### OpenVPN Initialization and Restart Script Example Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This example demonstrates how the --up script can be invoked for both initial setup and restarts. Ensure UDP port 9999 is blocked by your firewall before running, as it will run indefinitely. ```bash openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 \ --up 'echo up' --down 'echo down' --persist-tun \ --up-restart ``` -------------------------------- ### OpenVPN Configuration File Example Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Example of a basic OpenVPN configuration file for setting up a pre-shared static key connection. It defines the tunnel device, remote peer, and IP addresses for the VPN endpoints. ```openvpn # # Sample OpenVPN configuration file for # using a pre-shared static key. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. dev tun # Our remote peer remote mypeer.mydomain # 10.1.0.1 is our local VPN endpoint # 10.1.0.2 is our remote VPN endpoint ifconfig 10.1.0.1 10.1.0.2 ``` -------------------------------- ### OpenVPN Inline File Support Example Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Supports including files directly within the main configuration for options like --ca, --cert, and --key. Use tags to delimit inline files. This example shows an inline certificate. ```openvpn ----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- ``` -------------------------------- ### Keepalive Expansion Example - OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Illustrates how the --keepalive directive expands into --ping and --ping-restart options for both server and client modes, including push directives for the server. ```bash if mode server: ping 10 # Argument: interval ping-restart 120 # Argument: timeout*2 push "ping 10" # Argument: interval push "ping-restart 60" # Argument: timeout else ping 10 # Argument: interval ping-restart 60 # Argument: timeout ``` -------------------------------- ### OpenVPN Connection Profiles Example Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use connection profiles to group --remote options and related settings. OpenVPN attempts to connect to each profile sequentially until successful. This example shows UDP and TCP connections, including one with an HTTP proxy. ```openvpn client dev tun remote 198.19.34.56 1194 udp remote 198.19.34.56 443 tcp remote 198.19.34.56 443 tcp http-proxy 192.168.0.8 8080 remote 198.19.36.99 443 tcp http-proxy 192.168.0.8 8080 persist-key persist-tun pkcs12 client.p12 remote-cert-tls server verb 3 ``` -------------------------------- ### Get Password from Console or File Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use the --askpass option to prompt for a private key password when the OpenVPN daemon starts. If a file is specified, the password will be read from the first line of that file. ```bash askpass ``` ```bash askpass file ``` -------------------------------- ### Sample PAM Authentication Script (Perl) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html A sample Perl script demonstrating how to perform PAM authentication with OpenVPN. This script is part of the OpenVPN source distribution and serves as an example for custom authentication logic. ```perl sample-scripts/auth-pam.pl ``` -------------------------------- ### Windows Pathname Example in OpenVPN Config Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Demonstrates how to specify Windows pathnames within an OpenVPN configuration file using double backslashes for escaping. This is necessary for parameters containing whitespace. ```openvpn secret "c:\\OpenVPN\\secret.key" ``` -------------------------------- ### Remote Server Configuration Examples Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specifies the remote server's hostname or IP address, port, and protocol. Multiple --remote options can be used for redundancy. ```shell remote server1.example.net ``` ```shell remote server1.example.net 1194 ``` ```shell remote server2.example.net 1194 tcp ``` -------------------------------- ### IPv6 Routing Setup Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Set up IPv6 routing to direct specified IPv6 networks into OpenVPN's tun device. The gateway parameter is used for IPv6 routes across tap devices. ```bash route-ipv6 ipv6addr/bits [gateway] [metric] ``` -------------------------------- ### Configuring Routes with --up Script and --ifconfig Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html When --ifconfig is used, OpenVPN passes local and remote endpoints to the --up script, enabling route configuration. This example shows how to add a route to a private subnet. ```bash route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 ``` -------------------------------- ### Configure TUN/TAP Server with --server Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html The --server directive simplifies OpenVPN server setup for TUN/TAP interfaces, allocating client IP addresses from a specified network. The 'nopool' flag prevents dynamic IP address allocation. ```text server 10.8.0.0 255.255.255.0 ``` -------------------------------- ### Specify IPv6 Address Pool for Clients Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at the given IPv6 address and matches the