Wiki

User Tools

Site Tools

Trace: convert_ts_to_mp4
openvpn:options

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
openvpn:options [2020/04/20 10:11] peteropenvpn:options [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 35: Line 35:
 |:::|**SIGUSR1** is a restart signal similar to **SIGHUP**, but which offers finer-grained control over reset options.| |:::|**SIGUSR1** is a restart signal similar to **SIGHUP**, but which offers finer-grained control over reset options.|
 |rcvbuf size|Set the TCP/UDP socket receive buffer size. Defaults to operation system default.| |rcvbuf size|Set the TCP/UDP socket receive buffer size. Defaults to operation system default.|
 +|redirect-gateway flags...|Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.  This is a client-side option.|
 +|:::|This option performs three steps:|
 +|:::|(1) Create a static route for the **--remote** address which forwards to the pre-existing default gateway.  This is done so that (3) will not create a routing loop.|
 +|:::|(2) Delete the default gateway route.|
 +|:::|(3) Set the new default gateway to be the VPN endpoint address (derived either from **--route-gateway** or the second parameter to **--ifconfig** when **--dev tun** is specified).|
 +|:::|When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.|
 +|:::|Option flags:|
 +|:::|**local** -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless.  The local flag will cause step 1 above to be omitted.|
 +|:::|**autolocal** -- Try to automatically determine whether to enable local flag above.|
 +|:::|**def1** -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.  This has the benefit of overriding but not wiping out the original default gateway.|
 +|:::|**bypass-dhcp** -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).|
 +|:::|**bypass-dns** -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).|
 +|:::|**block-local** -- Block access to local LAN when the tunnel is active, except for the LAN gateway itself.  This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.|
 |remote-random|Used to initially "scramble" the connection list.| |remote-random|Used to initially "scramble" the connection list.|
 |:::|When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure.| |:::|When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure.|
Line 45: Line 58:
 |route network/IP [netmask] [gateway] [metric]|Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.| |route network/IP [netmask] [gateway] [metric]|Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.|
 |:::|**netmask** default -- 255.255.255.255| |:::|**netmask** default -- 255.255.255.255|
-|:::|**gateway** default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.| +|:::|**gateway** default -- taken from **--route-gateway** or the second parameter to **--ifconfig** when **--dev tun** is specified.| 
-|:::|**metric** default -- taken from --route-metric otherwise 0.|+|:::|**metric** default -- taken from **--route-metric** otherwise 0.|
 |:::|The default can be specified by leaving an option blank or setting it to "default".| |:::|The default can be specified by leaving an option blank or setting it to "default".|
 |:::|The **network** and **gateway** parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:| |:::|The **network** and **gateway** parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:|
Line 52: Line 65:
 |:::|**net_gateway** -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).| |:::|**net_gateway** -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).|
 |:::|**remote_host** -- The **--remote** address if OpenVPN is being run in client mode, and is undefined in server mode.| |:::|**remote_host** -- The **--remote** address if OpenVPN is being run in client mode, and is undefined in server mode.|
 +|route-nopull|When used with **--client** or **--pull**, accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp options like DNS servers.|
 +|:::|When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.|
 |sndbuf size|Set the TCP/UDP socket send buffer size. Defaults to operation system default.| |sndbuf size|Set the TCP/UDP socket send buffer size. Defaults to operation system default.|
-|verb 3|Set output verbosity to n (default=1). Each level shows all info from the previous levels.  Level 3 is recommended if you want a good summary of what's happening without being swamped by output.|+|tun-mtu n|Take the TUN device MTU to be n and derive the link MTU from it (default=1500).  In most cases, you will probably want to leave this parameter set to its default value.| 
 +|:::|The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path.  OpenVPN requires that packets on the control or data channels be sent unfragmented.| 
 +|:::|MTU problems often manifest themselves as connections which hang during periods of active usage.| 
 +|:::|It's best to use the **--fragment** and/or **--mssfix** options to deal with MTU sizing issues.| 
 +|verb n|Set output verbosity to **n** (default=1).  Each level shows all info from the previous levels.  Level 3 is recommended if you want a good summary of what's happening without being swamped by output.|
 |:::|**0** -- No output except fatal errors.| |:::|**0** -- No output except fatal errors.|
 |:::|**1 to 4** -- Normal usage range.| |:::|**1 to 4** -- Normal usage range.|
Line 72: Line 91:
  
 |client|A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:| |client|A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:|
-|:::|pull| +|:::|**pull**
-|:::|tls-client| +|:::|**tls-client**
-|pull|This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options.| +|pull|This option must be used on a client which is connecting to a multi-client server.  It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options.| 
-|:::|In particular, --pull allows the server to push routes to the client, so you should not use --pull or --client in situations where you don't trust the server to have control over the client's routing table.|+|:::|In particular, **--pull** allows the server to push routes to the client, so you should not use **--pull** or **--client** in situations where you don't trust the server to have control over the client's routing table.|
  
  
Line 100: Line 119:
 |:::|This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server.  The attack is easily prevented by having clients verify the server certificate using any one of **--remote-cert-tls**, **--verify-x509-name**, or **--tls-verify**.| |:::|This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server.  The attack is easily prevented by having clients verify the server certificate using any one of **--remote-cert-tls**, **--verify-x509-name**, or **--tls-verify**.|
 |tls-client|Enable TLS and assume client role during TLS handshake.| |tls-client|Enable TLS and assume client role during TLS handshake.|
- 
----- 
- 
- 
- 
- 
- 
- 
- 
-|route-method exe| 
-|route-nopull|When used with **--client** or **--pull**, accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp options like DNS servers.| 
-|:::|When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.| 
-|tun-mtu 1500| 
 |verify-x509-name Server name-prefix|Accept connections only if a host's X.509 name is equal to **name**.  The remote host must also pass all other tests of verification.| |verify-x509-name Server name-prefix|Accept connections only if a host's X.509 name is equal to **name**.  The remote host must also pass all other tests of verification.|
 |:::|Which X.509 name is compared to **name** depends on the setting of type. **type** can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix.  Which RDN is verified as name depends on the **--x509-username-field** option.  But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:| |:::|Which X.509 name is compared to **name** depends on the setting of type. **type** can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix.  Which RDN is verified as name depends on the **--x509-username-field** option.  But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:|
Line 119: Line 125:
 |:::|Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.| |:::|Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.|
 |:::|**NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA.| |:::|**NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA.|
 +
 +
 +
 +----
 +
 +===== Windows-Specific Options =====
 +
 +|route-method m|Which method **m** to use for adding routes on Windows?|
 +|:::|**adaptive** (default) -- Try IP helper API first. If that fails, fall back to the route.exe shell command.|
 +|:::|**ipapi** -- Use IP helper API.|
 +|:::|**exe** -- Call the route.exe shell command.|
  
 ---- ----
  
  
openvpn/options.1587377488.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki