -- may add up to 1 byte per packet for in‐
695              compressible data. mode may be yes, no, or adaptive (default).
696
697              In a server mode setup, it is possible to selectively turn  com‐
698              pression on or off for individual clients.
699
700              First,  make  sure the client-side config file enables selective
701              compression by having at least one --comp-lzo directive, such as
702              --comp-lzo  no.  This  will turn off compression by default, but
703              allow a future directive push from  the  server  to  dynamically
704              change the on/off/adaptive setting.
705
706              Next in a --client-config-dir file, specify the compression set‐
707              ting for the client, for example:
708
709                 comp-lzo yes
710                 push "comp-lzo yes"
711
712              The first line sets the comp-lzo setting for the server side  of
713              the link, the second sets the client side.
714
715       --comp-noadapt
716              DEPRECATED When used in conjunction with --comp-lzo, this option
717              will disable OpenVPN's adaptive compression algorithm. Normally,
718              adaptive compression is enabled with --comp-lzo.
719
720              Adaptive  compression  tries to optimize the case where you have
721              compression enabled, but you are  sending  predominantly  incom‐
722              pressible  (or  pre-compressed) packets over the tunnel, such as
723              an FTP or rsync transfer of a large, compressed file. With adap‐
724              tive  compression, OpenVPN will periodically sample the compres‐
725              sion process to measure its efficiency. If the data  being  sent
726              over  the  tunnel  is  already compressed, the compression effi‐
727              ciency will be very low, triggering openvpn to disable  compres‐
728              sion for a period of time until the next re-sample test.
729
730       --key-direction
731              Alternative  way  of specifying the optional direction parameter
732              for the --tls-auth and --secret options. Useful when  using  in‐
733              line files (See section on inline files).
734
735       --keysize n
736              DEPRECATED This option will be removed in OpenVPN 2.6.
737
738              Size  of cipher key in bits (optional). If unspecified, defaults
739              to cipher-specific default. The --show-ciphers option  (see  be‐
740              low)  shows  all  available  OpenSSL  ciphers, their default key
741              sizes, and whether the key size can  be  changed.  Use  care  in
742              changing a cipher's default key size. Many ciphers have not been
743              extensively cryptanalyzed with non-standard key lengths,  and  a
744              larger  key  may offer no real guarantee of greater security, or
745              may even reduce security.
746
747       --data-ciphers cipher-list
748              Restrict the allowed ciphers to be negotiated to the ciphers  in
749              cipher-list.  cipher-list  is a colon-separated list of ciphers,
750              and defaults to AES-256-GCM:AES-128-GCM.
751
752              For servers, the first cipher from cipher-list that is also sup‐
753              ported  by the client will be pushed to clients that support ci‐
754              pher negotiation.
755
756              Cipher negotiation is enabled in client-server mode  only.  I.e.
757              if  --mode  is  set to 'server' (server-side, implied by setting
758              --server ), or if --pull is specified (client-side,  implied  by
759              setting --client).
760
761              If no common cipher is found during cipher negotiation, the con‐
762              nection is terminated. To support old clients/old  servers  that
763              do  not  provide  any  cipher negotiation support see --data-ci‐
764              phers-fallback.
765
766              Additionally, to allow for more smooth transition, if NCP is en‐
767              abled,  OpenVPN  will inherit the cipher of the peer if that ci‐
768              pher is different from the local --cipher setting, but the  peer
769              cipher is one of the ciphers specified in --data-ciphers. E.g. a
770              non-NCP client (<=v2.3, or with --ncp-disabled  set)  connecting
771              to  a NCP server (v2.4+) with --cipher BF-CBC and --data-ciphers
772              AES-256-GCM:AES-256-CBC set can either specify  --cipher  BF-CBC
773              or --cipher AES-256-CBC and both will work.
774
775              Note  for using NCP with an OpenVPN 2.4 peer: This list must in‐
776              clude the AES-256-GCM and AES-128-GCM ciphers.
777
778              This list is restricted to be 127 chars long after conversion to
779              OpenVPN ciphers.
780
781              This option was called --ncp-ciphers in OpenVPN 2.4 but has been
782              renamed to --data-ciphers in OpenVPN 2.5 to more accurately  re‐
783              flect its meaning.
784
785       --data-ciphers-fallback alg
786              Configure  a cipher that is used to fall back to if we could not
787              determine which cipher the peer is willing to use.
788
789              This option should only be needed to connect to peers  that  are
790              running  OpenVPN 2.3 and older version, and have been configured
791              with --enable-small (typically used on routers or other embedded
792              devices).
793
794       --ncp-disable
795              DEPRECATED  Disable  "Negotiable  Crypto  Parameters". This com‐
796              pletely disables cipher negotiation.
797
798       --secret args
799              Enable Static Key encryption mode (non-TLS). Use pre-shared  se‐
800              cret file which was generated with --genkey.
801
802              Valid syntaxes:
803
804                 secret file
805                 secret file direction
806
807              The  optional  direction parameter enables the use of 4 distinct
808              keys (HMAC-send, cipher-encrypt, HMAC-receive,  cipher-decrypt),
809              so that each data flow direction has a different set of HMAC and
810              cipher keys. This has a number of desirable security  properties
811              including  eliminating  certain  kinds of DoS and message replay
812              attacks.
813
814              When the direction parameter is omitted, 2 keys are  used  bidi‐
815              rectionally,  one  for HMAC and the other for encryption/decryp‐
816              tion.
817
818              The direction parameter should always be complementary on either
819              side of the connection, i.e. one side should use 0 and the other
820              should use 1, or both sides should omit it altogether.
821
822              The direction parameter requires that file contains a  2048  bit
823              key.  While  pre-1.5  versions  of OpenVPN generate 1024 bit key
824              files, any version of OpenVPN which supports the  direction  pa‐
825              rameter,  will  also  support 2048 bit key file generation using
826              the --genkey option.
827
828              Static key encryption mode has certain advantages,  the  primary
829              being ease of configuration.
830
831              There  are no certificates or certificate authorities or compli‐
832              cated negotiation handshakes and protocols. The only requirement
833              is  that  you  have a pre-existing secure channel with your peer
834              (such as ssh) to initially copy the key. This requirement, along
835              with  the  fact  that your key never changes unless you manually
836              generate a new one, makes it somewhat less secure than TLS  mode
837              (see  below).  If  an attacker manages to steal your key, every‐
838              thing that was ever encrypted with it is  compromised.  Contrast
839              that  to the perfect forward secrecy features of TLS mode (using
840              Diffie Hellman key exchange), where even if an attacker was able
841              to  steal your private key, he would gain no information to help
842              him decrypt past sessions.
843
844              Another advantageous aspect of Static  Key  encryption  mode  is
845              that  it is a handshake-free protocol without any distinguishing
846              signature or feature (such as a header or protocol handshake se‐
847              quence)  that  would mark the ciphertext packets as being gener‐
848              ated by OpenVPN. Anyone eavesdropping  on  the  wire  would  see
849              nothing but random-looking data.
850
851       --tran-window n
852              Transition  window -- our old key can live this many seconds af‐
853              ter a new a key renegotiation  begins  (default  3600  seconds).
854              This  feature  allows  for a graceful transition from old to new
855              key, and removes the key renegotiation sequence from the  criti‐
856              cal path of tunnel data forwarding.
857
858   Client Options
859       The  client  options are used when connecting to an OpenVPN server con‐
860       figured to use --server, --server-bridge, or --mode server in its  con‐
861       figuration.
862
863       --allow-pull-fqdn
864              Allow  client  to  pull DNS names from server (rather than being
865              limited  to   IP   address)   for   --ifconfig,   --route,   and
866              --route-gateway.
867
868       --allow-recursive-routing
869              When  this  option  is  set,  OpenVPN will not drop incoming tun
870              packets with same destination as host.
871
872       --auth-token token
873              This is not an option to be used directly in  any  configuration
874              files,  but  rather  push  this  option  from a --client-connect
875              script   or   a   --plugin   which   hooks   into   the    OPEN‐
876              VPN_PLUGIN_CLIENT_CONNECT   or  OPENVPN_PLUGIN_CLIENT_CONNECT_V2
877              calls. This option provides a possibility to replace the clients
878              password with an authentication token during the lifetime of the
879              OpenVPN client.
880
881              Whenever   the    connection    is    renegotiated    and    the
882              --auth-user-pass-verify  script  or  --plugin  making use of the
883              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is triggered, it  will
884              pass over this token as the password instead of the password the
885              user provided. The authentication token can only be reset  by  a
886              full  reconnect  where  the  server  can push new options to the
887              client. The password the user entered is never preserved once an
888              authentication  token  has  been set. If the OpenVPN server side
889              rejects the authentication token then the client will receive an
890              AUTH_FAILED and disconnect.
891
892              The purpose of this is to enable two factor authentication meth‐
893              ods, such as HOTP or TOTP, to be used  without  needing  to  re‐
894              trieve  a new OTP code each time the connection is renegotiated.
895              Another use case is to cache authentication data on  the  client
896              without needing to have the users password cached in memory dur‐
897              ing the life time of the session.
898
899              To make use of this  feature,  the  --client-connect  script  or
900              --plugin needs to put
901
902                 push "auth-token UNIQUE_TOKEN_VALUE"
903
904              into  the  file/buffer for dynamic configuration data. This will
905              then make the OpenVPN server to push this value to  the  client,
906              which replaces the local password with the UNIQUE_TOKEN_VALUE.
907
908              Newer  clients  (2.4.7+) will fall back to the original password
909              method after a failed auth. Older clients will  keep  using  the
910              token value and react according to --auth-retry
911
912       --auth-token-user base64username
913              Companion  option  to --auth-token. This options allows to over‐
914              ride the username used by the client when reauthenticating  with
915              the  auth-token.   It  also allows to use --auth-token in setups
916              that normally do not use username and password.
917
918              The username has to be base64 encoded.
919
920       --auth-user-pass
921              Authenticate with server using username/password.
922
923              Valid syntaxes:
924
925                 auth-user-pass
926                 auth-user-pass up
927
928              If up is present, it must be a file containing username/password
929              on 2 lines. If the password line is missing, OpenVPN will prompt
930              for one.
931
932              If up is omitted, username/password will be  prompted  from  the
933              console.
934
935              The server configuration must specify an --auth-user-pass-verify
936              script to verify the username/password provided by the client.
937
938       --auth-retry type
939              Controls how OpenVPN responds to username/password  verification
940              errors  such  as the client-side response to an AUTH_FAILED mes‐
941              sage from the server or verification failure of the private  key
942              password.
943
944              Normally  used  to  prevent  auth errors from being fatal on the
945              client side, and to permit username/password requeries  in  case
946              of error.
947
948              An  AUTH_FAILED message is generated by the server if the client
949              fails --auth-user-pass authentication,  or  if  the  server-side
950              --client-connect  script returns an error status when the client
951              tries to connect.
952
953              type can be one of:
954
955              none   Client will exit with a fatal  error  (this  is  the  de‐
956                     fault).
957
958              nointeract
959                     Client  will  retry the connection without requerying for
960                     an --auth-user-pass username/password.  Use  this  option
961                     for unattended clients.
962
963              interact
964                     Client   will   requery  for  an  --auth-user-pass  user‐
965                     name/password and/or private key password before attempt‐
966                     ing a reconnection.
967
968              Note  that  while  this  option cannot be pushed, it can be con‐
969              trolled from the management interface.
970
971       --client
972              A helper directive designed to  simplify  the  configuration  of
973              OpenVPN's client mode. This directive is equivalent to:
974
975                 pull
976                 tls-client
977
978       --client-nat args
979              This  pushable  client option sets up a stateless one-to-one NAT
980              rule on packet addresses (not ports), and  is  useful  in  cases
981              where  routes  or  ifconfig  settings pushed to the client would
982              create an IP numbering conflict.