offset determined from the start of the IPv4 pool. If the host part of the given IPv6 address is 0, the pool starts at ipv6addr + 1. ```config ifconfig-ipv6-pool ipv6addr/bits ``` -------------------------------- ### Load OpenVPN Plug-in Module Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use the --plugin option to load an external module. The module name is the first argument, followed by an optional initialization string. Enclose multi-argument init strings in double quotes. ```bash plugin module-name ``` ```bash plugin module-name "arguments" ``` -------------------------------- ### OpenVPN Route Method Selection Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specifies the method for adding routes on Windows. Options include 'adaptive' (default, tries IP helper API then route.exe), 'ipapi' (uses IP helper API), and 'exe' (calls route.exe). ```text --route-method m | Which method m to use for adding routes on Windows? `adaptive` (default) Try IP helper API first. If that fails, fall back to the route.exe shell command. `ipapi` Use IP helper API. `exe` Call the route.exe shell command. ``` -------------------------------- ### Specify Peer Certificate Fingerprint Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify a SHA256 fingerprint or list of fingerprints to verify the peer certificate against. This can be used as an alternative to a PKI for small setups. ```bash peer-fingerprint AD:B0:95:D8:09:... ``` ```bash 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 ``` -------------------------------- ### Configure HTTP Proxy with Basic Authentication (File) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify an HTTP proxy with basic authentication, loading credentials from a file. ```config http-proxy proxy.example.net 3128 authfile.txt ``` -------------------------------- ### Configure HTTP Proxy with NTLM Authentication (File) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Set up an HTTP proxy with NTLM authentication, using credentials stored in a file. ```config http-proxy proxy.example.net 3128 authfile.txt ntlm2 ``` -------------------------------- ### Configure Transition Window for Key Renegotiation Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --tran-window to specify the number of seconds an old key remains valid after a new key renegotiation begins. Defaults to 3600 seconds. ```bash --tran-window 3600 ``` -------------------------------- ### Configure External Key Options Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Allows usage of an external private key file instead of the --key option. Optional parameters like 'nopadding', 'pkcs1', and 'pss' signal support for different padding algorithms. ```bash management-external-key management-external-key nopadding management-external-key pkcs1 management-external-key pss ``` ```bash management-external-key nopadding pkcs1 management-external-key pkcs1 pss ``` -------------------------------- ### Specify TUN/TAP Device Type Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Explicitly sets the device type to 'tun' (Layer 3) or 'tap' (Layer 2). Use this when the device name used with --dev does not start with 'tun' or 'tap'. ```bash --dev-type tun ``` ```bash --dev-type tap ``` -------------------------------- ### Select Certificate by Issuer String Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the issuer string is used. ```bash cryptoapicert "ISSUER:Sample CA" ``` -------------------------------- ### Configure HTTP Proxy with Basic Authentication (Stdin) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this to configure an HTTP proxy with basic authentication, prompting the user for credentials. ```config http-proxy proxy.example.net 3128 stdin ``` -------------------------------- ### Username/Password Authentication Methods Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Configure username/password authentication. The 'up' parameter specifies a file with credentials, or credentials can be prompted from the console or inlined. The server must use --auth-user-pass-verify. ```openvpn auth-user-pass ``` ```openvpn auth-user-pass up ``` ```openvpn username [password] ``` -------------------------------- ### Define Client IP Address Pool Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Set aside a pool of subnets to be dynamically allocated to connecting clients, similar to a DHCP server. For tun-style tunnels, each client gets a /30 subnet. For tap-style tunnels, individual addresses are allocated, and an optional netmask is pushed to clients. ```config ifconfig-pool start-IP end-IP [netmask] ``` -------------------------------- ### Configure MTU, Fragmentation, and MSS Fix Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use these options together to work around Path MTU discovery issues. --mssfix attempts to prevent TCP fragmentation, while --fragment handles fragmentation of non-TCP packets. Lowering the maximum UDP packet size to 1300 is a common starting point for MTU problems. ```bash --tun-mtu 1500 --fragment 1300 --mssfix ``` -------------------------------- ### OpenVPN Show Adapters Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Displays available network adapters on the system. ```text --show-adapters ``` -------------------------------- ### Show