1OPENVPN(8)                  System Manager's Manual                 OPENVPN(8)
2
3
4

NAME

6       openvpn - Secure IP tunnel daemon
7

SYNOPSIS

9       openvpn [ options ... ]
10       openvpn  --help
11
12

INTRODUCTION

14       OpenVPN  is  an  open source VPN daemon by James Yonan. Because OpenVPN
15       tries to be a universal VPN tool offering a great deal of  flexibility,
16       there  are a lot of options on this manual page. If you're new to Open‐
17       VPN, you might want to skip ahead to the  examples  section  where  you
18       will  see how to construct simple VPNs on the command line without even
19       needing a configuration file.
20
21       Also note that there's more documentation and examples on  the  OpenVPN
22       web site: https://openvpn.net/
23
24       And  if you would like to see a shorter version of this manual, see the
25       openvpn usage message which can be obtained by running openvpn  without
26       any parameters.
27

DESCRIPTION

29       OpenVPN  is  a  robust and highly flexible VPN daemon. OpenVPN supports
30       SSL/TLS security,  ethernet  bridging,  TCP  or  UDP  tunnel  transport
31       through  proxies  or  NAT,  support  for dynamic IP addresses and DHCP,
32       scalability to hundreds or thousands of users, and portability to  most
33       major OS platforms.
34
35       OpenVPN  is  tightly  bound to the OpenSSL library, and derives much of
36       its crypto capabilities from it.
37
38       OpenVPN supports conventional encryption using a pre-shared secret  key
39       (Static  Key mode) or public key security (SSL/TLS mode) using client &
40       server certificates. OpenVPN also supports non-encrypted  TCP/UDP  tun‐
41       nels.
42
43       OpenVPN  is designed to work with the TUN/TAP virtual networking inter‐
44       face that exists on most platforms.
45
46       Overall, OpenVPN aims to offer many of the key features  of  IPSec  but
47       with a relatively lightweight footprint.
48