983
984              Examples:
985
986                 client-nat snat 192.168.0.0/255.255.0.0
987                 client-nat dnat 10.64.0.0/255.255.0.0
988
989              network/netmask (for  example  192.168.0.0/255.255.0.0)  defines
990              the  local view of a resource from the client perspective, while
991              alias/netmask (for example  10.64.0.0/255.255.0.0)  defines  the
992              remote view from the server perspective.
993
994              Use snat (source NAT) for resources owned by the client and dnat
995              (destination NAT) for remote resources.
996
997              Set --verb 6 for debugging info showing  the  transformation  of
998              src/dest addresses in packets.
999
1000       --connect-retry n
1001              Wait  n  seconds  between  connection attempts (default 5).  Re‐
1002              peated reconnection attempts are slowed down after 5 retries per
1003              remote  by  doubling  the  wait time after each unsuccessful at‐
1004              tempt. An optional argument max specifies the maximum  value  of
1005              wait time in seconds at which it gets capped (default 300).
1006
1007       --connect-retry-max n
1008              n  specifies  the  number of times each --remote or <connection>
1009              entry is tried. Specifying n as 1 would try each  entry  exactly
1010              once.  A successful connection resets the counter.  (default un‐
1011              limited).
1012
1013       --connect-timeout n
1014              See --server-poll-timeout.
1015
1016       --explicit-exit-notify n
1017              In UDP client mode or point-to-point mode, send  server/peer  an
1018              exit  notification  if tunnel is restarted or OpenVPN process is
1019              exited. In client mode, on exit/restart, this option  will  tell
1020              the  server  to  immediately  close  its  client instance object
1021              rather than waiting for a timeout.
1022
1023              The n parameter (default 1 if not present) controls the  maximum
1024              number  of  attempts that the client will try to resend the exit
1025              notification message.
1026
1027              In UDP server mode, send RESTART control channel command to con‐
1028              nected  clients. The n parameter (default 1 if not present) con‐
1029              trols client behavior. With n = 1 client will attempt to  recon‐
1030              nect  to  the same server, with n = 2 client will advance to the
1031              next server.
1032
1033              OpenVPN will not send any exit notifications unless this  option
1034              is enabled.
1035
1036       --inactive args
1037              Causes  OpenVPN  to  exit  after  n seconds of inactivity on the
1038              TUN/TAP device. The time length of inactivity is measured  since
1039              the  last  incoming or outgoing tunnel packet. The default value
1040              is 0 seconds, which disables this feature.
1041
1042              Valid syntaxes:
1043
1044                 inactive n
1045                 inactive n bytes
1046
1047              If the optional bytes parameter is included, exit if  less  than
1048              bytes of combined in/out traffic are produced on the tun/tap de‐
1049              vice in n seconds.
1050
1051              In any case, OpenVPN's internal ping  packets  (which  are  just
1052              keepalives)  and  TLS control packets are not considered "activ‐
1053              ity", nor are they counted as traffic, as they are  used  inter‐
1054              nally by OpenVPN and are not an indication of actual user activ‐
1055              ity.
1056
1057       --proto-force p
1058              When iterating through connection profiles, only  consider  pro‐
1059              files using protocol p (tcp | udp).
1060
1061       --pull This  option  must  be used on a client which is connecting to a
1062              multi-client server. It indicates to OpenVPN that it should  ac‐
1063              cept options pushed by the server, provided they are part of the
1064              legal set of pushable options (note that the  --pull  option  is
1065              implied by --client ).
1066
1067              In  particular,  --pull  allows the server to push routes to the
1068              client, so you should not use --pull or --client  in  situations
1069              where  you  don't  trust  the  server  to  have control over the
1070              client's routing table.
1071
1072       --pull-filter args
1073              Filter options on the client pushed by the server to the client.
1074
1075              Valid syntaxes:
1076
1077                 pull-filter accept text
1078                 pull-filter ignore text
1079                 pull-filter reject text
1080
1081              Filter options received from the server  if  the  option  starts
1082              with text.  The action flag accept allows the option, ignore re‐
1083              moves it and reject  flags  an  error  and  triggers  a  SIGUSR1
1084              restart.  The  filters may be specified multiple times, and each
1085              filter is applied in the order it is specified. The filtering of
1086              each option stops as soon as a match is found. Unmatched options
1087              are accepted by default.
1088
1089              Prefix comparison is used to match text against the received op‐
1090              tion so that
1091
1092                 pull-filter ignore "route"
1093
1094              would  remove all pushed options starting with route which would
1095              include, for example, route-gateway. Enclose text in  quotes  to
1096              embed spaces.
1097
1098                 pull-filter accept "route 192.168.1."
1099                 pull-filter ignore "route "
1100
1101              would remove all routes that do not start with 192.168.1.
1102
1103              Note  that  reject may result in a repeated cycle of failure and
1104              reconnect, unless multiple remotes are specified and  connection
1105              to the next remote succeeds. To silently ignore an option pushed
1106              by the server, use ignore.
1107
1108       --remote args
1109              Remote host name or IP address, port and protocol.
1110
1111              Valid syntaxes:
1112
1113                 remote host
1114                 remote host port
1115                 remote host port proto
1116
1117              The port and proto arguments are optional.  The  OpenVPN  client
1118              will  try  to connect to a server at host:port.  The proto argu‐
1119              ment indicates the protocol to use when connecting with the  re‐
1120              mote,  and  may  be tcp or udp.  To enforce IPv4 or IPv6 connec‐
1121              tions add a 4 or 6 suffix; like udp4 / udp6 / tcp4 / tcp6.
1122
1123              On the client, multiple --remote options may  be  specified  for
1124              redundancy, each referring to a different OpenVPN server, in the
1125              order specified by the list of --remote options. Specifying mul‐
1126              tiple --remote options for this purpose is a special case of the
1127              more general connection-profile feature.  See  the  <connection>
1128              documentation below.
1129
1130              The  client  will  move  on to the next host in the list, in the
1131              event of connection failure. Note that at any  given  time,  the
1132              OpenVPN client will at most be connected to one server.
1133
1134              Examples:
1135
1136                 remote server1.example.net
1137                 remote server1.example.net 1194
1138                 remote server2.example.net 1194 tcp
1139
1140              Note:  Since  UDP  is  connectionless, connection failure is de‐
1141                     fined by the --ping and --ping-restart options.
1142
1143                     Also, if you use multiple --remote options, AND  you  are
1144                     dropping root privileges on the client with --user and/or
1145                     --group AND the client is running a  non-Windows  OS,  if
1146                     the  client  needs  to  switch to a different server, and
1147                     that server pushes back different TUN/TAP or  route  set‐
1148                     tings,  the  client  may lack the necessary privileges to
1149                     close and reopen the TUN/TAP interface. This could  cause
1150                     the client to exit with a fatal error.
1151
1152              If --remote is unspecified, OpenVPN will listen for packets from
1153              any IP address, but will not act on those  packets  unless  they
1154              pass  all authentication tests. This requirement for authentica‐
1155              tion is binding on all potential peers, even  those  from  known
1156              and  supposedly trusted IP addresses (it is very easy to forge a
1157              source IP address on a UDP packet).
1158
1159              When used in TCP mode, --remote will act as a filter,  rejecting
1160              connections from any host which does not match host.
1161
1162              If  host  is a DNS name which resolves to multiple IP addresses,
1163              OpenVPN will try them in the order that the system getaddrinfo()
1164              presents  them, so priorization and DNS randomization is done by
1165              the system library. Unless an IP version is forced by the proto‐
1166              col  specification  (4/6 suffix), OpenVPN will try both IPv4 and
1167              IPv6 addresses, in the order getaddrinfo() returns them.
1168
1169       --remote-random
1170              When multiple --remote address/ports are specified, or  if  con‐
1171              nection  profiles  are being used, initially randomize the order
1172              of the list as a kind of basic load-balancing measure.
1173
1174       --remote-random-hostname
1175              Prepend a random string (6 bytes, 12 hex characters) to hostname
1176              to prevent DNS caching. For example, "foo.bar.gov" would be mod‐
1177              ified to "<random-chars>.foo.bar.gov".
1178
1179       --resolv-retry n
1180              If hostname resolve fails for --remote, retry resolve for n sec‐
1181              onds before failing.
1182
1183              Set n to "infinite" to retry indefinitely.
1184
1185              By  default, --resolv-retry infinite is enabled. You can disable
1186              by setting n=0.
1187
1188       --single-session
1189              After initially connecting to a remote peer,  disallow  any  new
1190              connections.  Using  this option means that a remote peer cannot
1191              connect, disconnect, and then reconnect.
1192
1193              If the daemon is reset by a signal or  --ping-restart,  it  will
1194              allow one new connection.
1195
1196              --single-session  can  be used with --ping-exit or --inactive to
1197              create a single dynamic session that will exit when finished.
1198
1199       --server-poll-timeout n
1200              When connecting to a remote server do not wait for more  than  n
1201              seconds  for  a  response before trying the next server. The de‐
1202              fault value is 120s. This timeout includes proxy and TCP connect
1203              timeouts.
1204
1205       --static-challenge args
1206              Enable static challenge/response protocol
1207
1208              Valid syntax:
1209
1210                 static-challenge text echo
1211
1212              The text challenge text is presented to the user which describes
1213              what information is requested.  The echo flag indicates  if  the
1214              user's  input should be echoed on the screen.  Valid echo values
1215              are 0 or 1.
1216
1217              See management-notes.txt in the OpenVPN distribution for  a  de‐
1218              scription of the OpenVPN challenge/response protocol.
1219
1220       --show-proxy-settings
1221              Show  sensed  HTTP or SOCKS proxy settings. Currently, only Win‐
1222              dows clients support this option.
1223
1224       --http-proxy args
1225              Connect to remote host through an HTTP proxy.  This requires  at
1226              least  an  address  server and port argument.  If HTTP Proxy-Au‐
1227              thenticate is required, a file name to an authfile file contain‐
1228              ing a username and password on 2 lines can be given, or stdin to
1229              prompt from console. Its content can also be  specified  in  the
1230              config file with the --http-proxy-user-pass option. (See section
1231              on inline files)
1232
1233              The last optional argument is an auth-method which should be one
1234              of none, basic, or ntlm.
1235
1236              HTTP  Digest  authentication  is supported as well, but only via
1237              the auto or auto-nct flags (below).  This must replace the auth‐
1238              file argument.
1239
1240              The  auto  flag  causes  OpenVPN  to automatically determine the
1241              auth-method and query stdin  or  the  management  interface  for
1242              username/password  credentials, if required. This flag exists on
1243              OpenVPN 2.1 or higher.
1244
1245              The auto-nct flag (no clear-text auth) instructs OpenVPN to  au‐
1246              tomatically  determine  the authentication method, but to reject
1247              weak authentication protocols such as HTTP Basic Authentication.
1248
1249              Examples:
1250
1251                 http-proxy proxy.example.net 3128
1252                 http-proxy proxy.example.net 3128 authfile.txt
1253                 http-proxy proxy.example.net 3128 stdin
1254                 http-proxy proxy.example.net 3128 auto basic
1255                 http-proxy proxy.example.net 3128 auto-nct ntlm
1256
1257       --http-proxy-option args
1258              Set extended HTTP proxy options. Requires an option type as  ar‐
1259              gument  and  an  optional  parameter to the type.  Repeat to set
1260              multiple options.
1261
1262              VERSION version
1263                     Set HTTP version number to version (default 1.0).
1264
1265              AGENT user-agent
1266                     Set HTTP "User-Agent" string to user-agent.
1267
1268              CUSTOM-HEADER name content
1269                     Adds the custom Header with name as name and  content  as
1270                     the content of the custom HTTP header.
1271
1272              Examples:
1273
1274                 http-proxy-option VERSION 1.1
1275                 http-proxy-option AGENT OpenVPN/2.4
1276                 http-proxy-option X-Proxy-Flag some-flags
1277
1278       --socks-proxy args
1279              Connect  to  remote  host  through  a  Socks5 proxy.  A required
1280              server argument is needed.  Optionally a port (default 1080) and
1281              authfile  can  be  given.   The  authfile is a file containing a
1282              username and password on 2 lines, or stdin can be used to prompt
1283              from console.