OpenVPN Cipher Algorithms Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-ciphers to list all available cipher algorithms that can be used with the --cipher option. ```bash openvpn --show-ciphers ``` -------------------------------- ### Show OpenVPN Digest Algorithms Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-digests to list all available message digest algorithms compatible with the --auth option. ```bash openvpn --show-digests ``` -------------------------------- ### Select Certificate by Subject String Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the subject string is used. ```bash cryptoapicert "SUBJ:Peter Runestig" ``` -------------------------------- ### Select Certificate by Template Name or OID Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the template name or OID is used. ```bash cryptoapicert "TMPL:Name of Template" ``` ```bash cryptoapicert "TMPL:1.3.6.1.4..." ``` -------------------------------- ### Configure OpenVPN Status File Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify the file and interval for writing operational status. The interval defaults to 60 seconds if not provided. ```bash status file status file n ``` -------------------------------- ### Specify PKCS #12 File Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use a PKCS #12 file that contains the local private key, local certificate, and root CA certificate. This can replace separate CA, cert, and key files. ```bash --pkcs12 file ``` -------------------------------- ### Configure Compression Mode in OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Controls OpenVPN's behavior with compression. Use 'asym' to allow only decompression of incoming packets, 'no' to refuse all compression, or 'yes' to enable compression for both directions. 'no' is the default. ```bash allow-compression allow-compression mode ``` -------------------------------- ### Configure HTTP Proxy with Auto-Detected Authentication (Prompt) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Allows OpenVPN to automatically determine the required authentication method and prompt the user if necessary. ```config http-proxy proxy.example.net 3128 auto ``` -------------------------------- ### Load OpenSSL Providers Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Load a list of OpenSSL providers, useful for external key management or using the legacy provider. Restart OpenVPN if changing this option. ```bash --providers legacy default ``` -------------------------------- ### Show OpenSSL Crypto Acceleration Engines Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-engines to list hardware-based crypto acceleration engines supported by the OpenSSL library. ```bash openvpn --show-engines ``` -------------------------------- ### Set Hash Table Sizes (OpenVPN) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Configure the real address hash table size (r) and virtual address table size (v) using the hash-size option. By default, both tables are set to 256 buckets. ```bash hash-size r v ``` -------------------------------- ### Select Certificate by Thumbprint Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the thumbprint is used. Spaces in the hex string are optional. ```bash cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." ``` -------------------------------- ### Execute command on client connection Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Run a command or script when a client successfully connects. The script receives common name and IP as environment variables and can generate dynamic configuration. A non-zero return status disconnects the client. ```bash --client-connect cmd ``` -------------------------------- ### Show Gateway Information (OpenVPN) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-gateway to display the current IPv4 and IPv6 default gateway and interface. For IPv6, it queries the route towards ::/128 or a specified target. For IPv4, it looks for a 0.0.0.0/0 route, which might not always match the actual packet route to the VPN gateway if more specific routes exist. ```bash --show-gateway ``` ```bash --show-gateway IPv6-target ``` -------------------------------- ### Run OpenVPN as a Daemon Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use the --daemon option to run OpenVPN in the background. Optionally specify a program name for syslog messages. Initialization scripts can check the return status for successful initialization before daemonization. ```bash --daemon ``` ```bash daemon progname ``` -------------------------------- ### Configure IP Address Method on Windows Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Sets the TAP-Win32 adapter IP address and netmask using a specified method when --ifconfig is used. Do not use without --ifconfig. ```bash --ip-win32 manual ``` ```bash --ip-win32 dynamic [offset] [lease-time] ``` -------------------------------- ### Configure HTTP Proxy with Auto-Detected Authentication (Reject Basic) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Configure automatic authentication detection but explicitly reject basic authentication. ```config http-proxy proxy.example.net 3128 auto-nct ``` -------------------------------- ### OpenVPN Plug-in Path Resolution Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specifies how OpenVPN resolves the path to a plug-in module based on the provided argument. DEFAULT_DIR is the build-time configured directory, and CWD is the current working directory. ```text --plugin path Effective directory used ===================== ============================= myplug.so DEFAULT_DIR/myplug.so subdir/myplug.so DEFAULT_DIR/subdir/myplug.so ./subdir/myplug.so CWD/subdir/myplug.so /usr/lib/my/plug.so /usr/lib/my/plug.so ``` -------------------------------- ### Enable Static Challenge/Response Protocol Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Activate a static challenge-response protocol for user authentication. The challenge text is displayed to the user, and the echo flag determines if user input is shown on the screen. ```bash static-challenge text echo ``` -------------------------------- ### Configure client certificate verification mode Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify whether a client certificate is required for authentication. Options include 'none' (username/password only), 'optional' (certificate may be presented), and 'require' (certificate is mandatory). ```bash --verify-client-cert none ``` ```bash --verify-client-cert optional ``` ```bash --verify-client-cert require ``` -------------------------------- ### Accept server-pushed options in OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This option is for clients connecting to multi-client servers and allows them to accept options pushed by the server. It is implied by the --client option and is crucial for receiving pushed routes. ```OpenVPN --pull ``` -------------------------------- ### Simplify Client Mode Configuration Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html The --client directive is a shortcut for 'pull' and 'tls-client', simplifying client configuration. ```openvpn --client ``` -------------------------------- ### OpenVPN IP Configuration using ipapi Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically." ```text ipapi ``` -------------------------------- ### Expanded --server Directive Logic (TUN/TAP) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This illustrates the expanded configuration generated by the --server directive for TUN/TAP devices, including IP addressing, routing, and push options based on topology. ```text mode server tls-server push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p): ifconfig 10.8.0.1 10.8.0.2 if !nopool: ifconfig-pool 10.8.0.4 10.8.0.251 route 10.8.0.0 255.255.255.0 if client-to-client: push "route 10.8.0.0 255.255.255.0" else if topology == net30: push "route 10.8.0.1" if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0 push "route-gateway 10.8.0.1" if route-gateway unset: route-gateway 10.8.0.2 ``` -------------------------------- ### Enable OpenSSL Hardware Crypto Engine Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use the --engine option to enable hardware-based crypto engine functionality provided by OpenSSL. Specify a specific engine name if needed. Use --show-engines to list supported engines. ```bash --engine ``` ```bash engine engine-name ``` -------------------------------- ### Push Configuration Option to Client Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --push to send a configuration option to a client for remote execution. The client must have --pull enabled. Certain options, like script execution or TLS parameters, cannot be pushed. ```bash --push "route ..." ``` -------------------------------- ### Show OpenVPN TLS Ciphers Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-tls to display all TLS ciphers supported by the crypto library, sorted by preference. Note that compatibility depends on both peers' configurations. ```bash openvpn --show-tls ``` -------------------------------- ### OpenVPN Adaptive IP Configuration Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Try dynamic method initially and fail over to netsh if the DHCP negotiation with the TAP-Win32 adapter does not succeed in 20 seconds. Failures can occur when third-party firewalls block DHCP negotiation. If netsh failover occurs, adapter properties are reset to static, causing future adaptive mode startups to use netsh immediately. To reset, run OpenVPN once using dynamic mode. ```text adaptive (Default) Try dynamic method initially and fail over to netsh if the DHCP negotiation with the TAP-Win32 adapter does not succeed in 20 seconds. Such failures have been known to occur when certain third-party firewall packages installed on the client machine block the DHCP negotiation used by the TAP-Win32 adapter. Note that if the netsh failover occurs, the TAP-Win32 adapter TCP/IP properties will be reset from DHCP to static, and this will cause future OpenVPN startups using the adaptive mode to use netsh immediately, rather than trying dynamic first.To "unstick" the adaptive mode from using netsh, run OpenVPN at least once using the dynamic mode to restore the TAP-Win32 adapter TCP/IP properties to a DHCP configuration. ``` -------------------------------- ### Show PKCS#11 Token Object List Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Standalone command to show PKCS#11 token object list. Specify cert_private as '1' if certificates are stored as