OPTIONS

50       OpenVPN allows any option to be placed either on the command line or in
51       a configuration file. Though all command line options are preceded by a
52       double-leading-dash  ("--"),  this prefix can be removed when an option
53       is placed in a configuration file.
54
55   Generic Options
56       This section covers generic options which are accessible regardless  of
57       which mode OpenVPN is configured as.
58
59       --help Show options.
60
61       --auth-nocache
62              Don't  cache --askpass or --auth-user-pass username/passwords in
63              virtual memory.
64
65              If specified, this directive will cause OpenVPN  to  immediately
66              forget  username/password  inputs  after they are used. As a re‐
67              sult, when OpenVPN needs a username/password, it will prompt for
68              input  from  stdin, which may be multiple times during the dura‐
69              tion of an OpenVPN session.
70
71              When using --auth-nocache in combination  with  a  user/password
72              file  and  --chroot  or  --daemon,  make sure to use an absolute
73              path.
74
75              This directive does not affect the  --http-proxy  username/pass‐
76              word.  It is always cached.
77
78       --cd dir
79              Change  directory to dir prior to reading any files such as con‐
80              figuration files, key files, scripts, etc. dir should be an  ab‐
81              solute  path,  with a leading "/", and without any references to
82              the current directory such as . or ...
83
84              This option is useful when you are running OpenVPN  in  --daemon
85              mode,  and  you  want to consolidate all of your OpenVPN control
86              files in one location.
87
88       --chroot dir
89              Chroot to dir after initialization. --chroot  essentially  rede‐
90              fines  dir  as  being  the top level directory tree (/). OpenVPN
91              will therefore be unable to access any files outside this  tree.
92              This can be desirable from a security standpoint.
93
94              Since  the  chroot  operation is delayed until after initializa‐
95              tion, most OpenVPN options that reference files will operate  in
96              a pre-chroot context.
97
98              In  many  cases,  the dir parameter can point to an empty direc‐
99              tory, however complications can result when scripts or  restarts
100              are executed after the chroot operation.
101
102              Note:  The  SSL  library  will  probably need /dev/urandom to be
103              available inside the chroot directory dir. This is  because  SSL
104              libraries  occasionally  need to collect fresh randomness. Newer
105              linux kernels and some BSDs implement a  getrandom()  or  geten‐
106              tropy()  syscall  that  removes  the need for /dev/urandom to be
107              available.
108
109       --compat-mode version
110              This option provides a convenient way to alter the  defaults  of
111              OpenVPN  to  be  more compatible with the version version speci‐
112              fied. All of  the  changes  this  option  applies  can  also  be
113              achieved using individual configuration options.
114
115              The version specified with this option is the version of OpenVPN
116              peer OpenVPN should try to be compatible with. In general  Open‐
117              VPN  should  be  compatible  with  the last two previous version
118              without this option. E.g.  OpenVPN 2.6.0  should  be  compatible
119              with  2.5.x and 2.4.x without this option.  However, there might
120              be some edge cases that still require this option even in  these
121              cases.
122
123              Note:  Using  this  option  reverts defaults to no longer recom‐
124              mended values and should be avoided if possible.
125
126              The following table details what defaults are changed  depending
127              on the version specified.
128
129              • 2.5.x  or  lower:  --allow-compression  asym  is automatically
130                added to the configuration if no other compression options are
131                present.
132
133              • 2.4.x  or  lower:  The  cipher  in  --cipher  is  appended  to
134                --data-ciphers.
135
136              • 2.3.x or lower: --data-cipher-fallback is automatically  added
137                with the same cipher as --cipher.
138
139              • 2.3.6 or lower: --tls-version-min 1.0 is added to the configu‐
140                ration when --tls-version-min is not explicitly set.
141
142              If not required, this is option should be avoided. Setting  this
143              option  can lower security or disable features like data-channel
144              offloading.
145
146       --config file
147              Load additional config options from file where each line  corre‐
148              sponds  to  one command line option, but with the leading -- re‐
149              moved.
150
151              If --config file is the only option to the openvpn command,  the
152              --config can be removed, and the command can be given as openvpn
153              file
154
155              Note that configuration files can  be  nested  to  a  reasonable
156              depth.
157
158              Double  quotation or single quotation characters ("", '') can be
159              used to enclose single parameters containing whitespace, and "#"
160              or ";" characters in the first column can be used to denote com‐
161              ments.
162
163              Note that OpenVPN 2.0 and higher performs backslash-based  shell
164              escaping for characters not in single quotations, so the follow‐
165              ing mappings should be observed:
166
167                 \\       Maps to a single backslash character (\).
168                 \"       Pass a literal doublequote character ("), don't
169                          interpret it as enclosing a parameter.
170                 \[SPACE] Pass a literal space or tab character, don't
171                          interpret it as a parameter delimiter.
172
173              For example on Windows,  use  double  backslashes  to  represent
174              pathnames:
175
176                 secret "c:\\OpenVPN\\secret.key"
177
178              For      examples      of      configuration      files,     see
179              https://openvpn.net/community-resources/how-to/
180
181              Here is an example configuration file:
182
183                 #
184                 # Sample OpenVPN configuration file for
185                 # using a pre-shared static key.
186                 #
187                 # '#' or ';' may be used to delimit comments.
188
189                 # Use a dynamic tun device.
190                 dev tun
191
192                 # Our remote peer
193                 remote mypeer.mydomain
194
195                 # 10.1.0.1 is our local VPN endpoint
196                 # 10.1.0.2 is our remote VPN endpoint
197                 ifconfig 10.1.0.1 10.1.0.2
198
199                 # Our pre-shared static key
200                 secret static.key
201
202       --daemon progname
203              Become a daemon after  all  initialization  functions  are  com‐
204              pleted.
205
206              Valid syntaxes:
207
208                 daemon
209                 daemon progname
210
211              This  option  will cause all message and error output to be sent
212              to the syslog file (such as /var/log/messages), except  for  the
213              output  of  scripts  and  ifconfig  commands,  which  will go to
214              /dev/null unless otherwise redirected.  The  syslog  redirection
215              occurs  immediately  at the point that --daemon is parsed on the
216              command line even though the daemonization point  occurs  later.
217              If one of the --log options is present, it will supersede syslog
218              redirection.
219
220              The optional progname parameter will cause OpenVPN to report its
221              program  name to the system logger as progname. This can be use‐
222              ful in linking OpenVPN messages in the syslog file with specific
223              tunnels. When unspecified, progname defaults to openvpn.
224
225              When OpenVPN is run with the --daemon option, it will try to de‐
226              lay daemonization until the majority of initialization functions
227              which  are capable of generating fatal errors are complete. This
228              means that initialization scripts can test the return status  of
229              the  openvpn command for a fairly reliable indication of whether
230              the command has correctly initialized  and  entered  the  packet
231              forwarding event loop.
232
233              In  OpenVPN,  the vast majority of errors which occur after ini‐
234              tialization are non-fatal.
235
236              Note: as soon as OpenVPN has daemonized,  it  can  not  ask  for
237              usernames, passwords, or key pass phrases anymore. This has cer‐
238              tain consequences, namely that using a  password-protected  pri‐
239              vate  key  will fail unless the --askpass option is used to tell
240              OpenVPN to ask for the pass phrase (this requirement is  new  in
241              v2.3.7, and is a consequence of calling daemon() before initial‐
242              izing the crypto layer).
243
244              Further, using --daemon together with --auth-user-pass  (entered
245              on  console) and --auth-nocache will fail as soon as key renego‐
246              tiation (and reauthentication) occurs.
247
248       --disable-dco
249              Disable "data channel offload" (DCO).
250
251              On Linux don't use the ovpn-dco device driver, but  rather  rely
252              on the legacy tun module.
253
254              You  may  want  to use this option if your server needs to allow
255              clients older than version 2.4 to connect.
256
257       --disable-occ
258              DEPRECATED Disable "options consistency check" (OCC) in configu‐
259              rations that do not use TLS.
260
261              Don't output a warning message if option inconsistencies are de‐
262              tected between peers. An  example  of  an  option  inconsistency
263              would be where one peer uses --dev tun while the other peer uses
264              --dev tap.
265
266              Use of this option is discouraged, but is provided as  a  tempo‐
267              rary  fix  in  situations where a recent version of OpenVPN must
268              connect to an old version.
269
270       --engine engine-name
271              Enable OpenSSL hardware-based crypto engine functionality.
272
273              Valid syntaxes:
274
275                 engine
276                 engine engine-name
277
278              If engine-name is specified, use a specific crypto  engine.  Use
279              the  --show-engines standalone option to list the crypto engines
280              which are supported by OpenSSL.
281
282       --fast-io
283              (Experimental) Optimize TUN/TAP/UDP I/O  writes  by  avoiding  a
284              call to poll/epoll/select prior to the write operation. The pur‐
285              pose of such a call would normally be to block until the  device
286              or  socket is ready to accept the write. Such blocking is unnec‐
287              essary on some platforms which don't support write  blocking  on
288              UDP  sockets or TUN/TAP devices. In such cases, one can optimize
289              the event loop by avoiding the poll/epoll/select call, improving
290              CPU efficiency by 5% to 10%.
291
292              This  option  can  only  be  used  on  non-Windows systems, when
293              --proto udp is specified, and when --shaper is NOT specified.
294
295       --group group
296              Similar to the --user option, this option changes the  group  ID
297              of the OpenVPN process to group after initialization.
298
299       --ignore-unknown-option args
300              Valid syntax:
301
302                 ignore-unknown-options opt1 opt2 opt3 ... optN
303
304              When one of options opt1 ... optN is encountered in the configu‐
305              ration file the configuration file parsing does not fail if this
306              OpenVPN  version  does  not  support  the option. Multiple --ig‐
307              nore-unknown-option options can be given  to  support  a  larger
308              number of options to ignore.
309
310              This option should be used with caution, as there are good secu‐
311              rity reasons for having OpenVPN fail if it detects problems in a
312              config  file.   Having  said  that,  there are valid reasons for
313              wanting new software features to gracefully degrade when encoun‐
314              tered by older software versions.
315
316              --ignore-unknown-option is available since OpenVPN 2.3.3.
317
318       --iproute cmd
319              Set  alternate  command  to  execute instead of default iproute2
320              command.  May be used in order to execute  OpenVPN  in  unprivi‐
321              leged environment.
322
323       --keying-material-exporter args
324              Save  Exported  Keying  Material [RFC5705] of len bytes (must be
325              between 16 and 4095  bytes)  using  label  in  environment  (ex‐
326              ported_keying_material)    for   use   by   plugins   in   OPEN‐
327              VPN_PLUGIN_TLS_FINAL callback.
328
329              Valid syntax:
330
331                 keying-material-exporter label len
332
333              Note that exporter labels have the potential to collide with ex‐
334              isting  PRF  labels. In order to prevent this, labels MUST begin
335              with EXPORTER.
336
337       --mlock
338              Disable paging by calling the POSIX mlockall function.  Requires
339              that OpenVPN be initially run as root (though OpenVPN can subse‐
340              quently downgrade its UID using the --user option).
341
342              Using this option ensures that key material and tunnel data  are
343              never  written  to  disk due to virtual memory paging operations
344              which occur under most modern operating systems. It ensures that
345              even  if  an attacker was able to crack the box running OpenVPN,
346              he would not be able to scan the system  swap  file  to  recover
347              previously  used  ephemeral keys, which are used for a period of
348              time governed by the --reneg options (see below), then are  dis‐
349              carded.
350
351              The  downside of using --mlock is that it will reduce the amount
352              of physical memory available to other applications.
353
354              The limit on how much memory can be locked and how that limit is
355              enforced  are  OS-dependent.  On Linux the default limit that an
356              unprivileged process may lock (RLIMIT_MEMLOCK) is  low,  and  if
357              privileges  are  dropped  later,  future memory allocations will
358              very likely fail. The limit can be  increased  using  ulimit  or
359              systemd directives depending on how OpenVPN is started.
360
361              If  the  platform has the getrlimit(2) system call, OpenVPN will
362              check for the amount of mlock-able memory before calling  mlock‐
363              all(2),  and  tries to increase the limit to 100 MB if less than
364              this is configured.  100 Mb is somewhat arbitrary - it is enough
365              for  a moderately-sized OpenVPN deployment, but the memory usage
366              might go beyond that if the  number  of  concurrent  clients  is
367              high.
368
369       --nice n
370              Change  process  priority after initialization (n greater than 0
371              is lower priority, n less than zero is higher priority).
372
373       --persist-key
374              Don't re-read key files across SIGUSR1 or --ping-restart.
375
376              This option can be combined with --user to allow restarts  trig‐
377              gered  by  the  SIGUSR1 signal. Normally if you drop root privi‐
378              leges in OpenVPN, the daemon cannot be restarted since  it  will
379              now be unable to re-read protected key files.
380
381              This option solves the problem by persisting keys across SIGUSR1
382              resets, so they don't need to be re-read.
383
384       --providers providers
385              Load the list of (OpenSSL) providers. This is mainly useful  for
386              using  an external provider for key management like tpm2-openssl
387              or to load the legacy provider with
388
389                 --providers legacy default
390
391              Behaviour of changing this option between SIGHUP  might  not  be
392              well  behaving.   If  you need to change/add/remove this option,
393              fully restart OpenVPN.
394
395       --remap-usr1 signal
396              Control whether internally or externally generated SIGUSR1  sig‐
397              nals  are  remapped to SIGHUP (restart without persisting state)
398              or SIGTERM (exit).
399
400              signal can be set to SIGHUP or SIGTERM. By default, no remapping
401              occurs.
402
403       --script-security level
404              This  directive offers policy-level control over OpenVPN's usage
405              of external programs and scripts. Lower level  values  are  more
406              restrictive,  higher  values  are  more permissive. Settings for
407              level:
408
409              0      Strictly no calling of external programs.
410
411              1      (Default) Only call built-in executables such  as  ifcon‐
412                     fig, ip, route, or netsh.
413
414              2      Allow  calling  of  built-in executables and user-defined
415                     scripts.
416
417              3      Allow passwords to be passed to scripts via environmental
418                     variables (potentially unsafe).
419
420              OpenVPN  releases before v2.3 also supported a method flag which
421              indicated how OpenVPN should call external commands and scripts.
422              This  could  be either execve or system. As of OpenVPN 2.3, this
423              flag is no longer accepted. In most *nix  environments  the  ex‐
424              ecve() approach has been used without any issues.
425
426              Some  directives  such as --up allow options to be passed to the
427              external script. In these cases make sure the script  name  does
428              not  contain  any  spaces or the configuration parser will choke
429              because it can't determine where the script name ends and script
430              options start.
431
432              To run scripts in Windows in earlier OpenVPN versions you needed
433              to either add a full path to the script  interpreter  which  can
434              parse the script or use the system flag to run these scripts. As
435              of OpenVPN 2.3 it is now a strict requirement to have full  path
436              to  the  script  interpreter when running non-executables files.
437              This is not needed for executable files,  such  as  .exe,  .com,
438              .bat  or  .cmd  files.  For  example, if you have a Visual Basic
439              script, you must use this syntax now:
440
441                 --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\ Files\\OpenVPN\\config\\my-up-script.vbs'
442
443              Please note the single quote marks and the escaping of the back‐
444              slashes (\) and the space character.
445
446              The reason the support for the system flag was removed is due to
447              the security implications with shell expansions  when  executing
448              scripts via the system() call.
449
450       --setcon context
451              Apply  SELinux  context  after  initialization. This essentially
452              provides the ability to restrict OpenVPN's rights to  only  net‐
453              work  I/O  operations, thanks to SELinux. This goes further than
454              --user and --chroot in that those two, while being  great  secu‐
455              rity  features,  unfortunately  do not protect against privilege
456              escalation by exploitation of a vulnerable system call. You  can
457              of  course  combine all three, but please note that since setcon
458              requires access to /proc you will have to provide it inside  the
459              chroot directory (e.g. with mount --bind).
460
461              Since  the  setcon  operation is delayed until after initializa‐
462              tion, OpenVPN can be restricted to just  network-related  system
463              calls,  whereas  by applying the context before startup (such as
464              the OpenVPN one provided in the SELinux Reference Policies)  you
465              will  have to allow many things required only during initializa‐
466              tion.
467
468              Like with chroot,  complications  can  result  when  scripts  or
469              restarts  are  executed after the setcon operation, which is why
470              you should really consider using the  --persist-key  and  --per‐
471              sist-tun options.
472
473       --status args
474              Write  operational status to file every n seconds. n defaults to
475              60 if not specified.
476
477              Valid syntaxes:
478
479                 status file
480                 status file n
481
482              Status can also be written to the syslog by  sending  a  SIGUSR2
483              signal.
484
485              With  multi-client  capability  enabled  on a server, the status
486              file includes a list of clients and a routing table. The  output
487              format  can be controlled by the --status-version option in that
488              case.
489
490              For clients or instances running in point-to-point mode, it will
491              contain the traffic statistics.
492
493       --status-version n
494              Set the status file format version number to n.
495
496              This  only  affects the status file on servers with multi-client
497              capability enabled.  Valid status version values:
498
499              1      Traditional format (default). The  client  list  contains
500                     the  following  fields comma-separated: Common Name, Real
501                     Address, Bytes Received, Bytes Sent, Connected Since.
502
503              2      A more reliable format for external processing.  Compared
504                     to  version  1,  the client list contains some additional
505                     fields: Virtual Address, Virtual IPv6 Address,  Username,
506                     Client  ID, Peer ID, Data Channel Cipher. Future versions
507                     may extend the number of fields.
508
509              3      Identical to 2, but fields are tab-separated.
510
511       --test-crypto
512              Do a self-test of OpenVPN's crypto options by encrypting and de‐
513              crypting  test packets using the data channel encryption options
514              specified above.  This option does not require a peer  to  func‐
515              tion, and therefore can be specified without --dev or --remote.
516
517              The typical usage of --test-crypto would be something like this:
518
519                 openvpn --test-crypto --secret key
520
521              or
522
523                 openvpn --test-crypto --secret key --verb 9
524
525              This  option  is  very  useful to test OpenVPN after it has been
526              ported to a new platform, or to isolate  problems  in  the  com‐
527              piler,  OpenSSL  crypto library, or OpenVPN's crypto code. Since
528              it is a self-test mode, problems with encryption and authentica‐
529              tion can be debugged independently of network and tunnel issues.
530
531       --tmp-dir dir
532              Specify a directory dir for temporary files. This directory will
533              be used by openvpn processes and script to communicate temporary
534              data  with openvpn main process. Note that the directory must be
535              writable by the OpenVPN process after it has dropped  it's  root
536              privileges.
537
538              This directory will be used by in the following cases:
539
540--client-connect   scripts  and  OPENVPN_PLUGIN_CLIENT_CONNECT
541                plug-in hook to dynamically generate client-specific  configu‐
542                ration  client_connect_config_file  and return success/failure
543                via client_connect_deferred_file when  using  deferred  client
544                connect method
545
546OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY   plug-in  hooks  returns
547                success/failure via auth_control_file when using deferred auth
548                method and pending authentication via pending_auth_file.
549
550       --use-prediction-resistance
551              Enable prediction resistance on mbed TLS's RNG.
552
553              Enabling  prediction resistance causes the RNG to reseed in each
554              call for random. Reseeding this often can  quickly  deplete  the
555              kernel entropy pool.
556
557              If  you  need this option, please consider running a daemon that
558              adds entropy to the kernel pool.
559
560       --user user
561              Change the user ID of the OpenVPN process to user after initial‐
562              ization, dropping privileges in the process. This option is use‐
563              ful to protect the system in the event that some  hostile  party
564              was able to gain control of an OpenVPN session. Though OpenVPN's
565              security features make this unlikely, it is provided as a second
566              line of defense.
567
568              By  setting  user to an unprivileged user dedicated to run open‐
569              vpn, the hostile party would be  limited  in  what  damage  they
570              could cause. Of course once you take away privileges, you cannot
571              return them to an OpenVPN session. This means, for example, that
572              if  you  want  to  reset an OpenVPN daemon with a SIGUSR1 signal
573              (for example in response to a DHCP reset), you should  make  use
574              of  one  or more of the --persist options to ensure that OpenVPN
575              doesn't need to execute any privileged operations  in  order  to
576              restart (such as re-reading key files or running ifconfig on the
577              TUN device).
578
579              NOTE: Previous versions of openvpn used nobody  as  the  example
580              unpriviledged  user.  It is not recommended to actually use that
581              user since it is usually used by other system services  already.
582              Always create a dedicated user for openvpn.
583
584       --writepid file
585              Write OpenVPN's main process ID to file.
586
587   Log options
588       --echo parms
589              Echo parms to log output.
590
591              Designed  to  be used to send messages to a controlling applica‐
592              tion which is receiving the OpenVPN log output.
593
594       --errors-to-stderr
595              Output errors to stderr instead of stdout unless log  output  is
596              redirected by one of the --log options.
597
598       --log file
599              Output  logging  messages  to  file,  including  output  to std‐
600              out/stderr which is generated by called scripts. If file already
601              exists  it  will  be truncated. This option takes effect immedi‐
602              ately when it is parsed in the command line and  will  supersede
603              syslog output if --daemon is also specified. This option is per‐
604              sistent over the entire course of an OpenVPN  instantiation  and
605              will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
606
607              Note that on Windows, when OpenVPN is started as a service, log‐
608              ging occurs by default without the need to specify this option.
609
610       --log-append file
611              Append logging messages to file.  If file  does  not  exist,  it
612              will  be  created. This option behaves exactly like --log except
613              that it appends to rather than truncating the log file.
614
615       --machine-readable-output
616              Always write timestamps and message flags to log messages,  even
617              when  they  otherwise would not be prefixed. In particular, this
618              applies to log messages sent to stdout.
619
620       --mute n
621              Log at most n consecutive messages in the same category. This is
622              useful to limit repetitive logging of similar message types.
623
624       --mute-replay-warnings
625              Silence  the output of replay warnings, which are a common false
626              alarm on WiFi networks. This option preserves  the  security  of
627              the replay protection code without the verbosity associated with
628              warnings about duplicate packets.
629
630       --suppress-timestamps
631              Avoid writing timestamps to log messages, even when they  other‐
632              wise would be prepended. In particular, this applies to log mes‐
633              sages sent to stdout.
634
635       --syslog progname
636              Direct log output to system logger, but do not become a  daemon.
637              See --daemon directive above for description of progname parame‐
638              ter.
639
640       --verb n
641              Set output verbosity to n (default 1). Each level shows all info
642              from  the  previous levels. Level 3 is recommended if you want a
643              good summary of what's happening without being swamped  by  out‐
644              put.
645
646              0      No output except fatal errors.
647
648              1 to 4 Normal usage range.
649
650              5      Outputs R and W characters to the console for each packet
651                     read and write, uppercase is used for TCP/UDP packets and
652                     lowercase is used for TUN/TAP packets.
653
654              6 to 11
655                     Debug  info  range (see errlevel.h in the source code for
656                     additional information on debug levels).
657
658   Protocol options
659       Options in this section affect features available in the  OpenVPN  wire
660       protocol.   Many of these options also define the encryption options of
661       the data channel in the OpenVPN wire protocol.  These options  must  be
662       configured in a compatible way between both the local and remote side.
663
664       --allow-compression mode
665              As  described  in the --compress option, compression is a poten‐
666              tially dangerous option.  This option allows controlling the be‐
667              haviour of OpenVPN when compression is used and allowed.
668
669              Valid syntaxes:
670
671                 allow-compression
672                 allow-compression mode
673
674              The mode argument can be one of the following values:
675
676              asym   OpenVPN  will  only  decompress  downlink packets but not
677                     compress uplink packets.  This also allows  migrating  to
678                     disable  compression when changing both server and client
679                     configurations to remove compression at the same time  is
680                     not a feasible option.
681
682              no (default)
683                     OpenVPN will refuse any compression.  If data-channel of‐
684                     floading  is  enabled,  OpenVPN  will  additionally  also
685                     refuse compression framing (stub).
686
687              yes    OpenVPN will send and receive compressed packets.
688
689       --auth alg
690              Authenticate data channel packets and (if enabled) tls-auth con‐
691              trol channel packets with HMAC using  message  digest  algorithm
692              alg. (The default is SHA1 ). HMAC is a commonly used message au‐
693              thentication algorithm (MAC) that uses a data string,  a  secure
694              hash algorithm and a key to produce a digital signature.
695
696              The  OpenVPN  data  channel protocol uses encrypt-then-mac (i.e.
697              first encrypt a packet  then  HMAC  the  resulting  ciphertext),
698              which prevents padding oracle attacks.
699
700              If  an  AEAD cipher mode (e.g. GCM) is chosen then the specified
701              --auth algorithm is ignored for the data channel and the authen‐
702              tication  method  of  the AEAD cipher is used instead. Note that
703              alg still specifies the digest used for tls-auth.
704
705              In static-key encryption mode, the HMAC key is included  in  the
706              key file generated by --genkey. In TLS mode, the HMAC key is dy‐
707              namically generated and shared between peers via the TLS control
708              channel.  If  OpenVPN  receives a packet with a bad HMAC it will
709              drop the packet. HMAC usually adds 16 or 20  bytes  per  packet.
710              Set alg=none to disable authentication.
711
712              For        more        information       on       HMAC       see
713              http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
714
715       --cipher alg
716              This option should not be used any longer in TLS mode and  still
717              exists for two reasons:
718
719              • compatibility   with  old  configurations  still  carrying  it
720                around;
721
722              • allow users connecting to OpenVPN peers older  than  2.6.0  to
723                have  --cipher  configured the same way as the remote counter‐
724                part. This can avoid MTU/frame size warnings.
725
726              Before 2.4.0, this option was used to select the  cipher  to  be
727              configured  on the data channel, however, later versions usually
728              ignored this directive in favour of a negotiated cipher.  Start‐
729              ing  with  2.6.0, this option is always ignored in TLS mode when
730              it comes to configuring the cipher and will only control the ci‐
731              pher for --secret pre-shared-key mode (note: this mode is depre‐
732              cated and strictly not recommended).
733
734              If you wish to specify the cipher to use on  the  data  channel,
735              please   see   --data-ciphers   (for  regular  negotiation)  and
736              --data-ciphers-fallback (for a fallback option when the negotia‐
737              tion  cannot take place because the other peer is old or has ne‐
738              gotiation disabled).
739
740              To  see  ciphers  that  are  available  with  OpenVPN,  use  the
741              --show-ciphers option.
742
743              Set alg to none to disable encryption.
744
745       --compress algorithm
746              DEPRECATED Enable a compression algorithm. Compression is gener‐
747              ally not recommended. VPN tunnels which use compression are sus‐
748              ceptible  to the VORALCE attack vector. See also the migrate pa‐
749              rameter below.
750
751              The algorithm parameter may be lzo, lz4, lz4-v2, stub,  stub-v2,
752              migrate  or  empty.  LZO and LZ4 are different compression algo‐
753              rithms, with LZ4 generally offering the  best  performance  with
754              least CPU usage.
755
756              The  lz4-v2 and stub-v2 variants implement a better framing that
757              does not add overhead when packets  cannot  be  compressed.  All
758              other  variants always add one extra framing byte compared to no
759              compression framing.
760
761              Especially stub-v2 is essentially identical  to  no  compression
762              and  no compression framing as its header indicates IP version 5
763              in a tun setup and can (ab)used to complete disable  compression
764              to clients. (See the migrate option below)
765
766              If  the  algorithm parameter is stub, stub-v2 or empty, compres‐
767              sion will be turned off, but the packet framing for  compression
768              will still be enabled, allowing a different setting to be pushed
769              later.  Additionally, stub and stub-v2  wil  disable  announcing
770              lzo and lz4 compression support via IV_ variables to the server.
771
772              Note:  the  stub  (or  empty)  option is NOT compatible with the
773              older option --comp-lzo no.
774
775              Using migrate as compression algorithm enables a special  migra‐
776              tion   mode.    It   allows   migration  away  from  the  --com‐
777              press/--comp-lzo options to no compression.   This  option  sets
778              the server to no compression mode and the server behaves identi‐
779              cal to a server without a compression  option  for  all  clients
780              without  a  compression in their config. However, if a client is
781              detected that indicates that compression is used (via OCC),  the
782              server  will  automatically  add  --push compress stub-v2 to the
783              client specific configuration if supported  by  the  client  and
784              otherwise  switch  to comp-lzo no and add --push comp-lzo to the
785              client specific configuration.
786
787              *Security Considerations*
788
789              Compression and encryption is a tricky combination.  If  an  at‐
790              tacker  knows or is able to control (parts of) the plain-text of
791              packets that contain secrets, the attacker might be able to  ex‐
792              tract  the  secret if compression is enabled. See e.g. the CRIME
793              and BREACH attacks on TLS and VORACLE on VPNs which also  lever‐
794              age  to  break encryption. If you are not entirely sure that the
795              above does not apply to your traffic, you are advised to not en‐
796              able compression.
797
798       --comp-lzo mode
799              DEPRECATED  Enable  LZO  compression  algorithm.  Compression is
800              generally not recommended.  VPN tunnels which  uses  compression
801              are suspectible to the VORALCE attack vector.
802
803              Use  LZO  compression -- may add up to 1 byte per packet for in‐
804              compressible data. mode may be yes, no, or adaptive (default).
805
806              In a server mode setup, it is possible to selectively turn  com‐
807              pression on or off for individual clients.
808
809              First,  make  sure the client-side config file enables selective
810              compression by having at least one --comp-lzo directive, such as
811              --comp-lzo  no.  This  will turn off compression by default, but
812              allow a future directive push from  the  server  to  dynamically
813              change the on/off/adaptive setting.
814
815              Next in a --client-config-dir file, specify the compression set‐
816              ting for the client, for example:
817
818                 comp-lzo yes
819                 push "comp-lzo yes"
820
821              The first line sets the comp-lzo setting for the server side  of
822              the link, the second sets the client side.
823
824       --comp-noadapt
825              DEPRECATED When used in conjunction with --comp-lzo, this option
826              will disable OpenVPN's adaptive compression algorithm. Normally,
827              adaptive compression is enabled with --comp-lzo.
828
829              Adaptive  compression  tries to optimize the case where you have
830              compression enabled, but you are  sending  predominantly  incom‐
831              pressible  (or  pre-compressed) packets over the tunnel, such as
832              an FTP or rsync transfer of a large, compressed file. With adap‐
833              tive  compression, OpenVPN will periodically sample the compres‐
834              sion process to measure its efficiency. If the data  being  sent
835              over  the  tunnel  is  already compressed, the compression effi‐
836              ciency will be very low, triggering openvpn to disable  compres‐
837              sion for a period of time until the next re-sample test.
838
839       --key-direction
840              Alternative  way  of specifying the optional direction parameter
841              for the --tls-auth and --secret options. Useful when  using  in‐
842              line files (See section on inline files).
843
844       --data-ciphers cipher-list
845              Restrict  the allowed ciphers to be negotiated to the ciphers in
846              cipher-list. cipher-list is a colon-separated list  of  ciphers,
847              and  defaults  to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 when
848              Chacha20-Poly1305      is      available      and      otherwise
849              AES-256-GCM:AES-128-GCM.
850
851              For servers, the first cipher from cipher-list that is also sup‐
852              ported by the client will be pushed to clients that support  ci‐
853              pher negotiation.
854
855              For more details see the chapter on Data channel cipher negotia‐
856              tion.  Especially if you need to support  clients  with  OpenVPN
857              versions older than 2.4!
858
859              Starting  with  OpenVPN 2.6 a cipher can be prefixed with a ? to
860              mark it as optional. This allows including ciphers in  the  list
861              that   may   not   be   available   on   all   platforms.   E.g.
862              AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305  would  only   enable
863              Chacha20-Poly1305 if the underlying SSL library (and its config‐
864              uration) supports it.
865
866              Cipher negotiation is enabled in client-server mode  only.  I.e.
867              if  --mode  is  set  to  server (server-side, implied by setting
868              --server ), or if --pull is specified (client-side,  implied  by
869              setting --client).
870
871              If no common cipher is found during cipher negotiation, the con‐
872              nection is terminated. To support old clients/old  servers  that
873              do  not  provide  any  cipher negotiation support see --data-ci‐
874              phers-fallback.
875
876              If --compat-mode is set to a version older than 2.5.0 the cipher
877              specified  by --cipher will be appended to --data-ciphers if not
878              already present.
879
880              This list is restricted to be 127 chars long after conversion to
881              OpenVPN ciphers.
882
883              This option was called --ncp-ciphers in OpenVPN 2.4 but has been
884              renamed to --data-ciphers in OpenVPN 2.5 to more accurately  re‐
885              flect its meaning.
886
887       --data-ciphers-fallback alg
888              Configure  a cipher that is used to fall back to if we could not
889              determine which cipher the peer is willing to use.
890
891              This option should only be needed to connect to peers  that  are
892              running  OpenVPN 2.3 or older versions, and have been configured
893              with --enable-small (typically used on routers or other embedded
894              devices).
895
896       --secret args
897              DEPRECATED  Enable  Static  Key  encryption  mode (non-TLS). Use
898              pre-shared secret file which was generated with --genkey.
899
900              Valid syntaxes:
901
902                 secret file
903                 secret file direction
904
905              The optional direction parameter enables the use of  4  distinct
906              keys  (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt),
907              so that each data flow direction has a different set of HMAC and
908              cipher  keys. This has a number of desirable security properties
909              including eliminating certain kinds of DoS  and  message  replay
910              attacks.
911
912              When  the  direction parameter is omitted, 2 keys are used bidi‐
913              rectionally, one for HMAC and the other  for  encryption/decryp‐
914              tion.
915
916              The direction parameter should always be complementary on either
917              side of the connection, i.e. one side should use 0 and the other
918              should use 1, or both sides should omit it altogether.
919
920              The  direction  parameter requires that file contains a 2048 bit
921              key. While pre-1.5 versions of OpenVPN  generate  1024  bit  key
922              files,  any  version of OpenVPN which supports the direction pa‐
923              rameter, will also support 2048 bit key  file  generation  using
924              the --genkey option.
925
926              Static  key  encryption mode has certain advantages, the primary
927              being ease of configuration.
928
929              There are no certificates or certificate authorities or  compli‐
930              cated negotiation handshakes and protocols. The only requirement
931              is that you have a pre-existing secure channel  with  your  peer
932              (such as ssh) to initially copy the key. This requirement, along
933              with the fact that your key never changes  unless  you  manually
934              generate  a new one, makes it somewhat less secure than TLS mode
935              (see below). If an attacker manages to steal  your  key,  every‐
936              thing  that  was ever encrypted with it is compromised. Contrast
937              that to the perfect forward secrecy features of TLS mode  (using
938              Diffie Hellman key exchange), where even if an attacker was able
939              to steal your private key, he would gain no information to  help
940              him decrypt past sessions.
941
942              Another  advantageous  aspect  of  Static Key encryption mode is
943              that it is a handshake-free protocol without any  distinguishing
944              signature or feature (such as a header or protocol handshake se‐
945              quence) that would mark the ciphertext packets as  being  gener‐
946              ated  by  OpenVPN.  Anyone  eavesdropping  on the wire would see
947              nothing but random-looking data.
948
949       --tran-window n
950              Transition window -- our old key can live this many seconds  af‐
951              ter  a  new  a  key renegotiation begins (default 3600 seconds).
952              This feature allows for a graceful transition from  old  to  new
953              key,  and removes the key renegotiation sequence from the criti‐
954              cal path of tunnel data forwarding.
955
956   Client Options
957       The client options are used when connecting to an OpenVPN  server  con‐
958       figured  to use --server, --server-bridge, or --mode server in its con‐
959       figuration.
960
961       --allow-pull-fqdn
962              Allow client to pull DNS names from server  (rather  than  being
963              limited   to   IP   address)   for   --ifconfig,   --route,  and
964              --route-gateway.
965
966       --allow-recursive-routing
967              When this option is set, OpenVPN  will  not  drop  incoming  tun
968              packets with same destination as host.
969
970       --auth-token token
971              This  is  not an option to be used directly in any configuration
972              files, but rather  push  this  option  from  a  --client-connect
973              script    or   a   --plugin   which   hooks   into   the   OPEN‐
974              VPN_PLUGIN_CLIENT_CONNECT  or   OPENVPN_PLUGIN_CLIENT_CONNECT_V2
975              calls. This option provides a possibility to replace the clients
976              password with an authentication token during the lifetime of the
977              OpenVPN client.
978
979              Whenever    the    connection    is    renegotiated    and   the
980              --auth-user-pass-verify script or --plugin  making  use  of  the
981              OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY  hook is triggered, it will
982              pass over this token as the password instead of the password the
983              user  provided.  The authentication token can only be reset by a
984              full reconnect where the server can  push  new  options  to  the
985              client. The password the user entered is never preserved once an
986              authentication token has been set. If the  OpenVPN  server  side
987              rejects the authentication token then the client will receive an
988              AUTH_FAILED and disconnect.
989
990              The purpose of this is to enable two factor authentication meth‐
991              ods,  such  as  HOTP  or TOTP, to be used without needing to re‐
992              trieve a new OTP code each time the connection is  renegotiated.
993              Another  use  case is to cache authentication data on the client
994              without needing to have the users password cached in memory dur‐
995              ing the life time of the session.
996
997              To  make  use  of  this  feature, the --client-connect script or
998              --plugin needs to put
999
1000                 push "auth-token UNIQUE_TOKEN_VALUE"
1001
1002              into the file/buffer for dynamic configuration data.  This  will
1003              then  make  the OpenVPN server to push this value to the client,
1004              which replaces the local password with the UNIQUE_TOKEN_VALUE.
1005
1006              Newer clients (2.4.7+) will fall back to the  original  password
1007              method  after  a  failed auth. Older clients will keep using the
1008              token value and react according to --auth-retry
1009
1010       --auth-token-user base64username
1011              Companion option to --auth-token. This  options  allows  one  to
1012              override  the  username used by the client when reauthenticating
1013              with the auth-token.  It also allows one to use --auth-token  in
1014              setups that normally do not use username and password.
1015
1016              The username has to be base64 encoded.
1017
1018       --auth-user-pass
1019              Authenticate with server using username/password.
1020
1021              Valid syntaxes:
1022
1023                 auth-user-pass
1024                 auth-user-pass up
1025
1026              If up is present, it must be a file containing username/password
1027              on 2 lines. If the password line is missing, OpenVPN will prompt
1028              for one.
1029
1030              If  up  is  omitted, username/password will be prompted from the
1031              console.
1032
1033              The server configuration must specify an --auth-user-pass-verify
1034              script to verify the username/password provided by the client.
1035
1036       --auth-retry type
1037              Controls  how OpenVPN responds to username/password verification
1038              errors such as the client-side response to an  AUTH_FAILED  mes‐
1039              sage  from the server or verification failure of the private key
1040              password.
1041
1042              Normally used to prevent auth errors from  being  fatal  on  the
1043              client  side,  and to permit username/password requeries in case
1044              of error.
1045
1046              An AUTH_FAILED message is generated by the server if the  client
1047              fails  --auth-user-pass  authentication,  or  if the server-side
1048              --client-connect script returns an error status when the  client
1049              tries to connect.
1050
1051              type can be one of:
1052
1053              none   Client  will  exit  with  a  fatal error (this is the de‐
1054                     fault).
1055
1056              nointeract
1057                     Client will retry the connection without  requerying  for
1058                     an  --auth-user-pass  username/password.  Use this option
1059                     for unattended clients.
1060
1061              interact
1062                     Client  will  requery  for  an   --auth-user-pass   user‐
1063                     name/password and/or private key password before attempt‐
1064                     ing a reconnection.
1065
1066              Note that while this option cannot be pushed,  it  can  be  con‐
1067              trolled from the management interface.
1068
1069       --client
1070              A  helper  directive  designed  to simplify the configuration of
1071              OpenVPN's client mode. This directive is equivalent to:
1072
1073                 pull
1074                 tls-client
1075
1076       --client-nat args
1077              This pushable client option sets up a stateless  one-to-one  NAT
1078              rule  on  packet  addresses  (not ports), and is useful in cases
1079              where routes or ifconfig settings pushed  to  the  client  would
1080              create an IP numbering conflict.
1081
1082              Examples:
1083
1084                 client-nat snat 192.168.0.0/255.255.0.0
1085                 client-nat dnat 10.64.0.0/255.255.0.0
1086
1087              network/netmask  (for  example  192.168.0.0/255.255.0.0) defines
1088              the local view of a resource from the client perspective,  while
1089              alias/netmask  (for  example  10.64.0.0/255.255.0.0) defines the
1090              remote view from the server perspective.
1091
1092              Use snat (source NAT) for resources owned by the client and dnat
1093              (destination NAT) for remote resources.
1094
1095              Set  --verb  6  for debugging info showing the transformation of
1096              src/dest addresses in packets.
1097
1098       --connect-retry args
1099              Wait n seconds between connection  attempts  (default  1).   Re‐
1100              peated reconnection attempts are slowed down after 5 retries per
1101              remote by doubling the wait time  after  each  unsuccessful  at‐
1102              tempt.
1103
1104              Valid syntaxes:
1105
1106                 connect retry n
1107                 connect retry n max
1108
1109              If the optional argument max is specified, the maximum wait time
1110              in seconds gets capped at that value (default 300).
1111
1112       --connect-retry-max n
1113              n specifies the number of times each  --remote  or  <connection>
1114              entry  is  tried. Specifying n as 1 would try each entry exactly
1115              once. A successful connection resets the counter.  (default  un‐
1116              limited).
1117
1118       --connect-timeout n
1119              See --server-poll-timeout.
1120
1121       --dns args
1122              Client DNS configuration to be used with the connection.
1123
1124              Valid syntaxes:
1125
1126                 dns search-domains domain [domain ...]
1127                 dns server n address addr[:port] [addr[:port] ...]
1128                 dns server n resolve-domains domain [domain ...]
1129                 dns server n dnssec yes|optional|no
1130                 dns server n transport DoH|DoT|plain
1131                 dns server n sni server-name
1132
1133              The  --dns  search-domains  directive  takes  one or more domain
1134              names to be added as DNS domain suffixes. If it is repeated mul‐
1135              tiple  times  within  a  configuration the domains are appended,
1136              thus e.g. domain names pushed by a server will amend locally de‐
1137              fined ones.
1138
1139              The  --dns  server  directive is used to configure DNS server n.
1140              The server id n must be a value between -128 and 127. For pushed
1141              DNS  server  options it must be between 0 and 127. The server id
1142              is used to group options and also for ordering the list of  con‐
1143              figured DNS servers; lower numbers come first. DNS servers being
1144              pushed to a client replace already configured DNS  servers  with
1145              the same server id.
1146
1147              The address option configures the IPv4 and / or IPv6 address(es)
1148              of the DNS server. Up to eight addresses can  be  specified  per
1149              DNS  server.   Optionally  a port can be appended after a colon.
1150              IPv6 addresses need to be enclosed in brackets if a port is  ap‐
1151              pended.
1152
1153              The resolve-domains option takes one or more DNS domains used to
1154              define a split-dns or dns-routing setup, where  only  the  given
1155              domains are resolved by the server. Systems which do not support
1156              fine grained DNS domain configuration will ignore this setting.
1157
1158              The dnssec option is used  to  configure  validation  of  DNSSEC
1159              records.   While the exact semantics may differ for resolvers on
1160              different systems, yes likely  makes  validation  mandatory,  no
1161              disables it, and optional uses it opportunistically.
1162
1163              The   transport   option   enables   DNS-over-HTTPS   (DoH)   or
1164              DNS-over-TLS (DoT) for a DNS server. The sni option can be  used
1165              with them to specify the server-name for TLS server name indica‐
1166              tion.
1167
1168              Each server has to have at least one address  configured  for  a
1169              configuration to be valid. All the other options can be omitted.
1170
1171              Note  that not all options may be supported on all platforms. As
1172              soon support for different systems is  implemented,  information
1173              will be added here how unsupported options are treated.
1174
1175              The  --dns option will eventually obsolete the --dhcp-option di‐
1176              rective.  Until then it will replace configuration at the places
1177              --dhcp-option  puts  it,  so that --dns overrides --dhcp-option.
1178              Thus, --dns can be used today to migrate from --dhcp-option.