1284
1285   Server Options
1286       Starting  with  OpenVPN 2.0, a multi-client TCP/UDP server mode is sup‐
1287       ported, and can be enabled with the --mode  server  option.  In  server
1288       mode,  OpenVPN will listen on a single port for incoming client connec‐
1289       tions. All client connections will be routed through a  single  tun  or
1290       tap interface. This mode is designed for scalability and should be able
1291       to support hundreds or even thousands of clients on  sufficiently  fast
1292       hardware. SSL/TLS authentication must be used in this mode.
1293
1294       --auth-gen-token args
1295              Returns  an  authentication  token to successfully authenticated
1296              clients.
1297
1298              Valid syntax:
1299
1300                 auth-gen-token [lifetime] [external-auth]
1301
1302              After  successful  user/password  authentication,  the   OpenVPN
1303              server will with this option generate a temporary authentication
1304              token and push that to the client. On the  following  renegotia‐
1305              tions,  the  OpenVPN  client will pass this token instead of the
1306              users password. On the server side the server will do the  token
1307              authentication  internally and it will NOT do any additional au‐
1308              thentications against configured external user/password  authen‐
1309              tication mechanisms.
1310
1311              The  tokens  implemented  by  this  mechanism include an initial
1312              timestamp and a renew timestamp and are secured by HMAC.
1313
1314              The lifetime argument defines how long the  generated  token  is
1315              valid.   The  lifetime is defined in seconds. If lifetime is not
1316              set or it is set to 0, the token will never expire.
1317
1318              The token will expire either after the  configured  lifetime  of
1319              the  token is reached or after not being renewed for more than 2
1320              * reneg-sec seconds. Clients will be sent renewed tokens on  ev‐
1321              ery  TLS renogiation to keep the client's token updated. This is
1322              done to invalidate a token if a client  is  disconnected  for  a
1323              sufficently  long  time,  while at the same time permitting much
1324              longer token lifetimes for active clients.
1325
1326              This feature is useful for environments which are configured  to
1327              use  One  Time  Passwords (OTP) as part of the user/password au‐
1328              thentications and that authentication mechanism does not  imple‐
1329              ment any auth-token support.
1330
1331              When the external-auth keyword is present the normal authentica‐
1332              tion method will always be called even if  auth-token  succeeds.
1333              Normally  other authentications method are skipped if auth-token
1334              verification suceeds or fails.
1335
1336              This option postpones this decision to the external  authentica‐
1337              tion methods and checks the validity of the account and do other
1338              checks.
1339
1340              In this mode the environment will  have  a  session_id  variable
1341              that  holds the session id from auth-gen-token. Also an environ‐
1342              ment variable session_state is present. This variable  indicates
1343              whether  the  auth-token  has  succeeded or not. It can have the
1344              following values:
1345
1346              Initial
1347                     No token from client.
1348
1349              Authenticated
1350                     Token is valid and not expired.
1351
1352              Expired
1353                     Token is valid but has expired.
1354
1355              Invalid
1356                     Token is invalid (failed HMAC or wrong length)
1357
1358              AuthenticatedEmptyUser / ExpiredEmptyUser
1359                     The token is not valid with the username  sent  from  the
1360                     client  but  would  be valid (or expired) if we assume an
1361                     empty username was used instead.  These two cases  are  a
1362                     workaround  for  behaviour  in  OpenVPN 3.  If this work‐
1363                     around is not needed these two cases should be handled in
1364                     the same way as Invalid.
1365
1366              Warning:  Use  this feature only if you want your authentication
1367              method called on every verification. Since the external  authen‐
1368              tication  is called it needs to also indicate a success or fail‐
1369              ure of the authentication. It is strongly recommended to  return
1370              an  authentication  failure  in  the case of the Invalid/Expired
1371              auth-token with the external-auth option unless the client could
1372              authenticate  in  another  acceptable  way (e.g. client certifi‐
1373              cate), otherwise returning success will lead  to  authentication
1374              bypass  (as  does  returning  success on a wrong password from a
1375              script).
1376
1377       --auth-gen-token-secret file
1378              Specifies a file that holds  a  secret  for  the  HMAC  used  in
1379              --auth-gen-token  If file is not present OpenVPN will generate a
1380              random secret on startup. This file should be used if auth-token
1381              should validate after restarting a server or if client should be
1382              able  to  roam  between  multiple  OpenVPN  servers  with  their
1383              auth-token.
1384
1385       --auth-user-pass-optional
1386              Allow  connections  by  clients  that  do  not  specify  a user‐
1387              name/password.  Normally, when --auth-user-pass-verify or --man‐
1388              agement-client-auth  are  specified (or an authentication plugin
1389              module), the  OpenVPN  server  daemon  will  require  connecting
1390              clients  to  specify  a username and password. This option makes
1391              the submission of a username/password by clients optional, pass‐
1392              ing  the  responsibility to the user-defined authentication mod‐
1393              ule/script to accept or deny the client based on  other  factors
1394              (such as the setting of X509 certificate fields).  When this op‐
1395              tion is used, and a connecting client does not  submit  a  user‐
1396              name/password,  the  user-defined  authentication  module/script
1397              will see the username and password as being set to empty strings
1398              (""). The authentication module/script MUST have logic to detect
1399              this condition and respond accordingly.
1400
1401       --ccd-exclusive
1402              Require, as a condition of  authentication,  that  a  connecting
1403              client has a --client-config-dir file.
1404
1405       --client-config-dir dir
1406              Specify  a directory dir for custom client config files. After a
1407              connecting client has been authenticated, OpenVPN will  look  in
1408              this  directory  for a file having the same name as the client's
1409              X509 common name. If a matching file exists, it will  be  opened
1410              and  parsed  for  client-specific  configuration  options. If no
1411              matching file is found, OpenVPN will instead  try  to  open  and
1412              parse a default file called "DEFAULT", which may be provided but
1413              is not required. Note that the configuration files must be read‐
1414              able by the OpenVPN process after it has dropped it's root priv‐
1415              ileges.
1416
1417              This file can specify a fixed IP address for a given client  us‐
1418              ing  --ifconfig-push,  as  well  as  fixed  subnets owned by the
1419              client using --iroute.
1420
1421              One of the useful properties of this option is  that  it  allows
1422              client  configuration  files to be conveniently created, edited,
1423              or removed while the server is live, without needing to  restart
1424              the server.
1425
1426              The  following  options  are legal in a client-specific context:
1427              --push, --push-reset, --push-remove, --iroute,  --ifconfig-push,
1428              --vlan-pvid and --config.
1429
1430       --client-to-client
1431              Because the OpenVPN server mode handles multiple clients through
1432              a single tun or tap interface, it is effectively a  router.  The
1433              --client-to-client   flag  tells  OpenVPN  to  internally  route
1434              client-to-client traffic rather than pushing  all  client-origi‐
1435              nating traffic to the TUN/TAP interface.
1436
1437              When  this  option  is  used,  each  client will "see" the other
1438              clients which are currently connected.  Otherwise,  each  client
1439              will  only  see the server. Don't use this option if you want to
1440              firewall tunnel traffic using custom, per-client rules.
1441
1442       --disable
1443              Disable a particular client (based on the common name) from con‐
1444              necting.   Don't  use this option to disable a client due to key
1445              or password compromise. Use a CRL (certificate revocation  list)
1446              instead (see the --crl-verify option).
1447
1448              This  option must be associated with a specific client instance,
1449              which means that it must be specified either  in  a  client  in‐
1450              stance config file using --client-config-dir or dynamically gen‐
1451              erated using a --client-connect script.
1452
1453       --connect-freq args
1454              Allow a maximum of  n  new  connections  per  sec  seconds  from
1455              clients.
1456
1457              Valid syntax:
1458
1459                 connect-freq n sec
1460
1461              This  is  designed to contain DoS attacks which flood the server
1462              with connection requests using  certificates  which  will  ulti‐
1463              mately fail to authenticate.
1464
1465              This  is  an  imperfect  solution however, because in a real DoS
1466              scenario, legitimate connections might also be refused.
1467
1468              For the best protection against DoS attacks in server mode,  use
1469              --proto udp and either --tls-auth or --tls-crypt.
1470
1471       --duplicate-cn
1472              Allow multiple clients with the same common name to concurrently
1473              connect. In the absence of this option, OpenVPN will  disconnect
1474              a  client  instance  upon  connection of a new client having the
1475              same common name.
1476
1477       --ifconfig-pool args
1478              Set aside a pool of subnets to be dynamically allocated to  con‐
1479              necting clients, similar to a DHCP server.
1480
1481              Valid syntax:
1482
1483                 ifconfig-pool start-IP end-IP [netmask]
1484
1485              For  tun-style  tunnels,  each client will be given a /30 subnet
1486              (for interoperability with Windows clients).  For tap-style tun‐
1487              nels,  individual  addresses will be allocated, and the optional
1488              netmask parameter will also be pushed to clients.
1489
1490       --ifconfig-ipv6-pool args
1491              Specify an IPv6 address pool for dynamic assignment to clients.
1492
1493              Valid args:
1494
1495                 ifconfig-ipv6-pool ipv6addr/bits
1496
1497              The pool starts at ipv6addr and matches  the  offset  determined
1498              from  the start of the IPv4 pool.  If the host part of the given
1499              IPv6 address is 0, the pool starts at ipv6addr +1.
1500
1501       --ifconfig-pool-persist args
1502              Persist/unpersist ifconfig-pool data to file, at seconds  inter‐
1503              vals (default 600), as well as on program startup and shutdown.
1504
1505              Valid syntax:
1506
1507                 ifconfig-pool-persist file [seconds]
1508
1509              The  goal  of  this option is to provide a long-term association
1510              between clients (denoted by their common name) and  the  virtual
1511              IP  address assigned to them from the ifconfig-pool. Maintaining
1512              a long-term association is good for clients  because  it  allows
1513              them to effectively use the --persist-tun option.
1514
1515              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
1516              mon-Name>,<IP-address>.
1517
1518              If seconds = 0, file will be treated as read-only. This is  use‐
1519              ful if you would like to treat file as a configuration file.
1520
1521              Note  that  the  entries  in this file are treated by OpenVPN as
1522              suggestions only, based on past associations  between  a  common
1523              name  and IP address.  They do not guarantee that the given com‐
1524              mon name will always receive the given IP address. If  you  want
1525              guaranteed assignment, use --ifconfig-push
1526
1527       --ifconfig-push args
1528              Push  virtual  IP  endpoints  for  client tunnel, overriding the
1529              --ifconfig-pool dynamic allocation.
1530
1531              Valid syntax:
1532
1533                 ifconfig-push local remote-netmask [alias]
1534
1535              The parameters local and remote-netmask are set according to the
1536              --ifconfig directive which you want to execute on the client ma‐
1537              chine to configure the remote end of the tunnel. Note  that  the
1538              parameters  local and remote-netmask are from the perspective of
1539              the client, not the server. They may be DNS names rather than IP
1540              addresses,  in which case they will be resolved on the server at
1541              the time of client connection.
1542
1543              The optional alias parameter may be  used  in  cases  where  NAT
1544              causes  the client view of its local endpoint to differ from the
1545              server view. In this case local/remote-netmask will refer to the
1546              server  view while alias/remote-netmask will refer to the client
1547              view.
1548
1549              This option must be associated with a specific client  instance,
1550              which  means  that  it  must be specified either in a client in‐
1551              stance config file using --client-config-dir or dynamically gen‐
1552              erated using a --client-connect script.
1553
1554              Remember also to include a --route directive in the main OpenVPN
1555              config file which encloses local, so that the kernel  will  know
1556              to route it to the server's TUN/TAP interface.
1557
1558              OpenVPN's  internal  client IP address selection algorithm works
1559              as follows:
1560
1561              1. Use --client-connect script  generated  file  for  static  IP
1562                 (first choice).
1563
1564              2. Use --client-config-dir file for static IP (next choice).
