Item | Type | Help Text |
---|---|---|
verb * | option | Set output verbosity |
mlock | option | BOOL Disable Paging |
disable_occ | option | BOOL Disable options consistency check |
cd | option | Change to directory before initialization |
chroot | option | Chroot to directory after initialization |
passtos | option | BOOL TOS passthrough (applies to IPv4 only) |
log | option | Write log to file |
log_append | option | Append log to file |
suppress_timestamps | option | BOOL Don't log timestamps |
nice * | option | Change process priority |
fast_io | option | BOOL Optimize TUN/TAP/UDP writes |
echo | option | Echo parameters to log |
remap_usr1 | option | Remap SIGUSR1 signals |
status | option | Write status to file every n seconds |
status_version | option | Status file format version |
mute | option | Limit repeated log messages |
up | option | Shell cmd to execute after tun device open |
up_delay | option | BOOL Delay tun/tap open and up script execution |
down | option | Shell cmd to run after tun device close |
down_pre | option | BOOL Call down cmd/script before TUN/TAP close |
up_restart | option | BOOL Run up/down scripts for all restarts |
route_up | option | Execute shell cmd after routes are added |
setenv | option | Pass environment variables to script |
tls_verify | option | Shell command to verify X509 name |
client_connect | option | Run script cmd on client connection |
client_disconnect | option | Run script cmd on client disconnection |
learn_address | option | Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table |
auth_user_pass_verify | option | Executed in server mode on new client connections, when the client is still untrusted |
script_security | option | Policy level over usage of external programs and scripts |
compress | option | Enable a compression algorithm |

Item | Type | Help Text |
---|---|---|
mode | option | Major mode |
local | option | Local host name or IP address |
port * | option | TCP/UDP port # for both local and remote |
lport | option | TCP/UDP port # for local (default=1194) |
rport | option | TCP/UDP port # for remote (default=1194) |
float | option | BOOL Allow remote to change its IP or port |
nobind * | option | BOOL Do not bind to local address and port |
dev | option | tun/tap device |
dev_type * | option | Type of used device |
dev_node | option | Use tun/tap device node |
ifconfig * | option | Set tun/tap adapter parameters |
ifconfig_noexec | option | BOOL Don't actually execute ifconfig |
ifconfig_nowarn | option | BOOL Don't warn on ifconfig inconsistencies |
route | option | Add route after establishing connection |
route_gateway | option | Specify a default gateway for routes |
route_delay | option | Delay n seconds after connection |
route_noexec | option | BOOL Don't add routes automatically |
route_nopull | option | BOOL Don't pull routes automatically |
allow_recursive_routing | option | BOOL Don't drop incoming tun packets with same destination as host |
mtu_disc | option | Enable Path MTU discovery |
mtu_test | option | BOOL Empirically measure MTU |
comp_lzo * | option | Use fast LZO compression |
link_mtu | option | Set TCP/UDP MTU |
tun_mtu | option | Set tun/tap device MTU |
tun_mtu_extra | option | Set tun/tap device overhead |
sndbuf | option | Set the TCP/UDP send buffer size |
rcvbuf | option | Set the TCP/UDP receive buffer size |
txqueuelen | option | Set tun/tap TX queue length |
shaper | option | Shaping for peer bandwidth |
inactive | option | tun/tap inactivity timeout |
keepalive * | option | Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations |
ping | option | Ping remote every n seconds over TCP/UDP port |
ping_exit | option | Remote ping timeout |
ping_restart | option | Restart after remote ping timeout |
ping_timer_rem | option | BOOL Only process ping timeouts if routes exist |
persist_tun | option | BOOL Keep tun/tap device open on restart |
persist_key | option | BOOL Don't re-read key on restart |
persist_local_ip | option | BOOL Keep local IP address on restart |
persist_remote_ip | option | BOOL Keep remote IP address on restart |
management | option | Enable management interface on IP port |
management_query_passwords | option | BOOL Query management channel for private key |
management_hold | option | BOOL Start OpenVPN in a hibernating state |
management_log_cache | option | Number of lines for log file history |
topology | option | 'net30', 'p2p', or 'subnet' |