1179
1180       --explicit-exit-notify n
1181              In UDP client mode or point-to-point mode, send  server/peer  an
1182              exit  notification  if tunnel is restarted or OpenVPN process is
1183              exited. In client mode, on exit/restart, this option  will  tell
1184              the  server  to  immediately  close  its  client instance object
1185              rather than waiting for a timeout.
1186
1187              If both server and client support sending this message using the
1188              control  channel,  the  message  will be sent as control-channel
1189              message. Otherwise the message is sent as data-channel  message,
1190              which will be ignored by data-channel offloaded peers.
1191
1192              The  n parameter (default 1 if not present) controls the maximum
1193              number of attempts that the client will try to resend  the  exit
1194              notification message if messages are sent in data-channel mode.
1195
1196              In UDP server mode, send RESTART control channel command to con‐
1197              nected clients. The n parameter (default 1 if not present)  con‐
1198              trols  client behavior. With n = 1 client will attempt to recon‐
1199              nect to the same server, with n = 2 client will advance  to  the
1200              next server.
1201
1202              OpenVPN  will not send any exit notifications unless this option
1203              is enabled.
1204
1205       --inactive args
1206              Causes OpenVPN to exit after n  seconds  of  inactivity  on  the
1207              TUN/TAP  device. The time length of inactivity is measured since
1208              the last incoming or outgoing tunnel packet. The  default  value
1209              is 0 seconds, which disables this feature.
1210
1211              Valid syntaxes:
1212
1213                 inactive n
1214                 inactive n bytes
1215
1216              If  the  optional bytes parameter is included, exit if less than
1217              bytes of combined in/out traffic are produced on the tun/tap de‐
1218              vice in n seconds.
1219
1220              In  any  case,  OpenVPN's  internal ping packets (which are just
1221              keepalives) and TLS control packets are not  considered  "activ‐
1222              ity",  nor  are they counted as traffic, as they are used inter‐
1223              nally by OpenVPN and are not an indication of actual user activ‐
1224              ity.
1225
1226       --proto-force p
1227              When  iterating  through connection profiles, only consider pro‐
1228              files using protocol p (tcp | udp).
1229
1230              Note that this specifically only filters by the transport  layer
1231              protocol,  i.e. UDP or TCP. This does not affect whether IPv4 or
1232              IPv6 is used as IP protocol.
1233
1234              For implementation reasons the option accepts the 4 and  6  suf‐
1235              fixes  when  specifying  the protocol (i.e. udp4 / udp6 / tcp4 /
1236              tcp6).  However, these behave the same as without the suffix and
1237              should be avoided to prevent confusion.
1238
1239       --pull This  option  must  be used on a client which is connecting to a
1240              multi-client server. It indicates to OpenVPN that it should  ac‐
1241              cept options pushed by the server, provided they are part of the
1242              legal set of pushable options (note that the  --pull  option  is
1243              implied by --client ).
1244
1245              In  particular,  --pull  allows the server to push routes to the
1246              client, so you should not use --pull or --client  in  situations
1247              where  you  don't  trust  the  server  to  have control over the
1248              client's routing table.
1249
1250       --pull-filter args
1251              Filter options on the client pushed by the server to the client.
1252
1253              Valid syntaxes:
1254
1255                 pull-filter accept text
1256                 pull-filter ignore text
1257                 pull-filter reject text
1258
1259              Filter options received from the server  if  the  option  starts
1260              with text.  The action flag accept allows the option, ignore re‐
1261              moves it and reject  flags  an  error  and  triggers  a  SIGUSR1
1262              restart.  The  filters may be specified multiple times, and each
1263              filter is applied in the order it is specified. The filtering of
1264              each option stops as soon as a match is found. Unmatched options
1265              are accepted by default.
1266
1267              Prefix comparison is used to match text against the received op‐
1268              tion so that
1269
1270                 pull-filter ignore "route"
1271
1272              would  remove all pushed options starting with route which would
1273              include, for example, route-gateway. Enclose text in  quotes  to
1274              embed spaces.
1275
1276                 pull-filter accept "route 192.168.1."
1277                 pull-filter ignore "route "
1278
1279              would remove all routes that do not start with 192.168.1.
1280
1281              Note  that  reject may result in a repeated cycle of failure and
1282              reconnect, unless multiple remotes are specified and  connection
1283              to the next remote succeeds. To silently ignore an option pushed
1284              by the server, use ignore.
1285
1286       --push-peer-info
1287              Push additional information about the client to server. The fol‐
1288              lowing data is always pushed to the server:
1289
1290              IV_VER=<version>
1291                     The client OpenVPN version
1292
1293              IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]
1294                     The client OS platform
1295
1296              IV_LZO_STUB=1
1297                     If client was built with LZO stub capability
1298
1299              IV_LZ4=1
1300                     If the client supports LZ4 compressions.
1301
1302              IV_PROTO
1303                     Details about protocol extensions that the peer supports.
1304                     The variable is a bitfield and the bits  are  defined  as
1305                     follows (starting a bit 0 for the first (unused) bit:
1306
1307                     • bit 1: The peer supports peer-id floating mechanism
1308
1309                     • bit  2:  The client expects a push-reply and the server
1310                       may send this reply without waiting for a  push-request
1311                       first.
1312
1313                     • bit  3:  The  client is capable of doing key derivation
1314                       using RFC5705 key material exporter.
1315
1316                     • bit 4: The client is capable  of  accepting  additional
1317                       arguments to the AUTH_PENDING message.
1318
1319              IV_NCP=2
1320                     Negotiable  ciphers,  client  supports --cipher pushed by
1321                     the server, a value of 2 or greater indicates client sup‐
1322                     ports AES-GCM-128 and AES-GCM-256.
1323
1324              IV_CIPHERS=<ncp-ciphers>
1325                     The  client  announces the list of supported ciphers con‐
1326                     figured with the --data-ciphers option to the server.
1327
1328              IV_MTU=<max_mtu>
1329                     The client announces the support of pushable MTU and  the
1330                     maximum MTU it is willing to accept.
1331
1332              IV_GUI_VER=<gui_id> <version>
1333                     The  UI  version  of  a UI if one is running, for example
1334                     de.blinkt.openvpn 0.5.47 for the Android app.
1335
1336              IV_SSO=[crtext,][openurl,][proxy_url]
1337                     Additional  authentication  methods  supported   by   the
1338                     client.   This  may  be  set  by  the client UI/GUI using
1339                     --setenv
1340
1341              When --push-peer-info is enabled the additional information con‐
1342              sists of the following data:
1343
1344              IV_HWADDR=<string>
1345                     This  is intended to be a unique and persistent ID of the
1346                     client.  The string  value  can  be  any  readable  ASCII
1347                     string up to 64 bytes.  OpenVPN 2.x and some other imple‐
1348                     mentations use the MAC address of the client's  interface
1349                     used to reach the default gateway. If this string is gen‐
1350                     erated by the client, it should be  consistent  and  pre‐
1351                     served  across  independent session and preferably re-in‐
1352                     stallations and upgrades.
1353
1354              IV_SSL=<version string>
1355                     The ssl version used by the client, e.g.  OpenSSL  1.0.2f
1356                     28 Jan 2016.
1357
1358              IV_PLAT_VER=x.y
1359                     The version of the operating system, e.g. 6.1 for Windows
1360                     7.
1361
1362              UV_<name>=<value>
1363                     Client environment variables whose names start with UV_
1364
1365       --remote args
1366              Remote host name or IP address, port and protocol.
1367
1368              Valid syntaxes:
1369
1370                 remote host
1371                 remote host port
1372                 remote host port proto
1373
1374              The port and proto arguments are optional.  The  OpenVPN  client
1375              will  try  to connect to a server at host:port.  The proto argu‐
1376              ment indicates the protocol to use when connecting with the  re‐
1377              mote,  and  may  be tcp or udp.  To enforce IPv4 or IPv6 connec‐
1378              tions add a 4 or 6 suffix; like udp4 / udp6 / tcp4 / tcp6.
1379
1380              On the client, multiple --remote options may  be  specified  for
1381              redundancy, each referring to a different OpenVPN server, in the
1382              order specified by the list of --remote options. Specifying mul‐
1383              tiple --remote options for this purpose is a special case of the
1384              more general connection-profile feature.  See  the  <connection>
1385              documentation below.
1386
1387              The  client  will  move  on to the next host in the list, in the
1388              event of connection failure. Note that at any  given  time,  the
1389              OpenVPN client will at most be connected to one server.
1390
1391              Examples:
1392
1393                 remote server1.example.net
1394                 remote server1.example.net 1194
1395                 remote server2.example.net 1194 tcp
1396
1397              Note:  Since  UDP  is  connectionless, connection failure is de‐
1398                     fined by the --ping and --ping-restart options.
1399
1400                     Also, if you use multiple --remote options, AND  you  are
1401                     dropping root privileges on the client with --user and/or
1402                     --group AND the client is running a  non-Windows  OS,  if
1403                     the  client  needs  to  switch to a different server, and
1404                     that server pushes back different TUN/TAP or  route  set‐
1405                     tings,  the  client  may lack the necessary privileges to
1406                     close and reopen the TUN/TAP interface. This could  cause
1407                     the client to exit with a fatal error.
1408
1409              If --remote is unspecified, OpenVPN will listen for packets from
1410              any IP address, but will not act on those  packets  unless  they
1411              pass  all authentication tests. This requirement for authentica‐
1412              tion is binding on all potential peers, even  those  from  known
1413              and  supposedly trusted IP addresses (it is very easy to forge a
1414              source IP address on a UDP packet).
1415
1416              When used in TCP mode, --remote will act as a filter,  rejecting
1417              connections from any host which does not match host.
1418
1419              If  host  is a DNS name which resolves to multiple IP addresses,
1420              OpenVPN will try them in the order that the system getaddrinfo()
1421              presents  them, so priorization and DNS randomization is done by
1422              the system library. Unless an IP version is forced by the proto‐
1423              col  specification  (4/6 suffix), OpenVPN will try both IPv4 and
1424              IPv6 addresses, in the order getaddrinfo() returns them.
1425
1426       --remote-random
1427              When multiple --remote address/ports are specified, or  if  con‐
1428              nection  profiles  are being used, initially randomize the order
1429              of the list as a kind of basic load-balancing measure.
1430
1431       --remote-random-hostname
1432              Prepend a random string (6 bytes, 12 hex characters) to hostname
1433              to prevent DNS caching. For example, "foo.bar.gov" would be mod‐
1434              ified to "<random-chars>.foo.bar.gov".
1435
1436       --resolv-retry n
1437              If hostname resolve fails for --remote, retry resolve for n sec‐
1438              onds before failing.
1439
1440              Set n to infinite to retry indefinitely.
1441
1442              By  default, --resolv-retry infinite is enabled. You can disable
1443              by setting n=0.
1444
1445       --single-session
1446              After initially connecting to a remote peer,  disallow  any  new
1447              connections.  Using  this option means that a remote peer cannot
1448              connect, disconnect, and then reconnect.
1449
1450              If the daemon is reset by a signal or  --ping-restart,  it  will
1451              allow one new connection.
1452
1453              --single-session  can  be used with --ping-exit or --inactive to
1454              create a single dynamic session that will exit when finished.
1455
1456       --server-poll-timeout n
1457              When connecting to a remote server do not wait for more  than  n
1458              seconds  for  a  response before trying the next server. The de‐
1459              fault value is 120. This timeout includes proxy and TCP  connect
1460              timeouts.
1461
1462       --static-challenge args
1463              Enable static challenge/response protocol
1464
1465              Valid syntax:
1466
1467                 static-challenge text echo
1468
1469              The text challenge text is presented to the user which describes
1470              what information is requested.  The echo flag indicates  if  the
1471              user's  input should be echoed on the screen.  Valid echo values
1472              are 0 or 1.
1473
1474              See management-notes.txt in the OpenVPN distribution for  a  de‐
1475              scription of the OpenVPN challenge/response protocol.
1476
1477       --show-proxy-settings
1478              Show  sensed  HTTP or SOCKS proxy settings. Currently, only Win‐
1479              dows clients support this option.
1480
1481       --http-proxy args
1482              Connect to remote host through an HTTP proxy.  This requires  at
1483              least  an  address  server and port argument.  If HTTP Proxy-Au‐
1484              thenticate is required, a file name to an authfile file contain‐
1485              ing a username and password on 2 lines can be given, or stdin to
1486              prompt from console. Its content can also be  specified  in  the
1487              config file with the --http-proxy-user-pass option. (See section
1488              on inline files)
1489
1490              The last optional argument is an auth-method which should be one
1491              of none, basic, or ntlm.
1492
1493              HTTP  Digest  authentication  is supported as well, but only via
1494              the auto or auto-nct flags (below).  This must replace the auth‐
1495              file argument.
1496
1497              The  auto  flag  causes  OpenVPN  to automatically determine the
1498              auth-method and query stdin  or  the  management  interface  for
1499              username/password  credentials, if required. This flag exists on
1500              OpenVPN 2.1 or higher.
1501
1502              The auto-nct flag (no clear-text auth) instructs OpenVPN to  au‐
1503              tomatically  determine  the authentication method, but to reject
1504              weak authentication protocols such as HTTP Basic Authentication.
1505
1506              Examples:
1507
1508                 http-proxy proxy.example.net 3128
1509                 http-proxy proxy.example.net 3128 authfile.txt
1510                 http-proxy proxy.example.net 3128 stdin
1511                 http-proxy proxy.example.net 3128 auto basic
1512                 http-proxy proxy.example.net 3128 auto-nct ntlm
1513
1514       --http-proxy-option args
1515              Set extended HTTP proxy options. Requires an option type as  ar‐
1516              gument  and  an  optional  parameter to the type.  Repeat to set
1517              multiple options.
1518
1519              VERSION version
1520                     Set HTTP version number to version (default 1.0).
1521
1522              AGENT user-agent
1523                     Set HTTP "User-Agent" string to user-agent.
1524
1525              CUSTOM-HEADER name content
1526                     Adds the custom Header with name as name and  content  as
1527                     the content of the custom HTTP header.
1528
1529              Examples:
1530
1531                 http-proxy-option VERSION 1.1
1532                 http-proxy-option AGENT OpenVPN/2.4
1533                 http-proxy-option X-Proxy-Flag some-flags
1534
1535       --socks-proxy args
1536              Connect  to  remote  host  through  a  Socks5 proxy.  A required
1537              server argument is needed.  Optionally a port (default 1080) and
1538              authfile  can  be  given.   The  authfile is a file containing a
1539              username and password on 2 lines, or stdin can be used to prompt
1540              from console.
1541
1542   Server Options
1543       Starting  with  OpenVPN 2.0, a multi-client TCP/UDP server mode is sup‐
1544       ported, and can be enabled with the --mode  server  option.  In  server
1545       mode,  OpenVPN will listen on a single port for incoming client connec‐
1546       tions. All client connections will be routed through a  single  tun  or
1547       tap interface. This mode is designed for scalability and should be able
1548       to support hundreds or even thousands of clients on  sufficiently  fast
1549       hardware. SSL/TLS authentication must be used in this mode.
1550
1551       --auth-gen-token args
1552              Returns  an  authentication  token to successfully authenticated
1553              clients.
1554
1555              Valid syntax:
1556
1557                 auth-gen-token [lifetime] [renewal-time] [external-auth]
1558
1559              After  successful  user/password  authentication,  the   OpenVPN
1560              server will with this option generate a temporary authentication
1561              token and push that to the client. On the  following  renegotia‐
1562              tions,  the  OpenVPN  client will pass this token instead of the
1563              users password. On the server side the server will do the  token
1564              authentication  internally and it will NOT do any additional au‐
1565              thentications against configured external user/password  authen‐
1566              tication mechanisms.
1567
1568              The  tokens  implemented  by  this  mechanism include an initial
1569              timestamp and a renew timestamp and are secured by HMAC.
1570
1571              The lifetime argument defines how long the  generated  token  is
1572              valid.   The  lifetime is defined in seconds. If lifetime is not
1573              set or it is set to 0, the token will never expire.
1574
1575              If renewal-time is not set it defaults to reneg-sec.
1576
1577              The token will expire either after the  configured  lifetime  of
1578              the  token is reached or after not being renewed for more than 2
1579              * renewal-time seconds. Clients will be sent renewed  tokens  on
1580              every TLS renegotiation. If renewal-time is lower than reneg-sec
1581              the server will push an  updated temporary authentication  token
1582              every  reneweal-time seconds. This is done to invalidate a token
1583              if a client is disconnected for a sufficiently long time,  while
1584              at  the same time permitting much longer token lifetimes for ac‐
1585              tive clients.
1586
1587              This feature is useful for environments which are configured  to
1588              use  One  Time  Passwords (OTP) as part of the user/password au‐
1589              thentications and that authentication mechanism does not  imple‐
1590              ment any auth-token support.
1591
1592              When the external-auth keyword is present the normal authentica‐
1593              tion method will always be called even if  auth-token  succeeds.
1594              Normally  other authentications method are skipped if auth-token
1595              verification succeeds or fails.
1596
1597              This option postpones this decision to the external  authentica‐
1598              tion methods and checks the validity of the account and do other
1599              checks.
1600
1601              In this mode the environment will  have  a  session_id  variable
1602              that  holds the session id from auth-gen-token. Also an environ‐
1603              ment variable session_state is present. This variable  indicates
1604              whether  the  auth-token  has  succeeded or not. It can have the
1605              following values:
1606
1607              Initial
1608                     No token from client.
1609
1610              Authenticated
1611                     Token is valid and not expired.
1612
1613              Expired
1614                     Token is valid but has expired.
1615
1616              Invalid
1617                     Token is invalid (failed HMAC or wrong length)
1618
1619              AuthenticatedEmptyUser / ExpiredEmptyUser
1620                     The token is not valid with the username  sent  from  the
1621                     client  but  would  be valid (or expired) if we assume an
1622                     empty username was used instead.  These two cases  are  a
1623                     workaround  for  behaviour  in  OpenVPN 3.  If this work‐
1624                     around is not needed these two cases should be handled in
1625                     the same way as Invalid.
1626
1627              Warning:  Use  this feature only if you want your authentication
1628              method called on every verification. Since the external  authen‐
1629              tication  is called it needs to also indicate a success or fail‐
1630              ure of the authentication. It is strongly recommended to  return
1631              an  authentication  failure  in  the case of the Invalid/Expired
1632              auth-token with the external-auth option unless the client could
1633              authenticate  in  another  acceptable  way (e.g. client certifi‐
1634              cate), otherwise returning success will lead  to  authentication
1635              bypass  (as  does  returning  success on a wrong password from a
1636              script).
1637
1638       --auth-gen-token-secret file
1639              Specifies a file that holds  a  secret  for  the  HMAC  used  in
1640              --auth-gen-token  If file is not present OpenVPN will generate a
1641              random secret on startup. This file should be used if auth-token
1642              should validate after restarting a server or if client should be
1643              able  to  roam  between  multiple  OpenVPN  servers  with  their
1644              auth-token.
1645
1646       --auth-user-pass-optional
1647              Allow  connections  by  clients  that  do  not  specify  a user‐
1648              name/password.  Normally, when --auth-user-pass-verify or --man‐
1649              agement-client-auth  are  specified (or an authentication plugin
1650              module), the  OpenVPN  server  daemon  will  require  connecting
1651              clients  to  specify  a username and password. This option makes
1652              the submission of a username/password by clients optional, pass‐
1653              ing  the  responsibility to the user-defined authentication mod‐
1654              ule/script to accept or deny the client based on  other  factors
1655              (such as the setting of X509 certificate fields).  When this op‐
1656              tion is used, and a connecting client does not  submit  a  user‐
1657              name/password,  the  user-defined  authentication  module/script
1658              will see the username and password as being set to empty strings
1659              (""). The authentication module/script MUST have logic to detect
1660              this condition and respond accordingly.
1661
1662       --ccd-exclusive
1663              Require, as a condition of  authentication,  that  a  connecting
1664              client has a --client-config-dir file.
1665
1666       --client-config-dir dir
1667              Specify  a directory dir for custom client config files. After a
1668              connecting client has been authenticated, OpenVPN will  look  in
1669              this  directory  for a file having the same name as the client's
1670              X509 common name. If a matching file exists, it will  be  opened
1671              and  parsed  for  client-specific  configuration  options. If no
1672              matching file is found, OpenVPN will instead  try  to  open  and
1673              parse a default file called "DEFAULT", which may be provided but
1674              is not required. Note that the configuration files must be read‐
1675              able by the OpenVPN process after it has dropped it's root priv‐
1676              ileges.
1677
1678              This file can specify a fixed IP address for a given client  us‐
1679              ing  --ifconfig-push,  as  well  as  fixed  subnets owned by the
1680              client using --iroute.
1681
1682              One of the useful properties of this option is  that  it  allows
1683              client  configuration  files to be conveniently created, edited,
1684              or removed while the server is live, without needing to  restart
1685              the server.
1686
1687              The  following  options  are legal in a client-specific context:
1688              --push, --push-reset, --push-remove, --iroute,  --ifconfig-push,
1689              --vlan-pvid and --config.
1690
1691       --client-to-client
1692              Because the OpenVPN server mode handles multiple clients through
1693              a single tun or tap interface, it is effectively a  router.  The
1694              --client-to-client   flag  tells  OpenVPN  to  internally  route
1695              client-to-client traffic rather than pushing  all  client-origi‐
1696              nating traffic to the TUN/TAP interface.
1697
1698              When  this  option  is  used,  each  client will "see" the other
1699              clients which are currently connected.  Otherwise,  each  client
1700              will  only  see the server. Don't use this option if you want to
1701              firewall tunnel traffic using custom, per-client rules.
1702
1703              Please note that when using data channel offload this option has
1704              no  effect.  Packets are always sent to the tunnel interface and
1705              then routed based on the system routing table.
1706
1707       --disable
1708              Disable a particular client (based on the common name) from con‐
1709              necting.   Don't  use this option to disable a client due to key
1710              or password compromise. Use a CRL (certificate revocation  list)
1711              instead (see the --crl-verify option).
1712
1713              This  option must be associated with a specific client instance,
1714              which means that it must be specified either  in  a  client  in‐
1715              stance config file using --client-config-dir or dynamically gen‐
1716              erated using a --client-connect script.
1717
1718       --connect-freq args
1719              Allow a maximum of  n  new  connections  per  sec  seconds  from
1720              clients.
1721
1722              Valid syntax:
1723
1724                 connect-freq n sec
1725
1726              This  is  designed to contain DoS attacks which flood the server
1727              with connection requests using  certificates  which  will  ulti‐
1728              mately fail to authenticate.
1729
1730              This limit applies after --connect-freq-initial and only applies
1731              to client that have completed the three-way handshake or  client
1732              that  use --tls-crypt-v2 without cookie support (allow-noncookie
1733              argument to --tls-crypt-v2).
1734
1735              This is an imperfect solution however, because  in  a  real  DoS
1736              scenario, legitimate connections might also be refused.
1737
1738              For  the best protection against DoS attacks in server mode, use
1739              --proto udp and either --tls-auth or --tls-crypt.
1740
1741       --connect-freq-initial args
1742              (UDP only) Allow a maximum of n initial  connection  packet  re‐
1743              sponses per sec seconds from the OpenVPN server to clients.
1744
1745              Valid syntax:
1746
1747                 connect-freq-initial n sec
1748
1749              OpenVPN  starting at 2.6 is very efficient in responding to ini‐
1750              tial connection packets. When not limiting the initial responses
1751              an OpenVPN daemon can be abused in reflection attacks.  This op‐
1752              tion is designed to limit the rate OpenVPN will respond to  ini‐
1753              tial attacks.
1754
1755              Connection  attempts  that  complete the initial three-way hand‐
1756              shake will not be counted against the limit. The default  is  to
1757              allow 100 initial connection per 10s.
1758
1759       --duplicate-cn
1760              Allow multiple clients with the same common name to concurrently
1761              connect. In the absence of this option, OpenVPN will  disconnect
1762              a  client  instance  upon  connection of a new client having the
1763              same common name.
1764
1765       --ifconfig-pool args
1766              Set aside a pool of subnets to be dynamically allocated to  con‐
1767              necting clients, similar to a DHCP server.
1768
1769              Valid syntax:
1770
1771                 ifconfig-pool start-IP end-IP [netmask]
1772
1773              For  tun-style  tunnels,  each client will be given a /30 subnet
1774              (for interoperability with Windows clients).  For tap-style tun‐
1775              nels,  individual  addresses will be allocated, and the optional
1776              netmask parameter will also be pushed to clients.
1777
1778       --ifconfig-ipv6-pool args
1779              Specify an IPv6 address pool for dynamic assignment to clients.
1780
1781              Valid args:
1782
1783                 ifconfig-ipv6-pool ipv6addr/bits
1784
1785              The pool starts at ipv6addr and matches  the  offset  determined
1786              from  the start of the IPv4 pool.  If the host part of the given
1787              IPv6 address is 0, the pool starts at ipv6addr +1.
1788
1789       --ifconfig-pool-persist args
1790              Persist/unpersist ifconfig-pool data to file, at seconds  inter‐
1791              vals (default 600), as well as on program startup and shutdown.
1792
1793              Valid syntax:
1794
1795                 ifconfig-pool-persist file [seconds]
1796
1797              The  goal  of  this option is to provide a long-term association
1798              between clients (denoted by their common name) and  the  virtual
1799              IP  address assigned to them from the ifconfig-pool. Maintaining
1800              a long-term association is good for clients  because  it  allows
1801              them to effectively use the --persist-tun option.
1802
1803              file  is  a  comma-delimited  ASCII  file,  formatted  as  <Com‐
1804              mon-Name>,<IP-address>.
1805
1806              If seconds = 0, file will be treated as read-only. This is  use‐
1807              ful if you would like to treat file as a configuration file.
1808
1809              Note  that  the  entries  in this file are treated by OpenVPN as
1810              suggestions only, based on past associations  between  a  common
1811              name  and IP address.  They do not guarantee that the given com‐
1812              mon name will always receive the given IP address. If  you  want
1813              guaranteed assignment, use --ifconfig-push
1814
1815       --ifconfig-push args
1816              Push  virtual  IP  endpoints  for  client tunnel, overriding the
1817              --ifconfig-pool dynamic allocation.
1818
1819              Valid syntax:
1820
1821                 ifconfig-push local remote-netmask [alias]
1822
1823              The parameters local and remote-netmask are set according to the
1824              --ifconfig directive which you want to execute on the client ma‐
1825              chine to configure the remote end of the tunnel. Note  that  the
1826              parameters  local and remote-netmask are from the perspective of
1827              the client, not the server. They may be DNS names rather than IP
1828              addresses,  in which case they will be resolved on the server at
1829              the time of client connection.
1830
1831              The optional alias parameter may be  used  in  cases  where  NAT
1832              causes  the client view of its local endpoint to differ from the
1833              server view. In this case local/remote-netmask will refer to the
1834              server  view while alias/remote-netmask will refer to the client
1835              view.
1836
1837              This option must be associated with a specific client  instance,
1838              which  means  that  it  must be specified either in a client in‐
1839              stance config file using --client-config-dir or dynamically gen‐
1840              erated using a --client-connect script.
1841
1842              Remember also to include a --route directive in the main OpenVPN
1843              config file which encloses local, so that the kernel  will  know
1844              to route it to the server's TUN/TAP interface.
1845
1846              OpenVPN's  internal  client IP address selection algorithm works
1847              as follows:
1848
1849              1. Use --client-connect script  generated  file  for  static  IP
1850                 (first choice).
1851
1852              2. Use --client-config-dir file for static IP (next choice).
1853
1854              3. Use --ifconfig-pool allocation for dynamic IP (last choice).
1855
1856       --ifconfig-ipv6-push args
1857              for --client-config-dir per-client static IPv6 interface config‐
1858              uration, see --client-config-dir and  --ifconfig-push  for  more
1859              details.
1860
1861              Valid syntax:
1862
1863                 ifconfig-ipv6-push ipv6addr/bits ipv6remote
1864
1865       --multihome
1866              Configure a multi-homed UDP server. This option needs to be used
1867              when a server has more than one IP address (e.g. multiple inter‐
1868              faces,  or  secondary IP addresses), and is not using --local to
1869              force binding to one specific address only. This option will add
1870              some extra lookups to the packet path to ensure that the UDP re‐
1871              ply packets are always sent from the address that the client  is
1872              talking  to. This is not supported on all platforms, and it adds
1873              more processing, so it's not enabled by default.
1874
1875              Notes:
1876
1877                     • This option is only relevant for UDP servers.
1878
1879                     • If you do an IPv6+IPv4 dual-stack bind on a  Linux  ma‐
1880                       chine  with  multiple IPv4 address, connections to IPv4
1881                       addresses will not work right on kernels  before  3.15,
1882                       due  to missing kernel support for the IPv4-mapped case
1883                       (some distributions have ported this to earlier  kernel
1884                       versions, though).
1885
1886       --iroute args
1887              Generate an internal route to a specific client. The netmask pa‐
1888              rameter, if omitted, defaults to 255.255.255.255.
1889
1890              Valid syntax:
1891
1892                 iroute network [netmask]
1893
1894              This directive can be used to route  a  fixed  subnet  from  the
1895              server to a particular client, regardless of where the client is
1896              connecting from.  Remember that you must also add the  route  to
1897              the  system  routing table as well (such as by using the --route
1898              directive). The reason why two routes are  needed  is  that  the
1899              --route  directive routes the packet from the kernel to OpenVPN.
1900              Once in OpenVPN, the --iroute directive routes to  the  specific
1901              client.
1902
1903              However,  when  using  DCO,  the  --iroute  directive is usually
1904              enough for DCO to fully configure the routing table.  The  extra
1905              --route  directive is required only if the expected behaviour is
1906              to route the traffic for a specific network to the VPN interface
1907              also  when the responsible client is not connected (traffic will
1908              then be dropped).
1909
1910              This option must be specified either in a client instance config
1911              file  using --client-config-dir or dynamically generated using a
1912              --client-connect script.
1913
1914              The --iroute directive also has an  important  interaction  with
1915              --push  "route ...". --iroute essentially defines a subnet which
1916              is owned by a particular client (we will call this client A). If
1917              you would like other clients to be able to reach A's subnet, you
1918              can use --push "route ..." together with  --client-to-client  to
1919              effect this. In order for all clients to see A's subnet, OpenVPN
1920              must push this route to all clients EXCEPT for A, since the sub‐
1921              net  is already owned by A. OpenVPN accomplishes this by not not
1922              pushing a route to a client if it matches one  of  the  client's
1923              iroutes.
1924
1925       --iroute-ipv6 args
1926              for  --client-config-dir per-client static IPv6 route configura‐
1927              tion, see --iroute for more details how to setup and  use  this,
1928              and how --iroute and --route interact.
1929
1930              Valid syntax:
1931
1932                 iroute-ipv6 ipv6addr/bits
1933
1934       --max-clients n
1935              Limit server to a maximum of n concurrent clients.
1936
1937       --max-routes-per-client n
1938              Allow  a  maximum of n internal routes per client (default 256).
1939              This is designed to help contain DoS attacks where an  authenti‐
1940              cated  client  floods  the server with packets appearing to come
1941              from many unique MAC addresses, forcing the  server  to  deplete
1942              virtual  memory  as its internal routing table expands. This di‐
1943              rective can be used in a --client-config-dir file or auto-gener‐
1944              ated  by  a --client-connect script to override the global value
1945              for a particular client.
1946
1947              Note that this directive affects OpenVPN's internal routing  ta‐
1948              ble, not the kernel routing table.
1949
1950       --opt-verify
1951              DEPRECATED Clients that connect with options that are incompati‐
1952              ble with those of the server will be disconnected.
1953
1954              Options  that  will  be  compared  for   compatibility   include
1955              dev-type,  link-mtu,  tun-mtu,  proto, ifconfig, comp-lzo, frag‐
1956              ment,  keydir,  cipher,  auth,   keysize,   secret,   no-replay,
1957              tls-auth, key-method, tls-server and tls-client.
1958
1959              This option requires that --disable-occ NOT be used.
1960
1961       --port-share args
1962              Share OpenVPN TCP with another service
1963
1964              Valid syntax:
1965
1966                 port-share host port [dir]
1967
1968              When run in TCP server mode, share the OpenVPN port with another
1969              application, such as an HTTPS server. If OpenVPN senses  a  con‐
1970              nection  to  its  port which is using a non-OpenVPN protocol, it
1971              will proxy the connection to the server at host:port.  Currently
1972              only  designed to work with HTTP/HTTPS, though it would be theo‐
1973              retically possible to extend to other protocols such as ssh.
1974
1975              dir specifies an optional directory where a temporary file  with
1976              name  N  containing  content C will be dynamically generated for
1977              each proxy connection, where N is  the  source  IP:port  of  the
1978              client  connection and C is the source IP:port of the connection
1979              to the proxy receiver. This directory can be used as  a  dictio‐
1980              nary  by  the proxy receiver to determine the origin of the con‐
1981              nection. Each generated file will be automatically deleted  when
1982              the proxied connection is torn down.
1983
1984              Not implemented on Windows.
1985
1986       --push option
1987              Push  a  config file option back to the client for remote execu‐
1988              tion. Note that option must be enclosed in double  quotes  ("").
1989              The  client  must  specify --pull in its config file. The set of
1990              options which can be pushed is limited by both  feasibility  and
1991              security. Some options such as those which would execute scripts
1992              are banned, since they would  effectively  allow  a  compromised
1993              server  to  execute  arbitrary code on the client. Other options
1994              such as TLS or MTU  parameters  cannot  be  pushed  because  the
1995              client  needs  to  know them before the connection to the server
1996              can be initiated.
1997
1998              This is a partial list of options which can currently be pushed:
1999              --route,   --route-gateway,  --route-delay,  --redirect-gateway,
2000              --ip-win32,   --dhcp-option,    --dns,    --inactive,    --ping,
2001              --ping-exit,   --ping-restart,  --setenv,  --auth-token,  --per‐
2002              sist-key,  --persist-tun,  --echo,  --comp-lzo,  --socket-flags,
2003              --sndbuf, --rcvbuf, --session-timeout
2004
2005       --push-remove opt
2006              Selectively  remove  all  --push options matching "opt" from the
2007              option list for a client. opt is matched as a substring  against
2008              the   whole   option  string  to-be-pushed  to  the  client,  so
2009              --push-remove route would remove all --push route ... and --push
2010              route-ipv6  ...   statements,  while  --push-remove  "route-ipv6
2011              2001:" would only remove IPv6 routes for 2001:... networks.
2012
2013              --push-remove can only be used  in  a  client-specific  context,
2014              like  in  a --client-config-dir file, or --client-connect script
2015              or plugin -- similar to --push-reset, just more selective.
2016
2017              NOTE: to change an option, --push-remove can be  used  to  first
2018              remove  the old value, and then add a new --push option with the
2019              new value.
2020
2021              NOTE 2: due to implementation details,  'ifconfig'  and  'ifcon‐
2022              fig-ipv6'  can only be removed with an exact match on the option
2023              ( push-remove ifconfig), no substring matching and  no  matching
2024              on the IPv4/IPv6 address argument is possible.
2025
2026       --push-reset
2027              Don't  inherit  the  global  push list for a specific client in‐
2028              stance.  Specify this option in a client-specific  context  such
2029              as  with  a  --client-config-dir configuration file. This option
2030              will ignore --push options at the global config file level.
2031
2032              NOTE: --push-reset is very thorough: it will remove  almost  all
2033              options  from  the list of to-be-pushed options.  In many cases,
2034              some of these options will need to be re-configured afterwards -
2035              specifically,  --topology  subnet  and  --route-gateway will get
2036              lost and this will break client configs in  many  cases.   Thus,
2037              for most purposes, --push-remove is better suited to selectively
2038              remove push options for individual clients.
2039
2040       --server args
2041              A helper directive designed to  simplify  the  configuration  of
2042              OpenVPN's  server  mode.  This  directive will set up an OpenVPN
2043              server which will allocate addresses to clients out of the given
2044              network/netmask.  The  server itself will take the .1 address of
2045              the given network for use as the server-side endpoint of the lo‐
2046              cal  TUN/TAP interface. If the optional nopool flag is given, no
2047              dynamic IP address pool will prepared for VPN clients.
2048
2049              Valid syntax:
2050
2051                 server network netmask [nopool]
2052
2053              For example, --server 10.8.0.0 255.255.255.0 expands as follows:
2054
2055                 mode server
2056                 tls-server
2057                 push "topology [topology]"
2058
2059                 if dev tun AND (topology == net30 OR topology == p2p):
2060                   ifconfig 10.8.0.1 10.8.0.2
2061                   if !nopool:
2062                     ifconfig-pool 10.8.0.4 10.8.0.251
2063                   route 10.8.0.0 255.255.255.0
2064                   if client-to-client:
2065                     push "route 10.8.0.0 255.255.255.0"
2066                   else if topology == net30:
2067                     push "route 10.8.0.1"
2068
2069                 if dev tap OR (dev tun AND topology == subnet):
2070                   ifconfig 10.8.0.1 255.255.255.0
2071                   if !nopool:
2072                     ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
2073                   push "route-gateway 10.8.0.1"
2074                   if route-gateway unset:
2075                     route-gateway 10.8.0.2
2076
2077              Don't  use  --server  if  you   are   ethernet   bridging.   Use
2078              --server-bridge instead.
2079
2080       --server-bridge args
2081              A helper directive similar to --server which is designed to sim‐
2082              plify the configuration of OpenVPN's  server  mode  in  ethernet
2083              bridging configurations.
2084
2085              Valid syntaxes:
2086
2087                 server-bridge gateway netmask pool-start-IP pool-end-IP
2088                 server-bridge [nogw]
2089
2090              If  --server-bridge  is used without any parameters, it will en‐
2091              able a DHCP-proxy mode, where connecting  OpenVPN  clients  will
2092              receive an IP address for their TAP adapter from the DHCP server
2093              running on the OpenVPN server-side LAN. Note that  only  clients
2094              that  support  the binding of a DHCP client with the TAP adapter
2095              (such as Windows) can support this mode. The optional nogw  flag
2096              (advanced)  indicates  that  gateway  information  should not be
2097              pushed to the client.
2098
2099              To configure ethernet bridging, you must  first  use  your  OS's
2100              bridging  capability to bridge the TAP interface with the ether‐
2101              net NIC interface.  For example, on Linux this is done with  the
2102              brctl  tool,  and with Windows XP it is done in the Network Con‐
2103              nections Panel by selecting the ethernet and  TAP  adapters  and
2104              right-clicking on "Bridge Connections".
2105
2106              Next  you you must manually set the IP/netmask on the bridge in‐
2107              terface.  The gateway and netmask parameters to  --server-bridge
2108              can  be set to either the IP/netmask of the bridge interface, or
2109              the IP/netmask of the default gateway/router on the bridged sub‐
2110              net.
2111
2112              Finally,  set aside a IP range in the bridged subnet, denoted by
2113              pool-start-IP and pool-end-IP, for OpenVPN to allocate  to  con‐
2114              necting clients.
2115
2116              For  example,  server-bridge  10.8.0.4  255.255.255.0 10.8.0.128
2117              10.8.0.254 expands as follows:
2118
2119                 mode server
2120                 tls-server
2121
2122                 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
2123                 push "route-gateway 10.8.0.4"
2124
2125              In another example, --server-bridge (without parameters) expands
2126              as follows:
2127
2128                 mode server
2129                 tls-server
2130
2131                 push "route-gateway dhcp"
2132
2133              Or --server-bridge nogw expands as follows:
2134
2135                 mode server
2136                 tls-server
2137
2138       --server-ipv6 args
2139              Convenience-function  to enable a number of IPv6 related options
2140              at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push
2141              tun-ipv6.
2142
2143              Valid syntax:
2144
2145                 server-ipv6 ipv6addr/bits
2146
2147              Pushing  of  the  --tun-ipv6 directive is done for older clients
2148              which require an explicit --tun-ipv6 in their configuration.
2149
2150       --stale-routes-check args
2151              Remove routes which haven't had activity for n seconds (i.e. the
2152              ageing time).  This check is run every t seconds (i.e. check in‐
2153              terval).
2154
2155              Valid syntax:
2156
2157                 stale-routes-check n [t]
2158
2159              If t is not present it defaults to n.
2160
2161              This option helps to keep the dynamic routing table  small.  See
2162              also --max-routes-per-client
2163
2164       --username-as-common-name
2165              Use  the  authenticated username as the common-name, rather than
2166              the common-name from the client certificate. Requires that  some
2167              form  of  --auth-user-pass verification is in effect. As the re‐
2168              placement happens after --auth-user-pass verification, the veri‐
2169              fication  script  or  plugin  will still receive the common-name
2170              from the certificate.
2171
2172              The common_name environment variable passed to scripts and plug‐
2173              ins  invoked  after  authentication (e.g, client-connect script)
2174              and file names parsed in client-config directory will match  the
2175              username.
2176
2177       --verify-client-cert mode
2178              Specify  whether  the  client is required to supply a valid cer‐
2179              tificate.
2180
2181              Possible mode options are:
2182
2183              none   A client certificate is not required. the client needs to
2184                     authenticate  using username/password only. Be aware that
2185                     using this directive is less secure than  requiring  cer‐
2186                     tificates from all clients.
2187
2188                     If  you  use this directive, the entire responsibility of
2189                     authentication will rest on your  --auth-user-pass-verify
2190                     script,  so  keep  in mind that bugs in your script could
2191                     potentially compromise the security of your VPN.
2192
2193                     --verify-client-cert none is functionally  equivalent  to
2194                     --client-cert-not-required.
2195
2196              optional
2197                     A client may present a certificate but it is not required
2198                     to do so.  When using this directive, you should also use
2199                     a  --auth-user-pass-verify  script to ensure that clients
2200                     are authenticated using a  certificate,  a  username  and
2201                     password, or possibly even both.
2202
2203                     Again,  the  entire responsibility of authentication will
2204                     rest on your --auth-user-pass-verify script, so  keep  in
2205                     mind  that  bugs in your script could potentially compro‐
2206                     mise the security of your VPN.
2207
2208              require
2209                     This is the default  option.  A  client  is  required  to
2210                     present a certificate, otherwise VPN access is refused.
2211
2212              If you don't use this directive (or use --verify-client-cert re‐
2213              quire) but you also specify an  --auth-user-pass-verify  script,
2214              then OpenVPN will perform double authentication. The client cer‐
2215              tificate verification  AND  the  --auth-user-pass-verify  script
2216              will  need  to succeed in order for a client to be authenticated
2217              and accepted onto the VPN.
2218
2219       --vlan-tagging
2220              Server-only option. Turns the OpenVPN  server  instance  into  a
2221              switch that understands VLAN-tagging, based on IEEE 802.1Q.
2222
2223              The server TAP device and each of the connecting clients is seen
2224              as a port of the switch. All client ports are in  untagged  mode
2225              and  the  server  TAP device is VLAN-tagged, untagged or accepts
2226              both, depending on the --vlan-accept setting.
2227
2228              Ethernet frames with a prepended 802.1Q tag are called "tagged".
2229              If  the  VLAN  Identifier (VID) field in such a tag is non-zero,
2230              the frame is called "VLAN-tagged". If the VID is zero,  but  the
2231              Priority  Control  Point  (PCP)  field is non-zero, the frame is
2232              called "prio-tagged". If there is no 802.1Q tag,  the  frame  is
2233              "untagged".
2234
2235              Using   the   --vlan-pvid   v   option   once  per  client  (see
2236              --client-config-dir), each port can be associated with a certain
2237              VID.   Packets  can  only  be forwarded between ports having the
2238              same VID.  Therefore, clients with differing VIDs are completely
2239              separated  from one-another, even if --client-to-client is acti‐
2240              vated.
2241
2242              The packet filtering takes place in the OpenVPN server.  Clients
2243              should not have any VLAN tagging configuration applied.
2244
2245              The  --vlan-tagging  option is off by default. While turned off,
2246              OpenVPN accepts any Ethernet frame and does not perform any spe‐
2247              cial processing for VLAN-tagged packets.
2248
2249              This option can only be activated in --dev tap mode.
2250
2251       --vlan-accept args
2252              Configure the VLAN tagging policy for the server TAP device.
2253
2254              Valid syntax:
2255
2256                 vlan-accept  all|tagged|untagged
2257
2258              The following modes are available:
2259
2260              tagged Admit  only  VLAN-tagged frames. Only VLAN-tagged packets
2261                     are accepted, while untagged or  priority-tagged  packets
2262                     are dropped when entering the server TAP device.
2263
2264              untagged
2265                     Admit  only untagged and prio-tagged frames.  VLAN-tagged
2266                     packets  are  not  accepted,  while  untagged  or  prior‐
2267                     ity-tagged  packets  entering  the  server TAP device are
2268                     tagged  with  the  value  configured   for   the   global
2269                     --vlan-pvid setting.
2270
2271              all (default)
2272                     Admit  all  frames.   All  packets  are admitted and then
2273                     treated like untagged or tagged mode respectively.
2274
2275              Note:  Some vendors refer to switch ports running in tagged mode
2276                     as  "trunk  ports"  and  switch ports running in untagged
2277                     mode as "access ports".
2278
2279              Packets forwarded from clients to  the  server  are  VLAN-tagged
2280              with  the  originating client's PVID, unless the VID matches the
2281              global --vlan-pvid, in which case the tag is removed.
2282
2283              If no PVID is configured for a given  client  (see  --vlan-pvid)
2284              packets are tagged with 1 by default.
2285
2286       --vlan-pvid v
2287              Specifies  which  VLAN  identifier  a "port" is associated with.
2288              Only valid when --vlan-tagging is specified.
2289
2290              In the client context, the setting specifies  which  VLAN  ID  a
2291              client is associated with. In the global context, the VLAN ID of
2292              the server TAP device is set. The latter only  makes  sense  for
2293              --vlan-accept untagged and --vlan-accept all modes.
2294
2295              Valid  values  for v go from 1 through to 4094. The global value
2296              defaults to 1. If no --vlan-pvid is specified in the client con‐
2297              text, the global value is inherited.
2298
2299              In  some switch implementations, the PVID is also referred to as
2300              "Native VLAN".
2301