1565
1566              3. Use --ifconfig-pool allocation for dynamic IP (last choice).
1567
1568       --ifconfig-ipv6-push args
1569              for --client-config-dir per-client static IPv6 interface config‐
1570              uration, see --client-config-dir and  --ifconfig-push  for  more
1571              details.
1572
1573              Valid syntax:
1574
1575                 ifconfig-ipv6-push ipv6addr/bits ipv6remote
1576
1577       --inetd args
1578              Valid syntaxes:
1579
1580                 inetd
1581                 inetd wait
1582                 inetd nowait
1583                 inetd wait progname
1584
1585              Use  this  option  when  OpenVPN  is being run from the inetd or
1586              xinetd(8) server.
1587
1588              The wait and nowait option must match what is specified  in  the
1589              inetd/xinetd  config file. The nowait mode can only be used with
1590              --proto tcp-server The default is wait.  The nowait mode can  be
1591              used  to instantiate the OpenVPN daemon as a classic TCP server,
1592              where client connection requests are serviced on a  single  port
1593              number.  For  additional  information on this kind of configura‐
1594              tion,          see          the           OpenVPN           FAQ:
1595              https://community.openvpn.net/openvpn/wiki/325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port
1596
1597              This option precludes the use of --daemon, --local or  --remote.
1598              Note that this option causes message and error output to be han‐
1599              dled in the same way as the --daemon option. The optional  prog‐
1600              name parameter is also handled exactly as in --daemon.
1601
1602              Also note that in wait mode, each OpenVPN tunnel requires a sep‐
1603              arate TCP/UDP port and a separate inetd or xinetd entry. See the
1604              OpenVPN  1.x  HOWTO for an example on using OpenVPN with xinetd:
1605              https://openvpn.net/community-resources/1xhowto/
1606
1607       --multihome
1608              Configure a multi-homed UDP server. This option needs to be used
1609              when a server has more than one IP address (e.g. multiple inter‐
1610              faces, or secondary IP addresses), and is not using  --local  to
1611              force binding to one specific address only. This option will add
1612              some extra lookups to the packet path to ensure that the UDP re‐
1613              ply  packets are always sent from the address that the client is
1614              talking to. This is not supported on all platforms, and it  adds
1615              more processing, so it's not enabled by default.
1616
1617              Notes:
1618
1619                     • This option is only relevant for UDP servers.
1620
1621                     • If  you  do an IPv6+IPv4 dual-stack bind on a Linux ma‐
1622                       chine with multiple IPv4 address, connections  to  IPv4
1623                       addresses  will  not work right on kernels before 3.15,
1624                       due to missing kernel support for the IPv4-mapped  case
1625                       (some  distributions have ported this to earlier kernel
1626                       versions, though).
1627
1628       --iroute args
1629              Generate an internal route to a specific client. The netmask pa‐
1630              rameter, if omitted, defaults to 255.255.255.255.
1631
1632              Valid syntax:
1633
1634                 iroute network [netmask]
1635
1636              This  directive  can  be  used  to route a fixed subnet from the
1637              server to a particular client, regardless of where the client is
1638              connecting  from.   Remember that you must also add the route to
1639              the system routing table as well (such as by using  the  --route
1640              directive).  The  reason  why  two routes are needed is that the
1641              --route directive routes the packet from the kernel to  OpenVPN.
1642              Once  in  OpenVPN, the --iroute directive routes to the specific
1643              client.
1644
1645              This option must be specified either in a client instance config
1646              file  using --client-config-dir or dynamically generated using a
1647              --client-connect script.
1648
1649              The --iroute directive also has an  important  interaction  with
1650              --push  "route ...". --iroute essentially defines a subnet which
1651              is owned by a particular client (we will call this client A). If
1652              you would like other clients to be able to reach A's subnet, you
1653              can use --push "route ..." together with  --client-to-client  to
1654              effect this. In order for all clients to see A's subnet, OpenVPN
1655              must push this route to all clients EXCEPT for A, since the sub‐
1656              net  is already owned by A. OpenVPN accomplishes this by not not
1657              pushing a route to a client if it matches one  of  the  client's
1658              iroutes.
1659
1660       --iroute-ipv6 args
1661              for  --client-config-dir per-client static IPv6 route configura‐
1662              tion, see --iroute for more details how to setup and  use  this,
1663              and how --iroute and --route interact.
1664
1665              Valid syntax:
1666
1667                 iroute-ipv6 ipv6addr/bits
1668
1669       --max-clients n
1670              Limit server to a maximum of n concurrent clients.
1671
1672       --max-routes-per-client n
1673              Allow  a  maximum of n internal routes per client (default 256).
1674              This is designed to help contain DoS attacks where an  authenti‐
1675              cated  client  floods  the server with packets appearing to come
1676              from many unique MAC addresses, forcing the  server  to  deplete
1677              virtual  memory  as its internal routing table expands. This di‐
1678              rective can be used in a --client-config-dir file or auto-gener‐
1679              ated  by  a --client-connect script to override the global value
1680              for a particular client.
1681
1682              Note that this directive affects OpenVPN's internal routing  ta‐
1683              ble, not the kernel routing table.
1684
1685       --opt-verify
1686              Clients  that  connect  with  options that are incompatible with
1687              those of the server will be disconnected.
1688
1689              Options  that  will  be  compared  for   compatibility   include
1690              dev-type,  link-mtu,  tun-mtu,  proto, ifconfig, comp-lzo, frag‐
1691              ment,  keydir,  cipher,  auth,   keysize,   secret,   no-replay,
1692              tls-auth, key-method, tls-server and tls-client.
1693
1694              This option requires that --disable-occ NOT be used.
1695
1696       --port-share args
1697              Share OpenVPN TCP with another service
1698
1699              Valid syntax:
1700
1701                 port-share host port [dir]
1702
1703              When run in TCP server mode, share the OpenVPN port with another
1704              application, such as an HTTPS server. If OpenVPN senses  a  con‐
1705              nection  to  its  port which is using a non-OpenVPN protocol, it
1706              will proxy the connection to the server at host:port.  Currently
1707              only  designed to work with HTTP/HTTPS, though it would be theo‐
1708              retically possible to extend to other protocols such as ssh.
1709
1710              dir specifies an optional directory where a temporary file  with
1711              name  N  containing  content C will be dynamically generated for
1712              each proxy connection, where N is  the  source  IP:port  of  the
1713              client  connection and C is the source IP:port of the connection
1714              to the proxy receiver. This directory can be used as  a  dictio‐
1715              nary  by  the proxy receiver to determine the origin of the con‐
1716              nection. Each generated file will be automatically deleted  when
1717              the proxied connection is torn down.
1718
1719              Not implemented on Windows.
1720
1721       --push option
1722              Push  a  config file option back to the client for remote execu‐
1723              tion. Note that option must be enclosed in double  quotes  ("").
1724              The  client  must  specify --pull in its config file. The set of
1725              options which can be pushed is limited by both  feasibility  and
1726              security. Some options such as those which would execute scripts
1727              are banned, since they would  effectively  allow  a  compromised
1728              server  to  execute  arbitrary code on the client. Other options
1729              such as TLS or MTU  parameters  cannot  be  pushed  because  the
1730              client  needs  to  know them before the connection to the server
1731              can be initiated.
1732
1733              This is a partial list of options which can currently be pushed:
1734              --route,   --route-gateway,  --route-delay,  --redirect-gateway,
1735              --ip-win32,  --dhcp-option,  --inactive,  --ping,   --ping-exit,
1736              --ping-restart,  --setenv,  --auth-token,  --persist-key, --per‐
1737              sist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
1738
1739       --push-peer-info
1740              Push additional information about the client to server. The fol‐
1741              lowing data is always pushed to the server:
1742
1743              IV_VER=<version>
1744                     The client OpenVPN version
1745
1746              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]
1747                     The client OS platform
1748
1749              IV_LZO_STUB=1
1750                     If client was built with LZO stub capability
1751
1752              IV_LZ4=1
1753                     If the client supports LZ4 compressions.
1754
1755              IV_PROTO
1756                     Details about protocol extensions that the peer supports.
1757                     The variable is a bitfield and the bits  are  defined  as
1758                     follows (starting a bit 0 for the first (unused) bit:
1759
1760                     • bit 1: The peer supports peer-id floating mechanism
1761
1762                     • bit  2:  The client expects a push-reply and the server
1763                       may send this reply without waiting for a  push-request
1764                       first.
1765
1766              IV_NCP=2
1767                     Negotiable  ciphers,  client  supports --cipher pushed by
1768                     the server, a value of 2 or greater indicates client sup‐
1769                     ports AES-GCM-128 and AES-GCM-256.
1770
1771              IV_CIPHERS=<ncp-ciphers>
1772                     The  client  announces the list of supported ciphers con‐
1773                     figured with the --data-ciphers option to the server.
1774
1775              IV_GUI_VER=<gui_id> <version>
1776                     The UI version of a UI if one  is  running,  for  example
1777                     de.blinkt.openvpn 0.5.47 for the Android app.
1778
1779              IV_SSO=[crtext,][openurl,][proxy_url]
1780                     Additional   authentication   methods  supported  by  the
1781                     client.  This may be  set  by  the  client  UI/GUI  using
1782                     --setenv
1783
1784              When --push-peer-info is enabled the additional information con‐
1785              sists of the following data:
1786
1787              IV_HWADDR=<string>
1788                     This is intended to be a unique and persistent ID of  the
1789                     client.   The  string  value  can  be  any readable ASCII
1790                     string up to 64 bytes.  OpenVPN 2.x and some other imple‐
1791                     mentations  use the MAC address of the client's interface
1792                     used to reach the default gateway. If this string is gen‐
1793                     erated  by  the  client, it should be consistent and pre‐
1794                     served across independent session and  preferably  re-in‐
1795                     stallations and upgrades.
1796
1797              IV_SSL=<version string>
1798                     The  ssl version used by the client, e.g.  OpenSSL 1.0.2f
1799                     28 Jan 2016.
1800
1801              IV_PLAT_VER=x.y
1802                     The version of the operating system, e.g. 6.1 for Windows
1803                     7.
1804
1805              UV_<name>=<value>
1806                     Client environment variables whose names start with UV_
1807
1808       --push-remove opt
1809              Selectively  remove  all  --push options matching "opt" from the
1810              option list for a client. opt is matched as a substring  against
1811              the   whole   option  string  to-be-pushed  to  the  client,  so
1812              --push-remove route would remove all --push route ... and --push
1813              route-ipv6  ...   statements,  while  --push-remove  "route-ipv6
1814              2001:" would only remove IPv6 routes for 2001:... networks.
1815
1816              --push-remove can only be used  in  a  client-specific  context,
1817              like  in  a --client-config-dir file, or --client-connect script
1818              or plugin -- similar to --push-reset, just more selective.
1819
1820              NOTE: to change an option, --push-remove can be  used  to  first
1821              remove  the old value, and then add a new --push option with the
1822              new value.
1823
1824              NOTE 2: due to implementation details,  'ifconfig'  and  'ifcon‐
1825              fig-ipv6'  can only be removed with an exact match on the option
1826              ( push-remove ifconfig), no substring matching and  no  matching
1827              on the IPv4/IPv6 address argument is possible.
1828
1829       --push-reset
1830              Don't  inherit  the  global  push list for a specific client in‐
1831              stance.  Specify this option in a client-specific  context  such
1832              as  with  a  --client-config-dir configuration file. This option
1833              will ignore --push options at the global config file level.
1834
1835              NOTE: --push-reset is very thorough: it will remove  almost  all
1836              options  from  the list of to-be-pushed options.  In many cases,
1837              some of these options will need to be re-configured afterwards -
1838              specifically,  --topology  subnet  and  --route-gateway will get
1839              lost and this will break client configs in  many  cases.   Thus,
1840              for most purposes, --push-remove is better suited to selectively
1841              remove push options for individual clients.