Item | Type | Help Text |
---|---|---|
server * | option | Configure server mode |
server_bridge * | option | Configure server bridge |
client * | option | Configure client mode |
client_to_client * | option | BOOL Allow client-to-client traffic |
pull | option | BOOL Accept options pushed from server |
auth_user_pass | option | Authenticate using username/password |
auth_retry | option | Handling of authentication failures |
explicit_exit_notify | option | Send notification to peer on disconnect |
remote * | option | Remote host name or IP address |
remote_random | option | BOOL Randomly choose remote server |
proto * | option | Use protocol |
connect_retry | option | Connection retry interval |
http_proxy | option | Connect to remote host through an HTTP proxy |
http_proxy_retry | option | BOOL Retry indefinitely on HTTP proxy errors |
http_proxy_timeout | option | Proxy timeout in seconds |
http_proxy_option | option | Set extended HTTP proxy options |
socks_proxy | option | Connect through Socks5 proxy |
socks_proxy_retry | option | BOOL Retry indefinitely on Socks proxy errors |
resolv_retry | option | If hostname resolve fails, retry |
redirect_gateway | option | Automatically redirect default route |
verify_client_cert | option | Specify whether the client is required to supply a valid certificate |

Item | Type | Help Text |
---|---|---|
secret * | option | Enable Static Key encryption mode (non-TLS) |
auth | option | HMAC authentication for packets |
cipher | option | Encryption cipher for packets |
keysize | option | Size of cipher key |
engine | option | Enable OpenSSL hardware crypto engines |
replay_window | option | Replay protection sliding window size |
mute_replay_warnings | option | BOOL Silence the output of replay warnings |
replay_persist | option | Persist replay-protection state |
tls_server | option | BOOL Enable TLS and assume server role |
ca * | option | Certificate authority |
dh * | option | Diffie-Hellman parameters |
cert * | option | Local certificate |
key * | option | Local private key |
pkcs12 * | option | PKCS#12 file containing keys |
key_method | option | Enable TLS and assume client role |
tls_cipher | list | TLS cipher |
tls_ciphersuites | list | TLS 1.3 or newer cipher |
tls_timeout | option | Retransmit timeout on TLS control channel |
reneg_bytes | option | Renegotiate data chan. key after bytes |
reneg_pkts | option | Renegotiate data chan. key after packets |
reneg_sec | option | Renegotiate data chan. key after seconds |
hand_window | option | Timeframe for key exchange |
tran_window | option | Key transition window |
single_session | option | BOOL Allow only one session |
tls_exit | option | BOOL Exit on TLS negotiation failure |
tls_auth | option | Additional authentication over TLS |
tls_crypt | option | Encrypt and authenticate all control channel packets with the key |
auth_nocache | option | BOOL Don't cache --askpass or --auth-user-pass passwords |
tls_remote | option | Only accept connections from given X509 name |
ns_cert_type | option | Require explicit designation on certificate |
remote_cert_tls | option | Require explicit key usage on certificate |
crl_verify | option | Check peer certificate against a CRL |
tls_version_min | option | The lowest supported TLS version |
tls_version_max | option | The highest supported TLS version |
key_direction * | option | The key direction for 'tls-auth' and 'secret' options |
ncp_disable | option | BOOL This completely disables cipher negotiation |
ncp_ciphers | list | Restrict the allowed ciphers to be negotiated |

Item | Type | Help Text |
---|---|---|
askpass | option | |
bcast_buffers | option | |
capath | option | |
client_config_dir | option | |
connect_freq | option | |
connect_retry_max | option | |
connect_timeout | option | |
ecdh_curve | option | |
extra_certs | option | |
fragment | option | |
group | option | |
hash_size | option | |
ifconfig_ipv6 | option | |
ifconfig_ipv6_pool | option | |
ifconfig_ipv6_push | option | |
ifconfig_pool | option | |
ifconfig_pool_persist | option | |
ifconfig_push | option | |
ipchange | option | |
iroute | option | |
iroute_ipv6 | option | |
lladdr | option | |
max_clients | option | |
max_routes_per_client | option | |
mssfix | option | |
plugin | option | |
port_share | option | |
prng | option | |
pull_filter | option | |
push | option | |
remote_cert_eku | option | |
remote_cert_ku | option | |
route_ipv6 | option | |
route_metric | option | |
route_pre_down | option | |
server_ipv6 | option | |
syslog | option | |
tcp_queue_limit | option | |
tmp_dir | option | |
topology | option | |
user | option | |
verb | option | |
verify_x509_name | option | |
x509_username_field | option | |

Item | Type | Help Text |
---|---|---|
auth_user_pass_optional | option | BOOL |
bind | option | BOOL |
ccd_exclusive | option | BOOL |
comp_noadapt | option | BOOL |
disable | option | BOOL |
duplicate_cn | option | BOOL |
management_forget_disconnect | option | BOOL |
management_signals | option | BOOL |
mktun | option | BOOL |
multihome | option | BOOL |
opt_verify | option | BOOL |
push_reset | option | BOOL |
rmtun | option | BOOL |
tcp_nodelay | option | BOOL |
test_crypto | option | BOOL |
tls_client | option | BOOL |
username_as_common_name | option | BOOL |