### OpenVPN Initialization and Restart Script Example
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This example demonstrates how the --up script can be invoked for both initial setup and restarts. Ensure UDP port 9999 is blocked by your firewall before running, as it will run indefinitely.
```bash
openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 \
--up 'echo up' --down 'echo down' --persist-tun \
--up-restart
```
--------------------------------
### OpenVPN Configuration File Example
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Example of a basic OpenVPN configuration file for setting up a pre-shared static key connection. It defines the tunnel device, remote peer, and IP addresses for the VPN endpoints.
```openvpn
#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.
# Use a dynamic tun device.
dev tun
# Our remote peer
remote mypeer.mydomain
# 10.1.0.1 is our local VPN endpoint
# 10.1.0.2 is our remote VPN endpoint
ifconfig 10.1.0.1 10.1.0.2
```
--------------------------------
### OpenVPN Inline File Support Example
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Supports including files directly within the main configuration for options like --ca, --cert, and --key. Use tags to delimit inline files. This example shows an inline certificate.
```openvpn
----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
```
--------------------------------
### Keepalive Expansion Example - OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Illustrates how the --keepalive directive expands into --ping and --ping-restart options for both server and client modes, including push directives for the server.
```bash
if mode server:
ping 10 # Argument: interval
ping-restart 120 # Argument: timeout*2
push "ping 10" # Argument: interval
push "ping-restart 60" # Argument: timeout
else
ping 10 # Argument: interval
ping-restart 60 # Argument: timeout
```
--------------------------------
### OpenVPN Connection Profiles Example
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use connection profiles to group --remote options and related settings. OpenVPN attempts to connect to each profile sequentially until successful. This example shows UDP and TCP connections, including one with an HTTP proxy.
```openvpn
client
dev tun
remote 198.19.34.56 1194 udp
remote 198.19.34.56 443 tcp
remote 198.19.34.56 443 tcp
http-proxy 192.168.0.8 8080
remote 198.19.36.99 443 tcp
http-proxy 192.168.0.8 8080
persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
verb 3
```
--------------------------------
### Get Password from Console or File
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use the --askpass option to prompt for a private key password when the OpenVPN daemon starts. If a file is specified, the password will be read from the first line of that file.
```bash
askpass
```
```bash
askpass file
```
--------------------------------
### Sample PAM Authentication Script (Perl)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
A sample Perl script demonstrating how to perform PAM authentication with OpenVPN. This script is part of the OpenVPN source distribution and serves as an example for custom authentication logic.
```perl
sample-scripts/auth-pam.pl
```
--------------------------------
### Windows Pathname Example in OpenVPN Config
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Demonstrates how to specify Windows pathnames within an OpenVPN configuration file using double backslashes for escaping. This is necessary for parameters containing whitespace.
```openvpn
secret "c:\\OpenVPN\\secret.key"
```
--------------------------------
### Remote Server Configuration Examples
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specifies the remote server's hostname or IP address, port, and protocol. Multiple --remote options can be used for redundancy.
```shell
remote server1.example.net
```
```shell
remote server1.example.net 1194
```
```shell
remote server2.example.net 1194 tcp
```
--------------------------------
### IPv6 Routing Setup
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Set up IPv6 routing to direct specified IPv6 networks into OpenVPN's tun device. The gateway parameter is used for IPv6 routes across tap devices.
```bash
route-ipv6 ipv6addr/bits [gateway] [metric]
```
--------------------------------
### Configuring Routes with --up Script and --ifconfig
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
When --ifconfig is used, OpenVPN passes local and remote endpoints to the --up script, enabling route configuration. This example shows how to add a route to a private subnet.
```bash
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
```
--------------------------------
### Configure TUN/TAP Server with --server
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
The --server directive simplifies OpenVPN server setup for TUN/TAP interfaces, allocating client IP addresses from a specified network. The 'nopool' flag prevents dynamic IP address allocation.
```text
server 10.8.0.0 255.255.255.0
```
--------------------------------
### Specify IPv6 Address Pool for Clients
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at the given IPv6 address and matches the offset determined from the start of the IPv4 pool. If the host part of the given IPv6 address is 0, the pool starts at ipv6addr + 1.