1842
1843       --server args
1844              A helper directive designed to  simplify  the  configuration  of
1845              OpenVPN's  server  mode.  This  directive will set up an OpenVPN
1846              server which will allocate addresses to clients out of the given
1847              network/netmask.  The  server itself will take the .1 address of
1848              the given network for use as the server-side endpoint of the lo‐
1849              cal  TUN/TAP interface. If the optional nopool flag is given, no
1850              dynamic IP address pool will prepared for VPN clients.
1851
1852              Valid syntax:
1853
1854                 server network netmask [nopool]
1855
1856              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
1857
1858                 mode server
1859                 tls-server
1860                 push "topology [topology]"
1861
1862                 if dev tun AND (topology == net30 OR topology == p2p):
1863                   ifconfig 10.8.0.1 10.8.0.2
1864                   if !nopool:
1865                     ifconfig-pool 10.8.0.4 10.8.0.251
1866                   route 10.8.0.0 255.255.255.0
1867                   if client-to-client:
1868                     push "route 10.8.0.0 255.255.255.0"
1869                   else if topology == net30:
1870                     push "route 10.8.0.1"
1871
1872                 if dev tap OR (dev tun AND topology == subnet):
1873                   ifconfig 10.8.0.1 255.255.255.0
1874                   if !nopool:
1875                     ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
1876                   push "route-gateway 10.8.0.1"
1877                   if route-gateway unset:
1878                     route-gateway 10.8.0.2
1879
1880              Don't  use  --server  if  you   are   ethernet   bridging.   Use
1881              --server-bridge instead.
1882
1883       --server-bridge args
1884              A helper directive similar to --server which is designed to sim‐
1885              plify the configuration of OpenVPN's  server  mode  in  ethernet
1886              bridging configurations.
1887
1888              Valid syntaxes:
1889
1890                 server-bridge gateway netmask pool-start-IP pool-end-IP
1891                 server-bridge [nogw]
1892
1893              If  --server-bridge  is used without any parameters, it will en‐
1894              able a DHCP-proxy mode, where connecting  OpenVPN  clients  will
1895              receive an IP address for their TAP adapter from the DHCP server
1896              running on the OpenVPN server-side LAN. Note that  only  clients
1897              that  support  the binding of a DHCP client with the TAP adapter
1898              (such as Windows) can support this mode. The optional nogw  flag
1899              (advanced)  indicates  that  gateway  information  should not be
1900              pushed to the client.
1901
1902              To configure ethernet bridging, you must  first  use  your  OS's
1903              bridging  capability to bridge the TAP interface with the ether‐
1904              net NIC interface.  For example, on Linux this is done with  the
1905              brctl  tool,  and with Windows XP it is done in the Network Con‐
1906              nections Panel by selecting the ethernet and  TAP  adapters  and
1907              right-clicking on "Bridge Connections".
1908
1909              Next  you you must manually set the IP/netmask on the bridge in‐
1910              terface.  The gateway and netmask parameters to  --server-bridge
1911              can  be set to either the IP/netmask of the bridge interface, or
1912              the IP/netmask of the default gateway/router on the bridged sub‐
1913              net.
1914
1915              Finally,  set aside a IP range in the bridged subnet, denoted by
1916              pool-start-IP and pool-end-IP, for OpenVPN to allocate  to  con‐
1917              necting clients.
1918
1919              For  example,  server-bridge  10.8.0.4  255.255.255.0 10.8.0.128
1920              10.8.0.254 expands as follows:
1921
1922                 mode server
1923                 tls-server
1924
1925                 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
1926                 push "route-gateway 10.8.0.4"
1927
1928              In another example, --server-bridge (without parameters) expands
1929              as follows:
1930
1931                 mode server
1932                 tls-server
1933
1934                 push "route-gateway dhcp"
1935
1936              Or --server-bridge nogw expands as follows:
1937
1938                 mode server
1939                 tls-server
1940
1941       --server-ipv6 args
1942              Convenience-function  to enable a number of IPv6 related options
1943              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
1944              tun-ipv6.
1945
1946              Valid syntax:
1947
1948                 server-ipv6 ipv6addr/bits
1949
1950              Pushing  of  the  --tun-ipv6 directive is done for older clients
1951              which require an explicit --tun-ipv6 in their configuration.
1952
1953       --stale-routes-check args
1954              Remove routes which haven't had activity for n seconds (i.e. the
1955              ageing time).  This check is run every t seconds (i.e. check in‐
1956              terval).
1957
1958              Valid syntax:
1959
1960                 stale-routes-check n [t]
1961
1962              If t is not present it defaults to n.
1963
1964              This option helps to keep the dynamic routing table  small.  See
1965              also --max-routes-per-client
1966
1967       --username-as-common-name
1968              Use  the  authenticated username as the common-name, rather than
1969              the common-name from the client certificate. Requires that  some
1970              form  of  --auth-user-pass verification is in effect. As the re‐
1971              placement happens after --auth-user-pass verification, the veri‐
1972              fication  script  or  plugin  will still receive the common-name
1973              from the certificate.
1974
1975              The common_name environment variable passed to scripts and plug‐
1976              ins  invoked  after  authentication (e.g, client-connect script)
1977              and file names parsed in client-config directory will match  the
1978              username.
1979
1980       --verify-client-cert mode
1981              Specify  whether  the  client is required to supply a valid cer‐
1982              tificate.
1983
1984              Possible mode options are:
1985
1986              none   A client certificate is not required. the client needs to
1987                     authenticate  using username/password only. Be aware that
1988                     using this directive is less secure than  requiring  cer‐
1989                     tificates from all clients.
1990
1991                     If  you  use this directive, the entire responsibility of
1992                     authentication will rest on your  --auth-user-pass-verify
1993                     script,  so  keep  in mind that bugs in your script could
1994                     potentially compromise the security of your VPN.
1995
1996                     --verify-client-cert none is functionally  equivalent  to
1997                     --client-cert-not-required.
1998
1999              optional
2000                     A client may present a certificate but it is not required
2001                     to do so.  When using this directive, you should also use
2002                     a  --auth-user-pass-verify  script to ensure that clients
2003                     are authenticated using a  certificate,  a  username  and
2004                     password, or possibly even both.
2005
2006                     Again,  the  entire responsibility of authentication will
2007                     rest on your --auth-user-pass-verify script, so  keep  in
2008                     mind  that  bugs in your script could potentially compro‐
2009                     mise the security of your VPN.
2010
2011              require
2012                     This is the default  option.  A  client  is  required  to
2013                     present a certificate, otherwise VPN access is refused.
2014
2015              If you don't use this directive (or use --verify-client-cert re‐
2016              quire) but you also specify an  --auth-user-pass-verify  script,
2017              then OpenVPN will perform double authentication. The client cer‐
2018              tificate verification  AND  the  --auth-user-pass-verify  script
2019              will  need  to succeed in order for a client to be authenticated
2020              and accepted onto the VPN.
2021
2022       --vlan-tagging
2023              Server-only option. Turns the OpenVPN  server  instance  into  a
2024              switch that understands VLAN-tagging, based on IEEE 802.1Q.
2025
2026              The server TAP device and each of the connecting clients is seen
2027              as a port of the switch. All client ports are in  untagged  mode
2028              and  the  server  TAP device is VLAN-tagged, untagged or accepts
2029              both, depending on the --vlan-accept setting.
2030
2031              Ethernet frames with a prepended 802.1Q tag are called "tagged".
2032              If  the  VLAN  Identifier (VID) field in such a tag is non-zero,
2033              the frame is called "VLAN-tagged". If the VID is zero,  but  the
2034              Priority  Control  Point  (PCP)  field is non-zero, the frame is
2035              called "prio-tagged". If there is no 802.1Q tag,  the  frame  is
2036              "untagged".
2037
2038              Using   the   --vlan-pvid   v   option   once  per  client  (see
2039              --client-config-dir), each port can be associated with a certain
2040              VID.   Packets  can  only  be forwarded between ports having the
2041              same VID.  Therefore, clients with differing VIDs are completely
2042              separated  from one-another, even if --client-to-client is acti‐
2043              vated.
2044
2045              The packet filtering takes place in the OpenVPN server.  Clients
2046              should not have any VLAN tagging configuration applied.
2047
2048              The  --vlan-tagging  option is off by default. While turned off,
2049              OpenVPN accepts any Ethernet frame and does not perform any spe‐
2050              cial processing for VLAN-tagged packets.
2051
2052              This option can only be activated in --dev tap mode.
2053
2054       --vlan-accept args
2055              Configure the VLAN tagging policy for the server TAP device.
2056
2057              Valid syntax:
2058
2059                 vlan-accept  all|tagged|untagged
2060
2061              The following modes are available:
2062
2063              tagged Admit  only  VLAN-tagged frames. Only VLAN-tagged packets
2064                     are accepted, while untagged or  priority-tagged  packets
2065                     are dropped when entering the server TAP device.
2066
2067              untagged
2068                     Admit  only untagged and prio-tagged frames.  VLAN-tagged
2069                     packets  are  not  accepted,  while  untagged  or  prior‐
2070                     ity-tagged  packets  entering  the  server TAP device are
2071                     tagged  with  the  value  configured   for   the   global
2072                     --vlan-pvid setting.
2073
2074              all (default)
2075                     Admit  all  frames.   All  packets  are admitted and then
2076                     treated like untagged or tagged mode respectively.
2077
2078              Note:  Some vendors refer to switch ports running in tagged mode
2079                     as  "trunk  ports"  and  switch ports running in untagged
2080                     mode as "access ports".
2081
2082              Packets forwarded from clients to  the  server  are  VLAN-tagged
2083              with  the  originating client's PVID, unless the VID matches the
2084              global --vlan-pvid, in which case the tag is removed.
2085
2086              If no PVID is configured for a given  client  (see  --vlan-pvid)
2087              packets are tagged with 1 by default.
2088
2089       --vlan-pvid v
2090              Specifies  which  VLAN  identifier  a "port" is associated with.
2091              Only valid when --vlan-tagging is speficied.
2092
2093              In the client context, the setting specifies  which  VLAN  ID  a
2094              client is associated with. In the global context, the VLAN ID of
2095              the server TAP device is set. The latter only  makes  sense  for
2096              --vlan-accept untagged and --vlan-accept all modes.
2097
2098              Valid  values  for v go from 1 through to 4094. The global value
2099              defaults to 1. If no --vlan-pvid is specified in the client con‐
2100              text, the global value is inherited.
2101
2102              In  some switch implementations, the PVID is also referred to as
2103              "Native VLAN".
2104

ENCRYPTION OPTIONS

2106   SSL Library information
2107       --show-ciphers
2108              (Standalone) Show all cipher algorithms to use with the --cipher
2109              option.
2110
2111       --show-digests
2112              (Standalone)  Show all message digest algorithms to use with the
2113              --auth option.
2114
2115       --show-tls
2116              (Standalone) Show all TLS ciphers supported by  the  crypto  li‐
2117              brary.   OpenVPN  uses  TLS  to secure the control channel, over
2118              which the keys that are used to protect the actual  VPN  traffic
2119              are exchanged. The TLS ciphers will be sorted from highest pref‐
2120              erence (most secure) to lowest.
2121
2122              Be aware that whether a cipher suite in this list  can  actually
2123              work  depends  on  the  specific  setup of both peers (e.g. both
2124              peers must support the cipher, and an ECDSA  cipher  suite  will
2125              not work if you are using an RSA certificate, etc.).
2126
2127       --show-engines
2128              (Standalone)  Show currently available hardware-based crypto ac‐
2129              celeration engines supported by the OpenSSL library.
2130
2131       --show-groups
2132              (Standalone) Show all available elliptic  curves/groups  to  use
2133              with the --ecdh-curve and tls-groups options.
2134
2135   Generating key material
2136       --genkey args
2137              (Standalone)  Generate  a key to be used of the type keytype. if
2138              keyfile is left out or empty the key will be output  on  stdout.