ENCRYPTION OPTIONS

2303   SSL Library information
2304       --show-ciphers
2305              (Standalone) Show all cipher algorithms to use with the --cipher
2306              option.
2307
2308       --show-digests
2309              (Standalone)  Show all message digest algorithms to use with the
2310              --auth option.
2311
2312       --show-tls
2313              (Standalone) Show all TLS ciphers supported by  the  crypto  li‐
2314              brary.   OpenVPN  uses  TLS  to secure the control channel, over
2315              which the keys that are used to protect the actual  VPN  traffic
2316              are exchanged. The TLS ciphers will be sorted from highest pref‐
2317              erence (most secure) to lowest.
2318
2319              Be aware that whether a cipher suite in this list  can  actually
2320              work  depends  on  the  specific  setup of both peers (e.g. both
2321              peers must support the cipher, and an ECDSA  cipher  suite  will
2322              not work if you are using an RSA certificate, etc.).
2323
2324       --show-engines
2325              (Standalone)  Show currently available hardware-based crypto ac‐
2326              celeration engines supported by the OpenSSL library.
2327
2328       --show-groups
2329              (Standalone) Show all available elliptic  curves/groups  to  use
2330              with the --ecdh-curve and tls-groups options.
2331
2332   Generating key material
2333       --genkey args
2334              (Standalone)  Generate  a key to be used of the type keytype. if
2335              keyfile is left out or empty the key will be output  on  stdout.
2336              See the following sections for the different keytypes.
2337
2338              Valid syntax:
2339
2340                 --genkey keytype keyfile
2341
2342              Valid keytype arguments are:
2343
2344              secret                Standard OpenVPN shared secret keys
2345
2346              tls-crypt             Alias for secret
2347
2348              tls-auth              Alias for secret
2349
2350              auth-token            Key used for --auth-gen-token-key
2351
2352              tls-crypt-v2-server   TLS Crypt v2 server key
2353
2354              tls-crypt-v2-client   TLS Crypt v2 client key
2355
2356              Examples:
2357
2358                 $ openvpn --genkey secret shared.key
2359                 $ openvpn --genkey tls-crypt shared.key
2360                 $ openvpn --genkey tls-auth shared.key
2361                 $ openvpn --genkey tls-crypt-v2-server v2crypt-server.key
2362                 $ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key
2363
2364              • Generating  Shared  Secret  Keys Generate a shared secret, for
2365                use with the --secret, --tls-auth or --tls-crypt options.
2366
2367                Syntax:
2368
2369                   $ openvpn --genkey secret|tls-crypt|tls-auth keyfile
2370
2371                The key is saved in keyfile.  All  three  variants  (--secret,
2372                tls-crypt  and  tls-auth)  generate  the same type of key. The
2373                aliases are added for convenience.
2374
2375                If using this for --secret, this file must be shared with  the
2376                peer over a pre-existing secure channel such as scp(1).
2377
2378              • Generating  TLS  Crypt v2 Server key Generate a --tls-crypt-v2
2379                key to be used by an OpenVPN server.  The  key  is  stored  in
2380                keyfile.
2381
2382                Syntax:
2383
2384                   --genkey tls-crypt-v2-server keyfile
2385
2386              • Generating  TLS  Crypt v2 Client key Generate a --tls-crypt-v2
2387                key to be used by OpenVPN clients.  The key is stored in  key‐
2388                file.
2389
2390                Syntax
2391
2392                   --genkey tls-crypt-v2-client keyfile [metadata]
2393
2394                If  supplied,  include  the  supplied  metadata in the wrapped
2395                client key. This metadata must be supplied  in  base64-encoded
2396                form. The metadata must be at most 733 bytes long (980 charac‐
2397                ters in base64, though note that 980 base64 characters can en‐
2398                code more than 733 bytes).
2399
2400                If  no  metadata  is  supplied, OpenVPN will use a 64-bit unix
2401                timestamp representing the current time  in  UTC,  encoded  in
2402                network order, as metadata for the generated key.
2403
2404                A  tls-crypt-v2  client  key is wrapped using a server key. To
2405                generate a client key, the  user  must  therefore  supply  the
2406                server key using the --tls-crypt-v2 option.
2407
2408                Servers  can  use  --tls-crypt-v2-verify to specify a metadata
2409                verification command.
2410
2411              • Generate Authentication Token key Generate a new  secret  that
2412                can be used with --auth-gen-token-secret
2413
2414                Syntax:
2415
2416                   --genkey auth-token [keyfile]
2417
2418                Note:  This file should be kept secret to the server as anyone
2419                       that has access to this file will be able  to  generate
2420                       auth  tokens  that  the  OpenVPN  server will accept as
2421                       valid.
2422
2423   Data Channel Renegotiation
2424       When running OpenVPN in client/server mode, the data channel will use a
2425       separate  ephemeral  encryption  key which is rotated at regular inter‐
2426       vals.
2427
2428       --reneg-bytes n
2429              Renegotiate data channel key after  n  bytes  sent  or  received
2430              (disabled  by default with an exception, see below). OpenVPN al‐
2431              lows the lifetime of a key to be expressed as a number of  bytes
2432              encrypted/decrypted,  a  number  of packets, or a number of sec‐
2433              onds. A key renegotiation will be forced if any of  these  three
2434              criteria are met by either peer.
2435
2436              If  using  ciphers  with  cipher block sizes less than 128-bits,
2437              --reneg-bytes is set to 64MB by default, unless it is explicitly
2438              disabled  by setting the value to 0, but this is HIGHLY DISCOUR‐
2439              AGED as this is designed to  add  some  protection  against  the
2440              SWEET32 attack vector. For more information see the --cipher op‐
2441              tion.
2442
2443       --reneg-pkts n
2444              Renegotiate data channel key after n packets sent  and  received
2445              (disabled by default).
2446
2447       --reneg-sec args
2448              Renegotiate  data channel key after at most max seconds (default
2449              3600) and at least min  seconds  (default  is  90%  of  max  for
2450              servers, and equal to max for clients).
2451
2452                 reneg-sec max [min]
2453
2454              The  effective --reneg-sec value used is per session pseudo-uni‐
2455              form-randomized between min and max.
2456
2457              With the default value of 3600 this results in an effective  per
2458              session  value in the range of 3240 .. 3600 seconds for servers,
2459              or just 3600 for clients.
2460
2461              When using dual-factor authentication, note  that  this  default
2462              value  may  cause  the  end user to be challenged to reauthorize
2463              once per hour.
2464
2465              Also, keep in mind that this option can  be  used  on  both  the
2466              client  and  server,  and whichever uses the lower value will be
2467              the one to trigger the renegotiation. A common mistake is to set
2468              --reneg-sec  to  a  higher value on either the client or server,
2469              while the other side of the connection is still  using  the  de‐
2470              fault value of 3600 seconds, meaning that the renegotiation will
2471              still occur once per 3600 seconds. The solution is  to  increase
2472              --reneg-sec on both the client and server, or set it to 0 on one
2473              side of the connection (to disable), and to your chosen value on
2474              the other side.
2475
2476   TLS Mode Options
2477       TLS  mode  is the most powerful crypto mode of OpenVPN in both security
2478       and flexibility. TLS mode works by establishing control and data  chan‐
2479       nels  which  are multiplexed over a single TCP/UDP port. OpenVPN initi‐
2480       ates a TLS session over the control channel and uses it to exchange ci‐
2481       pher  and HMAC keys to protect the data channel. TLS mode uses a robust
2482       reliability layer over the UDP connection for all control channel  com‐
2483       munication,  while  the  data channel, over which encrypted tunnel data
2484       passes, is forwarded without any mediation. The result is the  best  of
2485       both  worlds:  a fast data channel that forwards over UDP with only the
2486       overhead of encrypt, decrypt, and HMAC functions, and a control channel
2487       that  provides  all of the security features of TLS, including certifi‐
2488       cate-based authentication and Diffie Hellman forward secrecy.
2489
2490       To use TLS mode, each peer that runs OpenVPN should have its own  local
2491       certificate/key pair (--cert and --key), signed by the root certificate
2492       which is specified in --ca.
2493
2494       When two OpenVPN peers connect, each presents its local certificate  to
2495       the  other. Each peer will then check that its partner peer presented a
2496       certificate which was signed by the master root certificate  as  speci‐
2497       fied in --ca.
2498
2499       If  that  check  on  both peers succeeds, then the TLS negotiation will
2500       succeed, both OpenVPN peers will exchange temporary session  keys,  and
2501       the tunnel will begin passing data.
2502
2503       The OpenVPN project provides a set of scripts for managing RSA certifi‐
2504       cates and keys: https://github.com/OpenVPN/easy-rsa
2505
2506       --askpass file
2507              Get certificate password from console or file before  we  daemo‐
2508              nize.
2509
2510              Valid syntaxes:
2511
2512                 askpass
2513                 askpass file
2514
2515              For  the extremely security conscious, it is possible to protect
2516              your private key with a password. Of course this means that  ev‐
2517              ery time the OpenVPN daemon is started you must be there to type
2518              the password. The --askpass option allows you to  start  OpenVPN
2519              from  the command line.  It will query you for a password before
2520              it daemonizes. To protect a private  key  with  a  password  you
2521              should  omit  the -nodes option when you use the openssl command
2522              line tool to manage certificates and private keys.
2523
2524              If file is specified, read the password from the first  line  of
2525              file.  Keep  in  mind  that storing your password in a file to a
2526              certain extent invalidates the extra security provided by  using
2527              an encrypted key.
2528
2529       --ca file
2530              Certificate authority (CA) file in .pem format, also referred to
2531              as the root certificate. This file can  have  multiple  certifi‐
2532              cates  in  .pem format, concatenated together. You can construct
2533              your own certificate authority certificate and  private  key  by
2534              using a command such as:
2535
2536                 openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
2537
2538              Then  edit  your openssl.cnf file and edit the certificate vari‐
2539              able to point to your new root certificate ca.crt.
2540
2541              For testing purposes only, the OpenVPN distribution  includes  a
2542              sample  CA  certificate (ca.crt). Of course you should never use
2543              the test certificates and test keys distributed with OpenVPN  in
2544              a  production environment, since by virtue of the fact that they
2545              are distributed with OpenVPN, they are totally insecure.
2546
2547       --capath dir
2548              Directory containing trusted certificates (CAs  and  CRLs).  Not
2549              available with mbed TLS.
2550
2551              CAs in the capath directory are expected to be named <hash>.<n>.
2552              CRLs are expected to be named <hash>.r<n>. See the  -CApath  op‐
2553              tion  of  openssl  verify, and the -hash option of openssl x509,
2554              openssl crl and X509_LOOKUP_hash_dir()(3) for more information.
2555
2556              Similar to the --crl-verify option, CRLs  are  not  mandatory  -
2557              OpenVPN  will  log the usual warning in the logs if the relevant
2558              CRL is missing, but the connection will be allowed.
2559
2560       --cert file
2561              Local peer's signed certificate in .pem format -- must be signed
2562              by  a  certificate  authority whose certificate is in --ca file.
2563              Each peer in an OpenVPN link running in TLS mode should have its
2564              own certificate and private key file. In addition, each certifi‐
2565              cate should have been signed by the key of a certificate author‐
2566              ity  whose  public key resides in the --ca certificate authority
2567              file. You can easily make your own  certificate  authority  (see
2568              above)  or  pay  money  to  use  a  commercial  service  such as
2569              thawte.com (in which case you will be  helping  to  finance  the
2570              world's  second space tourist :). To generate a certificate, you
2571              can use a command such as:
2572
2573                 openssl req -nodes -new -keyout mycert.key -out mycert.csr
2574
2575              If your certificate authority private key lives on  another  ma‐
2576              chine, copy the certificate signing request (mycert.csr) to this
2577              other machine (this can be done over an insecure channel such as
2578              email). Now sign the certificate with a command such as:
2579
2580                 openssl ca -out mycert.crt -in mycert.csr
2581
2582              Now  copy  the  certificate  (mycert.crt) back to the peer which
2583              initially generated the .csr file (this can  be  over  a  public
2584              medium).  Note that the openssl ca command reads the location of
2585              the certificate authority key from its configuration  file  such
2586              as  /usr/share/ssl/openssl.cnf -- note also that for certificate
2587              authority functions, you must set up the files index.txt (may be
2588              empty) and serial (initialize to 01).
2589
2590       --crl-verify args
2591              Check peer certificate against a Certificate Revocation List.
2592
2593              Valid syntax:
2594
2595                 crl-verify file/directory flag
2596
2597              Examples:
2598
2599                 crl-verify crl-file.pem
2600                 crl-verify /etc/openvpn/crls dir
2601
2602              A  CRL  (certificate  revocation list) is used when a particular
2603              key is compromised but when the overall PKI is still intact.
2604
2605              Suppose you had a PKI consisting of a CA, root certificate,  and
2606              a  number of client certificates. Suppose a laptop computer con‐
2607              taining a client key and certificate was stolen. By  adding  the
2608              stolen certificate to the CRL file, you could reject any connec‐
2609              tion which attempts to use it, while preserving the overall  in‐
2610              tegrity of the PKI.
2611
2612              The  only  time when it would be necessary to rebuild the entire
2613              PKI from scratch would be if the root certificate key itself was
2614              compromised.
2615
2616              The  option  is  not mandatory - if the relevant CRL is missing,
2617              OpenVPN will log a warning in the logs - e.g.
2618
2619                 VERIFY WARNING: depth=0, unable to get certificate CRL
2620
2621              but the connection will be allowed.  If the optional dir flag is
2622              specified,  enable  a  different  mode  where  the crl-verify is
2623              pointed at a directory containing files named as revoked  serial
2624              numbers  (the  files may be empty, the contents are never read).
2625              If a client requests a connection, where the client  certificate
2626              serial  number (decimal string) is the name of a file present in
2627              the directory, it will be rejected.
2628
2629              Note:  As the crl file (or directory) is read every time a  peer
2630                     connects,  if  you  are  dropping  root  privileges  with
2631                     --user, make sure that this user  has  sufficient  privi‐
2632                     leges to read the file.
2633
2634       --dh file
2635              File  containing  Diffie  Hellman parameters in .pem format (re‐
2636              quired for --tls-server only).
2637
2638              Set file to none to disable Diffie Hellman key exchange (and use
2639              ECDH only). Note that this requires peers to be using an SSL li‐
2640              brary that supports ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+,
2641              or mbed TLS 2.0+).
2642
2643              Use openssl dhparam -out dh2048.pem 2048 to generate 2048-bit DH
2644              parameters. Diffie Hellman parameters may be considered public.
2645
2646       --ecdh-curve name
2647              Specify the curve to use  for  elliptic  curve  Diffie  Hellman.
2648              Available curves can be listed with --show-curves. The specified
2649              curve will only be used for ECDH TLS-ciphers.
2650
2651              This option is not supported in mbed TLS builds of OpenVPN.
2652
2653       --extra-certs file
2654              Specify a file containing one or more  PEM  certs  (concatenated
2655              together) that complete the local certificate chain.
2656
2657              This  option  is useful for "split" CAs, where the CA for server
2658              certs is different than the CA for client certs.  Putting  certs
2659              in  this  file allows them to be used to complete the local cer‐
2660              tificate chain without trusting them to verify the  peer-submit‐
2661              ted  certificate,  as would be the case if the certs were placed
2662              in the ca file.
2663
2664       --hand-window n
2665              Handshake Window -- the TLS-based  key  exchange  must  finalize
2666              within n seconds of handshake initiation by any peer (default 60
2667              seconds). If the handshake fails we will attempt  to  reset  our
2668              connection  with  our  peer  and try again. Even in the event of
2669              handshake failure we will still use our expiring key for  up  to
2670              --tran-window  seconds to maintain continuity of transmission of
2671              tunnel data.
2672
2673              The --hand-window parameter also controls  the  amount  of  time
2674              that  the OpenVPN client repeats the pull request until it times
2675              out.
2676
2677       --key file
2678              Local peer's private key in .pem format.  Use  the  private  key
2679              which  was generated when you built your peer's certificate (see
2680              --cert file above).
2681
2682       --pkcs12 file
2683              Specify a PKCS #12 file containing local private key, local cer‐
2684              tificate,  and  root CA certificate. This option can be used in‐
2685              stead of --ca, --cert, and --key.  Not available with mbed TLS.
2686
2687       --remote-cert-eku oid
2688              Require that peer certificate was signed with  an  explicit  ex‐
2689              tended key usage.
2690
2691              This is a useful security option for clients, to ensure that the
2692              host they connect to is a designated server.
2693
2694              The extended key usage should be encoded  in  oid  notation,  or
2695              OpenSSL symbolic representation.
2696
2697       --remote-cert-ku key-usage
2698              Require  that  peer  certificate  was  signed  with  an explicit
2699              key-usage.
2700
2701              If present in the certificate, the keyUsage value  is  validated
2702              by the TLS library during the TLS handshake. Specifying this op‐
2703              tion without arguments requires this extension to be present (so
2704              the TLS library will verify it).
2705
2706              If  key-usage  is  a list of usage bits, the keyUsage field must
2707              have at least the same bits set as the bits in one of the values
2708              supplied in the key-usage list.
2709
2710              The key-usage values in the list must be encoded in hex, e.g.
2711
2712                 remote-cert-ku a0
2713
2714       --remote-cert-tls type
2715              Require  that  peer  certificate was signed with an explicit key
2716              usage and extended key usage based on RFC3280 TLS rules.
2717
2718              Valid syntaxes:
2719
2720                 remote-cert-tls server
2721                 remote-cert-tls client
2722
2723              This is a useful security option for clients, to ensure that the
2724              host  they  connect  to is a designated server. Or the other way
2725              around; for a server to verify that only  hosts  with  a  client
2726              certificate can connect.
2727
2728              The --remote-cert-tls client option is equivalent to
2729
2730                 remote-cert-ku
2731                 remote-cert-eku "TLS Web Client Authentication"
2732
2733              The --remote-cert-tls server option is equivalent to
2734
2735                 remote-cert-ku
2736                 remote-cert-eku "TLS Web Server Authentication"
2737
2738              This  is  an  important security precaution to protect against a
2739              man-in-the-middle attack where an authorized client attempts  to
2740              connect  to  another client by impersonating the server. The at‐
2741              tack is easily prevented by having  clients  verify  the  server
2742              certificate   using   any   one   of  --remote-cert-tls,  --ver‐
2743              ify-x509-name, --peer-fingerprint or --tls-verify.
2744
2745       --tls-auth args
2746              Add an additional layer of HMAC authentication on top of the TLS
2747              control  channel  to mitigate DoS attacks and attacks on the TLS
2748              stack.
2749
2750              Valid syntaxes:
2751
2752                 tls-auth file
2753                 tls-auth file 0
2754                 tls-auth file 1
2755
2756              In a nutshell, --tls-auth enables a kind of "HMAC  firewall"  on
2757              OpenVPN's  TCP/UDP port, where TLS control channel packets bear‐
2758              ing an incorrect HMAC signature can be dropped immediately with‐
2759              out response.
2760
2761              file (required) is a file in OpenVPN static key format which can
2762              be generated by --genkey.
2763
2764              Older  versions  (up  to  OpenVPN  2.3)  supported  a   freeform
2765              passphrase  file.  This is no longer supported in newer versions
2766              (v2.4+).
2767
2768              See the --secret option for more information on the optional di‐
2769              rection parameter.
2770
2771              --tls-auth is recommended when you are running OpenVPN in a mode
2772              where it is listening for packets from any IP address,  such  as
2773              when  --remote  is  not specified, or --remote is specified with
2774              --float.
2775
2776              The rationale for this feature is as  follows.  TLS  requires  a
2777              multi-packet  exchange before it is able to authenticate a peer.
2778              During this time before authentication,  OpenVPN  is  allocating
2779              resources (memory and CPU) to this potential peer. The potential
2780              peer is also exposing many parts of OpenVPN and the OpenSSL  li‐
2781              brary  to the packets it is sending. Most successful network at‐
2782              tacks today seek to either exploit bugs  in  programs  (such  as
2783              buffer  overflow  attacks) or force a program to consume so many
2784              resources that it becomes unusable. Of course the first line  of
2785              defense  is  always to produce clean, well-audited code. OpenVPN
2786              has been written with buffer overflow attack prevention as a top
2787              priority. But as history has shown, many of the most widely used
2788              network applications have, from time to time, fallen  to  buffer
2789              overflow attacks.
2790
2791              So  as  a  second  line  of defense, OpenVPN offers this special
2792              layer of authentication on top of the  TLS  control  channel  so
2793              that  every packet on the control channel is authenticated by an
2794              HMAC signature and a unique ID for replay protection. This  sig‐
2795              nature  will  also  help protect against DoS (Denial of Service)
2796              attacks. An important rule of thumb in reducing vulnerability to
2797              DoS  attacks is to minimize the amount of resources a potential,
2798              but as yet unauthenticated, client is able to consume.
2799
2800              --tls-auth does this by signing every TLS control channel packet
2801              with  an HMAC signature, including packets which are sent before
2802              the TLS level has had a chance to authenticate the peer. The re‐
2803              sult  is  that  packets  without  the  correct  signature can be
2804              dropped immediately upon reception, before they have a chance to
2805              consume  additional system resources such as by initiating a TLS
2806              handshake. --tls-auth can be strengthened by  adding  the  --re‐
2807              play-persist  option which will keep OpenVPN's replay protection
2808              state in a file so that it is not lost across restarts.
2809
2810              It should be emphasized that this feature is optional  and  that
2811              the key file used with --tls-auth gives a peer nothing more than
2812              the power to initiate a TLS handshake. It is not used to encrypt
2813              or authenticate any tunnel data.
2814
2815              Use  --tls-crypt  instead if you want to use the key file to not
2816              only authenticate, but also encrypt the TLS control channel.
2817
2818       --tls-groups list
2819              A list of allowable groups/curves in order of preference.
2820
2821              Set the allowed elliptic  curves/groups  for  the  TLS  session.
2822              These  groups  are  allowed to be used in signatures and key ex‐
2823              change.
2824
2825              mbedTLS currently allows all known curves per default.
2826
2827              OpenSSL 1.1+ restricts the list per default to
2828
2829                 "X25519:secp256r1:X448:secp521r1:secp384r1".
2830
2831              If you use certificates that use non-standard curves, you  might
2832              need to add them here. If you do not force the ecdh curve by us‐
2833              ing --ecdh-curve, the groups for ecdh will also be  picked  from
2834              this list.
2835
2836              OpenVPN  maps  the  curve  name secp256r1 to prime256v1 to allow
2837              specifying the same tls-groups option for mbedTLS and OpenSSL.
2838
2839              Warning: this option not only affects  elliptic  curve  certifi‐
2840              cates but also the key exchange in TLS 1.3 and using this option
2841              improperly will disable TLS 1.3.
2842
2843       --tls-cert-profile profile
2844              Set the allowed cryptographic algorithms  for  certificates  ac‐
2845              cording to profile.
2846
2847              The following profiles are supported:
2848
2849              insecure
2850                     Identical for mbed TLS to legacy
2851
2852              legacy (default)
2853                     SHA1 and newer, RSA 2048-bit+, any elliptic curve.
2854
2855              preferred
2856                     SHA2 and newer, RSA 2048-bit+, any elliptic curve.
2857
2858              suiteb SHA256/SHA384, ECDSA with P-256 or P-384.
2859
2860              This option is only fully supported for mbed TLS builds. OpenSSL
2861              builds use the following approximation:
2862
2863              insecure
2864                     sets "security level 0"
2865
2866              legacy (default)
2867                     sets "security level 1"
2868
2869              preferred
2870                     sets "security level 2"
2871
2872              suiteb sets "security level 3" and --tls-cipher "SUITEB128".
2873
2874              OpenVPN will migrate to 'preferred' as default  in  the  future.
2875              Please ensure that your keys already comply.
2876
2877       WARNING: --tls-ciphers, --tls-ciphersuites and tls-groups
2878              These  options  are expert features, which - if used correctly -
2879              can improve the security of your VPN connection. But it is  also
2880              easy  to unwittingly use them to carefully align a gun with your
2881              foot, or just break your connection. Use with care!
2882
2883       --tls-cipher l
2884              A list l of allowable TLS ciphers delimited by a colon (":").
2885
2886              These setting can be used to ensure that certain  cipher  suites
2887              are  used (or not used) for the TLS connection. OpenVPN uses TLS
2888              to secure the control channel, over which the keys that are used
2889              to protect the actual VPN traffic are exchanged.
2890
2891              The  supplied  list  of ciphers is (after potential OpenSSL/IANA
2892              name translation) simply supplied to the crypto library.  Please
2893              see the OpenSSL and/or mbed TLS documentation for details on the
2894              cipher list interpretation.
2895
2896              For OpenSSL, the --tls-cipher is used for TLS 1.2 and below.
2897
2898              Use --show-tls to see a list of TLS ciphers  supported  by  your
2899              crypto library.
2900
2901              The default for --tls-cipher is to use mbed TLS's default cipher
2902              list      when      using      mbed       TLS       or       DE‐
2903              FAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA    when
2904              using OpenSSL.
2905
2906       --tls-ciphersuites l
2907              Same as --tls-cipher but for TLS 1.3 and up. mbed TLS has no TLS
2908              1.3 support yet and only the --tls-cipher setting is used.
2909
2910              The  default  for  --tls-ciphersuites  is  to use the crypto li‐
2911              brary's default.
2912
2913       --tls-client
2914              Enable TLS and assume client role during TLS handshake.
2915
2916       --tls-crypt keyfile
2917              Encrypt and authenticate all control channel  packets  with  the
2918              key from keyfile. (See --tls-auth for more background.)
2919
2920              Encrypting (and authenticating) control channel packets:
2921
2922              • provides  more  privacy by hiding the certificate used for the
2923                TLS connection,
2924
2925              • makes it harder to identify OpenVPN traffic as such,
2926
2927              • provides "poor-man's" post-quantum security, against attackers
2928                who  will  never  know the pre-shared key (i.e. no forward se‐
2929                crecy).
2930
2931              In contrast to --tls-auth, --tls-crypt does not require the user
2932              to set --key-direction.
2933
2934              Security Considerations
2935
2936              All  peers  use the same --tls-crypt pre-shared group key to au‐
2937              thenticate and encrypt control channel messages. To ensure  that
2938              IV  collisions  remain  unlikely, this key should not be used to
2939              encrypt more than 2^48 client-to-server or 2^48 server-to-client
2940              control channel messages. A typical initial negotiation is about
2941              10 packets in each direction. Assuming both initial  negotiation
2942              and  renegotiations are at most 2^16 (65536) packets (to be con‐
2943              servative), and (re)negotiations happen  each  minute  for  each
2944              user  (24/7),  this  limits  the  tls-crypt key lifetime to 8171
2945              years divided by the number of users. So a setup with 1000 users
2946              should  rotate  the  key  at least once each eight years. (And a
2947              setup with 8000 users each year.)
2948
2949              If IV collisions were to occur, this could result in  the  secu‐
2950              rity  of  --tls-crypt  degrading  to  the same security as using
2951              --tls-auth.  That is, the control channel  still  benefits  from
2952              the  extra  protection  against active man-in-the-middle-attacks
2953              and DoS attacks, but may  no  longer  offer  extra  privacy  and
2954              post-quantum security on top of what TLS itself offers.
2955
2956              For  large  setups or setups where clients are not trusted, con‐
2957              sider using --tls-crypt-v2 instead. That uses per-client  unique
2958              keys, and thereby improves the bounds to 'rotate a client key at
2959              least once per 8000 years'.
2960
2961       --tls-crypt-v2 keyfile
2962              Valid syntax:
2963
2964                 tls-crypt-v2 keyfile
2965                 tls-crypt-v2 keyfile force-cookie
2966                 tls-crypt-v2 keyfile allow-noncookie
2967
2968              Use client-specific tls-crypt keys.
2969
2970              For clients, keyfile is a client-specific tls-crypt key. Such  a
2971              key  can be generated using the --genkey tls-crypt-v2-client op‐
2972              tion.
2973
2974              For servers, keyfile is used to unwrap client-specific keys sup‐
2975              plied  by  the  client during connection setup. This key must be
2976              the same as the key used to  generate  the  client-specific  key
2977              (see --genkey tls-crypt-v2-client).
2978
2979              On servers, this option can be used together with the --tls-auth
2980              or --tls-crypt option. In that  case,  the  server  will  detect
2981              whether  the client is using client-specific keys, and automati‐
2982              cally select the right mode.
2983
2984              The optional parameters force-cookie  allows  only  tls-crypt-v2
2985              clients  that  support  a cookie based stateless three way hand‐
2986              shake that avoids replay attacks and  state  exhaustion  on  the
2987              server  side (OpenVPN 2.6 and later). The option allow-noncookie
2988              explicitly allows older tls-crypt-v2  clients.  The  default  is
2989              (currently) allow-noncookie.
2990
2991       --tls-crypt-v2-verify cmd
2992              Run  command  cmd  to verify the metadata of the client-specific
2993              tls-crypt-v2 key of a connecting client. This allows server  ad‐
2994              ministrators  to  reject client connections, before exposing the
2995              TLS stack (including the notoriously dangerous X.509  and  ASN.1
2996              stacks) to the connecting client.
2997
2998              OpenVPN supplies the following environment variables to the com‐
2999              mand:
3000
3001script_type is set to tls-crypt-v2-verify
3002
3003metadata_type is set to 0 if the metadata was  user  supplied,
3004                or 1 if it's a 64-bit unix timestamp representing the key cre‐
3005                ation time.
3006
3007metadata_file contains the filename of a temporary  file  that
3008                contains the client metadata.
3009
3010              The command can reject the connection by exiting with a non-zero
3011              exit code.
3012
3013       --tls-exit
3014              Exit on TLS negotiation failure.
3015
3016       --tls-export-cert directory
3017              Store the certificates the clients use upon connection  to  this
3018              directory.  This will be done before --tls-verify is called. The
3019              certificates will use a temporary name and will be deleted  when
3020              the  tls-verify  script returns. The file name used for the cer‐
3021              tificate is available via the peer_cert environment variable.
3022
3023       --tls-server
3024              Enable TLS and assume server role  during  TLS  handshake.  Note
3025              that OpenVPN is designed as a peer-to-peer application. The des‐
3026              ignation of client or server is only for the purpose of  negoti‐
3027              ating the TLS control channel.
3028
3029       --tls-timeout n
3030              Packet  retransmit timeout on TLS control channel if no acknowl‐
3031              edgment from remote within n seconds (default 2).  When  OpenVPN
3032              sends a control packet to its peer, it will expect to receive an
3033              acknowledgement within n  seconds  or  it  will  retransmit  the
3034              packet,  subject  to  a  TCP-like exponential backoff algorithm.
3035              This parameter only applies to  control  channel  packets.  Data
3036              channel  packets  (which  carry encrypted tunnel data) are never
3037              acknowledged, sequenced, or retransmitted by OpenVPN because the
3038              higher level network protocols running on top of the tunnel such
3039              as TCP expect this role to be left to them.
3040
3041       --tls-version-min args
3042              Sets the minimum TLS version we will accept from the  peer  (de‐
3043              fault in 2.6.0 and later is "1.2").
3044
3045              Valid syntax:
3046
3047                 tls-version-min version ['or-highest']
3048
3049              Examples  for version include 1.0, 1.1, or 1.2. If or-highest is
3050              specified and version is not recognized, we will only accept the
3051              highest TLS version supported by the local SSL implementation.
3052
3053       --tls-version-max version
3054              Set  the maximum TLS version we will use (default is the highest
3055              version supported). Examples for version include  1.0,  1.1,  or
3056              1.2.
3057
3058       --verify-hash args
3059              DEPRECATED Specify SHA1 or SHA256 fingerprint for level-1 cert.
3060
3061              Valid syntax:
3062
3063                 verify-hash hash [algo]
3064
3065              The level-1 cert is the CA (or intermediate cert) that signs the
3066              leaf certificate, and is one removed from the  leaf  certificate
3067              in the direction of the root. When accepting a connection from a
3068              peer, the level-1 cert fingerprint must match hash  or  certifi‐
3069              cate  verification will fail. Hash is specified as XX:XX:... For
3070              example:
3071
3072                 AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
3073
3074              The algo flag can be either SHA1 or SHA256. If not provided,  it
3075              defaults to SHA1.
3076
3077              This option can also be inlined
3078
3079                 <verify-hash>
3080                 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
3081                 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
3082                 </verify-hash>
3083
3084       If the option is inlined, algo is always SHA256.
3085
3086       --peer-fingerprint args
3087                 Specify  a  SHA256 fingerprint or list of SHA256 fingerprints
3088                 to verify the peer certificate against. The peer  certificate
3089                 must match one of the fingerprint or certificate verification
3090                 will fail. The option can also be inlined
3091
3092              Valid syntax:
3093
3094                 peer-fingerprint AD:B0:95:D8:09:...
3095
3096              or inline:
3097
3098                 <peer-fingerprint>
3099                 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
3100                 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
3101                 </peer-fingerprint>
3102
3103              When the --peer-fingerprint option is used, specifying a CA with
3104              --ca  or --capath is optional. This allows the he --peer-finger‐
3105              print to be used as alternative to a PKI with  self-signed  cer‐
3106              tificates  for small setups. See the examples section for such a
3107              setup.
3108
3109       --verify-x509-name args
3110              Accept connections only if a host's X.509 name is equal to name.
3111              The remote host must also pass all other tests of verification.
3112
3113              Valid syntax:
3114
3115                 verify-x509 name type
3116
3117              Which  X.509  name is compared to name depends on the setting of
3118              type.  type can be subject to match the complete subject DN (de‐
3119              fault),  name  to  match a subject RDN or name-prefix to match a
3120              subject RDN prefix. Which RDN is verified as name depends on the
3121              --x509-username-field option. But it defaults to the common name
3122              (CN), e.g. a certificate with a subject DN
3123
3124                 C=KG, ST=NA, L=Bishkek, CN=Server-1
3125
3126              would be matched by:
3127
3128                 verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
3129                 verify-x509-name Server-1 name
3130                 verify-x509-name Server- name-prefix
3131
3132              The last example is useful if you want a client to  only  accept
3133              connections to Server-1, Server-2, etc.
3134
3135              --verify-x509-name  is a useful replacement for the --tls-verify
3136              option to verify the  remote  host,  because  --verify-x509-name
3137              works in a --chroot environment without any dependencies.
3138
3139              Using  a  name  prefix is a useful alternative to managing a CRL
3140              (Certificate Revocation List) on the client, since it allows the
3141              client  to  refuse  all certificates except for those associated
3142              with designated servers.
3143
3144              NOTE:  Test against a name prefix only when you are using  Open‐
3145                     VPN  with a custom CA certificate that is under your con‐
3146                     trol. Never use this option with  type  name-prefix  when
3147                     your  client  certificates  are  signed by a third party,
3148                     such as a commercial web CA.
3149
3150       --x509-track attribute
3151              Save peer X509 attribute value in environment for use by plugins
3152              and  management interface. Prepend a + to attribute to save val‐
3153              ues  from  full  cert  chain.  Values   will   be   encoded   as
3154              X509_<depth>_<attribute>=<value>.  Multiple --x509-track options
3155              can be defined to track multiple attributes.
3156
3157       --x509-username-field args
3158              Fields in the X.509 certificate subject to be used as the  user‐
3159              name (default CN). If multiple fields are specified their values
3160              will be concatenated into the one username using _ symbol  as  a
3161              separator.
3162
3163              Valid syntax:
3164
3165                 x509-username-field [ext:]fieldname [[ext:]fieldname...]
3166
3167              Typically,  this option is specified with fieldname arguments as
3168              either of the following:
3169
3170                 x509-username-field emailAddress
3171                 x509-username-field ext:subjectAltName
3172                 x509-username-field CN serialNumber
3173
3174              The first example uses the value of the  emailAddress  attribute
3175              in  the  certificate's Subject field as the username. The second
3176              example uses the ext: prefix to signify that the X.509 extension
3177              fieldname  subjectAltName  be searched for an rfc822Name (email)
3178              field to be used as the username. In cases where there are  mul‐
3179              tiple  email  addresses in ext:fieldname, the last occurrence is
3180              chosen. The last example uses the value of the CN  attribute  in
3181              the  Subject  field, combined with the _ separator and the hexa‐
3182              decimal representation of the certificate's serialNumber.
3183
3184              When this option is used,  the  --verify-x509-name  option  will
3185              match against the chosen fieldname instead of the Common Name.
3186
3187              Only  the  subjectAltName and issuerAltName X.509 extensions and
3188              serialNumber X.509 attribute are supported.
3189
3190              Please note: This option has a feature  which  will  convert  an
3191              all-lowercase fieldname to uppercase characters, e.g., ou -> OU.
3192              A mixed-case fieldname or one having the  ext:  prefix  will  be
3193              left  as-is.  This  automatic upcasing feature is deprecated and
3194              will be removed in a future release.
3195
3196              Non-compliant symbols are being replaced with the _ symbol, same
3197              as  the  field  separator, so concatenating multiple fields with
3198              such or _ symbols can potentially lead to username collisions.
3199
3200   PKCS#11 / SmartCard options
3201       --pkcs11-cert-private args
3202              Set if access to certificate object should  be  performed  after
3203              login.  Every provider has its own setting.
3204
3205              Valid syntaxes:
3206
3207                 pkcs11-cert-private 0
3208                 pkcs11-cert-private 1
3209
3210       --pkcs11-id name
3211              Specify  the serialized certificate id to be used. The id can be
3212              gotten by the standalone --show-pkcs11-ids option. See also  the
3213              description of --pkcs11-providers option.
3214
3215       --pkcs11-id-management
3216              Acquire  PKCS#11  id  from  management interface. In this case a
3217              NEED-STR 'pkcs11-id-request' real-time  message  will  be  trig‐
3218              gered,  application  may use pkcs11-id-count command to retrieve
3219              available number of certificates, and pkcs11-id-get  command  to
3220              retrieve  certificate id and certificate body.  See also the de‐
3221              scription of --pkcs11-providers option.
3222
3223       --pkcs11-pin-cache seconds
3224              Specify how many seconds the PIN can be cached, the  default  is
3225              until the token is removed.
3226
3227       --pkcs11-private-mode mode
3228              Specify  which method to use in order to perform private key op‐
3229              erations.  A different mode can be specified for each  provider.
3230              Mode is encoded as hex number, and can be a mask one of the fol‐
3231              lowing:
3232
3233              0 (default)   Try to determine automatically.
3234
3235              1             Use sign.
3236
3237              2             Use sign recover.
3238
3239              4             Use decrypt.
3240
3241              8             Use unwrap.
3242
3243       --pkcs11-protected-authentication args
3244              Use PKCS#11 protected authentication path, useful for  biometric
3245              and external keypad devices. Every provider has its own setting.
3246
3247              Valid syntaxes:
3248
3249                 pkcs11-protected-authentication 0
3250                 pkcs11-protected-authentication 1
3251
3252       --pkcs11-providers providers
3253              Specify an RSA Security Inc. PKCS #11 Cryptographic Token Inter‐
3254              face (Cryptoki) providers to load. A space-separated list of one
3255              or  more  provider  library  names may be specified. This option
3256              along with --pkcs11-id or pkcs11-id-management can be  used  in‐
3257              stead of --cert and --key or --pkcs12.
3258
3259              If  p11-kit  is  present  on  the  system and was enabled during
3260              build, its p11-kit-proxy.so module will be loaded by default  if
3261              either  the  --pkcs11-id  or  --pkcs11-id-management  options is
3262              present without --pkcs11-providers. If default  loading  is  not
3263              enabled  in the build and no providers are specified, the former
3264              options will be ignored.
3265
3266       --show-pkcs11-ids args
3267              (Standalone) Show PKCS#11 token object list.
3268
3269              Valid syntax:
3270
3271                 show-pkcs11 [provider] [cert_private]
3272
3273              Specify cert_private as 1 if certificates are stored as  private
3274              objects.
3275
3276              If  p11-kit  is  present on the system, the provider argument is
3277              optional; if omitted the default p11-kit-proxy.so module will be
3278              queried.
3279
3280              --verb  option  can be used BEFORE this option to produce debug‐
3281              ging information.
3282