```config
ifconfig-ipv6-pool ipv6addr/bits
```
--------------------------------
### Load OpenVPN Plug-in Module
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use the --plugin option to load an external module. The module name is the first argument, followed by an optional initialization string. Enclose multi-argument init strings in double quotes.
```bash
plugin module-name
```
```bash
plugin module-name "arguments"
```
--------------------------------
### OpenVPN Route Method Selection
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specifies the method for adding routes on Windows. Options include 'adaptive' (default, tries IP helper API then route.exe), 'ipapi' (uses IP helper API), and 'exe' (calls route.exe).
```text
--route-method m
| Which method m to use for adding routes on Windows?
`adaptive` (default)
Try IP helper API first. If that fails, fall back to the route.exe shell command.
`ipapi`
Use IP helper API.
`exe`
Call the route.exe shell command.
```
--------------------------------
### Specify Peer Certificate Fingerprint
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify a SHA256 fingerprint or list of fingerprints to verify the peer certificate against. This can be used as an alternative to a PKI for small setups.
```bash
peer-fingerprint AD:B0:95:D8:09:...
```
```bash
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
```
--------------------------------
### Configure HTTP Proxy with Basic Authentication (File)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify an HTTP proxy with basic authentication, loading credentials from a file.
```config
http-proxy proxy.example.net 3128 authfile.txt
```
--------------------------------
### Configure HTTP Proxy with NTLM Authentication (File)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Set up an HTTP proxy with NTLM authentication, using credentials stored in a file.
```config
http-proxy proxy.example.net 3128 authfile.txt ntlm2
```
--------------------------------
### Configure Transition Window for Key Renegotiation
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --tran-window to specify the number of seconds an old key remains valid after a new key renegotiation begins. Defaults to 3600 seconds.
```bash
--tran-window 3600
```
--------------------------------
### Configure External Key Options
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Allows usage of an external private key file instead of the --key option. Optional parameters like 'nopadding', 'pkcs1', and 'pss' signal support for different padding algorithms.
```bash
management-external-key
management-external-key nopadding
management-external-key pkcs1
management-external-key pss
```
```bash
management-external-key nopadding pkcs1
management-external-key pkcs1 pss
```
--------------------------------
### Specify TUN/TAP Device Type
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Explicitly sets the device type to 'tun' (Layer 3) or 'tap' (Layer 2). Use this when the device name used with --dev does not start with 'tun' or 'tap'.
```bash
--dev-type tun
```
```bash
--dev-type tap
```
--------------------------------
### Select Certificate by Issuer String
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the issuer string is used.
```bash
cryptoapicert "ISSUER:Sample CA"
```
--------------------------------
### Configure HTTP Proxy with Basic Authentication (Stdin)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this to configure an HTTP proxy with basic authentication, prompting the user for credentials.
```config
http-proxy proxy.example.net 3128 stdin
```
--------------------------------
### Username/Password Authentication Methods
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Configure username/password authentication. The 'up' parameter specifies a file with credentials, or credentials can be prompted from the console or inlined. The server must use --auth-user-pass-verify.
```openvpn
auth-user-pass
```
```openvpn
auth-user-pass up
```
```openvpn
username
[password]
```
--------------------------------
### Define Client IP Address Pool
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Set aside a pool of subnets to be dynamically allocated to connecting clients, similar to a DHCP server. For tun-style tunnels, each client gets a /30 subnet. For tap-style tunnels, individual addresses are allocated, and an optional netmask is pushed to clients.
```config
ifconfig-pool start-IP end-IP [netmask]
```
--------------------------------
### Configure MTU, Fragmentation, and MSS Fix
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use these options together to work around Path MTU discovery issues. --mssfix attempts to prevent TCP fragmentation, while --fragment handles fragmentation of non-TCP packets. Lowering the maximum UDP packet size to 1300 is a common starting point for MTU problems.
```bash
--tun-mtu 1500 --fragment 1300 --mssfix
```
--------------------------------
### OpenVPN Show Adapters
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Displays available network adapters on the system.
```text
--show-adapters
```
--------------------------------
### Show OpenVPN Cipher Algorithms
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-ciphers to list all available cipher algorithms that can be used with the --cipher option.