2139              See the following sections for the different keytypes.
2140
2141              Valid syntax:
2142
2143                 --genkey keytype keyfile
2144
2145              Valid keytype arguments are:
2146
2147              secret                Standard OpenVPN shared secret keys
2148
2149              tls-crypt             Alias for secret
2150
2151              tls-auth              Alias for secret
2152
2153              auth-token            Key used for --auth-gen-token-key
2154
2155              tls-crypt-v2-server   TLS Crypt v2 server key
2156
2157              tls-crypt-v2-client   TLS Crypt v2 client key
2158
2159              Examples:
2160
2161                 $ openvpn --genkey secret shared.key
2162                 $ openvpn --genkey tls-crypt shared.key
2163                 $ openvpn --genkey tls-auth shared.key
2164                 $ openvpn --genkey tls-crypt-v2-server v2crypt-server.key
2165                 $ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key
2166
2167              • Generating  Shared  Secret  Keys Generate a shared secret, for
2168                use with the --secret, --tls-auth or --tls-crypt options.
2169
2170                Syntax:
2171
2172                   $ openvpn --genkey secret|tls-crypt|tls-auth keyfile
2173
2174                The key is saved in keyfile.  All  three  variants  (--secret,
2175                tls-crypt  and  tls-auth)  generate  the same type of key. The
2176                aliases are added for convenience.
2177
2178                If using this for --secret, this file must be shared with  the
2179                peer over a pre-existing secure channel such as scp(1).
2180
2181              • Generating  TLS  Crypt v2 Server key Generate a --tls-crypt-v2
2182                key to be used by an OpenVPN server.  The  key  is  stored  in
2183                keyfile.
2184
2185                Syntax:
2186
2187                   --genkey tls-crypt-v2-server keyfile
2188
2189              • Generating  TLS  Crypt v2 Client key Generate a --tls-crypt-v2
2190                key to be used by OpenVPN clients.  The key is stored in  key‐
2191                file.
2192
2193                Syntax
2194
2195                   --genkey tls-crypt-v2-client keyfile [metadata]
2196
2197                If  supplied,  include  the  supplied  metadata in the wrapped
2198                client key. This metadata must be supplied  in  base64-encoded
2199                form.  The  metadata must be at most 735 bytes long (980 bytes
2200                in base64).
2201
2202                If no metadata is supplied, OpenVPN will  use  a  64-bit  unix
2203                timestamp  representing  the  current  time in UTC, encoded in
2204                network order, as metadata for the generated key.
2205
2206                A tls-crypt-v2 client key is wrapped using a  server  key.  To
2207                generate  a  client  key,  the  user must therefore supply the
2208                server key using the --tls-crypt-v2 option.
2209
2210                Servers can use --tls-crypt-v2-verify to  specify  a  metadata
2211                verification command.
2212
2213              • Generate  Authentication  Token key Generate a new secret that
2214                can be used with --auth-gen-token-secret
2215
2216                Syntax:
2217
2218                   --genkey auth-token [keyfile]
2219
2220                Note:  This file should be kept secret to the server as anyone
2221                       that  has  access to this file will be able to generate
2222                       auth tokens that the  OpenVPN  server  will  accept  as
2223                       valid.
2224
2225   Data Channel Renegotiation
2226       When running OpenVPN in client/server mode, the data channel will use a
2227       separate ephemeral encryption key which is rotated  at  regular  inter‐
2228       vals.
2229
2230       --reneg-bytes n
2231              Renegotiate  data  channel  key  after  n bytes sent or received
2232              (disabled by default with an exception, see below). OpenVPN  al‐
2233              lows  the lifetime of a key to be expressed as a number of bytes
2234              encrypted/decrypted, a number of packets, or a  number  of  sec‐
2235              onds.  A  key renegotiation will be forced if any of these three
2236              criteria are met by either peer.
2237
2238              If using ciphers with cipher block  sizes  less  than  128-bits,
2239              --reneg-bytes is set to 64MB by default, unless it is explicitly
2240              disabled by setting the value to 0, but this is HIGHLY  DISCOUR‐
2241              AGED  as  this  is  designed  to add some protection against the
2242              SWEET32 attack vector. For more information see the --cipher op‐
2243              tion.
2244
2245       --reneg-pkts n
2246              Renegotiate  data  channel key after n packets sent and received
2247              (disabled by default).
2248
2249       --reneg-sec args
2250              Renegotiate data channel key after at most max seconds  (default
2251              3600)  and  at  least  min  seconds  (default  is 90% of max for
2252              servers, and equal to max for clients).
2253
2254                 reneg-sec max [min]
2255
2256              The effective --reneg-sec value used is per session  pseudo-uni‐
2257              form-randomized between min and max.
2258
2259              With  the default value of 3600 this results in an effective per
2260              session value in the range of 3240 .. 3600 seconds for  servers,
2261              or just 3600 for clients.
2262
2263              When  using  dual-factor  authentication, note that this default
2264              value may cause the end user to  be  challenged  to  reauthorize
2265              once per hour.
2266
2267              Also,  keep  in  mind  that  this option can be used on both the
2268              client and server, and whichever uses the lower  value  will  be
2269              the one to trigger the renegotiation. A common mistake is to set
2270              --reneg-sec to a higher value on either the  client  or  server,
2271              while  the  other  side of the connection is still using the de‐
2272              fault value of 3600 seconds, meaning that the renegotiation will
2273              still  occur  once per 3600 seconds. The solution is to increase
2274              --reneg-sec on both the client and server, or set it to 0 on one
2275              side of the connection (to disable), and to your chosen value on
2276              the other side.
2277
2278   TLS Mode Options
2279       TLS mode is the most powerful crypto mode of OpenVPN in  both  security
2280       and  flexibility. TLS mode works by establishing control and data chan‐
2281       nels which are multiplexed over a single TCP/UDP port.  OpenVPN  initi‐
2282       ates a TLS session over the control channel and uses it to exchange ci‐
2283       pher and HMAC keys to protect the data channel. TLS mode uses a  robust
2284       reliability  layer over the UDP connection for all control channel com‐
2285       munication, while the data channel, over which  encrypted  tunnel  data
2286       passes,  is  forwarded without any mediation. The result is the best of
2287       both worlds: a fast data channel that forwards over UDP with  only  the
2288       overhead of encrypt, decrypt, and HMAC functions, and a control channel
2289       that provides all of the security features of TLS,  including  certifi‐
2290       cate-based authentication and Diffie Hellman forward secrecy.
2291
2292       To  use TLS mode, each peer that runs OpenVPN should have its own local
2293       certificate/key pair (--cert and --key), signed by the root certificate
2294       which is specified in --ca.
2295
2296       When  two OpenVPN peers connect, each presents its local certificate to
2297       the other. Each peer will then check that its partner peer presented  a
2298       certificate  which  was signed by the master root certificate as speci‐
2299       fied in --ca.
2300
2301       If that check on both peers succeeds, then  the  TLS  negotiation  will
2302       succeed,  both  OpenVPN peers will exchange temporary session keys, and
2303       the tunnel will begin passing data.
2304
2305       The OpenVPN project provides a set of scripts for managing RSA certifi‐
2306       cates and keys: https://github.com/OpenVPN/easy-rsa
2307
2308       --askpass file
2309              Get  certificate  password from console or file before we daemo‐
2310              nize.
2311
2312              Valid syntaxes:
2313
2314                 askpass
2315                 askpass file
2316
2317              For the extremely security conscious, it is possible to  protect
2318              your  private key with a password. Of course this means that ev‐
2319              ery time the OpenVPN daemon is started you must be there to type
2320              the  password.  The --askpass option allows you to start OpenVPN
2321              from the command line.  It will query you for a password  before
2322              it  daemonizes.  To  protect  a  private key with a password you
2323              should omit the -nodes option when you use the  openssl  command
2324              line tool to manage certificates and private keys.
2325
2326              If  file  is specified, read the password from the first line of
2327              file. Keep in mind that storing your password in  a  file  to  a
2328              certain  extent invalidates the extra security provided by using
2329              an encrypted key.
2330
2331       --ca file
2332              Certificate authority (CA) file in .pem format, also referred to
2333              as  the  root  certificate. This file can have multiple certifi‐
2334              cates in .pem format, concatenated together. You  can  construct
2335              your  own  certificate  authority certificate and private key by
2336              using a command such as:
2337
2338                 openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
2339
2340              Then edit your openssl.cnf file and edit the  certificate  vari‐
2341              able to point to your new root certificate ca.crt.
2342
2343              For  testing  purposes only, the OpenVPN distribution includes a
2344              sample CA certificate (ca.crt). Of course you should  never  use
2345              the  test certificates and test keys distributed with OpenVPN in
2346              a production environment, since by virtue of the fact that  they
2347              are distributed with OpenVPN, they are totally insecure.
2348
2349       --capath dir
2350              Directory  containing  trusted  certificates (CAs and CRLs). Not
2351              available with mbed TLS.
2352
2353              CAs in the capath directory are expected to be named <hash>.<n>.
2354              CRLs  are  expected to be named <hash>.r<n>. See the -CApath op‐
2355              tion of openssl verify, and the -hash option  of  openssl  x509,
2356              openssl crl and X509_LOOKUP_hash_dir()(3) for more information.
2357
2358              Similar  to  the  --crl-verify  option, CRLs are not mandatory -
2359              OpenVPN will log the usual warning in the logs if  the  relevant
2360              CRL is missing, but the connection will be allowed.
2361
2362       --cert file
2363              Local peer's signed certificate in .pem format -- must be signed
2364              by a certificate authority whose certificate is  in  --ca  file.
2365              Each peer in an OpenVPN link running in TLS mode should have its
2366              own certificate and private key file. In addition, each certifi‐
2367              cate should have been signed by the key of a certificate author‐
2368              ity whose public key resides in the --ca  certificate  authority
2369              file.  You  can  easily make your own certificate authority (see
2370              above) or  pay  money  to  use  a  commercial  service  such  as
2371              thawte.com  (in  which  case  you will be helping to finance the
2372              world's second space tourist :). To generate a certificate,  you
2373              can use a command such as:
2374
2375                 openssl req -nodes -new -keyout mycert.key -out mycert.csr
2376
2377              If  your  certificate authority private key lives on another ma‐
2378              chine, copy the certificate signing request (mycert.csr) to this
2379              other machine (this can be done over an insecure channel such as
2380              email). Now sign the certificate with a command such as:
2381
2382                 openssl ca -out mycert.crt -in mycert.csr
2383
2384              Now copy the certificate (mycert.crt) back  to  the  peer  which
2385              initially  generated  the  .csr  file (this can be over a public
2386              medium). Note that the openssl ca command reads the location  of
2387              the  certificate  authority key from its configuration file such
2388              as /usr/share/ssl/openssl.cnf -- note also that for  certificate
2389              authority functions, you must set up the files index.txt (may be
2390              empty) and serial (initialize to 01).
2391
2392       --crl-verify args
2393              Check peer certificate against a Certificate Revocation List.
2394
2395              Valid syntax:
2396
2397                 crl-verify file/directory flag
2398
2399              Examples:
2400
2401                 crl-verify crl-file.pem
2402                 crl-verify /etc/openvpn/crls dir
2403
2404              A CRL (certificate revocation list) is used  when  a  particular
2405              key is compromised but when the overall PKI is still intact.
2406
2407              Suppose  you had a PKI consisting of a CA, root certificate, and
2408              a number of client certificates. Suppose a laptop computer  con‐
2409              taining  a  client key and certificate was stolen. By adding the
2410              stolen certificate to the CRL file, you could reject any connec‐
2411              tion  which attempts to use it, while preserving the overall in‐
2412              tegrity of the PKI.
2413
2414              The only time when it would be necessary to rebuild  the  entire
2415              PKI from scratch would be if the root certificate key itself was
2416              compromised.
2417
2418              The option is not mandatory - if the relevant  CRL  is  missing,
2419              OpenVPN will log a warning in the logs - e.g.
2420
2421                 VERIFY WARNING: depth=0, unable to get certificate CRL
2422
2423              but the connection will be allowed.  If the optional dir flag is
2424              specified, enable a  different  mode  where  the  crl-verify  is
2425              pointed  at a directory containing files named as revoked serial
2426              numbers (the files may be empty, the contents are  never  read).
2427              If  a client requests a connection, where the client certificate
2428              serial number (decimal string) is the name of a file present  in
2429              the directory, it will be rejected.
2430
2431              Note:  As  the crl file (or directory) is read every time a peer
2432                     connects,  if  you  are  dropping  root  privileges  with
2433                     --user,  make  sure  that this user has sufficient privi‐
2434                     leges to read the file.
2435
2436       --dh file
2437              File containing Diffie Hellman parameters in  .pem  format  (re‐
2438              quired for --tls-server only).
2439
2440              Set file to none to disable Diffie Hellman key exchange (and use
2441              ECDH only). Note that this requires peers to be using an SSL li‐
2442              brary that supports ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+,
2443              or mbed TLS 2.0+).
2444
2445              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
2446              parameters. Diffie Hellman parameters may be considered public.
2447
2448       --ecdh-curve name
2449              Specify  the  curve  to  use  for elliptic curve Diffie Hellman.
2450              Available curves can be listed with --show-curves. The specified
2451              curve will only be used for ECDH TLS-ciphers.
2452
2453              This option is not supported in mbed TLS builds of OpenVPN.
2454
2455       --extra-certs file
2456              Specify  a  file  containing one or more PEM certs (concatenated
2457              together) that complete the local certificate chain.
2458
2459              This option is useful for "split" CAs, where the CA  for  server
2460              certs  is  different than the CA for client certs. Putting certs
2461              in this file allows them to be used to complete the  local  cer‐
2462              tificate  chain without trusting them to verify the peer-submit‐
2463              ted certificate, as would be the case if the certs  were  placed
2464              in the ca file.
2465
2466       --hand-window n
2467              Handshake  Window  --  the  TLS-based key exchange must finalize
2468              within n seconds of handshake initiation by any peer (default 60
2469              seconds).  If  the  handshake fails we will attempt to reset our
2470              connection with our peer and try again. Even  in  the  event  of
2471              handshake  failure  we will still use our expiring key for up to
2472              --tran-window seconds to maintain continuity of transmission  of
2473              tunnel data.
2474
2475       --key file
2476              Local  peer's  private  key  in .pem format. Use the private key
2477              which was generated when you built your peer's certificate  (see
2478              --cert file above).
2479
2480       --pkcs12 file
2481              Specify a PKCS #12 file containing local private key, local cer‐
2482              tificate, and root CA certificate. This option can be  used  in‐
2483              stead of --ca, --cert, and --key.  Not available with mbed TLS.
2484
2485       --remote-cert-eku oid
2486              Require  that  peer  certificate was signed with an explicit ex‐
2487              tended key usage.
2488
2489              This is a useful security option for clients, to ensure that the
2490              host they connect to is a designated server.
2491
2492              The  extended  key  usage  should be encoded in oid notation, or
2493              OpenSSL symbolic representation.
2494
2495       --remote-cert-ku key-usage
2496              Require that  peer  certificate  was  signed  with  an  explicit
2497              key-usage.
2498
2499              If  present  in the certificate, the keyUsage value is validated
2500              by the TLS library during the TLS handshake. Specifying this op‐
2501              tion without arguments requires this extension to be present (so
2502              the TLS library will verify it).
2503
2504              If key-usage is a list of usage bits, the  keyUsage  field  must
2505              have at least the same bits set as the bits in one of the values
2506              supplied in the key-usage list.
2507
2508              The key-usage values in the list must be encoded in hex, e.g.
2509
2510                 remote-cert-ku a0
2511
2512       --remote-cert-tls type
2513              Require that peer certificate was signed with  an  explicit  key
2514              usage and extended key usage based on RFC3280 TLS rules.
2515
2516              Valid syntaxes:
2517
2518                 remote-cert-tls server
2519                 remote-cert-tls client
2520
2521              This is a useful security option for clients, to ensure that the
2522              host they connect to is a designated server. Or  the  other  way
2523              around;  for  a  server  to verify that only hosts with a client
2524              certificate can connect.
2525
2526              The --remote-cert-tls client option is equivalent to
2527
2528                 remote-cert-ku
2529                 remote-cert-eku "TLS Web Client Authentication"
2530
2531              The --remote-cert-tls server option is equivalent to
2532
2533                 remote-cert-ku
2534                 remote-cert-eku "TLS Web Server Authentication"
2535
2536              This is an important security precaution to  protect  against  a
2537              man-in-the-middle  attack where an authorized client attempts to
2538              connect to another client by impersonating the server.  The  at‐
2539              tack  is  easily  prevented  by having clients verify the server
2540              certificate  using  any   one   of   --remote-cert-tls,   --ver‐
2541              ify-x509-name, or --tls-verify.
2542
2543       --tls-auth args
2544              Add an additional layer of HMAC authentication on top of the TLS
2545              control channel to mitigate DoS attacks and attacks on  the  TLS
2546              stack.
2547
2548              Valid syntaxes:
2549
2550                 tls-auth file
2551                 tls-auth file 0
2552                 tls-auth file 1
2553
2554              In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
2555              OpenVPN's TCP/UDP port, where TLS control channel packets  bear‐
2556              ing an incorrect HMAC signature can be dropped immediately with‐
2557              out response.
2558
2559              file (required) is a file in OpenVPN static key format which can
2560              be generated by --genkey.
2561
2562              Older   versions  (up  to  OpenVPN  2.3)  supported  a  freeform
2563              passphrase file.  This is no longer supported in newer  versions
2564              (v2.4+).
2565
2566              See the --secret option for more information on the optional di‐
2567              rection parameter.
2568
2569              --tls-auth is recommended when you are running OpenVPN in a mode
2570              where  it  is listening for packets from any IP address, such as
2571              when --remote is not specified, or --remote  is  specified  with
2572              --float.
2573
2574              The  rationale  for  this  feature is as follows. TLS requires a
2575              multi-packet exchange before it is able to authenticate a  peer.
2576              During  this  time  before authentication, OpenVPN is allocating
2577              resources (memory and CPU) to this potential peer. The potential
2578              peer  is also exposing many parts of OpenVPN and the OpenSSL li‐
2579              brary to the packets it is sending. Most successful network  at‐
2580              tacks  today  seek  to  either exploit bugs in programs (such as
2581              buffer overflow attacks) or force a program to consume  so  many
2582              resources  that it becomes unusable. Of course the first line of
2583              defense is always to produce clean, well-audited  code.  OpenVPN
2584              has been written with buffer overflow attack prevention as a top
2585              priority. But as history has shown, many of the most widely used
2586              network  applications  have, from time to time, fallen to buffer
2587              overflow attacks.
2588
2589              So as a second line of  defense,  OpenVPN  offers  this  special
2590              layer  of  authentication  on  top of the TLS control channel so
2591              that every packet on the control channel is authenticated by  an
2592              HMAC  signature and a unique ID for replay protection. This sig‐
2593              nature will also help protect against DoS  (Denial  of  Service)
2594              attacks. An important rule of thumb in reducing vulnerability to
2595              DoS attacks is to minimize the amount of resources a  potential,
2596              but as yet unauthenticated, client is able to consume.
2597
2598              --tls-auth does this by signing every TLS control channel packet
2599              with an HMAC signature, including packets which are sent  before
2600              the TLS level has had a chance to authenticate the peer. The re‐
2601              sult is that  packets  without  the  correct  signature  can  be
2602              dropped immediately upon reception, before they have a chance to
2603              consume additional system resources such as by initiating a  TLS
2604              handshake.  --tls-auth  can  be strengthened by adding the --re‐
2605              play-persist option which will keep OpenVPN's replay  protection
2606              state in a file so that it is not lost across restarts.
2607
2608              It  should  be emphasized that this feature is optional and that
2609              the key file used with --tls-auth gives a peer nothing more than
2610              the power to initiate a TLS handshake. It is not used to encrypt
2611              or authenticate any tunnel data.
2612
2613              Use --tls-crypt instead if you want to use the key file  to  not
2614              only authenticate, but also encrypt the TLS control channel.
2615
2616       --tls-groups list
2617              A list of allowable groups/curves in order of preference.
2618
2619              Set  the  allowed  elliptic  curves/groups  for the TLS session.
2620              These groups are allowed to be used in signatures  and  key  ex‐
2621              change.
2622
2623              mbedTLS currently allows all known curves per default.
2624
2625              OpenSSL 1.1+ restricts the list per default to
2626
2627                 "X25519:secp256r1:X448:secp521r1:secp384r1".
2628
2629              If  you use certificates that use non-standard curves, you might
2630              need to add them here. If you do not force the ecdh curve by us‐
2631              ing  --ecdh-curve,  the groups for ecdh will also be picked from
2632              this list.
2633
2634              OpenVPN maps the curve name secp256r1  to  prime256v1  to  allow
2635              specifying the same tls-groups option for mbedTLS and OpenSSL.
2636
2637              Warning:  this  option  not only affects elliptic curve certifi‐
2638              cates but also the key exchange in TLS 1.3 and using this option
2639              improperly will disable TLS 1.3.
2640
2641       --tls-cert-profile profile
2642              Set  the  allowed  cryptographic algorithms for certificates ac‐
2643              cording to profile.
2644
2645              The following profiles are supported:
2646
2647              legacy (default)
2648                     SHA1 and newer, RSA 2048-bit+, any elliptic curve.
2649
2650              preferred
2651                     SHA2 and newer, RSA 2048-bit+, any elliptic curve.
2652
2653              suiteb SHA256/SHA384, ECDSA with P-256 or P-384.
2654
2655              This option is only fully supported for mbed TLS builds. OpenSSL
2656              builds use the following approximation:
2657
2658              legacy (default)
2659                     sets "security level 1"
2660
2661              preferred
2662                     sets "security level 2"
2663
2664              suiteb sets "security level 3" and --tls-cipher "SUITEB128".
2665
2666              OpenVPN  will  migrate  to 'preferred' as default in the future.
2667              Please ensure that your keys already comply.
2668
2669       WARNING: --tls-ciphers, --tls-ciphersuites and tls-groups
2670              These options are expert features, which - if used  correctly  -
2671              can  improve the security of your VPN connection. But it is also
2672              easy to unwittingly use them to carefully align a gun with  your
2673              foot, or just break your connection. Use with care!
2674
2675       --tls-cipher l
2676              A list l of allowable TLS ciphers delimited by a colon (":").
2677
2678              These  setting  can be used to ensure that certain cipher suites
2679              are used (or not used) for the TLS connection. OpenVPN uses  TLS
2680              to secure the control channel, over which the keys that are used
2681              to protect the actual VPN traffic are exchanged.
2682
2683              The supplied list of ciphers is  (after  potential  OpenSSL/IANA
2684              name  translation) simply supplied to the crypto library. Please
2685              see the OpenSSL and/or mbed TLS documentation for details on the
2686              cipher list interpretation.
2687
2688              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below.
2689
2690              Use  --show-tls  to  see a list of TLS ciphers supported by your
2691              crypto library.
2692
2693              The default for --tls-cipher is to use mbed TLS's default cipher
2694              list       when       using       mbed      TLS      or      DE‐
2695              FAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA    when
2696              using OpenSSL.
2697
2698       --tls-ciphersuites l
2699              Same as --tls-cipher but for TLS 1.3 and up. mbed TLS has no TLS
2700              1.3 support yet and only the --tls-cipher setting is used.
2701
2702              The default for --tls-ciphersuites is  to  use  the  crypto  li‐
2703              brary's default.
2704
2705       --tls-client
2706              Enable TLS and assume client role during TLS handshake.
2707
2708       --tls-crypt keyfile
2709              Encrypt  and  authenticate  all control channel packets with the
2710              key from keyfile. (See --tls-auth for more background.)
2711
2712              Encrypting (and authenticating) control channel packets:
2713
2714              • provides more privacy by hiding the certificate used  for  the
2715                TLS connection,
2716
2717              • makes it harder to identify OpenVPN traffic as such,
2718
2719              • provides "poor-man's" post-quantum security, against attackers
2720                who will never know the pre-shared key (i.e.  no  forward  se‐
2721                crecy).
2722
2723              In contrast to --tls-auth, --tls-crypt does not require the user
2724              to set --key-direction.
2725
2726              Security Considerations
2727
2728              All peers use the same --tls-crypt pre-shared group key  to  au‐
2729              thenticate  and encrypt control channel messages. To ensure that
2730              IV collisions remain unlikely, this key should not  be  used  to
2731              encrypt more than 2^48 client-to-server or 2^48 server-to-client
2732              control channel messages. A typical initial negotiation is about
2733              10  packets in each direction. Assuming both initial negotiation
2734              and renegotiations are at most 2^16 (65536) packets (to be  con‐
2735              servative),  and  (re)negotiations  happen  each minute for each
2736              user (24/7), this limits the  tls-crypt  key  lifetime  to  8171
2737              years divided by the number of users. So a setup with 1000 users
2738              should rotate the key at least once each  eight  years.  (And  a
2739              setup with 8000 users each year.)
2740
2741              If  IV  collisions were to occur, this could result in the secu‐
2742              rity of --tls-crypt degrading to  the  same  security  as  using
2743              --tls-auth.   That  is,  the control channel still benefits from
2744              the extra protection  against  active  man-in-the-middle-attacks
2745              and  DoS  attacks,  but  may  no  longer offer extra privacy and
2746              post-quantum security on top of what TLS itself offers.
2747
2748              For large setups or setups where clients are not  trusted,  con‐
2749              sider  using --tls-crypt-v2 instead. That uses per-client unique
2750              keys, and thereby improves the bounds to 'rotate a client key at
2751              least once per 8000 years'.
2752
2753       --tls-crypt-v2 keyfile
2754              Use client-specific tls-crypt keys.
2755
2756              For  clients, keyfile is a client-specific tls-crypt key. Such a
2757              key can be generated using the --genkey tls-crypt-v2-client  op‐
2758              tion.
2759
2760              For servers, keyfile is used to unwrap client-specific keys sup‐
2761              plied by the client during connection setup. This  key  must  be
2762              the  same  as  the  key used to generate the client-specific key
2763              (see --genkey tls-crypt-v2-client).
2764
2765              On servers, this option can be used together with the --tls-auth
2766              or  --tls-crypt  option.  In  that  case, the server will detect
2767              whether the client is using client-specific keys, and  automati‐
2768              cally select the right mode.
2769
2770       --tls-crypt-v2-verify cmd
2771              Run  command  cmd  to verify the metadata of the client-specific
2772              tls-crypt-v2 key of a connecting client. This allows server  ad‐
2773              ministrators  to  reject client connections, before exposing the
2774              TLS stack (including the notoriously dangerous X.509  and  ASN.1
2775              stacks) to the connecting client.
2776
2777              OpenVPN supplies the following environment variables to the com‐
2778              mand:
2779
2780              • script_type is set to tls-crypt-v2-verify
2781
2782              • metadata_type is set to 0 if the metadata was  user  supplied,
2783                or 1 if it's a 64-bit unix timestamp representing the key cre‐
2784                ation time.
2785
2786              • metadata_file contains the filename of a temporary  file  that
2787                contains the client metadata.
2788
2789              The command can reject the connection by exiting with a non-zero
2790              exit code.
2791
2792       --tls-exit
2793              Exit on TLS negotiation failure.
2794
2795       --tls-export-cert directory
2796              Store the certificates the clients use upon connection  to  this
2797              directory.  This will be done before --tls-verify is called. The
2798              certificates will use a temporary name and will be deleted  when
2799              the  tls-verify  script returns. The file name used for the cer‐
2800              tificate is available via the peer_cert environment variable.
2801
2802       --tls-server
2803              Enable TLS and assume server role  during  TLS  handshake.  Note
2804              that OpenVPN is designed as a peer-to-peer application. The des‐
2805              ignation of client or server is only for the purpose of  negoti‐
2806              ating the TLS control channel.
2807
2808       --tls-timeout n
2809              Packet  retransmit timeout on TLS control channel if no acknowl‐
2810              edgment from remote within n seconds (default 2).  When  OpenVPN
2811              sends a control packet to its peer, it will expect to receive an
2812              acknowledgement within n  seconds  or  it  will  retransmit  the
2813              packet,  subject  to  a  TCP-like exponential backoff algorithm.
2814              This parameter only applies to  control  channel  packets.  Data
2815              channel  packets  (which  carry encrypted tunnel data) are never
2816              acknowledged, sequenced, or retransmitted by OpenVPN because the
2817              higher level network protocols running on top of the tunnel such
2818              as TCP expect this role to be left to them.
2819
2820       --tls-version-min args
2821              Sets the minimum TLS version we will accept from the  peer  (de‐
2822              fault is "1.0").
2823
2824              Valid syntax:
2825
2826                 tls-version-min version ['or-highest']
2827
2828              Examples  for version include 1.0, 1.1, or 1.2. If or-highest is
2829              specified and version is not recognized, we will only accept the
2830              highest TLS version supported by the local SSL implementation.
2831
2832       --tls-version-max version
2833              Set  the maximum TLS version we will use (default is the highest
2834              version supported). Examples for version include  1.0,  1.1,  or
2835              1.2.
2836
2837       --verify-hash args
2838              Specify SHA1 or SHA256 fingerprint for level-1 cert.
2839
2840              Valid syntax:
2841
2842                 verify-hash hash [algo]
2843
2844              The level-1 cert is the CA (or intermediate cert) that signs the
2845              leaf certificate, and is one removed from the  leaf  certificate
2846              in the direction of the root. When accepting a connection from a
2847              peer, the level-1 cert fingerprint must match hash  or  certifi‐
2848              cate  verification will fail. Hash is specified as XX:XX:... For
2849              example:
2850
2851                 AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
2852
2853              The algo flag can be either SHA1 or SHA256. If not provided,  it
2854              defaults to SHA1.
2855
2856       --verify-x509-name args
2857              Accept connections only if a host's X.509 name is equal to name.
2858              The remote host must also pass all other tests of verification.
2859
2860              Valid syntax:
2861
2862                 verify-x509 name type
2863
2864              Which X.509 name is compared to name depends on the  setting  of
2865              type.  type can be subject to match the complete subject DN (de‐
2866              fault), name to match a subject RDN or name-prefix  to  match  a
2867              subject RDN prefix. Which RDN is verified as name depends on the
2868              --x509-username-field option. But it defaults to the common name
2869              (CN), e.g. a certificate with a subject DN
2870
2871                 C=KG, ST=NA, L=Bishkek, CN=Server-1
2872
2873              would be matched by:
2874
2875                 verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
2876                 verify-x509-name Server-1 name
2877                 verify-x509-name Server- name-prefix
2878
2879              The  last  example is useful if you want a client to only accept
2880              connections to Server-1, Server-2, etc.
2881
2882              --verify-x509-name is a useful replacement for the  --tls-verify
2883              option  to  verify  the  remote host, because --verify-x509-name
2884              works in a --chroot environment without any dependencies.
2885
2886              Using a name prefix is a useful alternative to  managing  a  CRL
2887              (Certificate Revocation List) on the client, since it allows the
2888              client to refuse all certificates except  for  those  associated
2889              with designated servers.
2890
2891              NOTE:  Test  against a name prefix only when you are using Open‐
2892                     VPN with a custom CA certificate that is under your  con‐
2893                     trol.  Never  use  this option with type name-prefix when
2894                     your client certificates are signed  by  a  third  party,
2895                     such as a commercial web CA.
2896
2897       --x509-track attribute
2898              Save peer X509 attribute value in environment for use by plugins
2899              and management interface. Prepend a + to attribute to save  val‐
2900              ues   from   full   cert   chain.  Values  will  be  encoded  as
2901              X509_<depth>_<attribute>=<value>. Multiple --x509-track  options
2902              can be defined to track multiple attributes.
2903
2904       --x509-username-field args
2905              Field  in  the X.509 certificate subject to be used as the user‐
2906              name (default CN).
2907
2908              Valid syntax:
2909
2910                 x509-username-field [ext:]fieldname
2911
2912              Typically, this option is specified with fieldname as either  of
2913              the following:
2914
2915                 x509-username-field emailAddress
2916                 x509-username-field ext:subjectAltName
2917
2918              The  first  example uses the value of the emailAddress attribute
2919              in the certificate's Subject field as the username.  The  second
2920              example uses the ext: prefix to signify that the X.509 extension
2921              fieldname subjectAltName be searched for an  rfc822Name  (email)
2922              field  to be used as the username. In cases where there are mul‐
2923              tiple email addresses in ext:fieldname, the last  occurrence  is
2924              chosen.
2925
2926              When  this  option  is  used, the --verify-x509-name option will
2927              match against the chosen fieldname instead of the Common Name.
2928
2929              Only the subjectAltName and issuerAltName X.509  extensions  are
2930              supported.
2931
2932              Please  note:  This  option  has a feature which will convert an
2933              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
2934              A  mixed-case  fieldname  or  one having the ext: prefix will be
2935              left as-is. This automatic upcasing feature  is  deprecated  and
2936              will be removed in a future release.
2937
2938   PKCS#11 / SmartCard options
2939       --pkcs11-cert-private args
2940              Set  if  access  to certificate object should be performed after
2941              login.  Every provider has its own setting.
2942
2943              Valid syntaxes:
2944
2945                 pkcs11-cert-private 0
2946                 pkcs11-cert-private 1
2947
2948       --pkcs11-id name
2949              Specify the serialized certificate id to be used. The id can  be
2950              gotten by the standalone --show-pkcs11-ids option.
2951
2952       --pkcs11-id-management
2953              Acquire  PKCS#11  id  from  management interface. In this case a
2954              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
2955              gered,  application  may use pkcs11-id-count command to retrieve
2956              available number of certificates, and pkcs11-id-get  command  to
2957              retrieve certificate id and certificate body.
2958
2959       --pkcs11-pin-cache seconds
2960              Specify  how  many seconds the PIN can be cached, the default is
2961              until the token is removed.
2962
2963       --pkcs11-private-mode mode
2964              Specify which method to use in order to perform private key  op‐
2965              erations.   A different mode can be specified for each provider.
2966              Mode is encoded as hex number, and can be a mask one of the fol‐
2967              lowing:
2968
2969              0 (default)   Try to determine automatically.
2970
2971              1             Use sign.
2972
2973              2             Use sign recover.
2974
2975              4             Use decrypt.
2976
2977              8             Use unwrap.
2978
2979       --pkcs11-protected-authentication args
2980              Use  PKCS#11 protected authentication path, useful for biometric
2981              and external keypad devices. Every provider has its own setting.
2982
2983              Valid syntaxes:
2984
2985                 pkcs11-protected-authentication 0
2986                 pkcs11-protected-authentication 1
2987
2988       --pkcs11-providers provider
2989              Specify an RSA Security Inc. PKCS #11 Cryptographic Token Inter‐
2990              face  (Cryptoki)  providers to load. This option can be used in‐
2991              stead of --cert, --key and --pkcs12.
2992
2993              If p11-kit is present on the system, its p11-kit-proxy.so module
2994              will   be  loaded  by  default  if  either  the  --pkcs11-id  or
2995              --pkcs11-id-management    options    are    specified    without
2996              --pkcs11-provider being given.
2997
2998       --show-pkcs11-ids args
2999              (Standalone) Show PKCS#11 token object list.
3000
3001              Valid syntax:
3002
3003                 show-pkcs11 [provider] [cert_private]
3004
3005              Specify  cert_private as 1 if certificates are stored as private
3006              objects.
3007
3008              If p11-kit is present on the system, the  provider  argument  is
3009              optional; if omitted the default p11-kit-proxy.so module will be
3010              queried.
3011
3012              --verb option can be used BEFORE this option to  produce  debug‐
3013              ging information.
3014