DATA CHANNEL CIPHER NEGOTIATION

3284       OpenVPN 2.4 and higher have the capability to negotiate the data cipher
3285       that is used to encrypt data packets. This section describes the mecha‐
3286       nism in more detail and the different backwards compatibility mechanism
3287       with older server and clients.
3288
3289   OpenVPN 2.5 and later behaviour
3290       When  both client and server are at least running OpenVPN 2.5, that the
3291       order of the ciphers of the server's --data-ciphers is used to pick the
3292       the data cipher.  That means that the first cipher in that list that is
3293       also in the client's --data-ciphers list is chosen. If no common cipher
3294       is  found the client is rejected with a AUTH_FAILED message (as seen in
3295       client log):
3296          AUTH: Received control message: AUTH_FAILED,Data channel cipher  ne‐
3297          gotiation failed (no shared cipher)
3298
3299       OpenVPN  2.5  and  later  will  only  allow  the  ciphers  specified in
3300       --data-ciphers.   If  --data-ciphers  is  not  set   the   default   is
3301       AES-256-GCM:AES-128-GCM.   In  2.6  and later the default is changed to
3302       AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305  when  Chacha20-Poly1305   is
3303       available.
3304
3305       For  backwards  compatibility  OpenVPN 2.6 and later with --compat-mode
3306       2.4.x (or lower) and OpenVPN 2.5 will automatically add a cipher speci‐
3307       fied using the --cipher option to this list.
3308
3309   OpenVPN 2.4 clients
3310       The  negotiation  support in OpenVPN 2.4 was the first iteration of the
3311       implementation and still had some quirks. Its main goal was "upgrade to
3312       AES-256-GCM  when  possible".   An  OpenVPN  2.4  client  that is built
3313       against a crypto library that supports AES in GCM  mode  and  does  not
3314       have  --ncp-disable  will  always  announce support for AES-256-GCM and
3315       AES-128-GCM to a server by sending IV_NCP=2.
3316
3317       This only causes a problem if --ncp-ciphers  option  has  been  changed
3318       from  the  default  of AES-256-GCM:AES-128-GCM to a value that does not
3319       include these  two  ciphers.  When  an  OpenVPN  server  tries  to  use
3320       AES-256-GCM  or AES-128-GCM the connection will then fail. It is there‐
3321       fore recommended to always have the AES-256-GCM and AES-128-GCM ciphers
3322       to the --ncp-ciphers options to avoid this behaviour.
3323
3324   OpenVPN 3 clients
3325       Clients     based     on     the     OpenVPN     3.x     library     (‐
3326       https://github.com/openvpn/openvpn3/)  do  not  have   a   configurable
3327       --ncp-ciphers  or --data-ciphers option. Newer versions by default dis‐
3328       able legacy AES-CBC, BF-CBC, and DES-CBC ciphers.  These  clients  will
3329       always   announce   support   for  all  their  supported  AEAD  ciphers
3330       (AES-256-GCM,    AES-128-GCM    and    in    newer    versions     also
3331       Chacha20-Poly1305).
3332
3333       To  support  OpenVPN  3.x  based  clients at least one of these ciphers
3334       needs to be included in the server's --data-ciphers option.
3335
3336   OpenVPN 2.3 and older clients (and clients with --ncp-disable)
3337       When a client without cipher negotiation support connects to  a  server
3338       the  cipher specified with the --cipher option in the client configura‐
3339       tion must be included in the --data-ciphers option of the server to al‐
3340       low  the  client  to  connect.  Otherwise  the  client will be sent the
3341       AUTH_FAILED message that indicates no shared cipher.
3342
3343       If the client is 2.3 or older and has been configured  with  the  --en‐
3344       able-small  ./configure argument, using data-ciphers-fallback cipher in
3345       the server config file with the explicit cipher used by the  client  is
3346       necessary.
3347
3348   OpenVPN 2.4 server
3349       When  a  client indicates support for AES-128-GCM and AES-256-GCM (with
3350       IV_NCP=2) an OpenVPN 2.4 server will  send  the  first  cipher  of  the
3351       --ncp-ciphers  to  the OpenVPN client regardless of what the cipher is.
3352       To emulate the behaviour of an OpenVPN 2.4 client as close as  possible
3353       and  have  compatibility  to a setup that depends on this quirk, adding
3354       AES-128-GCM and AES-256-GCM to the client's  --data-ciphers  option  is
3355       required.  OpenVPN  2.5+  will only announce the IV_NCP=2 flag if those
3356       ciphers are present.
3357
3358   OpenVPN 2.3 and older servers (and servers with --ncp-disable)
3359       The cipher used by the server must be included in --data-ciphers to al‐
3360       low  the  client connecting to a server without cipher negotiation sup‐
3361       port.  (For compatibility OpenVPN 2.5 will also accept the  cipher  set
3362       with --cipher)
3363
3364       If  the  server is 2.3 or older and  has been configured with the --en‐
3365       able-small ./configure argument, adding --data-ciphers-fallback  cipher
3366       to  the  client  config  with the explicit cipher used by the server is
3367       necessary.
3368
3369   Blowfish in CBC mode (BF-CBC) deprecation
3370       The --cipher option defaulted to BF-CBC in OpenVPN 2.4 and  older  ver‐
3371       sion.  The default was never changed to ensure backwards compatibility.
3372       In OpenVPN 2.5 this behaviour has now been changed so that if the --ci‐
3373       pher is not explicitly set it does not allow the weak BF-CBC cipher any
3374       more and needs to explicitly added as  --cipher  BFC-CBC  or  added  to
3375       --data-ciphers.
3376
3377       We  strongly  recommend  to switching away from BF-CBC to a more secure
3378       cipher as soon as possible instead.
3379

NETWORK CONFIGURATION

3381       OpenVPN consists of two sides of network configuration.   One  side  is
3382       the  link between the local and remote side, the other side is the vir‐
3383       tual network adapter (tun/tap device).
3384
3385   Link Options
3386       This link options section covers options related to the connection  be‐
3387       tween the local and the remote host.
3388
3389       --bind keywords
3390              Bind  to  local address and port. This is the default unless any
3391              of --proto tcp-client , --http-proxy or --socks-proxy are used.
3392
3393              If the optional ipv6only keyword is present  OpenVPN  will  bind
3394              only to IPv6 (as opposed to IPv6 and IPv4) when a IPv6 socket is
3395              opened.
3396
3397       --float
3398              Allow remote peer to change its IP address and/or  port  number,
3399              such  as  due  to  DHCP  (this is the default if --remote is not
3400              used).  --float when specified with --remote allows  an  OpenVPN
3401              session  to initially connect to a peer at a known address, how‐
3402              ever if packets arrive from a new address and pass all authenti‐
3403              cation  tests, the new address will take control of the session.
3404              This is useful when you are connecting to a peer which  holds  a
3405              dynamic address such as a dial-in user or DHCP client.
3406
3407              Essentially, --float tells OpenVPN to accept authenticated pack‐
3408              ets from any address, not only the address which  was  specified
3409              in the --remote option.
3410
3411       --fragment args
3412              Valid syntax:
3413
3414                 fragment max
3415                 fragment max mtu
3416
3417              Enable  internal datagram fragmentation so that no UDP datagrams
3418              are sent which are larger than max bytes.
3419
3420              If the mtu parameter is present the max parameter is interpreted
3421              to  include IP and UDP encapsulation overhead. The mtu parameter
3422              is introduced in OpenVPN version 2.6.0.
3423
3424              If the mtu parameter is absent, the max parameter is interpreted
3425              in  the  same  way  as  the  --link-mtu parameter, i.e.  the UDP
3426              packet size after encapsulation overhead has been added in,  but
3427              not including the UDP header itself.
3428
3429              The  --fragment  option  only makes sense when you are using the
3430              UDP protocol (--proto udp).
3431
3432              --fragment adds 4 bytes of overhead per datagram.
3433
3434              See the --mssfix option below for an important related option to
3435              --fragment.
3436
3437              It should also be noted that this option is not meant to replace
3438              UDP fragmentation at the IP stack level. It is only meant  as  a
3439              last resort when path MTU discovery is broken. Using this option
3440              is less efficient than fixing path MTU  discovery  for  your  IP
3441              link and using native IP fragmentation instead.
3442
3443              Having  said that, there are circumstances where using OpenVPN's
3444              internal fragmentation capability may be your only option,  such
3445              as  tunneling  a  UDP multicast stream which requires fragmenta‐
3446              tion.
3447
3448       --keepalive args
3449              A helper directive designed to simplify the expression of --ping
3450              and --ping-restart.
3451
3452              Valid syntax:
3453
3454                 keepalive interval timeout
3455
3456              Send  ping  once  every interval seconds, restart if ping is not
3457              received for timeout seconds.
3458
3459              This option can be used on both client and server side,  but  it
3460              is  enough to add this on the server side as it will push appro‐
3461              priate --ping and --ping-restart options to the client. If  used
3462              on  both  server  and client, the values pushed from server will
3463              override the client local values.
3464
3465              The timeout argument will be twice as long on the  server  side.
3466              This  ensures  that  a timeout is detected on client side before
3467              the server side drops the connection.
3468
3469              For example, --keepalive 10 60 expands as follows:
3470
3471                 if mode server:
3472                     ping 10                    # Argument: interval
3473                     ping-restart 120           # Argument: timeout*2
3474                     push "ping 10"             # Argument: interval
3475                     push "ping-restart 60"     # Argument: timeout
3476                 else
3477                     ping 10                    # Argument: interval
3478                     ping-restart 60            # Argument: timeout
3479
3480       --link-mtu n
3481              DEPRECATED Sets an upper bound on the size of UDP packets  which
3482              are sent between OpenVPN peers. It's best not to set this param‐
3483              eter unless you know what you're doing.
3484
3485              Due to variable header size of IP header (20 bytes for IPv4  and
3486              40  bytes  for IPv6) and dynamically negotiated data channel ci‐
3487              pher, this option is not reliable.  It  is  recommended  to  set
3488              tun-mtu with enough headroom instead.
3489
3490       --local host
3491              Local  host  name  or IP address for bind. If specified, OpenVPN
3492              will bind to this address only.  If  unspecified,  OpenVPN  will
3493              bind to all interfaces.
3494
3495       --lport port
3496              Set  local  TCP/UDP port number or name. Cannot be used together
3497              with --nobind option.
3498
3499       --mark value
3500              Mark encrypted packets being sent with value. The mark value can
3501              be matched in policy routing and packetfilter rules. This option
3502              is only supported in Linux and does nothing on  other  operating
3503              systems.
3504
3505       --mode m
3506              Set   OpenVPN   major   mode.   By   default,  OpenVPN  runs  in
3507              point-to-point mode (p2p). OpenVPN 2.0  introduces  a  new  mode
3508              (server) which implements a multi-client server capability.
3509
3510       --mssfix args
3511              Valid syntax:
3512
3513                 mssfix max [mtu]
3514
3515                 mssfix max [fixed]
3516
3517                 mssfix
3518
3519              Announce  to  TCP  sessions  running  over  the tunnel that they
3520              should limit their send packet sizes such that after OpenVPN has
3521              encapsulated  them,  the  resulting UDP packet size that OpenVPN
3522              sends to its peer will not exceed max bytes. The  default  value
3523              is 1492 mtu. Use 0 as max to disable mssfix.
3524
3525              If  the  mtu parameter is specified the max value is interpreted
3526              as the resulting packet size of VPN packets including the IP and
3527              UDP  header.  Support for the mtu parameter was added with Open‐
3528              VPN version 2.6.0.
3529
3530              If the mtu parameter is not specified, the max parameter is  in‐
3531              terpreted in the same way as the --link-mtu parameter, i.e.  the
3532              UDP packet size after encapsulation overhead has been added  in,
3533              but  not including the UDP header itself. Resulting packet would
3534              be at most 28 bytes larger for IPv4 and 48 bytes for IPv6 (20/40
3535              bytes  for  IP header and 8 bytes for UDP header). Default value
3536              of 1450 allows OpenVPN packets to be transmitted over IPv4 on  a
3537              link with MTU 1478 or higher without IP level fragmentation (and
3538              1498 for IPv6).
3539
3540              If the fixed parameter is specified, OpenVPN will  make  no  at‐
3541              tempt  to  calculate  the VPN encapsulation overhead but instead
3542              will set the MSS to limit the size of the payload IP packets  to
3543              the  specified number. IPv4 packets will have the MSS value low‐
3544              ered to mssfix - 40 and IPv6 packets to mssfix - 60.
3545
3546              if --mssfix is specified is specified without any  parameter  it
3547              inherits  the  parameters of --fragment if specified or uses the
3548              default for --mssfix otherwise.
3549
3550              The --mssfix option only makes sense when you are using the  UDP
3551              protocol  for  OpenVPN  peer-to-peer communication, i.e. --proto
3552              udp.
3553
3554              --mssfix and --fragment can  be  ideally  used  together,  where
3555              --mssfix  will try to keep TCP from needing packet fragmentation
3556              in the first place, and if big packets come through anyhow (from
3557              protocols  other  than TCP), --fragment will internally fragment
3558              them.
3559
3560              --max-packet-size, --fragment, and --mssfix are designed to work
3561              around  cases  where Path MTU discovery is broken on the network
3562              path between OpenVPN peers.
3563
3564              The usual symptom of such a breakdown is an  OpenVPN  connection
3565              which successfully starts, but then stalls during active usage.
3566
3567              If --fragment and --mssfix are used together, --mssfix will take
3568              its default max parameter from the --fragment max option.
3569
3570              Therefore, one could lower the maximum UDP packet size  to  1300
3571              (a  good  first try for solving MTU-related connection problems)
3572              with the following options:
3573
3574                 --tun-mtu 1500 --fragment 1300 --mssfix
3575
3576              If the max-packet-size size option is used in the  configuration
3577              it will also act as if mssfix size mtu was specified in the con‐
3578              figuration.
3579
3580       --mtu-disc type
3581              Should we do Path MTU discovery on TCP/UDP  channel?  Only  sup‐
3582              ported  on OSes such as Linux that supports the necessary system
3583              call to set.
3584
3585              Valid types:
3586
3587              no      Never send DF (Don't Fragment) frames
3588
3589              maybe   Use per-route hints
3590
3591              yes     Always DF (Don't Fragment)
3592
3593       --mtu-test
3594              To empirically  measure  MTU  on  connection  startup,  add  the
3595              --mtu-test  option to your configuration. OpenVPN will send ping
3596              packets of various sizes to the  remote  peer  and  measure  the
3597              largest packets which were successfully received. The --mtu-test
3598              process normally takes about 3 minutes to complete.
3599
3600       --nobind
3601              Do not bind to local address and port. The IP stack  will  allo‐
3602              cate  a  dynamic  port for returning packets. Since the value of
3603              the dynamic port could not be known in advance by a  peer,  this
3604              option  is only suitable for peers which will be initiating con‐
3605              nections by using the --remote option.
3606
3607       --passtos
3608              Set the TOS field of the tunnel packet to what the payload's TOS
3609              is.
3610
3611       --ping n
3612              Ping  remote over the TCP/UDP control channel if no packets have
3613              been sent for at least n seconds (specify --ping on  both  peers
3614              to  cause ping packets to be sent in both directions since Open‐
3615              VPN ping packets are not echoed like IP ping packets). When used
3616              in  one  of OpenVPN's secure modes (where --secret, --tls-server
3617              or --tls-client is specified), the ping packet will  be  crypto‐
3618              graphically secure.
3619
3620              This option has two intended uses:
3621
3622              1. Compatibility with stateful firewalls. The periodic ping will
3623                 ensure that a stateful firewall rule which allows OpenVPN UDP
3624                 packets to pass will not time out.
3625
3626              2. To  provide  a  basis for the remote to test the existence of
3627                 its peer using the --ping-exit option.
3628
3629              When using OpenVPN in server mode see also --keepalive.
3630
3631       --ping-exit n
3632              Causes OpenVPN to exit after n seconds pass without reception of
3633              a  ping or other packet from remote. This option can be combined
3634              with --inactive, --ping and --ping-exit to create  a  two-tiered
3635              inactivity disconnect.
3636
3637              For example,
3638
3639                 openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
3640
3641              when  used  on  both  peers will cause OpenVPN to exit within 60
3642              seconds if its peer disconnects, but will exit after one hour if
3643              no actual tunnel data is exchanged.
3644
3645       --ping-restart n
3646              Similar  to  --ping-exit,  but trigger a SIGUSR1 restart after n
3647              seconds pass without reception of a ping or  other  packet  from
3648              remote.
3649
3650              This  option  is useful in cases where the remote peer has a dy‐
3651              namic IP address and a low-TTL DNS name is used to track the  IP
3652              address  using  a service such as https://www.nsupdate.info/ + a
3653              dynamic DNS client such as ddclient.
3654
3655              If the peer cannot be reached,  a  restart  will  be  triggered,
3656              causing  the  hostname  used with --remote to be re-resolved (if
3657              --resolv-retry is also specified).
3658
3659              In server mode, --ping-restart, --inactive or any other type  of
3660              internally generated signal will always be applied to individual
3661              client instance objects, never to whole server itself. Note also
3662              in  server mode that any internally generated signal which would
3663              normally cause a restart, will cause the deletion of the  client
3664              instance object instead.
3665
3666              In  client mode, the --ping-restart parameter is set to 120 sec‐
3667              onds by default. This default will hold until the client pulls a
3668              replacement value from the server, based on the --keepalive set‐
3669              ting in the server configuration. To disable the 120 second  de‐
3670              fault, set --ping-restart 0 on the client.
3671
3672              See the signals section below for more information on SIGUSR1.
3673
3674              Note  that the behavior of SIGUSR1 can be modified by the --per‐
3675              sist-tun, --persist-key,  --persist-local-ip  and  --persist-re‐
3676              mote-ip options.
3677
3678              Also  note  that --ping-exit and --ping-restart are mutually ex‐
3679              clusive and cannot be used together.
3680
3681       --ping-timer-rem
3682              Run the --ping-exit / --ping-restart timer only if we have a re‐
3683              mote  address. Use this option if you are starting the daemon in
3684              listen mode (i.e. without an explicit --remote  peer),  and  you
3685              don't  want  to start clocking timeouts until a remote peer con‐
3686              nects.
3687
3688       --proto p
3689              Use protocol p for communicating with remote host. p can be udp,
3690              tcp-client,  or  tcp-server.  You  can also limit OpenVPN to use
3691              only IPv4 or only IPv6 by specifying  p  as  udp4,  tcp4-client,
3692              tcp4-server or udp6, tcp6-client, tcp6-server, respectively.
3693
3694              The default protocol is udp when --proto is not specified.
3695
3696              For  UDP  operation,  --proto  udp  should  be specified on both
3697              peers.
3698
3699              For TCP operation, one peer must use --proto tcp-server and  the
3700              other   must   use  --proto  tcp-client.  A  peer  started  with
3701              tcp-server will wait indefinitely for an incoming connection.  A
3702              peer  started  with  tcp-client  will attempt to connect, and if
3703              that fails, will sleep for 5 seconds (adjustable via the  --con‐
3704              nect-retry  option)  and  try  again infinite or up to N retries
3705              (adjustable via the --connect-retry-max option). Both TCP client
3706              and server will simulate a SIGUSR1 restart signal if either side
3707              resets the connection.
3708
3709              OpenVPN is designed to operate optimally over UDP, but TCP capa‐
3710              bility  is  provided for situations where UDP cannot be used. In
3711              comparison with UDP, TCP will usually be somewhat less efficient
3712              and less robust when used over unreliable or congested networks.
3713
3714              This  article  outlines  some of problems with tunneling IP over
3715              TCP: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
3716
3717              There are certain cases, however, where using TCP may be  advan‐
3718              tageous from a security and robustness perspective, such as tun‐
3719              neling non-IP or application-level UDP protocols,  or  tunneling
3720              protocols which don't possess a built-in reliability layer.
3721
3722       --port port
3723              TCP/UDP port number or port name for both local and remote (sets
3724              both --lport and --rport options to given port). The current de‐
3725              fault  of  1194 represents the official IANA port number assign‐
3726              ment for OpenVPN and has been  used  since  version  2.0-beta17.
3727              Previous versions used port 5000 as the default.
3728
3729       --rport port
3730              Set TCP/UDP port number or name used by the --remote option. The
3731              port can also be set directly using the --remote option.
3732
3733       --replay-window args
3734              Modify the replay protection sliding-window size and  time  win‐
3735              dow.
3736
3737              Valid syntaxes:
3738
3739                 replay-window n
3740                 replay-window n t
3741
3742              Use a replay protection sliding-window of size n and a time win‐
3743              dow of t seconds.
3744
3745              By default n is 64 (the IPSec default) and t is 15 seconds.
3746
3747              This option is only relevant  in  UDP  mode,  i.e.  when  either
3748              --proto udp is specified, or no --proto option is specified.
3749
3750              When OpenVPN tunnels IP packets over UDP, there is the possibil‐
3751              ity that packets might be dropped or delivered out of order. Be‐
3752              cause  OpenVPN,  like  IPSec,  is emulating the physical network
3753              layer, it will accept an out-of-order packet sequence, and  will
3754              deliver such packets in the same order they were received to the
3755              TCP/IP  protocol  stack,  provided  they  satisfy  several  con‐
3756              straints.
3757
3758              a. The  packet  cannot be a replay (unless --no-replay is speci‐
3759                 fied, which disables replay protection altogether).
3760
3761              b. If a packet arrives out of order, it will only be accepted if
3762                 the  difference  between  its sequence number and the highest
3763                 sequence number received so far is less than n.
3764
3765              c. If a packet arrives out of order, it will only be accepted if
3766                 it  arrives no later than t seconds after any packet contain‐
3767                 ing a higher sequence number.
3768
3769              If you are using a network link with a large  pipeline  (meaning
3770              that the product of bandwidth and latency is high), you may want
3771              to use a larger value for n. Satellite links in particular often
3772              require this.
3773
3774              If  you  run  OpenVPN  at  --verb  4,  you  will see the message
3775              "PID_ERR replay-window backtrack occurred [x]"  every  time  the
3776              maximum  sequence number backtrack seen thus far increases. This
3777              can be used to calibrate n.
3778
3779              There is some controversy on the appropriate method of  handling
3780              packet reordering at the security layer.
3781
3782              Namely, to what extent should the security layer protect the en‐
3783              capsulated protocol from attacks which masquerade as  the  kinds
3784              of  normal  packet  loss  and reordering that occur over IP net‐
3785              works?
3786
3787              The IPSec and OpenVPN approach is  to  allow  packet  reordering
3788              within a certain fixed sequence number window.
3789
3790              OpenVPN  adds  to the IPSec model by limiting the window size in
3791              time as well as sequence space.
3792
3793              OpenVPN also adds TCP transport as an  option  (not  offered  by
3794              IPSec)  in  which  case OpenVPN can adopt a very strict attitude
3795              towards message deletion and reordering: Don't allow  it.  Since
3796              TCP  guarantees reliability, any packet loss or reordering event
3797              can be assumed to be an attack.
3798
3799              In this sense, it could be argued that TCP tunnel  transport  is
3800              preferred  when  tunneling  non-IP  or UDP application protocols
3801              which might be vulnerable to a message  deletion  or  reordering
3802              attack  which  falls within the normal operational parameters of
3803              IP networks.
3804
3805              So I would make the statement that one  should  never  tunnel  a
3806              non-IP  protocol  or  UDP  application protocol over UDP, if the
3807              protocol might be vulnerable to a message deletion or reordering
3808              attack that falls within the normal operating parameters of what
3809              is to be expected from the physical IP  layer.  The  problem  is
3810              easily fixed by simply using TCP as the VPN transport layer.
3811
3812       --replay-persist file
3813              Persist  replay-protection  state  across sessions using file to
3814              save and reload the state.
3815
3816              This option will keep a disk copy of the current replay  protec‐
3817              tion  state  (i.e. the most recent packet timestamp and sequence
3818              number received from the remote peer), so  that  if  an  OpenVPN
3819              session  is stopped and restarted, it will reject any replays of
3820              packets which were already received by the prior session.
3821
3822              This option only makes sense when replay protection  is  enabled
3823              (the  default)  and you are using either --secret (shared-secret
3824              key mode) or TLS mode with --tls-auth.
3825
3826       --session-timeout n
3827              Raises SIGTERM for the client instance after n seconds since the
3828              beginning  of  the  session,  forcing OpenVPN to disconnect.  In
3829              client mode, OpenVPN will disconnect and exit, while  in  server
3830              mode all client sessions are terminated.
3831
3832              This  option  can  also be specified in a client instance config
3833              file using --client-config-dir or dynamically generated using  a
3834              --client-connect script. In these cases, only the related client
3835              session is terminated.
3836
3837       --socket-flags flags
3838              Apply the given flags to  the  OpenVPN  transport  socket.  Cur‐
3839              rently, only TCP_NODELAY is supported.
3840
3841              The  TCP_NODELAY  socket  flag is useful in TCP mode, and causes
3842              the kernel to send tunnel packets immediately over the TCP  con‐
3843              nection  without  trying to group several smaller packets into a
3844              larger packet.  This can result in a considerably improvement in
3845              latency.
3846
3847              This  option  is  pushable  from server to client, and should be
3848              used on both client and server for maximum effect.
3849
3850       --tcp-nodelay
3851              This macro sets the TCP_NODELAY socket flag  on  the  server  as
3852              well  as  pushes  it to connecting clients. The TCP_NODELAY flag
3853              disables the Nagle algorithm on TCP sockets causing  packets  to
3854              be transmitted immediately with low latency, rather than waiting
3855              a short period of time in order  to  aggregate  several  packets
3856              into  a larger containing packet.  In VPN applications over TCP,
3857              TCP_NODELAY is generally a good latency optimization.
3858
3859              The macro expands as follows:
3860
3861                 if mode server:
3862                     socket-flags TCP_NODELAY
3863                     push "socket-flags TCP_NODELAY"
3864
3865       --max-packet-size size
3866              This option will instruct OpenVPN to try to  limit  the  maximum
3867              on-write  packet  size by restricting the control channel packet
3868              size and setting --mssfix.
3869
3870              OpenVPN will try to keep its control channel messages below this
3871              size but due to some constraints in the protocol this is not al‐
3872              ways possible. If the option is not set, the control packet max‐
3873              imum  size  defaults  to  1250.  The control channel packet size
3874              will be restricted to values between 154 and 2048.  The  maximum
3875              packet size includes encapsulation overhead like UDP and IP.
3876
3877              In terms of --mssfix it will expand to:
3878
3879                 mssfix size mtu
3880
3881              If you need to set --mssfix for data channel and control channel
3882              maximum packet size independently, use --max-packet-size  first,
3883              followed by a --mssfix in the configuration.
3884
3885              In  general  the default size of 1250 should work almost univer‐
3886              sally apart from specific corner cases,  especially  since  IPv6
3887              requires a MTU of 1280 or larger.
3888
3889   Virtual Network Adapter (VPN interface)
3890       Options in this section relates to configuration of the virtual tun/tap
3891       network interface, including setting the VPN  IP  address  and  network
3892       routing.
3893
3894       --bind-dev device
3895              (Linux  only)  Set device to bind the server socket to a Virtual
3896              Routing and Forwarding device
3897
3898       --block-ipv6
3899              On the client, instead of sending IPv6 packets over the VPN tun‐
3900              nel,  all IPv6 packets are answered with an ICMPv6 no route host
3901              message. On the server, all IPv6 packets from  clients  are  an‐
3902              swered  with an ICMPv6 no route to host message. This options is
3903              intended for cases when IPv6 should be blocked and other options
3904              are  not  available.  --block-ipv6  will  use the remote IPv6 as
3905              source address of the ICMPv6 packets if set, otherwise will  use
3906              fe80::7 as source address.
3907
3908              For this option to make sense you actually have to route traffic
3909              to the tun interface. The following example config  block  would
3910              send all IPv6 traffic to OpenVPN and answer all requests with no
3911              route to host, effectively blocking IPv6 (to avoid IPv6  connec‐
3912              tions  from  dual-stacked  clients  leaking around IPv4-only VPN
3913              services).
3914
3915              Client config
3916
3917                        --ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
3918                        --redirect-gateway ipv6
3919                        --block-ipv6
3920
3921              Server config
3922                     Push a "valid" ipv6 config to the client and block on the
3923                     server
3924
3925                        --push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
3926                        --push "redirect-gateway ipv6"
3927                        --block-ipv6
3928
3929              Note:  this  option  does  not  influence  traffic sent from the
3930              server towards the client (neither on  the  server  nor  on  the
3931              client  side).   This  is not seen as necessary, as such traffic
3932              can be most easily avoided by not configuring IPv6 on the server
3933              tun, or setting up a server-side firewall rule.
3934
3935       --dev device
3936              TUN/TAP  virtual network device which can be tunX, tapX, null or
3937              an arbitrary name string (X can be omitted  for  a  dynamic  de‐
3938              vice.)
3939
3940              See  examples  section  below for an example on setting up a TUN
3941              device.
3942
3943              You must use either tun devices on both ends of  the  connection
3944              or tap devices on both ends. You cannot mix them, as they repre‐
3945              sent different underlying network layers:
3946
3947              tun    devices encapsulate IPv4 or IPv6 (OSI Layer 3)
3948
3949              tap    devices encapsulate Ethernet 802.3 (OSI Layer 2).
3950
3951              Valid syntaxes:
3952
3953                 dev tun2
3954                 dev tap4
3955                 dev ovpn
3956
3957              What happens if the device name is not tun or  tap  is  platform
3958              dependent.
3959
3960              On  most platforms, tunN (e.g. tun2, tun30) and tapN (e.g. tap3)
3961              will create a numbered tun/tap interface with the number  speci‐
3962              fied  - this is useful if multiple OpenVPN instances are active,
3963              and the instance-to-device mapping  needs  to  be  known.   Some
3964              platforms  do  not  support "numbered tap", so trying --dev tap3
3965              will fail.
3966
3967              Arbitrary device names (e.g. --dev tun-home) will only  work  on
3968              FreeBSD  (with  the DCO kernel driver for tun devices) and Linux
3969              (for both tun and tap devices, DCO and tun/tap driver).
3970
3971              If such a device name starts with tun or  tap  (e.g.  tun-home),
3972              OpenVPN will choose the right device type automatically.  Other‐
3973              wise  the  desired  device  type  needs  to  be  specified  with
3974              --dev-type tun or --dev-type tap.
3975
3976              On Windows, only the names tun and tap are supported.  Selection
3977              among multiple installed drivers or  driver  instances  is  done
3978              with --dev-node and --windows-driver.
3979
3980       --dev-node node
3981              This  is  a  highly system dependent option to influence tun/tap
3982              driver selection.
3983
3984              On Linux, tun/tap devices are created by accessing /dev/net/tun,
3985              and this device name can be changed using --dev-node ....
3986
3987              Under  Mac  OS  X this option can be used to specify the default
3988              tun implementation. Using --dev-node utun forces  usage  of  the
3989              native Darwin tun kernel support. Use --dev-node utunN to select
3990              a  specific  utun  instance.  To  force   using   the   tun.kext
3991              (/dev/tunX) use --dev-node tun. When not specifying a --dev-node
3992              option openvpn will first try to open utun,  and  fall  back  to
3993              tun.kext.
3994
3995              On  Windows systems, select the TAP-Win32 adapter which is named
3996              node in the Network Connections Control Panel or the raw GUID of
3997              the adapter enclosed by braces. The --show-adapters option under
3998              Windows can also be used to enumerate  all  available  TAP-Win32
3999              adapters  and  will  show  both  the network connections control
4000              panel name and the GUID for each TAP-Win32 adapter.
4001
4002              On other platforms, --dev-node node will influence the naming of
4003              the  created  tun/tap device, if supported on that platform.  If
4004              OpenVPN cannot figure out whether node is a TUN  or  TAP  device
4005              based  on  the  name,  you should also specify --dev-type tun or
4006              --dev-type tap.
4007
4008       --dev-type device-type
4009              Which device type are we using? device-type should be  tun  (OSI
4010              Layer  3)  or  tap  (OSI  Layer  2). Use this option only if the
4011              TUN/TAP device used with --dev does not begin with tun or tap.
4012
4013       --dhcp-option args
4014              Set additional network parameters on supported platforms. May be
4015              specified  on  the  client or pushed from the server. On Windows
4016              these options are handled by the tap-windows6 driver by  default
4017              or  directly by OpenVPN if dhcp is disabled or the wintun driver
4018              is in use. The OpenVPN for Android client also handles them  in‐
4019              ternally.
4020
4021              On  all  other  platforms  these  options  are only saved in the
4022              client's environment under the  name  foreign_option_{n}  before
4023              the  --up  script  is called. A plugin or an --up script must be
4024              used to pick up and interpret these as required. Many Linux dis‐
4025              tributions include such scripts and some third-party user inter‐
4026              faces such as tunnelblick also come with  scripts  that  process
4027              these options.
4028
4029              Valid syntax:
4030
4031                 dhcp-option type [parm]
4032
4033              DOMAIN name
4034                     Set Connection-specific DNS Suffix to name.
4035
4036              ADAPTER_DOMAIN_SUFFIX name
4037                     Alias  to  DOMAIN.  This  is  a  compatibility option, it
4038                     should not be used in new deployments.
4039
4040              DOMAIN-SEARCH name
4041                     Add name to the domain search list.  Repeat  this  option
4042                     to add more entries. Up to 10 domains are supported.
4043
4044              DNS address
4045                     Set primary domain name server IPv4 or IPv6 address.  Re‐
4046                     peat this option to set secondary DNS server addresses.
4047
4048                     Note: DNS IPv6 servers are currently set using netsh (the
4049                     existing DHCP code can only do IPv4 DHCP, and that proto‐
4050                     col only permits IPv4  addresses  anywhere).  The  option
4051                     will be put into the environment, so an --up script could
4052                     act upon it if needed.
4053
4054              WINS address
4055                     Set primary WINS server address (NetBIOS over TCP/IP Name
4056                     Server).  Repeat this option to set secondary WINS server
4057                     addresses.
4058
4059              NBDD address
4060                     Set primary NBDD  server  address  (NetBIOS  over  TCP/IP
4061                     Datagram  Distribution Server). Repeat this option to set
4062                     secondary NBDD server addresses.
4063
4064              NTP address
4065                     Set primary NTP server address (Network  Time  Protocol).
4066                     Repeat this option to set secondary NTP server addresses.
4067
4068              NBT type
4069                     Set NetBIOS over TCP/IP Node type. Possible options:
4070
4071                     1      b-node (broadcasts)
4072
4073                     2      p-node  (point-to-point  name  queries  to  a WINS
4074                            server)
4075
4076                     4      m-node (broadcast then query name server)
4077
4078                     8      h-node (query name server, then broadcast).
4079
4080              NBS scope-id
4081                     Set NetBIOS over TCP/IP Scope. A NetBIOS  Scope  ID  pro‐
4082                     vides  an  extended  naming  service for the NetBIOS over
4083                     TCP/IP (Known as NBT) module. The primary  purpose  of  a
4084                     NetBIOS  scope ID is to isolate NetBIOS traffic on a sin‐
4085                     gle network to only those nodes  with  the  same  NetBIOS
4086                     scope ID. The NetBIOS scope ID is a character string that
4087                     is appended to the NetBIOS name. The NetBIOS scope ID  on
4088                     two  hosts  must match, or the two hosts will not be able
4089                     to communicate.  The NetBIOS Scope ID also allows comput‐
4090                     ers to use the same computer name, as they have different
4091                     scope IDs. The Scope ID becomes a  part  of  the  NetBIOS
4092                     name,  making  the name unique. (This description of Net‐
4093                     BIOS scopes courtesy of NeonSurge@abyss.com)
4094
4095              DISABLE-NBT
4096                     Disable Netbios-over-TCP/IP.
4097
4098              code   PROXY_HTTP host port Sets a HTTP  proxy  that  should  be
4099                     used when connected to the VPN.
4100
4101                     This  option  currently only works on OpenVPN for Android
4102                     and requires Android 10 or later.
4103
4104       --ifconfig args
4105              Set TUN/TAP adapter parameters. It requires the  IP  address  of
4106              the  local VPN endpoint. For TUN devices in point-to-point mode,
4107              the next argument must be the VPN IP address of the  remote  VPN
4108              endpoint.  For  TAP devices, or TUN devices used with --topology
4109              subnet, the second argument is the subnet mask  of  the  virtual
4110              network segment which is being created or connected to.
4111
4112              For TUN devices, which facilitate virtual point-to-point IP con‐
4113              nections (when used in --topology net30 or p2p mode), the proper
4114              usage of --ifconfig is to use two private IP addresses which are
4115              not a member of any existing subnet which is in use. The IP  ad‐
4116              dresses  may be consecutive and should have their order reversed
4117              on the remote peer.  After the VPN is  established,  by  pinging
4118              rn, you will be pinging across the VPN.
4119
4120              For  TAP  devices,  which  provide the ability to create virtual
4121              ethernet segments, or TUN  devices  in  --topology  subnet  mode
4122              (which create virtual "multipoint networks"), --ifconfig is used
4123              to set an IP address and subnet mask just as a physical ethernet
4124              adapter  would be similarly configured. If you are attempting to
4125              connect to a remote ethernet bridge, the IP address  and  subnet
4126              should  be set to values which would be valid on the the bridged
4127              ethernet segment (note also that DHCP can be used for  the  same
4128              purpose).
4129
4130              This  option,  while  primarily a proxy for the ifconfig(8) com‐
4131              mand, is designed to simplify TUN/TAP  tunnel  configuration  by
4132              providing  a standard interface to the different ifconfig imple‐
4133              mentations on different platforms.
4134
4135              --ifconfig parameters which are IP addresses can also be  speci‐
4136              fied as a DNS or /etc/hosts file resolvable name.
4137
4138              For TAP devices, --ifconfig should not be used if the TAP inter‐
4139              face will be getting an IP address lease from a DHCP server.
4140
4141              Examples:
4142
4143                 # tun device in net30/p2p mode
4144                 ifconfig 10.8.0.2 10.8.0.1
4145
4146                 # tun/tap device in subnet mode
4147                 ifconfig 10.8.0.2 255.255.255.0
4148
4149       --ifconfig-ipv6 args
4150              Configure an IPv6 address on the tun device.
4151
4152              Valid syntax:
4153
4154                 ifconfig-ipv6 ipv6addr/bits [ipv6remote]
4155
4156              The ipv6addr/bits argument is the IPv6 address to use. The  sec‐
4157              ond  parameter  is  used  as route target for --route-ipv6 if no
4158              gateway is specified.
4159
4160              The --topology option has no influence with --ifconfig-ipv6
4161
4162       --ifconfig-noexec
4163              Don't actually execute  ifconfig/netsh  commands,  instead  pass
4164              --ifconfig parameters to scripts using environmental variables.
4165
4166       --ifconfig-nowarn
4167              Don't  output  an options consistency check warning if the --if‐
4168              config option on this side of the connection doesn't  match  the
4169              remote side.  This is useful when you want to retain the overall
4170              benefits of the  options  consistency  check  (also  see  --dis‐
4171              able-occ  option) while only disabling the ifconfig component of
4172              the check.
4173
4174              For example, if you have a configuration where  the  local  host
4175              uses  --ifconfig  but  the  remote  host  does not, use --ifcon‐
4176              fig-nowarn on the local host.
4177
4178              This option will also silence warnings about  potential  address
4179              conflicts  which  occasionally  annoy  more experienced users by
4180              triggering "false positive" warnings.
4181
4182       --lladdr address
4183              Specify the link layer address, more commonly known as  the  MAC
4184              address.  Only applied to TAP devices.
4185
4186       --persist-tun
4187              Don't  close  and  reopen  TUN/TAP device or run up/down scripts
4188              across SIGUSR1 or --ping-restart restarts.
4189
4190              SIGUSR1 is a restart signal similar to SIGHUP, but which  offers
4191              finer-grained control over reset options.
4192
4193       --redirect-gateway flags
4194              Automatically  execute routing commands to cause all outgoing IP
4195              traffic to be redirected over the VPN. This is a client-side op‐
4196              tion.
4197
4198              This option performs three steps:
4199
4200              1. Create a static route for the --remote address which forwards
4201                 to the pre-existing default gateway. This is done so that (3)
4202                 will not create a routing loop.
4203
4204              2. Delete the default gateway route.
4205
4206              3. Set  the  new  default gateway to be the VPN endpoint address
4207                 (derived either from --route-gateway or the second  parameter
4208                 to --ifconfig when --dev tun is specified).
4209
4210              When  the  tunnel  is  torn down, all of the above steps are re‐
4211              versed so that the original default route is restored.
4212
4213              Option flags:
4214
4215              local  Add the local flag if both  OpenVPN  peers  are  directly
4216                     connected via a common subnet, such as with wireless. The
4217                     local flag will cause step (1) above to be omitted.
4218
4219              autolocal
4220                     Try to automatically determine whether  to  enable  local
4221                     flag above.
4222
4223              def1   Use  this  flag  to override the default gateway by using
4224                     0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has
4225                     the benefit of overriding but not wiping out the original
4226                     default gateway.
4227
4228              bypass-dhcp
4229                     Add a direct route to the DHCP server (if it  is  non-lo‐
4230                     cal)  which  bypasses  the  tunnel  (Available on Windows
4231                     clients, may not be available on non-Windows clients).
4232
4233              bypass-dns
4234                     Add a direct route to the  DNS  server(s)  (if  they  are
4235                     non-local)  which  bypasses the tunnel (Available on Win‐
4236                     dows  clients,  may  not  be  available  on   non-Windows
4237                     clients).
4238
4239              block-local
4240                     Block  access to local LAN when the tunnel is active, ex‐
4241                     cept for the LAN gateway itself. This is accomplished  by
4242                     routing  the  local  LAN  (except for the LAN gateway ad‐
4243                     dress) into the tunnel.
4244
4245              ipv6   Redirect IPv6 routing into the tunnel. This works similar
4246                     to  the def1 flag, that is, more specific IPv6 routes are
4247                     added (2000::/4, 3000::/4), covering the whole IPv6  uni‐
4248                     cast space.
4249
4250              !ipv4  Do not redirect IPv4 traffic - typically used in the flag
4251                     pair ipv6 !ipv4 to redirect IPv6-only.
4252
4253       --redirect-private flags
4254              Like --redirect-gateway, but omit actually changing the  default
4255              gateway.  Useful when pushing private subnets.
4256
4257       --route args
4258              Add route to routing table after connection is established. Mul‐
4259              tiple routes can be specified. Routes will be automatically torn
4260              down in reverse order prior to TUN/TAP device close.
4261
4262              Valid syntaxes:
4263
4264                 route network/IP
4265                 route network/IP netmask
4266                 route network/IP netmask gateway
4267                 route network/IP netmask gateway metric
4268
4269              This  option is intended as a convenience proxy for the route(8)
4270              shell command, while at the same time providing portable  seman‐
4271              tics across OpenVPN's platform space.
4272
4273              netmask
4274                     defaults to 255.255.255.255 when not given
4275
4276              gateway
4277                     default  taken from --route-gateway or the second parame‐
4278                     ter to --ifconfig when --dev tun is specified.
4279
4280              metric default taken from --route-metric if set, otherwise 0.
4281
4282              The default can be specified by leaving an option blank or  set‐
4283              ting it to default.
4284
4285              The  network  and  gateway parameters can also be specified as a
4286              DNS or /etc/hosts file resolvable name, or as one of three  spe‐
4287              cial keywords:
4288
4289              vpn_gateway
4290                     The  remote  VPN  endpoint  address  (derived either from
4291                     --route-gateway or the  second  parameter  to  --ifconfig
4292                     when --dev tun is specified).
4293
4294              net_gateway
4295                     The  pre-existing IP default gateway, read from the rout‐
4296                     ing table (not supported on all OSes).
4297
4298              remote_host
4299                     The --remote address if OpenVPN is being  run  in  client
4300                     mode, and is undefined in server mode.
4301
4302       --route-delay args
4303              Valid syntaxes:
4304
4305                 route-delay
4306                 route-delay n
4307                 route-delay n w
4308
4309              Delay  n seconds (default 0) after connection establishment, be‐
4310              fore adding routes. If n is 0, routes will be added  immediately
4311              upon  connection  establishment.  If  --route-delay  is omitted,
4312              routes will be added immediately after TUN/TAP device  open  and
4313              --up  script  execution,  before any --user or --group privilege
4314              downgrade (or --chroot execution.)
4315
4316              This option is designed to be useful in scenarios where DHCP  is
4317              used  to set tap adapter addresses. The delay will give the DHCP
4318              handshake time to complete before routes are added.
4319
4320              On Windows, --route-delay tries to be more intelligent by  wait‐
4321              ing  w seconds (default 30) for the TAP-Win32 adapter to come up
4322              before adding routes.
4323
4324       --route-ipv6 args
4325              Setup IPv6 routing in the system to send the specified IPv6 net‐
4326              work into OpenVPN's tun.
4327
4328              Valid syntax:
4329
4330                 route-ipv6 ipv6addr/bits [gateway] [metric]
4331
4332              The  gateway  parameter  is only used for IPv6 routes across tap
4333              devices, and if missing,  the  ipv6remote  field  from  --ifcon‐
4334              fig-ipv6 or --route-ipv6-gateway is used.
4335
4336       --route-gateway arg
4337              Specify a default gateway for use with --route.
4338
4339              If  dhcp is specified as the parameter, the gateway address will
4340              be  extracted  from  a  DHCP  negotiation   with   the   OpenVPN
4341              server-side LAN.
4342
4343              Valid syntaxes:
4344
4345                 route-gateway gateway
4346                 route-gateway dhcp
4347
4348       --route-ipv6-gateway gw
4349              Specify a default gateway gw for use with --route-ipv6.
4350
4351       --route-metric m
4352              Specify a default metric m for use with --route.
4353
4354       --route-noexec
4355              Don't add or remove routes automatically. Instead pass routes to
4356              --route-up script using environmental variables.
4357
4358       --route-nopull
4359              When used with --client or  --pull,  accept  options  pushed  by
4360              server  EXCEPT  for  routes,  block-outside-dns and dhcp options
4361              like DNS servers.
4362
4363              When used on the client, this option effectively bars the server
4364              from  adding  routes to the client's routing table, however note
4365              that this option still allows the server to set the TCP/IP prop‐
4366              erties of the client's TUN/TAP interface.
4367
4368       --topology mode
4369              Configure  virtual addressing topology when running in --dev tun
4370              mode. This directive has no meaning in --dev tap mode, which al‐
4371              ways uses a subnet topology.
4372
4373              If  you  set  this  directive  on  the  server, the --server and
4374              --server-bridge directives will automatically push  your  chosen
4375              topology  setting to clients as well. This directive can also be
4376              manually pushed to clients. Like the --dev directive,  this  di‐
4377              rective must always be compatible between client and server.
4378
4379              mode can be one of:
4380
4381              net30  Use a point-to-point topology, by allocating one /30 sub‐
4382                     net per client. This is designed to allow  point-to-point
4383                     semantics  when  some  or  all  of the connecting clients
4384                     might be Windows systems. This is the default.
4385
4386              p2p    Use a point-to-point topology where the  remote  endpoint
4387                     of  the client's tun interface always points to the local
4388                     endpoint of the server's tun interface. This  mode  allo‐
4389                     cates a single IP address per connecting client. Only use
4390                     when none of the connecting clients are Windows systems.
4391
4392              subnet Use a subnet rather than  a  point-to-point  topology  by
4393                     configuring the tun interface with a local IP address and
4394                     subnet mask, similar to the topology used  in  --dev  tap
4395                     and  ethernet bridging mode. This mode allocates a single
4396                     IP address per connecting client and works on Windows  as
4397                     well.
4398
4399              Note:  Using --topology subnet changes the interpretation of the
4400              arguments of --ifconfig to mean  "address  netmask",  no  longer
4401              "local remote".
4402
4403       --tun-mtu args
4404              Valid syntaxes:
4405
4406                 tun-mtu tun-mtu
4407                 tun-mtu tun-mtu occ-mtu
4408
4409              Take  the  TUN  device MTU to be tun-mtu and derive the link MTU
4410              from it.  In most cases, you will probably want  to  leave  this
4411              parameter set to its default value.
4412
4413              The default for tun-mtu is 1500.
4414
4415              The  OCC  MTU can be used to avoid warnings about mismatched MTU
4416              from clients. If occ-mtu is not specified, it will to default to
4417              the tun-mtu.
4418
4419              The  MTU  (Maximum  Transmission  Units) is the maximum datagram
4420              size in bytes that can be sent unfragmented  over  a  particular
4421              network  path.  OpenVPN requires that packets on the control and
4422              data channels be sent unfragmented.
4423
4424              MTU problems often manifest themselves as connections which hang
4425              during periods of active usage.
4426
4427              It's  best to use the --fragment and/or --mssfix options to deal
4428              with MTU sizing issues.
4429
4430              Note: Depending on the platform, the operating system allows one
4431              to  receive packets larger than tun-mtu (e.g. Linux and FreeBSD)
4432              but other platforms (like macOS) limit received packets  to  the
4433              same size as the MTU.
4434
4435       --tun-max-mtu maxmtu
4436              This  configures  the maximum MTU size that a server can push to
4437              maxmtu, by configuring the internal buffers to  allow  at  least
4438              this  packet  size.   The default for maxmtu is 1600. Currently,
4439              only increasing beyond 1600 is possible, and attempting  to  re‐
4440              duce max-mtu below 1600 will be ignored.
4441
4442       --tun-mtu-extra n
4443              Assume  that  the TUN/TAP device might return as many as n bytes
4444              more than the --tun-mtu size on read. This parameter defaults to
4445              0, which is sufficient for most TUN devices. TAP devices may in‐
4446              troduce additional overhead in excess of the  MTU  size,  and  a
4447              setting of 32 is the default when TAP devices are used. This pa‐
4448              rameter only controls internal OpenVPN buffer sizing,  so  there
4449              is  no  transmission  overhead  associated  with  using a larger
4450              value.
4451
4452   TUN/TAP standalone operations
4453       These two standalone  operations  will  require  --dev  and  optionally
4454       --user and/or --group.
4455
4456       --mktun
4457              (Standalone)  Create a persistent tunnel on platforms which sup‐
4458              port them such as Linux. Normally TUN/TAP tunnels exist only for
4459              the  period  of time that an application has them open. This op‐
4460              tion takes advantage of the TUN/TAP driver's  ability  to  build
4461              persistent  tunnels that live through multiple instantiations of
4462              OpenVPN and die only when they are deleted or the machine is re‐
4463              booted.
4464
4465              One  of the advantages of persistent tunnels is that they elimi‐
4466              nate the need for separate --up and --down scripts  to  run  the
4467              appropriate  ifconfig(8)  and  route(8) commands. These commands
4468              can be placed in the the same shell script which starts or  ter‐
4469              minates an OpenVPN session.
4470
4471              Another   advantage   is   that  open  connections  through  the
4472              TUN/TAP-based tunnel will not  be  reset  if  the  OpenVPN  peer
4473              restarts. This can be useful to provide uninterrupted connectiv‐
4474              ity through the tunnel in the event  of  a  DHCP  reset  of  the
4475              peer's public IP address (see the --ipchange option above).
4476
4477              One  disadvantage  of persistent tunnels is that it is harder to
4478              automatically configure their  MTU  value  (see  --link-mtu  and
4479              --tun-mtu above).
4480
4481              On some platforms such as Windows, TAP-Win32 tunnels are persis‐
4482              tent by default.
4483
4484       --rmtun
4485              (Standalone) Remove a persistent tunnel.
4486
4487   Virtual Routing and Forwarding
4488       Options in this section relates to configuration of virtual routing and
4489       forwarding in combination with the underlying operating system.
4490
4491       As  of today this is only supported on Linux, a kernel >= 4.9 is recom‐
4492       mended.
4493
4494       This could come in handy when for example the external  network  should
4495       be  only used as a means to connect to some VPN endpoints and all regu‐
4496       lar traffic should only be routed through any tunnel(s).  This could be
4497       achieved by setting up a VRF and configuring the interface connected to
4498       the external network to be part of the VRF.  The  examples  below  will
4499       cover this setup.
4500
4501       Another  option  would be to put the tun/tap interface into a VRF. This
4502       could be done by an up-script which uses the ip link set command  shown
4503       below.
4504
4505   VRF setup with iproute2
4506       Create VRF vrf_external and map it to routing table 1023
4507
4508          ip link add vrf_external type vrf table 1023
4509
4510       Move eth0 into vrf_external
4511
4512          ip link set master vrf_external dev eth0
4513
4514       Any  prefixes  configured  on  eth0  will be moved from the :code`main`
4515       routing table into routing table 1023
4516
4517   VRF setup with ifupdown
4518       For Debian based Distributions ifupdown2 provides an almost drop-in re‐
4519       placement for ifupdown including VRFs and other features.  A configura‐
4520       tion for an interface eth0 being part of  VRF  code:vrf_external  could
4521       look like this:
4522
4523          auto eth0
4524          iface eth0
4525              address 192.0.2.42/24
4526              address 2001:db8:08:15::42/64
4527              gateway 192.0.2.1
4528              gateway 2001:db8:08:15::1
4529              vrf vrf_external
4530
4531          auto vrf_external
4532          iface vrf_external
4533              vrf-table 1023
4534
4535   OpenVPN configuration
4536       The OpenVPN configuration needs to contain this line:
4537
4538          bind-dev vrf_external
4539
4540   Further reading
4541       Wikipedia         has         nice         page        one        VRFs:
4542       https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding
4543
4544       This talk from the Network Track of FrOSCon 2018 provides  an  overview
4545       about advanced layer 2 and layer 3 features of Linux
4546
4547          • Slides:
4548            https://www.slideshare.net/BarbarossaTM/l2l3-fr-fortgeschrittene-helle-und-dunkle-magie-im-linuxnetzwerkstack
4549
4550          • Video                                                    (german):
4551            https://media.ccc.de/v/froscon2018-2247-l2_l3_fur_fortgeschrittene_-_helle_und_dunkle_magie_im_linux-netzwerkstack
4552

SCRIPTING INTEGRATION

4554       OpenVPN  can execute external scripts in various phases of the lifetime
4555       of the OpenVPN process.
4556
4557   Script Order of Execution
4558       1.  --up
4559
4560           Executed after TCP/UDP socket bind and TUN/TAP open.
4561
4562       2.  --tls-verify
4563
4564           Executed when we have a still untrusted remote peer.
4565
4566       3.  --ipchange
4567
4568           Executed after connection  authentication,  or  remote  IP  address
4569           change.
4570
4571       4.  --client-connect
4572
4573           Executed in --mode server mode immediately after client authentica‐
4574           tion.
4575
4576       5.  --route-up
4577
4578           Executed after connection authentication, either immediately after,
4579           or some number of seconds after as defined by the --route-delay op‐
4580           tion.
4581
4582       6.  --route-pre-down
4583
4584           Executed right before the routes are removed.
4585
4586       7.  --client-disconnect
4587
4588           Executed in --mode server mode on client instance shutdown.
4589
4590       8.  --down
4591
4592           Executed after TCP/UDP and TUN/TAP close.
4593
4594       9.  --learn-address
4595
4596           Executed in --mode server mode whenever an  IPv4  address/route  or
4597           MAC address is added to OpenVPN's internal routing table.
4598
4599       10. --auth-user-pass-verify
4600
4601           Executed  in --mode server mode on new client connections, when the
4602           client is still untrusted.
4603
4604       11. --client-crresponse
4605              Execute in --mode server whenever a client sends  a  CR_RESPONSE
4606              message
4607
4608   SCRIPT HOOKS
4609       --auth-user-pass-verify args
4610              Require  the  client to provide a username/password (possibly in
4611              addition to a client certificate) for authentication.
4612
4613              Valid syntax:
4614
4615                 auth-user-pass-verify cmd method
4616
4617              OpenVPN will run command cmd to validate  the  username/password
4618              provided by the client.
4619
4620              cmd  consists of a path to a script (or executable program), op‐
4621              tionally followed by arguments. The path and  arguments  may  be
4622              single-  or  double-quoted and/or escaped using a backslash, and
4623              should be separated by one or more spaces.
4624
4625              If method is set to via-env, OpenVPN will call cmd with the  en‐
4626              vironmental  variables  username  and  password set to the user‐
4627              name/password strings provided by the client. Beware  that  this
4628              method  is insecure on some platforms which make the environment
4629              of a process publicly visible to other unprivileged processes.
4630
4631              If method is set to via-file, OpenVPN will  write  the  username
4632              and  password  to  the  first two lines of a temporary file. The
4633              filename will be passed as an argument to cmd, and the file will
4634              be  automatically  deleted  by OpenVPN after the script returns.
4635              The  location  of  the  temporary  file  is  controlled  by  the
4636              --tmp-dir  option,  and will default to the current directory if
4637              unspecified. For  security,  consider  setting  --tmp-dir  to  a
4638              volatile  storage medium such as /dev/shm (if available) to pre‐
4639              vent the username/password file from touching the hard drive.
4640
4641              The script should examine the username and password, returning a
4642              success  exit code (0) if the client's authentication request is
4643              to be accepted, a failure code (1) to reject the  client,  or  a
4644              that  the  authentication is deferred (2). If the authentication
4645              is deferred, the script must fork/start a background or  another
4646              non-blocking  operation  to  continue  the authentication in the
4647              background. When finshing the authentication, a 1 or 0  must  be
4648              written to the file specified by the auth_control_file.
4649
4650              If  the file specified by auth_failed_reason_file exists and has
4651              non-empty content, the content of this  file  will  be  used  as
4652              AUTH_FAILED  message. To avoid race conditions, this file should
4653              be written before auth_control_file.
4654
4655              This auth fail reason can be something  simple  like  "User  has
4656              been  permanently disabled" but there are also some special auth
4657              failed messages.
4658
4659              The TEMP message indicates that the  authentication  temporarily
4660              failed  and that the client should continue to retry to connect.
4661              The server can optionally give a user readable message and  hint
4662              the  client  a  behavior  how  to  proceed.  The keywords of the
4663              AUTH_FAILED,TEMP message are  comma  separated  keys/values  and
4664              provide  a  hint to the client how to proceed. Currently defined
4665              keywords are:
4666
4667              backoff s
4668                     instructs the client to wait at least  s  seconds  before
4669                     the next connection attempt. If the client already uses a
4670                     higher delay for reconnection attempt, the delay will not
4671                     be shortened.
4672
4673              advance addr
4674                     Instructs  the  client  to reconnect to the next (IP) ad‐
4675                     dress of the current server.
4676
4677              advance remote
4678                     Instructs the client to skip the remaining  IP  addresses
4679                     of  the  current  server  and instead connect to the next
4680                     server specified in the configuration file.
4681
4682              advance no
4683                     Instructs the client to  retry  connecting  to  the  same
4684                     server again.
4685
4686              For example, the message TEMP[backoff 42,advance no]: No free IP
4687              addresses indicates that the VPN connection  can  currently  not
4688              succeed and instructs the client to retry in 42 seconds again.
4689
4690              When  deferred authentication is in use, the script can also re‐
4691              quest pending authentication by writing to the file specified by
4692              the  auth_pending_file.  The  first  line must be the timeout in
4693              seconds, the required method on the second  line  (e.g.  crtext)
4694              and   third  line  must  be  the  EXTRA  as  documented  in  the
4695              client-pending-auth section of doc/management.txt.
4696
4697              This directive is designed to enable  a  plugin-style  interface
4698              for extending OpenVPN's authentication capabilities.
4699
4700              To  protect  against a client passing a maliciously formed user‐
4701              name or password string, the username string must  consist  only
4702              of  these  characters: alphanumeric, underbar ('_'), dash ('-'),
4703              dot ('.'), or at ('@'). The password string can consist  of  any
4704              printable characters except for CR or LF. Any illegal characters
4705              in either the username or password string will be  converted  to
4706              underbar ('_').
4707
4708              Care must be taken by any user-defined scripts to avoid creating
4709              a security vulnerability in the way that these strings are  han‐
4710              dled.  Never  use these strings in such a way that they might be
4711              escaped or evaluated by a shell interpreter.
4712
4713              For a sample script that performs PAM authentication,  see  sam‐
4714              ple-scripts/auth-pam.pl in the OpenVPN source distribution.
4715
4716       --client-crresponse
4717                 Executed  when  the  client  sends a text based challenge re‐
4718                 sponse.
4719
4720                 Valid syntax:
4721
4722                     client-crresponse cmd
4723
4724              OpenVPN will write the response of the client into  a  temporary
4725              file.   The  filename  will be passed as an argument to cmd, and
4726              the file will be automatically  deleted  by  OpenVPN  after  the
4727              script returns.
4728
4729              The  response  is passed as is from the client. The script needs
4730              to check itself if the input is valid,  e.g.  if  the  input  is
4731              valid base64 encoding.
4732
4733              The script can either directly write the result of the verifica‐
4734              tion   to   auth_control_file   or   further   defer   it.   See
4735              `--auth-user-pass-verify`` for details.
4736
4737              For  a  sample  script  that  implement  TOTP  (RFC  6238) based
4738              two-factor authentication, see sample-scripts/totpauth.py.
4739
4740       --client-connect cmd
4741              Run command cmd on client connection.
4742
4743              cmd consists of a path to a script (or executable program),  op‐
4744              tionally  followed  by  arguments. The path and arguments may be
4745              single- or double-quoted and/or escaped using a  backslash,  and
4746              should be separated by one or more spaces.
4747
4748              The  command  is  passed  the  common name and IP address of the
4749              just-authenticated client as environmental variables (see  envi‐
4750              ronmental  variable  section  below). The command is also passed
4751              the pathname of a freshly created temporary file as the last ar‐
4752              gument  (after  any  arguments specified in cmd ), to be used by
4753              the command to pass dynamically generated config file directives
4754              back to OpenVPN.
4755
4756              If  the script wants to generate a dynamic config file to be ap‐
4757              plied on the server when the client connects, it should write it
4758              to the file named by the last argument.
4759
4760              See  the  --client-config-dir option below for options which can
4761              be legally used in a dynamically generated config file.
4762
4763              Note that the return value of script is significant.  If  script
4764              returns  a non-zero error status, it will cause the client to be
4765              disconnected.
4766
4767              If a --client-connect wants to defer the generating of the  con‐
4768              figuration  then  the script needs to use the client_connect_de‐
4769              ferred_file  and  client_connect_config_file  environment  vari‐
4770              ables,  and  write status accordingly into these files.  See the
4771              Environmental Variables section for more details.
4772
4773       --client-disconnect cmd
4774              Like --client-connect but called on  client  instance  shutdown.
4775              Will  not be called unless the --client-connect script and plug‐
4776              ins (if defined) were previously called on  this  instance  with
4777              successful (0) status returns.
4778
4779              The exception to this rule is if the --client-disconnect command
4780              or plugins are cascaded, and at least one  client-connect  func‐
4781              tion  succeeded, then ALL of the client-disconnect functions for
4782              scripts and plugins will be called  on  client  instance  object
4783              deletion, even in cases where some of the related client-connect
4784              functions returned an error status.
4785
4786              The --client-disconnect command is not passed  any  extra  argu‐
4787              ments (only those arguments specified in cmd, if any).
4788
4789       --down cmd
4790              Run  command  cmd  after  TUN/TAP  device close (post --user UID
4791              change and/or --chroot ). cmd consists of a path to  script  (or
4792              executable  program), optionally followed by arguments. The path
4793              and arguments may be single- or double-quoted and/or escaped us‐
4794              ing a backslash, and should be separated by one or more spaces.
4795
4796              Called  with  the same parameters and environmental variables as
4797              the --up option above.
4798
4799              Note that if  you  reduce  privileges  by  using  --user  and/or
4800              --group, your --down script will also run at reduced privilege.
4801
4802       --down-pre
4803              Call --down cmd/script before, rather than after, TUN/TAP close.
4804
4805       --ipchange cmd
4806              Run  command cmd when our remote ip-address is initially authen‐
4807              ticated or changes.
4808
4809              cmd consists of a path to a script (or executable program),  op‐
4810              tionally  followed  by  arguments. The path and arguments may be
4811              single- or double-quoted and/or escaped using a  backslash,  and
4812              should be separated by one or more spaces.
4813
4814              When  cmd is executed two arguments are appended after any argu‐
4815              ments specified in cmd , as follows:
4816
4817                 cmd ip address port number
4818
4819              Don't use --ipchange in --mode server mode. Use a  --client-con‐
4820              nect script instead.
4821
4822              See the Environmental Variables section below for additional pa‐
4823              rameters passed as environmental variables.
4824
4825              If you are running in a dynamic IP address environment where the
4826              IP addresses of either peer could change without notice, you can
4827              use this script, for example, to edit the /etc/hosts  file  with
4828              the  current  address  of the peer. The script will be run every
4829              time the remote peer changes its IP address.
4830
4831              Similarly if our IP address changes due to DHCP, we should  con‐
4832              figure our IP address change script (see man page for dhcpcd(8))
4833              to deliver a SIGHUP or SIGUSR1 signal to OpenVPN.  OpenVPN  will
4834              then  re-establish a connection with its most recently authenti‐
4835              cated peer on its new IP address.
4836
4837       --learn-address cmd
4838              Run command cmd to validate client virtual addresses or routes.
4839
4840              cmd consists of a path to a script (or executable program),  op‐
4841              tionally  followed  by  arguments. The path and arguments may be
4842              single- or double-quoted and/or escaped using a  backslash,  and
4843              should be separated by one or more spaces.
4844
4845              Three arguments will be appended to any arguments in cmd as fol‐
4846              lows:
4847
4848              $1 - [operation]
4849                     "add", "update", or "delete" based on whether or not  the
4850                     address  is  being  added  to,  modified, or deleted from
4851                     OpenVPN's internal routing table.
4852
4853              $2 - [address]
4854                     The address being learned or unlearned. This  can  be  an
4855                     IPv4 address such as "198.162.10.14", an IPv4 subnet such
4856                     as "198.162.10.0/24", or an ethernet  MAC  address  (when
4857                     --dev tap is being used) such as "00:FF:01:02:03:04".
4858
4859              $3 - [common name]
4860                     The  common  name  on the certificate associated with the
4861                     client linked to this address. Only present for "add"  or
4862                     "update" operations, not "delete".
4863
4864              On  "add"  or  "update" methods, if the script returns a failure
4865              code (non-zero), OpenVPN will reject the address  and  will  not
4866              modify its internal routing table.
4867
4868              Normally, the cmd script will use the information provided above
4869              to set appropriate firewall entries on the  VPN  TUN/TAP  inter‐
4870              face.  Since OpenVPN provides the association between virtual IP
4871              or MAC address and the client's authenticated  common  name,  it
4872              allows  a user-defined script to configure firewall access poli‐
4873              cies with regard to the client's high-level common name,  rather
4874              than the low level client virtual addresses.
4875
4876       --route-up cmd
4877              Run  command  cmd after routes are added, subject to --route-de‐
4878              lay.
4879
4880              cmd consists of a path to a script (or executable program),  op‐
4881              tionally  followed  by  arguments. The path and arguments may be
4882              single- or double-quoted and/or escaped using a  backslash,  and
4883              should be separated by one or more spaces.
4884
4885              See the Environmental Variables section below for additional pa‐
4886              rameters passed as environmental variables.
4887
4888       --route-pre-down cmd
4889              Run command cmd before routes are removed upon disconnection.
4890
4891              cmd consists of a path to a script (or executable program),  op‐
4892              tionally  followed  by  arguments. The path and arguments may be
4893              single- or double-quoted and/or escaped using a  backslash,  and
4894              should be separated by one or more spaces.
4895
4896              See the Environmental Variables section below for additional pa‐
4897              rameters passed as environmental variables.
4898
4899       --setenv args
4900              Set a  custom  environmental  variable  name=value  to  pass  to
4901              script.
4902
4903              Valid syntaxes:
4904
4905                 setenv name value
4906                 setenv FORWARD_COMPATIBLE 1
4907                 setenv opt config_option
4908
4909              By  setting  FORWARD_COMPATIBLE  to  1,  the  config file syntax
4910              checking is relaxed so that unknown directives  will  trigger  a
4911              warning  but  not  a fatal error, on the assumption that a given
4912              unknown directive might be valid in future OpenVPN versions.
4913
4914              This option should be used with caution, as there are good secu‐
4915              rity reasons for having OpenVPN fail if it detects problems in a
4916              config file.  Having said that,  there  are  valid  reasons  for
4917              wanting new software features to gracefully degrade when encoun‐
4918              tered by older software versions.
4919
4920              It is also possible to tag a single directive so as not to trig‐
4921              ger a fatal error if the directive isn't recognized. To do this,
4922              prepend the following before the directive: setenv opt
4923
4924              Versions prior to OpenVPN 2.3.3 will always ignore  options  set
4925              with the setenv opt directive.
4926
4927              See also --ignore-unknown-option
4928
4929       --setenv-safe args
4930              Set  a  custom  environmental  variable OPENVPN_name to value to
4931              pass to scripts.
4932
4933              Valid syntaxes:
4934
4935                 setenv-safe name value
4936
4937              This directive is  designed  to  be  pushed  by  the  server  to
4938              clients,  and  the  prepending  of OPENVPN_ to the environmental
4939              variable is a safety precaution to prevent  a  LD_PRELOAD  style
4940              attack from a malicious or compromised server.
4941
4942       --tls-verify cmd
4943              Run command cmd to verify the X509 name of a pending TLS connec‐
4944              tion that has otherwise passed all other tests of  certification
4945              (except  for  revocation via --crl-verify directive; the revoca‐
4946              tion test occurs after the --tls-verify test).
4947
4948              cmd should return 0 to allow the TLS handshake to proceed, or  1
4949              to fail.
4950
4951              cmd  consists of a path to a script (or executable program), op‐
4952              tionally followed by arguments. The path and  arguments  may  be
4953              single-  or  double-quoted and/or escaped using a backslash, and
4954              should be separated by one or more spaces.
4955
4956              When cmd is executed two arguments are appended after any  argu‐
4957              ments specified in cmd, as follows:
4958
4959                 cmd certificate_depth subject
4960
4961              These arguments are, respectively, the current certificate depth
4962              and the X509 subject distinguished name (dn) of the peer.
4963
4964              This feature is useful if the peer you want to trust has a  cer‐
4965              tificate  which  was  signed by a certificate authority who also
4966              signed many other certificates, where you don't necessarily want
4967              to  trust  all of them, but rather be selective about which peer
4968              certificate you will accept. This feature allows you to write  a
4969              script which will test the X509 name on a certificate and decide
4970              whether or not it should be accepted. For a simple  perl  script
4971              which  will  test  the common name field on the certificate, see
4972              the file verify-cn in the OpenVPN distribution.
4973
4974              See the Environmental Variables section below for additional pa‐
4975              rameters passed as environmental variables.
4976
4977       --up cmd
4978              Run command cmd after successful TUN/TAP device open (pre --user
4979              UID change).
4980
4981              cmd consists of a path to a script (or executable program),  op‐
4982              tionally  followed  by  arguments. The path and arguments may be
4983              single- or double-quoted and/or escaped using a  backslash,  and
4984              should be separated by one or more spaces.
4985
4986              The  up  command  is  useful for specifying route commands which
4987              route IP traffic destined for private subnets which exist at the
4988              other end of the VPN connection into the tunnel.
4989
4990              For --dev tun execute as:
4991
4992                 cmd tun_dev tun_mtu 0 ifconfig_local_ip ifconfig_remote_ip [init | restart]
4993
4994              For --dev tap execute as:
4995
4996                 cmd tap_dev tap_mtu 0 ifconfig_local_ip ifconfig_netmask [init | restart]
4997
4998              See the Environmental Variables section below for additional pa‐
4999              rameters passed as environmental variables.  The 0 argument used
5000              to  be  link_mtu  which is no longer passed to scripts - to keep
5001              the argument order, it was replaced with 0.
5002
5003              Note that if cmd includes arguments, all OpenVPN-generated argu‐
5004              ments  will  be  appended to them to build an argument list with
5005              which the executable will be called.
5006
5007              Typically, cmd will run a script to add routes to the tunnel.
5008
5009              Normally the up script is called after  the  TUN/TAP  device  is
5010              opened.  In this context, the last command line parameter passed
5011              to the script will be init. If the --up-restart option  is  also
5012              used,  the  up  script  will  be  called for restarts as well. A
5013              restart is considered to be a partial reinitialization of  Open‐
5014              VPN  where  the TUN/TAP instance is preserved (the --persist-tun
5015              option will enable such preservation).  A restart can be  gener‐
5016              ated by a SIGUSR1 signal, a --ping-restart timeout, or a connec‐
5017              tion reset when the TCP protocol is enabled with the --proto op‐
5018              tion.  If a restart occurs, and --up-restart has been specified,
5019              the up script will be called with restart as the last parameter.
5020
5021              NOTE:  On restart, OpenVPN will not pass the full set  of  envi‐
5022                     ronment  variables  to the script. Namely, everything re‐
5023                     lated to routing and gateways  will  not  be  passed,  as
5024                     nothing  needs  to be done anyway - all the routing setup
5025                     is already in place. Additionally, the up-restart  script
5026                     will run with the downgraded UID/GID settings (if config‐
5027                     ured).
5028
5029              The following standalone example shows how the --up  script  can
5030              be  called in both an initialization and restart context. (NOTE:
5031              for security reasons, don't run the following example unless UDP
5032              port  9999  is  blocked by your firewall. Also, the example will
5033              run indefinitely, so you should abort with control-c).
5034
5035                 openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 \
5036                         --up 'echo up' --down 'echo down' --persist-tun  \
5037                         --up-restart
5038
5039              Note that OpenVPN also provides the --ifconfig option  to  auto‐
5040              matically  ifconfig  the TUN device, eliminating the need to de‐
5041              fine an --up script, unless you also want to configure routes in
5042              the --up script.
5043
5044              If  --ifconfig is also specified, OpenVPN will pass the ifconfig
5045              local and remote endpoints on  the  command  line  to  the  --up
5046              script so that they can be used to configure routes such as:
5047
5048                 route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
5049
5050       --up-delay
5051              Delay  TUN/TAP open and possible --up script execution until af‐
5052              ter TCP/UDP connection establishment with peer.
5053
5054              In --proto udp mode, this option normally requires  the  use  of
5055              --ping  to  allow  connection initiation to be sensed in the ab‐
5056              sence of tunnel data, since UDP is a "connectionless" protocol.
5057
5058              On Windows, this option will delay  the  TAP-Win32  media  state
5059              transitioning  to  "connected"  until  connection establishment,
5060              i.e. the receipt of the  first  authenticated  packet  from  the
5061              peer.
5062
5063       --up-restart
5064              Enable  the --up and --down scripts to be called for restarts as
5065              well as initial program start. This  option  is  described  more
5066              fully above in the --up option documentation.
5067
5068   String Types and Remapping
5069       In  certain  cases,  OpenVPN  will  perform  remapping of characters in
5070       strings. Essentially, any characters outside the set of permitted char‐
5071       acters for each string type will be converted to underbar ('_').
5072
5073       Q: Why is string remapping necessary?
5074              It's an important security feature to prevent the malicious cod‐
5075              ing of strings from untrusted sources to be passed as parameters
5076              to  scripts,  saved  in  the environment, used as a common name,
5077              translated to a filename, etc.
5078
5079       Q: Can string remapping be disabled?
5080              Yes, by  using  the  --no-name-remapping  option,  however  this
5081              should be considered an advanced option.
5082
5083       Here  is a brief rundown of OpenVPN's current string types and the per‐
5084       mitted character class for each string:
5085
5086       X509 Names
5087              Alphanumeric, underbar ('_'), dash ('-'), dot ('.'),  at  ('@'),
5088              colon  (':'),  slash ('/'), and equal ('='). Alphanumeric is de‐
5089              fined as a character which will cause the  C  library  isalnum()
5090              function to return true.
5091
5092       Common Names
5093              Alphanumeric,  underbar  ('_'),  dash  ('-'),  dot ('.'), and at
5094              ('@').
5095
5096       --auth-user-pass username
5097              Same as Common Name, with one exception: starting  with  OpenVPN
5098              2.0.1,     the    username    is    passed    to    the    OPEN‐
5099              VPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without
5100              string remapping.
5101
5102       --auth-user-pass password
5103              Any  "printable" character except CR or LF. Printable is defined
5104              to be a character which will cause the C library isprint() func‐
5105              tion to return true.
5106
5107       --client-config-dir filename as derived from common name or`username
5108              Alphanumeric,  underbar  ('_'), dash ('-'), and dot ('.') except
5109              for "." or ".." as standalone strings. As of v2.0.1-rc6, the  at
5110              ('@')  character  has  been added as well for compatibility with
5111              the common name character class.
5112
5113       Environmental variable names
5114              Alphanumeric or underbar ('_').
5115
5116       Environmental variable values
5117              Any printable character.
5118
5119       For all cases, characters in a string which are not members of the  le‐
5120       gal  character  class for that string type will be remapped to underbar
5121       ('_').
5122
5123   Environmental Variables
5124       Once set, a variable is persisted indefinitely until it is reset  by  a
5125       new value or a restart,
5126
5127       As  of  OpenVPN 2.0-beta12, in server mode, environmental variables set
5128       by OpenVPN are scoped according to the client objects they are  associ‐
5129       ated with, so there should not be any issues with scripts having access
5130       to stale, previously set variables which refer to different client  in‐
5131       stances.
5132
5133       bytes_received
5134              Total  number  of bytes received from client during VPN session.
5135              Set prior to execution of the --client-disconnect script.
5136
5137       bytes_sent
5138              Total number of bytes sent to client  during  VPN  session.  Set
5139              prior to execution of the --client-disconnect script.
5140
5141       client_connect_config_file
5142              The  path to the configuration file that should be written to by
5143              the --client-connect script (optional, if per-session configura‐
5144              tion is desired).  This is the same file name as passed via com‐
5145              mand line argument on the call to the --client-connect script.
5146
5147       client_connect_deferred_file
5148              This file can be optionally written to in order to  to  communi‐
5149              cate  a  status  code  of  the --client-connect script or plgin.
5150              Only the first character in the file is relevant.   It  must  be
5151              either 1 to indicate normal script execution, 0 indicates an er‐
5152              ror (in the same way that a non zero exit status does) or  2  to
5153              indicate that the script deferred returning the config file.
5154
5155              For  deferred  (background)  handling, the script or plugin MUST
5156              write 2 to the file to indicate the  deferral  and  then  return
5157              with exit code 0 to signal deferred handler started OK.
5158
5159              A  background  process or similar must then take care of writing
5160              the configuration to  the  file  indicated  by  the  client_con‐
5161              nect_config_file  environment  variable and when finished, write
5162              the a 1 to this file (or 0 in case of an error).
5163
5164              The absence of any character in the file when  the  script  fin‐
5165              ishes  executing  is  interpreted  the  same  as  1. This allows
5166              scripts that are not written to support the defer  mechanism  to
5167              be used unmodified.
5168
5169       common_name
5170              The  X509  common  name of an authenticated client. Set prior to
5171              execution   of   --client-connect,    --client-disconnect    and
5172              --auth-user-pass-verify scripts.
5173
5174       config Name of first --config file. Set on program initiation and reset
5175              on SIGHUP.
5176
5177       daemon Set to "1" if the --daemon directive is specified, or "0" other‐
5178              wise.  Set on program initiation and reset on SIGHUP.
5179
5180       daemon_log_redirect
5181              Set  to  "1"  if the --log or --log-append directives are speci‐
5182              fied, or "0" otherwise. Set on program initiation and  reset  on
5183              SIGHUP.
5184
5185       dev    The  actual  name of the TUN/TAP device, including a unit number
5186              if it exists. Set prior to --up or --down script execution.
5187
5188       dev_idx
5189              On Windows, the device index of the TUN/TAP adapter (to be  used
5190              in  netsh.exe  calls which sometimes just do not work right with
5191              interface names). Set prior to --up or --down script execution.
5192
5193       dns_*  The --dns configuration options will be made available to script
5194              execution  through  this set of environment variables. Variables
5195              appear only if the corresponding option has  a  value  assigned.
5196              For  the  semantics of each individual variable, please refer to
5197              the documentation for --dns.
5198
5199                 dns_search_domain_{n}
5200                 dns_server_{n}_address_{m}
5201                 dns_server_{n}_port_{m}
5202                 dns_server_{n}_resolve_domain_{m}
5203                 dns_server_{n}_dnssec
5204                 dns_server_{n}_transport
5205                 dns_server_{n}_sni
5206
5207       foreign_option_{n}
5208              An option pushed via --push to a client which does not  natively
5209              support  it, such as --dhcp-option on a non-Windows system, will
5210              be recorded to this environmental  variable  sequence  prior  to
5211              --up script execution.
5212
5213       ifconfig_broadcast
5214              The  broadcast address for the virtual ethernet segment which is
5215              derived from the --ifconfig option when --dev tap is  used.  Set
5216              prior  to OpenVPN calling the ifconfig or netsh (windows version
5217              of ifconfig) commands which normally occurs prior to --up script
5218              execution.
5219
5220       ifconfig_ipv6_local
5221              The  local  VPN  endpoint IPv6 address specified in the --ifcon‐
5222              fig-ipv6 option (first parameter). Set prior to OpenVPN  calling
5223              the  ifconfig  or  code:netsh (windows version of ifconfig) com‐
5224              mands which normally occurs prior to --up script execution.
5225
5226       ifconfig_ipv6_netbits
5227              The prefix length of the IPv6 network on the VPN interface.  De‐
5228              rived  from  the /nnn parameter of the IPv6 address in the --if‐
5229              config-ipv6 option (first parameter). Set prior to OpenVPN call‐
5230              ing the ifconfig or netsh (windows version of ifconfig) commands
5231              which normally occurs prior to --up script execution.
5232
5233       ifconfig_ipv6_remote
5234              The remote VPN endpoint IPv6 address specified in  the  --ifcon‐
5235              fig-ipv6 option (second parameter). Set prior to OpenVPN calling
5236              the ifconfig or netsh (windows  version  of  ifconfig)  commands
5237              which normally occurs prior to --up script execution.
5238
5239       ifconfig_local
5240              The  local  VPN  endpoint IP address specified in the --ifconfig
5241              option (first parameter). Set prior to OpenVPN calling  the  if‐
5242              config  or  netsh  (windows  version of ifconfig) commands which
5243              normally occurs prior to --up script execution.
5244
5245       ifconfig_remote
5246              The remote VPN endpoint IP address specified in  the  --ifconfig
5247              option  (second  parameter) when --dev tun is used. Set prior to
5248              OpenVPN calling the ifconfig or netsh (windows version of ifcon‐
5249              fig)  commands which normally occurs prior to --up script execu‐
5250              tion.
5251
5252       ifconfig_netmask
5253              The subnet mask of the virtual ethernet segment that  is  speci‐
5254              fied as the second parameter to --ifconfig when --dev tap is be‐
5255              ing used. Set prior to OpenVPN calling  the  ifconfig  or  netsh
5256              (windows  version  of  ifconfig)  commands which normally occurs
5257              prior to --up script execution.
5258
5259       ifconfig_pool_local_ip
5260              The local virtual IP address for the TUN/TAP tunnel  taken  from
5261              an --ifconfig-push directive if specified, or otherwise from the
5262              ifconfig pool (controlled by the --ifconfig-pool config file di‐
5263              rective).  Only set for --dev tun tunnels. This option is set on
5264              the server  prior  to  execution  of  the  --client-connect  and
5265              --client-disconnect scripts.
5266
5267       ifconfig_pool_netmask
5268              The  virtual  IP  netmask  for  the TUN/TAP tunnel taken from an
5269              --ifconfig-push directive if specified, or  otherwise  from  the
5270              ifconfig pool (controlled by the --ifconfig-pool config file di‐
5271              rective). Only set for --dev tap tunnels. This option is set  on
5272              the  server  prior  to  execution  of  the  --client-connect and
5273              --client-disconnect scripts.
5274
5275       ifconfig_pool_remote_ip
5276              The remote virtual IP address for the TUN/TAP tunnel taken  from
5277              an --ifconfig-push directive if specified, or otherwise from the
5278              ifconfig pool (controlled by the --ifconfig-pool config file di‐
5279              rective). This option is set on the server prior to execution of
5280              the --client-connect and --client-disconnect scripts.
5281
5282       link_mtu
5283              No longer passed to scripts since OpenVPN 2.6.0.  Used to be the
5284              maximum packet size (not including the IP header) of tunnel data
5285              in UDP tunnel transport mode.
5286
5287       local  The --local parameter. Set on program initiation  and  reset  on
5288              SIGHUP.
5289
5290       local_port
5291              The  local  port number or name, specified by --port or --lport.
5292              Set on program initiation and reset on SIGHUP.
5293
5294       password
5295              The password provided by  a  connecting  client.  Set  prior  to
5296              --auth-user-pass-verify  script  execution only when the via-env
5297              modifier is specified, and deleted from  the  environment  after
5298              the script returns.
5299
5300       proto  The  --proto  parameter.  Set on program initiation and reset on
5301              SIGHUP.
5302
5303       remote_{n}
5304              The --remote parameter. Set on program initiation and  reset  on
5305              SIGHUP.
5306
5307       remote_port_{n}
5308              The  remote  port number, specified by --port or --rport. Set on
5309              program initiation and reset on SIGHUP.
5310
5311       route_net_gateway
5312              The pre-existing default IP gateway in the system routing table.
5313              Set prior to --up script execution.
5314
5315       route_vpn_gateway
5316              The default gateway used by --route options, as specified in ei‐
5317              ther the --route-gateway option or the second parameter to --if‐
5318              config when --dev tun is specified. Set prior to --up script ex‐
5319              ecution.
5320
5321       route_{parm}_{n}
5322              A set of variables which define each route to be added, and  are
5323              set prior to --up script execution.
5324
5325              parm will be one of network, netmask", gateway, or metric.
5326
5327              n is the OpenVPN route number, starting from 1.
5328
5329              If the network or gateway are resolvable DNS names, their IP ad‐
5330              dress translations will be recorded rather than their  names  as
5331              denoted on the command line or configuration file.
5332
5333       route_ipv6_{parm}_{n}
5334              A set of variables which define each IPv6 route to be added, and
5335              are set prior to --up script execution.
5336
5337              parm will be one of network, gateway or metric.  route_ipv6_net‐
5338              work_{n}  contains  netmask  as  /nnn,  unlike  IPv4 where it is
5339              passed in a separate environment variable.
5340
5341              n is the OpenVPN route number, starting from 1.
5342
5343              If the network or gateway are resolvable DNS names, their IP ad‐
5344              dress  translations  will be recorded rather than their names as
5345              denoted on the command line or configuration file.
5346
5347       peer_cert
5348              Temporary file name containing the client certificate upon  con‐
5349              nection.  Useful in conjunction with --tls-verify.
5350
5351       script_context
5352              Set  to  "init"  or "restart" prior to up/down script execution.
5353              For more information, see documentation for --up.
5354
5355       script_type
5356              Prior to execution of any script, this variable is  set  to  the
5357              type  of  script  being run. It can be one of the following: up,
5358              down,  ipchange,  route-up,  tls-verify,  auth-user-pass-verify,
5359              client-connect, client-disconnect or learn-address. Set prior to
5360              execution of any script.
5361
5362       signal The reason for exit or restart. Can be one of  sigusr1,  sighup,
5363              sigterm,  sigint,  inactive  (controlled  by --inactive option),
5364              ping-exit (controlled by --ping-exit option), ping-restart (con‐
5365              trolled  by  --ping-restart option), connection-reset (triggered
5366              on TCP connection reset), error  or  unknown  (unknown  signal).
5367              This variable is set just prior to down script execution.
5368
5369       time_ascii
5370              Client  connection timestamp, formatted as a human-readable time
5371              string.  Set prior to execution of the --client-connect script.
5372
5373       time_duration
5374              The duration (in seconds) of the client  session  which  is  now
5375              disconnecting. Set prior to execution of the --client-disconnect
5376              script.
5377
5378       time_unix
5379              Client  connection  timestamp,  formatted  as  a  unix   integer
5380              date/time  value. Set prior to execution of the --client-connect
5381              script.
5382
5383       tls_digest_{n} / tls_digest_sha256_{n}
5384              Contains the certificate SHA1 / SHA256 fingerprint, where  n  is
5385              the  verification level. Only set for TLS connections. Set prior
5386              to execution of --tls-verify script.
5387
5388       tls_id_{n}
5389              A series of certificate fields from the remote peer, where n  is
5390              the  verification level. Only set for TLS connections. Set prior
5391              to execution of --tls-verify script.
5392
5393       tls_serial_{n}
5394              The serial number of the certificate from the remote peer, where
5395              n  is  the verification level. Only set for TLS connections. Set
5396              prior to execution of --tls-verify script. This is in  the  form
5397              of  a decimal string like "933971680", which is suitable for do‐
5398              ing serial-based OCSP queries (with OpenSSL, do not prepend "0x"
5399              to  the  string) If something goes wrong while reading the value
5400              from the certificate it will be an empty string,  so  your  code
5401              should  check  that.  See  the  contrib/OCSP_check/OCSP_check.sh
5402              script for an example.
5403
5404       tls_serial_hex_{n}
5405              Like tls_serial_{n}, but in hex form (e.g.  12:34:56:78:9A).
5406
5407       tun_mtu
5408              The MTU of the TUN/TAP device.  Set  prior  to  --up  or  --down
5409              script execution.
5410
5411       trusted_ip / trusted_ip6)
5412              Actual  IP  address  of connecting client or peer which has been
5413              authenticated.   Set   prior   to   execution   of   --ipchange,
5414              --client-connect  and --client-disconnect scripts. If using ipv6
5415              endpoints (udp6, tcp6), trusted_ip6 will be set instead.
5416
5417       trusted_port
5418              Actual port number of connecting client or peer which  has  been
5419              authenticated.   Set   prior   to   execution   of   --ipchange,
5420              --client-connect and --client-disconnect scripts.
5421
5422       untrusted_ip / untrusted_ip6
5423              Actual IP address of connecting client or  peer  which  has  not
5424              been  authenticated  yet.  Sometimes used to nmap the connecting
5425              host in a --tls-verify script to ensure it is  firewalled  prop‐
5426              erly.    Set    prior   to   execution   of   --tls-verify   and
5427              --auth-user-pass-verify scripts. If using ipv6 endpoints  (udp6,
5428              tcp6), untrusted_ip6 will be set instead.
5429
5430       untrusted_port
5431              Actual  port  number  of connecting client or peer which has not
5432              been authenticated yet. Set prior to execution  of  --tls-verify
5433              and --auth-user-pass-verify scripts.
5434
5435       username
5436              The  username  provided  by  a  connecting  client. Set prior to
5437              --auth-user-pass-verify script execution only when  the  via-env
5438              modifier is specified.
5439
5440       X509_{n}_{subject_field}
5441              An  X509 subject field from the remote peer certificate, where n
5442              is the verification level. Only set  for  TLS  connections.  Set
5443              prior to execution of --tls-verify script. This variable is sim‐
5444              ilar to tls_id_{n} except the component X509 subject fields  are
5445              broken out, and no string remapping occurs on these field values
5446              (except for remapping of control characters to "_").  For  exam‐
5447              ple,  the following variables would be set on the OpenVPN server
5448              using the sample client certificate in sample-keys (client.crt).
5449              Note that the verification level is 0 for the client certificate
5450              and 1 for the CA certificate.
5451
5452                 X509_0_emailAddress=me@myhost.mydomain
5453                 X509_0_CN=Test-Client
5454                 X509_0_O=OpenVPN-TEST
5455                 X509_0_ST=NA
5456                 X509_0_C=KG
5457                 X509_1_emailAddress=me@myhost.mydomain
5458                 X509_1_O=OpenVPN-TEST
5459                 X509_1_L=BISHKEK
5460                 X509_1_ST=NA
5461                 X509_1_C=KG
5462
5463   Management Interface Options
5464       OpenVPN provides a feature rich socket based management  interface  for
5465       both server and client mode operations.
5466
5467       --management args
5468              Enable a management server on a socket-name Unix socket on those
5469              platforms supporting it, or on a designated TCP port.
5470
5471              Valid syntaxes:
5472
5473                 management socket-name unix          #
5474                 management socket-name unix pw-file  # (recommended)
5475                 management IP port                   # (INSECURE)
5476                 management IP port pw-file           #
5477
5478              pw-file, if specified, is a password  file  where  the  password
5479              must be on first line. Instead of a filename it can use the key‐
5480              word stdin which will prompt the user for a password to use when
5481              OpenVPN is starting.
5482
5483              For  unix sockets, the default behaviour is to create a unix do‐
5484              main socket that may be connected to by  any  process.  Use  the
5485              --management-client-user  and  --management-client-group  direc‐
5486              tives to restrict access.
5487
5488              The management interface provides a special mode where  the  TCP
5489              management  link  can  operate over the tunnel itself. To enable
5490              this mode, set IP to tunnel. Tunnel mode will cause the  manage‐
5491              ment  interface  to listen for a TCP connection on the local VPN
5492              address of the TUN/TAP interface.
5493
5494              *BEWARE* of enabling the management interface over TCP. In these
5495              cases  you should ALWAYS make use of pw-file to password protect
5496              the management interface. Any user who can connect to  this  TCP
5497              IP:port  will be able to manage and control (and interfere with)
5498              the OpenVPN process. It is also strongly recommended to  set  IP
5499              to  127.0.0.1  (localhost) to restrict accessibility of the man‐
5500              agement server to local clients.
5501
5502              While the management port is designed for  programmatic  control
5503              of  OpenVPN  by  other applications, it is possible to telnet to
5504              the port, using a telnet client in "raw" mode.  Once  connected,
5505              type help for a list of commands.
5506
5507              For  detailed documentation on the management interface, see the
5508              management-notes.txt file in the management folder of the  Open‐
5509              VPN source distribution.
5510
5511       --management-client
5512              Management interface will connect as a TCP/unix domain client to
5513              IP:port specified by --management rather than listen  as  a  TCP
5514              server or on a unix domain socket.
5515
5516              If  the client connection fails to connect or is disconnected, a
5517              SIGTERM signal will be generated causing OpenVPN to quit.
5518
5519       --management-client-auth
5520              Gives management interface client the responsibility to  authen‐
5521              ticate clients after their client certificate has been verified.
5522              See management-notes.txt in OpenVPN  distribution  for  detailed
5523              notes.
5524
5525       --management-client-group g
5526              When  the  management  interface  is  listening on a unix domain
5527              socket, only allow connections from group g.
5528
5529       --management-client-user u
5530              When the management interface is  listening  on  a  unix  domain
5531              socket, only allow connections from user u.
5532
5533       --management-external-cert certificate-hint
5534              Allows  usage  for external certificate instead of --cert option
5535              (client-only). certificate-hint is an arbitrary string which  is
5536              passed  to  a  management  interface  client  as  an argument of
5537              NEED-CERTIFICATE  notification.   Requires   --management-exter‐
5538              nal-key.
5539
5540       --management-external-key args
5541              Allows  usage for external private key file instead of --key op‐
5542              tion (client-only).
5543
5544              Valid syntaxes:
5545
5546                 management-external-key
5547                 management-external-key nopadding
5548                 management-external-key pkcs1
5549                 management-external-key pss
5550
5551              or any combination like:
5552
5553                 management-external-key nopadding pkcs1
5554                 management-external-key pkcs1 pss
5555
5556              The optional parameters nopadding pkcs1 and pss  signal  support
5557              for  different  padding  algorithms. See doc/mangement-notes.txt
5558              for a complete description of this feature.
5559
5560       --management-forget-disconnect
5561              Make OpenVPN forget passwords when  management  session  discon‐
5562              nects.
5563
5564              This  directive  does not affect the --http-proxy username/pass‐
5565              word.  It is always cached.
5566
5567       --management-hold
5568              Start OpenVPN in a hibernating state, until a client of the man‐
5569              agement  interface  explicitly  starts  it with the hold release
5570              command.
5571
5572       --management-log-cache n
5573              Cache the most recent n lines of log file history for  usage  by
5574              the management channel.
5575
5576       --management-query-passwords
5577              Query   management   channel   for   private  key  password  and
5578              --auth-user-pass username/password. Only  query  the  management
5579              channel for inputs which ordinarily would have been queried from
5580              the console.
5581
5582       --management-query-proxy
5583              Query management channel for proxy server information for a spe‐
5584              cific --remote (client-only).
5585
5586       --management-query-remote
5587              Allow  management  interface  to  override  --remote  directives
5588              (client-only).
5589
5590       --management-signal
5591              Send SIGUSR1 signal to OpenVPN  if  management  session  discon‐
5592              nects.  This  is  useful  when you wish to disconnect an OpenVPN
5593              session on user logoff.  For --management-client this option  is
5594              not needed since a disconnect will always generate a SIGTERM.
5595
5596       --management-up-down
5597              Report tunnel up/down events to management interface.
5598
5599   Plug-in Interface Options
5600       OpenVPN can be extended by loading external plug-in modules at runtime.
5601       These plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
5602
5603       --plugin args
5604              Loads an OpenVPN plug-in module.
5605
5606              Valid syntax:
5607
5608                 plugin module-name
5609                 plugin module-name "arguments"
5610
5611              The module-name needs to be the first argument,  indicating  the
5612              plug-in to load.  The second argument is an optional init string
5613              which will be passed directly to the plug-in.  If the init  con‐
5614              sists of multiple arguments it must be enclosed in double-quotes
5615              (").  Multiple plugin modules may be  loaded  into  one  OpenVPN
5616              process.
5617
5618              The  module-name  argument  can be just a filename or a filename
5619              with a relative or absolute path. The format of the filename and
5620              path  defines  if  the  plug-in  will  be  loaded from a default
5621              plug-in directory or outside this directory.
5622
5623                 --plugin path         Effective directory used
5624                 ===================== =============================
5625                  myplug.so            DEFAULT_DIR/myplug.so
5626                  subdir/myplug.so     DEFAULT_DIR/subdir/myplug.so
5627                  ./subdir/myplug.so   CWD/subdir/myplug.so
5628                  /usr/lib/my/plug.so  /usr/lib/my/plug.so
5629
5630              DEFAULT_DIR is replaced by the default plug-in directory,  which
5631              is  configured  at the build time of OpenVPN. CWD is the current
5632              directory where OpenVPN was started  or  the  directory  OpenVPN
5633              have  switched  into via the --cd option before the --plugin op‐
5634              tion.
5635
5636              For more information  and  examples  on  how  to  build  OpenVPN
5637              plug-in modules, see the README file in the plugin folder of the
5638              OpenVPN source distribution.
5639
5640              If you are using an RPM install of OpenVPN, see /usr/share/open‐
5641              vpn/plugin.  The  documentation  is in doc and the actual plugin
5642              modules are in lib.
5643
5644              Multiple plugin modules can be cascaded, and modules can be used
5645              in tandem with scripts. The modules will be called by OpenVPN in
5646              the order that they are declared in the config file. If  both  a
5647              plugin  and  script  are  configured  for the same callback, the
5648              script will be called last. If  the  return  code  of  the  mod‐
5649              ule/script controls an authentication function (such as tls-ver‐
5650              ify, auth-user-pass-verify, or client-connect), then every  mod‐
5651              ule  and script must return success (0) in order for the connec‐
5652              tion to be authenticated.
5653
5654              WARNING:
5655                     Plug-ins may do deferred execution, meaning  the  plug-in
5656                     will  return the control back to the main OpenVPN process
5657                     and provide the plug-in result later on via  a  different
5658                     thread or process.  OpenVPN does NOT support multiple au‐
5659                     thentication plug-ins where more than one plugin tries to
5660                     do  deferred  authentication.   If  this behaviour is de‐
5661                     tected, OpenVPN will shut down upon first authentication.
5662
5663   Windows-Specific Options
5664       --allow-nonadmin TAP-adapter
5665              (Standalone) Set TAP-adapter to allow access  from  non-adminis‐
5666              trative accounts. If TAP-adapter is omitted, all TAP adapters on
5667              the system will be configured to  allow  non-admin  access.  The
5668              non-admin  access  setting  will  only persist for the length of
5669              time that the TAP-Win32 device object and driver remain  loaded,
5670              and  will need to be re-enabled after a reboot, or if the driver
5671              is unloaded and reloaded. This directive can only be used by  an
5672              administrator.
5673
5674       --block-outside-dns
5675              Block  DNS  servers  on  other  network  adapters to prevent DNS
5676              leaks. This option prevents any application from  accessing  TCP
5677              or  UDP  port  53  except one inside the tunnel. It uses Windows
5678              Filtering Platform (WFP) and works on Windows Vista or later.
5679
5680              This option is considered unknown on non-Windows  platforms  and
5681              unsupported  on  Windows  XP,  resulting in fatal error. You may
5682              want to use --setenv opt or --ignore-unknown-option  (not  suit‐
5683              able for Windows XP) to ignore said error. Note that pushing un‐
5684              known options from server does not trigger fatal errors.
5685
5686       --cryptoapicert select-string
5687              (Windows/OpenSSL Only) Load the certificate and private key from
5688              the Windows Certificate System Store.
5689
5690              Use this option instead of --cert and --key.
5691
5692              This  makes it possible to use any smart card, supported by Win‐
5693              dows, but also any kind of certificate,  residing  in  the  Cert
5694              Store, where you have access to the private key. This option has
5695              been tested with a couple of  different  smart  cards  (GemSAFE,
5696              Cryptoflex, and Swedish Post Office eID) on the client side, and
5697              also an imported PKCS12 software certificate on the server side.
5698
5699              To select a certificate, based on a substring search in the cer‐
5700              tificate's subject:
5701
5702                 cryptoapicert "SUBJ:Peter Runestig"
5703
5704              To select a certificate, based on certificate's thumbprint (SHA1
5705              hash):
5706
5707                 cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
5708
5709              The thumbprint hex string can easily be copy-and-pasted from the
5710              Windows  Certificate  Store  GUI. The embedded spaces in the hex
5711              string are optional.
5712
5713              To select a certificate based on a  substring  in  certificate's
5714              issuer name:
5715
5716                 cryptoapicert "ISSUER:Sample CA"
5717
5718              The  first  non-expired certificate found in the user's store or
5719              the machine store that matches the select-string is used.
5720
5721       --dhcp-release
5722              Ask Windows to release the TAP adapter lease on  shutdown.  This
5723              option  has  no effect now, as it is enabled by default starting
5724              with OpenVPN 2.4.1.
5725
5726       --dhcp-renew
5727              Ask Windows to renew the TAP adapter lease on startup. This  op‐
5728              tion  is normally unnecessary, as Windows automatically triggers
5729              a DHCP renegotiation on the TAP adapter when it comes  up,  how‐
5730              ever  if  you set the TAP-Win32 adapter Media Status property to
5731              "Always Connected", you may need this flag.
5732
5733       --ip-win32 method
5734              When using --ifconfig on Windows, set the TAP-Win32  adapter  IP
5735              address  and  netmask using method. Don't use this option unless
5736              you are also using --ifconfig.
5737
5738              manual Don't set the IP address or  netmask  automatically.  In‐
5739                     stead output a message to the console telling the user to
5740                     configure the adapter manually and indicating the IP/net‐
5741                     mask which OpenVPN expects the adapter to be set to.
5742
5743              dynamic [offset] [lease-time]
5744                     Automatically  set the IP address and netmask by replying
5745                     to DHCP query messages generated  by  the  kernel.   This
5746                     mode  is probably the "cleanest" solution for setting the
5747                     TCP/IP properties since it uses the well-known DHCP  pro‐
5748                     tocol.  There  are,  however, two prerequisites for using
5749                     this mode:
5750
5751                     1. The TCP/IP properties for the TAP-Win32  adapter  must
5752                        be set to "Obtain an IP address automatically", and
5753
5754                     2. OpenVPN needs to claim an IP address in the subnet for
5755                        use as the virtual DHCP server address.
5756
5757                     By default in --dev tap mode, OpenVPN will take the  nor‐
5758                     mally unused first address in the subnet. For example, if
5759                     your subnet is 192.168.4.0  netmask  255.255.255.0,  then
5760                     OpenVPN  will  take  the IP address 192.168.4.0 to use as
5761                     the virtual DHCP server  address.   In  --dev  tun  mode,
5762                     OpenVPN will cause the DHCP server to masquerade as if it
5763                     were coming from the remote endpoint.
5764
5765                     The optional offset parameter is an integer  which  is  >
5766                     -256 and < 256 and which defaults to 0. If offset is pos‐
5767                     itive, the DHCP server will masquerade as the IP  address
5768                     at  network  address + offset. If offset is negative, the
5769                     DHCP server will masquerade as the IP address  at  broad‐
5770                     cast address + offset.
5771
5772                     The  Windows  ipconfig  /all  command can be used to show
5773                     what Windows thinks the DHCP server address  is.  OpenVPN
5774                     will "claim" this address, so make sure to use a free ad‐
5775                     dress. Having said  that,  different  OpenVPN  instantia‐
5776                     tions,  including  different ends of the same connection,
5777                     can share the same virtual DHCP server address.
5778
5779                     The lease-time parameter controls the lease time  of  the
5780                     DHCP  assignment  given  to the TAP-Win32 adapter, and is
5781                     denoted in seconds. Normally a very long  lease  time  is
5782                     preferred   because  it  prevents  routes  involving  the
5783                     TAP-Win32 adapter from being lost when the system goes to
5784                     sleep. The default lease time is one year.
5785
5786              netsh  Automatically  set  the  IP address and netmask using the
5787                     Windows command-line "netsh" command. This method appears
5788                     to work correctly on Windows XP but not Windows 2000.
5789
5790              ipapi  Automatically  set  the  IP address and netmask using the
5791                     Windows IP Helper API. This approach does not have  ideal
5792                     semantics,  though  testing  has  indicated that it works
5793                     okay in practice. If you use this option, it is  best  to
5794                     leave  the TCP/IP properties for the TAP-Win32 adapter in
5795                     their default state, i.e. "Obtain an IP address automati‐
5796                     cally."
5797
5798              adaptive (Default)
5799                     Try  dynamic  method  initially and fail over to netsh if
5800                     the DHCP negotiation with the TAP-Win32 adapter does  not
5801                     succeed  in  20 seconds. Such failures have been known to
5802                     occur when  certain  third-party  firewall  packages  in‐
5803                     stalled  on the client machine block the DHCP negotiation
5804                     used by the TAP-Win32 adapter. Note  that  if  the  netsh
5805                     failover  occurs, the TAP-Win32 adapter TCP/IP properties
5806                     will be reset from DHCP to static, and  this  will  cause
5807                     future  OpenVPN  startups  using the adaptive mode to use
5808                     netsh immediately, rather than trying dynamic first.
5809
5810                     To "unstick" the adaptive  mode  from  using  netsh,  run
5811                     OpenVPN  at  least once using the dynamic mode to restore
5812                     the TAP-Win32 adapter TCP/IP properties to a DHCP config‐
5813                     uration.
5814
5815       --pause-exit
5816              Put  up  a  "press  any  key to continue" message on the console
5817              prior to OpenVPN program exit. This option is automatically used
5818              by  the  Windows explorer when OpenVPN is run on a configuration
5819              file using the right-click explorer menu.
5820
5821       --register-dns
5822              Run ipconfig /flushdns and ipconfig /registerdns  on  connection
5823              initiation.  This  is  known  to  kick  Windows into recognizing
5824              pushed DNS servers.
5825
5826       --route-method m
5827              Which method m to use for adding routes on Windows?
5828
5829              adaptive (default)
5830                     Try IP helper API first. If that fails, fall back to  the
5831                     route.exe shell command.
5832
5833              ipapi  Use IP helper API.
5834
5835              exe    Call the route.exe shell command.
5836
5837       --service args
5838              Should  be  used when OpenVPN is being automatically executed by
5839              another program in such a context that no interaction  with  the
5840              user via display or keyboard is possible.
5841
5842              Valid syntax:
5843
5844                 service exit-event [0|1]
5845
5846              In  general,  end-users should never need to explicitly use this
5847              option, as it is automatically  added  by  the  OpenVPN  service
5848              wrapper  when  a  given  OpenVPN configuration is being run as a
5849              service.
5850
5851              exit-event is the name of a Windows  global  event  object,  and
5852              OpenVPN will continuously monitor the state of this event object
5853              and exit when it becomes signaled.
5854
5855              The second parameter indicates the initial state  of  exit-event
5856              and normally defaults to 0.
5857
5858              Multiple  OpenVPN  processes can be simultaneously executed with
5859              the same exit-event parameter.  In  any  case,  the  controlling
5860              process  can  signal  exit-event,  causing all such OpenVPN pro‐
5861              cesses to exit.
5862
5863              When executing an OpenVPN process using the --service directive,
5864              OpenVPN  will  probably not have a console window to output sta‐
5865              tus/error messages, therefore it  is  useful  to  use  --log  or
5866              --log-append to write these messages to a file.
5867
5868       --show-adapters
5869              (Standalone)  Show available TAP-Win32 adapters which can be se‐
5870              lected using the --dev-node option. On non-Windows systems,  the
5871              ifconfig(8) command provides similar functionality.
5872
5873       --show-net
5874              (Standalone) Show OpenVPN's view of the system routing table and
5875              network adapter list.
5876
5877       --show-net-up
5878              Output OpenVPN's view of the system routing  table  and  network
5879              adapter list to the syslog or log file after the TUN/TAP adapter
5880              has been brought up and any routes have been added.
5881
5882       --show-valid-subnets
5883              (Standalone) Show valid subnets for --dev tun  emulation.  Since
5884              the  TAP-Win32  driver exports an ethernet interface to Windows,
5885              and since TUN devices are point-to-point in nature, it is neces‐
5886              sary  for  the TAP-Win32 driver to impose certain constraints on
5887              TUN endpoint address selection.
5888
5889              Namely, the point-to-point endpoints used in TUN  device  emula‐
5890              tion  must  be the middle two addresses of a /30 subnet (netmask
5891              255.255.255.252).
5892
5893       --tap-sleep n
5894              Cause OpenVPN to sleep  for  n  seconds  immediately  after  the
5895              TAP-Win32 adapter state is set to "connected".
5896
5897              This option is intended to be used to troubleshoot problems with
5898              the --ifconfig and --ip-win32 options, and is used to  give  the
5899              TAP-Win32  adapter  time to come up before Windows IP Helper API
5900              operations are applied to it.
5901
5902       --win-sys path
5903              Set the Windows system directory pathname to  use  when  looking
5904              for  system  executables such as route.exe and netsh.exe. By de‐
5905              fault, if this directive is not specified, OpenVPN will use  the
5906              SystemRoot environment variable.
5907
5908              This option has changed behaviour since OpenVPN 2.3. Earlier you
5909              had to define --win-sys env to use  the  SystemRoot  environment
5910              variable,  otherwise  it  defaulted  to  C:\\WINDOWS.  It is not
5911              needed to use the env keyword any more, and it will just be  ig‐
5912              nored.  A warning is logged when this is found in the configura‐
5913              tion file.
5914
5915       --windows-driver drv
5916              Specifies which tun driver to  use.  Values  are  ovpn-dco  (de‐
5917              fault),  tap-windows6  and  wintun.  ovpn-dco and wintun require
5918              --dev tun. wintun also requires OpenVPN process to run elevated,
5919              or be invoked using the Interactive Service.
5920
5921   Standalone Debug Options
5922       --show-gateway args
5923              (Standalone)  Show current IPv4 and IPv6 default gateway and in‐
5924              terface towards the gateway (if the protocol in question is  en‐
5925              abled).
5926
5927              Valid syntax:
5928
5929                 --show-gateway
5930                 --show-gateway IPv6-target
5931
5932              For IPv6 this queries the route towards ::/128, or the specified
5933              IPv6 target address if passed as argument.  For IPv4  on  Linux,
5934              Windows, MacOS and BSD it looks for a 0.0.0.0/0 route.  If there
5935              are more specific routes, the result will not always be matching
5936              the route of the IPv4 packets to the VPN gateway.
5937
5938   Advanced Expert Options
5939       These  are options only required when special tweaking is needed, often
5940       used when debugging or testing out special usage scenarios.
5941
5942       --hash-size args
5943              Set the size of the real address hash table to r and the virtual
5944              address table to v.
5945
5946              Valid syntax:
5947
5948                 hash-size r v
5949
5950              By default, both tables are sized at 256 buckets.
5951
5952       --bcast-buffers n
5953              Allocate n buffers for broadcast datagrams (default 256).
5954
5955       --persist-local-ip
5956              Preserve  initially  resolved  local  IP address and port number
5957              across SIGUSR1 or --ping-restart restarts.
5958
5959       --persist-remote-ip
5960              Preserve most recently authenticated remote IP address and  port
5961              number across SIGUSR1 or --ping-restart restarts.
5962
5963       --rcvbuf size
5964              Set  the TCP/UDP socket receive buffer size. Defaults to operat‐
5965              ing system default.
5966
5967       --shaper n
5968              Limit bandwidth of outgoing tunnel data to n bytes per second on
5969              the  TCP/UDP  port. Note that this will only work if mode is set
5970              to p2p.  If you want to limit the bandwidth in both  directions,
5971              use this option on both peers.
5972
5973              OpenVPN  uses the following algorithm to implement traffic shap‐
5974              ing: Given a shaper rate of n bytes per second, after a datagram
5975              write  of  b bytes is queued on the TCP/UDP port, wait a minimum
5976              of (b / n) seconds before queuing the next write.
5977
5978              It should be noted that OpenVPN supports  multiple  tunnels  be‐
5979              tween  the  same two peers, allowing you to construct full-speed
5980              and reduced bandwidth tunnels at the same time, routing low-pri‐
5981              ority  data  such as off-site backups over the reduced bandwidth
5982              tunnel, and other data over the full-speed tunnel.
5983
5984              Also note that for low bandwidth tunnels (under 1000  bytes  per
5985              second),  you  should probably use lower MTU values as well (see
5986              above), otherwise the packet latency will grow so  large  as  to
5987              trigger  timeouts  in  the TLS layer and TCP connections running
5988              over the tunnel.
5989
5990              OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.
5991
5992       --sndbuf size
5993              Set the TCP/UDP socket send buffer size. Defaults  to  operating
5994              system default.
5995
5996       --tcp-queue-limit n
5997              Maximum number of output packets queued before TCP (default 64).
5998
5999              When OpenVPN is tunneling data from a TUN/TAP device to a remote
6000              client over a TCP connection, it is possible  that  the  TUN/TAP
6001              device  might produce data at a faster rate than the TCP connec‐
6002              tion can support. When the number of output packets  queued  be‐
6003              fore  sending  to  the TCP socket reaches this limit for a given
6004              client connection, OpenVPN will start to drop  outgoing  packets
6005              directed at this client.
6006
6007       --txqueuelen n
6008              (Linux  only)  Set the TX queue length on the TUN/TAP interface.
6009              Currently defaults to operating system default.
6010
6011       --disable-dco
6012              Disables the opportunistic use of  data  channel  offloading  if
6013              available.   Without this option, OpenVPN will opportunistically
6014              use DCO mode if the config options and the running  kernel  sup‐
6015              ports using DCO.
6016
6017              Data  channel  offload  currently  requires data-ciphers to only
6018              contain AEAD ciphers (AES-GCM and Chacha20-Poly1305)  and  Linux
6019              with the ovpn-dco module.
6020
6021              Note that some options have no effect or cannot be used when DCO
6022              mode is enabled.
6023
6024              On platforms that do not support DCO disable-dco has no effect.
6025