private objects. If p11-kit is present, the provider argument is optional. ```bash show-pkcs11 [provider] [cert_private] ``` -------------------------------- ### Configure Data Channel Renegotiation by Time Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Set the maximum time in seconds after which the data channel key will be renegotiated. A minimum time can also be specified. The effective value is randomized between min and max. Default is 3600 seconds. ```bash reneg-sec max [min] ``` -------------------------------- ### Specify Local Private Key File Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Indicate the file containing the local peer's private key in PEM format. This key should correspond to the certificate generated. ```bash --key file ``` -------------------------------- ### Enable Data Channel Compression in OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This option enables compression for the OpenVPN data channel. ```bash --compress algorithm ``` -------------------------------- ### Configure TUN Device in net30/p2p Mode Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this command to set the IP addresses for the TUN device when operating in net30/p2p mode. The first IP is for the client, and the second is for the server. ```bash ifconfig 10.8.0.2 10.8.0.1 ``` -------------------------------- ### OpenVPN Register DNS Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Runs 'ipconfig /flushdns' and 'ipconfig /registerdns' on connection initiation. This is known to help Windows recognize pushed DNS servers. ```bash --register-dns | Run `ipconfig /flushdns` and `ipconfig /registerdns` on connection initiation. This is known to kick Windows into recognizing pushed DNS servers. ``` -------------------------------- ### Ignore Unknown Configuration Options Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --ignore-unknown-option to prevent OpenVPN from failing if it encounters an option not supported by the current version. This allows for graceful degradation with older software versions. Use with caution due to potential security implications. Available since OpenVPN 2.3.3. ```bash ignore-unknown-options opt1 opt2 opt3 ... optN ``` -------------------------------- ### Configure Management Server Socket Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Enable a management server on a Unix socket or TCP port. For Unix sockets, specify 'pw-file' for password protection. For TCP, always use 'pw-file' and consider binding to localhost. ```bash management socket-name unix management socket-name unix pw-file management IP port management IP port pw-file ``` -------------------------------- ### Configure HTTP Proxy with Authentication Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Connect to a remote host through an HTTP proxy, supporting various authentication methods including basic, NTLM, and digest. Credentials can be provided via an authfile, stdin, or inline. ```bash --http-proxy proxy-server proxy-port [authfile] [auth-method] ``` -------------------------------- ### Show OpenVPN Elliptic Curve Groups Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --show-groups to list all available elliptic curves/groups for use with --ecdh-curve and tls-groups options. ```bash openvpn --show-groups ``` -------------------------------- ### Equivalent to --remote-cert-tls server (OpenVPN) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This configuration is equivalent to using the --remote-cert-tls server option, ensuring that the peer certificate is suitable for server authentication. This is a crucial security measure against man-in-the-middle attacks. ```openvpn remote-cert-ku remote-cert-eku "TLS Web Server Authentication" ``` -------------------------------- ### Up Script Arguments for TUN Device Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Arguments passed to the up script when using a TUN device. The last argument indicates the context, either 'init' or 'restart'. ```bash cmd tun_dev tun_mtu 0 ifconfig_local_ip ifconfig_remote_ip [init | restart] ``` -------------------------------- ### Configure Multi-homed UDP Server Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Enable a multi-homed UDP server when the server has multiple IP addresses and is not using --local to bind to a specific address. This option ensures UDP reply packets are sent from the address the client is communicating with. It is not supported on all platforms and adds processing overhead. ```config --multihome ``` -------------------------------- ### Configure IPv6 Route for Client Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --iroute-ipv6 to configure a static IPv6 route for a specific client when using --client-config-dir. This directive works similarly to --iroute for IPv4. ```bash iroute-ipv6 ipv6addr/bits ``` -------------------------------- ### Optimize TUN/TAP/UDP I/O Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html The --fast-io option optimizes I/O writes by skipping the poll/epoll/select call, which can improve CPU efficiency by 5-10%. This option is only available on non-Windows systems, requires --proto udp, and cannot be used with --shaper. ```bash --fast-io ``` -------------------------------- ### Push client information to server in OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html This option pushes detailed information about the OpenVPN client to the server, including version, OS platform, supported protocol extensions, cipher negotiation capabilities, MTU support, and UI version if applicable. ```OpenVPN --push-peer-info ``` -------------------------------- ### Generate Authentication Token Syntax Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Defines the syntax for generating authentication tokens for clients. The token can have a specified lifetime and renewal time, and supports an external authentication flag. ```bash auth-gen-token [lifetime] [renewal-time] [external-auth] ``` -------------------------------- ### Specify Diffie Hellman Parameters File Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Provide a file containing Diffie Hellman parameters in PEM format. Use 'none' to disable DH key exchange and rely solely on ECDH. ```bash --dh file ``` -------------------------------- ### Client Compression Support Flags Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html These flags indicate the compression algorithms supported by the client. They are used to negotiate compression with the server. ```text IV_LZO=1 ``` ```text IV_LZO_STUB=1 ``` ```text IV_LZ4=1 ``` ```text IV_LZ4v2=1 ``` ```text IV_COMP_STUB=1 ``` ```text IV_COMP_STUBv2=1 ``` -------------------------------- ### Generate CA Certificate and Key Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this command to create a new certificate authority (CA) certificate and private key. Ensure to edit your openssl.cnf to point to the new root certificate. ```bash openssl req -nodes -new -x509 -keyout ca.key -out ca.crt ``` -------------------------------- ### Configure HTTP Proxy with Inline Credentials Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Specify HTTP proxy credentials directly within the configuration file using a specific format. ```config http-proxy proxy.example.net 3128 "" basic ``` ```config username password ``` -------------------------------- ### Filter server-pushed options in OpenVPN Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Filter options pushed by the server based on a text prefix. Actions include 'accept', 'ignore', and 'reject'. Filters are applied in order, and unmatched options are accepted by default. ```OpenVPN pull-filter accept text ``` ```OpenVPN pull-filter ignore text ``` ```OpenVPN pull-filter reject text ``` ```OpenVPN pull-filter ignore "route" ``` ```OpenVPN pull-filter accept "route 192.168.1." ``` ```OpenVPN pull-filter ignore "route " ``` -------------------------------- ### Limit Outgoing Bandwidth (OpenVPN) Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use --shaper to limit outgoing tunnel data bandwidth to n bytes per second on the TCP/UDP port. This option requires the mode to be set to `p2p`. For bidirectional limiting, apply it on both peers. The algorithm waits (b / n) seconds before queuing the next write, where b is the datagram size. For low bandwidth tunnels (under 1000 bytes/sec), consider lower MTU values to prevent timeouts. OpenVPN allows n between 100 bytes/sec and 100 Mbytes/sec. ```bash --shaper n ``` -------------------------------- ### Configure tls-crypt-v2 key file Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use client-specific tls-crypt keys for enhanced security. The keyfile on clients is client-specific, while on servers it's used to unwrap client keys. Optional parameters like `force-cookie` and `allow-noncookie` control client handshake behavior. ```config tls-crypt-v2 keyfile ``` ```config tls-crypt-v2 keyfile force-cookie ``` ```config tls-crypt-v2 keyfile allow-noncookie ``` -------------------------------- ### OpenVPN Auth User Pass Verify Script Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Use this script to validate username and password provided by the client. The script receives credentials via environment variables or a temporary file. It must return 0 for success, 1 for failure, or 2 for deferred authentication. ```bash auth-user-pass-verify cmd method ``` -------------------------------- ### Verify client-specific tls-crypt-v2 key metadata Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Run a command to verify the metadata of a client-specific tls-crypt-v2 key. This allows servers to reject connections before exposing the TLS stack. OpenVPN provides `script_type`, `metadata_type`, and `metadata_file` environment variables to the command. ```config --tls-crypt-v2-verify cmd ``` -------------------------------- ### Configure Syslog Logging Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Redirect all OpenVPN output, except for script and ifconfig commands, to the system's syslog file. This redirection happens immediately when the --daemon option is parsed. If --log options are used, they will override syslog redirection. ```bash --syslog ``` -------------------------------- ### Set HTTP Proxy Options Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html Configure extended HTTP proxy options such as HTTP version, User-Agent, or custom headers. ```config http-proxy-option VERSION 1.1 ``` ```config http-proxy-option AGENT OpenVPN/2.4 ``` ```config http-proxy-option X-Proxy-Flag some-flags ```