openvpn:options
This is an old revision of the document!
OpenVPN - Options
Tunnel Options
| remote-random | Used to initially “scramble” the connection list. | |
| When multiple –remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure. | ||
| route-gateway gw|'dhcp' | Specify a default gateway gw for use with –route. | |
| If dhcp is specified as the parameter, the gateway address will be extracted from a DHCP negotiation with the OpenVPN server-side LAN. | ||
| Tunnel Options | route network/IP [netmask] [gateway] [metric] | Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close. |
| netmask default – 255.255.255.255 | ||
| gateway default – taken from –route-gateway or the second parameter to –ifconfig when –dev tun is specified. | ||
| metric default – taken from –route-metric otherwise 0. | ||
| The default can be specified by leaving an option blank or setting it to “default”. | ||
| The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords: | ||
| vpn_gateway – The remote VPN endpoint address (derived either from –route-gateway or the second parameter to –ifconfig when –dev tun is specified). | ||
| net_gateway – The pre-existing IP default gateway, read from the routing table (not supported on all OSes). | ||
| remote_host – The –remote address if OpenVPN is being run in client mode, and is undefined in server mode. |
| allow-pull-fqdn | Allow client to pull DNS names from server (rather than being limited to IP address) for –ifconfig, –route, and –route-gateway. |
| comp-lzo [mode] | Use fast LZO compression – may add up to 1 byte per packet for incompressible data. mode may be “yes”, “no”, or “adaptive” (default). |
| In a server mode setup, it is possible to selectively turn compression on or off for individual clients. | |
| First, make sure the client-side config file enables selective compression by having at least one –comp-lzo directive, such as –comp-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting. | |
| Next in a –client-config-dir file, specify the compression setting for the client, for example: | |
| comp-lzo yes | |
| push “comp-lzo yes” | |
| The first line sets the comp-lzo setting for the server side of the link, the second sets the client side. | |
| fast-io | (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. |
| The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which don't support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%. | |
| This option can only be used on non-Windows systems, when –proto udp is specified, and when –shaper is NOT specified. | |
| fragment 1300 | |
| key-direction 1 | |
| mssfix 1450 | |
| persist-key | Don't re-read key files across SIGUSR1 or –ping-restart. |
| This option can be combined with –user nobody to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files. | |
| This option solves the problem by persisting keys across SIGUSR1 resets, so they don't need to be re-read. | |
| persist-tun | Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or –ping-restart restarts. |
| SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options. | |
| pull | This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options. |
| In particular, –pull allows the server to push routes to the client, so you should not use –pull or –client in situations where you don't trust the server to have control over the client's routing table. | |
| rcvbuf 524288 | Set the TCP/UDP socket receive buffer size. Defaults to operation system default. |
| remote-cert-tls server | |
| route-delay 2 | |
| route-method exe | |
| route-nopull | When used with –client or –pull, accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp options like DNS servers. |
| When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. | |
| sndbuf 524288 | Set the TCP/UDP socket send buffer size. Defaults to operation system default. |
| tls-client | Enable TLS and assume client role during TLS handshake. |
| tun-mtu 1500 | |
| verb 3 | Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output. |
| 0 – No output except fatal errors. | |
| 1 to 4 – Normal usage range. | |
| 5 – Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. | |
| 6 to 11 – Debug info range (see errlevel.h for additional information on debug levels). | |
| verify-x509-name Server name-prefix |
openvpn/options.1587374869.txt.gz · Last modified: 2020/07/15 09:30 (external edit)