UNSUPPORTED OPTIONS

6027       Options listed in this section have been removed from OpenVPN  and  are
6028       no longer supported
6029
6030       --client-cert-not-required
6031              Removed  in  OpenVPN  2.5.   This should be replaxed with --ver‐
6032              ify-client-cert none.
6033
6034       --ifconfig-pool-linear
6035              Removed in OpenVPN 2.5.  This should be replaced with --topology
6036              p2p.
6037
6038       --key-method
6039              Removed  in OpenVPN 2.5.  This option should not be used, as us‐
6040              ing the old key-method weakens the VPN tunnel security.  The old
6041              key-method  was  also only needed when the remote side was older
6042              than OpenVPN 2.0.
6043
6044       --management-client-pf
6045              Removed in OpenVPN 2.6.   The  built-in  packet  filtering  (pf)
6046              functionality has been removed.
6047
6048       --ncp-disable
6049              Removed in OpenVPN 2.6.  This option mainly served a role as de‐
6050              bug option when NCP was first introduced.  It should  no  longer
6051              be necessary.
6052
6053       --no-iv
6054              Removed  in  OpenVPN  2.5.  This option should not be used as it
6055              weakens the VPN tunnel security.  This has been  a  NOOP  option
6056              since OpenVPN 2.4.
6057
6058       --no-replay
6059              Removed  in  OpenVPN  2.5.  This option should not be used as it
6060              weakens the VPN tunnel security.
6061
6062       --ns-cert-type
6063              Removed in OpenVPN 2.5.  The nsCertType field is no longer  sup‐
6064              ported  in  recent SSL/TLS libraries.  If your certificates does
6065              not include key usage and extended key usage fields,  they  must
6066              be  upgraded and the --remote-cert-tls option should be used in‐
6067              stead.
6068
6069       --prng Removed in OpenVPN 2.6.  We now always use the PRNG of  the  SSL
6070              library.
6071

CONNECTION PROFILES

6073       Client configuration files may contain multiple remote servers which it
6074       will attempt to connect against.  But there are some configuration  op‐
6075       tions  which  are  related to specific --remote options.  For these use
6076       cases, connection profiles are the solution.
6077
6078       By enacpulating the --remote option and related options within <connec‐
6079       tion> and </connection>, these options are handled as a group.
6080
6081       An  OpenVPN  client will try each connection profile sequentially until
6082       it achieves a successful connection.
6083
6084       --remote-random can be used  to  initially  "scramble"  the  connection
6085       list.
6086
6087       Here is an example of connection profile usage:
6088
6089          client
6090          dev tun
6091
6092          <connection>
6093          remote 198.19.34.56 1194 udp
6094          </connection>
6095
6096          <connection>
6097          remote 198.19.34.56 443 tcp
6098          </connection>
6099
6100          <connection>
6101          remote 198.19.34.56 443 tcp
6102          http-proxy 192.168.0.8 8080
6103          </connection>
6104
6105          <connection>
6106          remote 198.19.36.99 443 tcp
6107          http-proxy 192.168.0.8 8080
6108          </connection>
6109
6110          persist-key
6111          persist-tun
6112          pkcs12 client.p12
6113          remote-cert-tls server
6114          verb 3
6115
6116       First  we try to connect to a server at 198.19.34.56:1194 using UDP. If
6117       that fails, we then try to connect to 198.19.34.56:443  using  TCP.  If
6118       that  also  fails,  then  try  connecting  through  an  HTTP  proxy  at
6119       192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect
6120       through the same proxy to a server at 198.19.36.99:443 using TCP.
6121
6122       The  following  OpenVPN  options  may  be used inside of a <connection>
6123       block:
6124
6125       bind,   connect-retry,    connect-retry-max,    connect-timeout,    ex‐
6126       plicit-exit-notify,  float,  fragment,  http-proxy,  http-proxy-option,
6127       key-direction, link-mtu, local, lport, mssfix, mtu-disc, nobind,  port,
6128       proto,  remote,  rport,  socks-proxy, tls-auth, tls-crypt, tun-mtu and,
6129       tun-mtu-extra.
6130
6131       A defaulting mechanism exists for specifying options to  apply  to  all
6132       <connection>  profiles. If any of the above options (with the exception
6133       of remote ) appear outside of a <connection> block, but in a configura‐
6134       tion file which has one or more <connection> blocks, the option setting
6135       will be used as a default for <connection> blocks which  follow  it  in
6136       the configuration file.
6137
6138       For  example,  suppose the nobind option were placed in the sample con‐
6139       figuration file above, near the top of the file, before the first <con‐
6140       nection>  block.  The effect would be as if nobind were declared in all
6141       <connection> blocks below it.
6142

INLINE FILE SUPPORT

6144       OpenVPN allows including files in the main configuration for the  --ca,
6145       --cert,  --dh,  --extra-certs, --key, --pkcs12, --secret, --crl-verify,
6146       --http-proxy-user-pass,      --tls-auth,       --auth-gen-token-secret,
6147       --peer-fingerprint,  --tls-crypt,  --tls-crypt-v2 and --verify-hash op‐
6148       tions.
6149
6150       Each inline file started by the line <option> and  ended  by  the  line
6151       </option>
6152
6153       Here is an example of an inline file usage
6154
6155          <cert>
6156          -----BEGIN CERTIFICATE-----
6157          [...]
6158          -----END CERTIFICATE-----
6159          </cert>
6160
6161       When using the inline file feature with --pkcs12 the inline file has to
6162       be base64 encoded. Encoding of a .p12 file into base64 can be done  for
6163       example with OpenSSL by running openssl base64 -in input.p12
6164

SIGNALS

6166       SIGHUP Cause  OpenVPN  to  close  all  TUN/TAP and network connections,
6167              restart, re-read the configuration file  (if  any),  and  reopen
6168              TUN/TAP and network connections.
6169
6170       SIGUSR1
6171              Like  SIGHUP`, except don't re-read configuration file, and pos‐
6172              sibly don't close and reopen TUN/TAP device, re-read key  files,
6173              preserve  local  IP  address/port, or preserve most recently au‐
6174              thenticated  remote  IP  address/port  based  on  --persist-tun,
6175              --persist-key,  --persist-local-ip  and  --persist-remote-ip op‐
6176              tions respectively (see above).
6177
6178              This signal may also be internally generated by a timeout condi‐
6179              tion, governed by the --ping-restart option.
6180
6181              This signal, when combined with --persist-remote-ip, may be sent
6182              when the underlying parameters of the host's  network  interface
6183              change  such as when the host is a DHCP client and is assigned a
6184              new IP address.  See --ipchange for more information.
6185
6186       SIGUSR2
6187              Causes OpenVPN to display its current statistics (to the  syslog
6188              file if --daemon is used, or stdout otherwise).
6189
6190       SIGINT, SIGTERM
6191              Causes OpenVPN to exit gracefully.
6192

FAQ

6194       https://community.openvpn.net/openvpn/wiki/FAQ
6195

HOWTO

6197       The  manual  openvpn-examples(5)  gives  some  examples, especially for
6198       small setups.
6199
6200       For a more comprehensive guide to setting up OpenVPN  in  a  production
6201       setting,         see         the         OpenVPN        HOWTO        at
6202       https://openvpn.net/community-resources/how-to/
6203

PROTOCOL

6205       An ongoing effort to document the OpenVPN protocol can be  found  under
6206       https://github.com/openvpn/openvpn-rfc
6207

WEB

6209       OpenVPN's web site is at https://community.openvpn.net/
6210
6211       Go  here  to  download  the latest version of OpenVPN, subscribe to the
6212       mailing lists, read the mailing list archives, or browse the Git repos‐
6213       itory.
6214

BUGS

6216       Report all bugs to the OpenVPN team info@openvpn.net
6217

SEE ALSO

6219       openvpn-examples(5),   dhcpcd(8),  ifconfig(8),  openssl(1),  route(8),
6220       scp(1) ssh(1)
6221

NOTES

6223       This product includes software developed  by  the  OpenSSL  Project  (‐
6224       https://www.openssl.org/)
6225
6226       For     more     information     on     the     TLS    protocol,    see
6227       http://www.ietf.org/rfc/rfc2246.txt
6228
6229       For more information on  the  LZO  real-time  compression  library  see
6230       https://www.oberhumer.com/opensource/lzo/
6231

6233       Copyright  (C) 2002-2020 OpenVPN Inc This program is free software; you
6234       can redistribute it and/or modify it under the terms of the GNU General
6235       Public License version 2 as published by the Free Software Foundation.
6236

AUTHORS

6238       James Yonan james@openvpn.net
6239
6240
6241
6242
6243                                                                    OPENVPN(8)
Impressum