```bash
openvpn --show-ciphers
```
--------------------------------
### Show OpenVPN Digest Algorithms
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-digests to list all available message digest algorithms compatible with the --auth option.
```bash
openvpn --show-digests
```
--------------------------------
### Select Certificate by Subject String
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the subject string is used.
```bash
cryptoapicert "SUBJ:Peter Runestig"
```
--------------------------------
### Select Certificate by Template Name or OID
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the template name or OID is used.
```bash
cryptoapicert "TMPL:Name of Template"
```
```bash
cryptoapicert "TMPL:1.3.6.1.4..."
```
--------------------------------
### Configure OpenVPN Status File
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify the file and interval for writing operational status. The interval defaults to 60 seconds if not provided.
```bash
status file
status file n
```
--------------------------------
### Specify PKCS #12 File
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use a PKCS #12 file that contains the local private key, local certificate, and root CA certificate. This can replace separate CA, cert, and key files.
```bash
--pkcs12 file
```
--------------------------------
### Configure Compression Mode in OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Controls OpenVPN's behavior with compression. Use 'asym' to allow only decompression of incoming packets, 'no' to refuse all compression, or 'yes' to enable compression for both directions. 'no' is the default.
```bash
allow-compression
allow-compression mode
```
--------------------------------
### Configure HTTP Proxy with Auto-Detected Authentication (Prompt)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Allows OpenVPN to automatically determine the required authentication method and prompt the user if necessary.
```config
http-proxy proxy.example.net 3128 auto
```
--------------------------------
### Load OpenSSL Providers
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Load a list of OpenSSL providers, useful for external key management or using the legacy provider. Restart OpenVPN if changing this option.
```bash
--providers legacy default
```
--------------------------------
### Show OpenSSL Crypto Acceleration Engines
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-engines to list hardware-based crypto acceleration engines supported by the OpenSSL library.
```bash
openvpn --show-engines
```
--------------------------------
### Set Hash Table Sizes (OpenVPN)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Configure the real address hash table size (r) and virtual address table size (v) using the hash-size option. By default, both tables are set to 256 buckets.
```bash
hash-size r v
```
--------------------------------
### Select Certificate by Thumbprint
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this to load a certificate and private key from the Windows Certificate System Store. The first non-expired certificate matching the thumbprint is used. Spaces in the hex string are optional.
```bash
cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
```
--------------------------------
### Execute command on client connection
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Run a command or script when a client successfully connects. The script receives common name and IP as environment variables and can generate dynamic configuration. A non-zero return status disconnects the client.
```bash
--client-connect cmd
```
--------------------------------
### Show Gateway Information (OpenVPN)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-gateway to display the current IPv4 and IPv6 default gateway and interface. For IPv6, it queries the route towards ::/128 or a specified target. For IPv4, it looks for a 0.0.0.0/0 route, which might not always match the actual packet route to the VPN gateway if more specific routes exist.
```bash
--show-gateway
```
```bash
--show-gateway IPv6-target
```
--------------------------------
### Run OpenVPN as a Daemon
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use the --daemon option to run OpenVPN in the background. Optionally specify a program name for syslog messages. Initialization scripts can check the return status for successful initialization before daemonization.
```bash
--daemon
```
```bash
daemon progname
```
--------------------------------
### Configure IP Address Method on Windows
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Sets the TAP-Win32 adapter IP address and netmask using a specified method when --ifconfig is used. Do not use without --ifconfig.
```bash
--ip-win32 manual
```
```bash
--ip-win32 dynamic [offset] [lease-time]
```
--------------------------------
### Configure HTTP Proxy with Auto-Detected Authentication (Reject Basic)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Configure automatic authentication detection but explicitly reject basic authentication.
```config
http-proxy proxy.example.net 3128 auto-nct
```
--------------------------------
### OpenVPN Plug-in Path Resolution
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specifies how OpenVPN resolves the path to a plug-in module based on the provided argument. DEFAULT_DIR is the build-time configured directory, and CWD is the current working directory.
```text
--plugin path Effective directory used
===================== =============================
myplug.so DEFAULT_DIR/myplug.so
subdir/myplug.so DEFAULT_DIR/subdir/myplug.so
./subdir/myplug.so CWD/subdir/myplug.so
/usr/lib/my/plug.so /usr/lib/my/plug.so
```
--------------------------------
### Enable Static Challenge/Response Protocol
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Activate a static challenge-response protocol for user authentication. The challenge text is displayed to the user, and the echo flag determines if user input is shown on the screen.
```bash
static-challenge text echo
```
--------------------------------
### Configure client certificate verification mode
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify whether a client certificate is required for authentication. Options include 'none' (username/password only), 'optional' (certificate may be presented), and 'require' (certificate is mandatory).
```bash
--verify-client-cert none
```
```bash
--verify-client-cert optional
```
```bash
--verify-client-cert require
```
--------------------------------
### Accept server-pushed options in OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This option is for clients connecting to multi-client servers and allows them to accept options pushed by the server. It is implied by the --client option and is crucial for receiving pushed routes.
```OpenVPN
--pull
```
--------------------------------
### Simplify Client Mode Configuration
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
The --client directive is a shortcut for 'pull' and 'tls-client', simplifying client configuration.
```openvpn
--client
```
--------------------------------
### OpenVPN IP Configuration using ipapi
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically."
```text
ipapi
```
--------------------------------
### Expanded --server Directive Logic (TUN/TAP)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This illustrates the expanded configuration generated by the --server directive for TUN/TAP devices, including IP addressing, routing, and push options based on topology.
```text
mode server
tls-server
push "topology [topology]"
if dev tun AND (topology == net30 OR topology == p2p):
ifconfig 10.8.0.1 10.8.0.2
if !nopool:
ifconfig-pool 10.8.0.4 10.8.0.251
route 10.8.0.0 255.255.255.0
if client-to-client:
push "route 10.8.0.0 255.255.255.0"
else if topology == net30:
push "route 10.8.0.1"
if dev tap OR (dev tun AND topology == subnet):
ifconfig 10.8.0.1 255.255.255.0
if !nopool:
ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
push "route-gateway 10.8.0.1"
if route-gateway unset:
route-gateway 10.8.0.2
```
--------------------------------
### Enable OpenSSL Hardware Crypto Engine
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use the --engine option to enable hardware-based crypto engine functionality provided by OpenSSL. Specify a specific engine name if needed. Use --show-engines to list supported engines.
```bash
--engine
```
```bash
engine engine-name
```
--------------------------------
### Push Configuration Option to Client
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --push to send a configuration option to a client for remote execution. The client must have --pull enabled. Certain options, like script execution or TLS parameters, cannot be pushed.
```bash
--push "route ..."
```
--------------------------------
### Show OpenVPN TLS Ciphers
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-tls to display all TLS ciphers supported by the crypto library, sorted by preference. Note that compatibility depends on both peers' configurations.
```bash
openvpn --show-tls
```
--------------------------------
### OpenVPN Adaptive IP Configuration
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Try dynamic method initially and fail over to netsh if the DHCP negotiation with the TAP-Win32 adapter does not succeed in 20 seconds. Failures can occur when third-party firewalls block DHCP negotiation. If netsh failover occurs, adapter properties are reset to static, causing future adaptive mode startups to use netsh immediately. To reset, run OpenVPN once using dynamic mode.
```text
adaptive (Default)
Try dynamic method initially and fail over to netsh if the DHCP negotiation with the TAP-Win32 adapter does not succeed in 20 seconds. Such failures have been known to occur when certain third-party firewall packages installed on the client machine block the DHCP negotiation used by the TAP-Win32 adapter. Note that if the netsh failover occurs, the TAP-Win32 adapter TCP/IP properties will be reset from DHCP to static, and this will cause future OpenVPN startups using the adaptive mode to use netsh immediately, rather than trying dynamic first.To "unstick" the adaptive mode from using netsh, run OpenVPN at least once using the dynamic mode to restore the TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
```
--------------------------------
### Show PKCS#11 Token Object List
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Standalone command to show PKCS#11 token object list. Specify cert_private as '1' if certificates are stored as private objects. If p11-kit is present, the provider argument is optional.
```bash
show-pkcs11 [provider] [cert_private]
```
--------------------------------
### Configure Data Channel Renegotiation by Time
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Set the maximum time in seconds after which the data channel key will be renegotiated. A minimum time can also be specified. The effective value is randomized between min and max. Default is 3600 seconds.
```bash
reneg-sec max [min]
```
--------------------------------
### Specify Local Private Key File
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Indicate the file containing the local peer's private key in PEM format. This key should correspond to the certificate generated.
```bash
--key file
```
--------------------------------
### Enable Data Channel Compression in OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This option enables compression for the OpenVPN data channel.
```bash
--compress algorithm
```
--------------------------------
### Configure TUN Device in net30/p2p Mode
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this command to set the IP addresses for the TUN device when operating in net30/p2p mode. The first IP is for the client, and the second is for the server.
```bash
ifconfig 10.8.0.2 10.8.0.1
```
--------------------------------
### OpenVPN Register DNS
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Runs 'ipconfig /flushdns' and 'ipconfig /registerdns' on connection initiation. This is known to help Windows recognize pushed DNS servers.
```bash
--register-dns | Run `ipconfig /flushdns` and `ipconfig /registerdns` on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
```
--------------------------------
### Ignore Unknown Configuration Options
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --ignore-unknown-option to prevent OpenVPN from failing if it encounters an option not supported by the current version. This allows for graceful degradation with older software versions. Use with caution due to potential security implications. Available since OpenVPN 2.3.3.
```bash
ignore-unknown-options opt1 opt2 opt3 ... optN
```
--------------------------------
### Configure Management Server Socket
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Enable a management server on a Unix socket or TCP port. For Unix sockets, specify 'pw-file' for password protection. For TCP, always use 'pw-file' and consider binding to localhost.
```bash
management socket-name unix
management socket-name unix pw-file
management IP port
management IP port pw-file
```
--------------------------------
### Configure HTTP Proxy with Authentication
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Connect to a remote host through an HTTP proxy, supporting various authentication methods including basic, NTLM, and digest. Credentials can be provided via an authfile, stdin, or inline.
```bash
--http-proxy proxy-server proxy-port [authfile] [auth-method]
```
--------------------------------
### Show OpenVPN Elliptic Curve Groups
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --show-groups to list all available elliptic curves/groups for use with --ecdh-curve and tls-groups options.
```bash
openvpn --show-groups
```
--------------------------------
### Equivalent to --remote-cert-tls server (OpenVPN)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This configuration is equivalent to using the --remote-cert-tls server option, ensuring that the peer certificate is suitable for server authentication. This is a crucial security measure against man-in-the-middle attacks.
```openvpn
remote-cert-ku
remote-cert-eku "TLS Web Server Authentication"
```
--------------------------------
### Up Script Arguments for TUN Device
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Arguments passed to the up script when using a TUN device. The last argument indicates the context, either 'init' or 'restart'.
```bash
cmd tun_dev tun_mtu 0 ifconfig_local_ip ifconfig_remote_ip [init | restart]
```
--------------------------------
### Configure Multi-homed UDP Server
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Enable a multi-homed UDP server when the server has multiple IP addresses and is not using --local to bind to a specific address. This option ensures UDP reply packets are sent from the address the client is communicating with. It is not supported on all platforms and adds processing overhead.
```config
--multihome
```
--------------------------------
### Configure IPv6 Route for Client
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --iroute-ipv6 to configure a static IPv6 route for a specific client when using --client-config-dir. This directive works similarly to --iroute for IPv4.
```bash
iroute-ipv6 ipv6addr/bits
```
--------------------------------
### Optimize TUN/TAP/UDP I/O
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
The --fast-io option optimizes I/O writes by skipping the poll/epoll/select call, which can improve CPU efficiency by 5-10%. This option is only available on non-Windows systems, requires --proto udp, and cannot be used with --shaper.
```bash
--fast-io
```
--------------------------------
### Push client information to server in OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
This option pushes detailed information about the OpenVPN client to the server, including version, OS platform, supported protocol extensions, cipher negotiation capabilities, MTU support, and UI version if applicable.
```OpenVPN
--push-peer-info
```
--------------------------------
### Generate Authentication Token Syntax
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Defines the syntax for generating authentication tokens for clients. The token can have a specified lifetime and renewal time, and supports an external authentication flag.
```bash
auth-gen-token [lifetime] [renewal-time] [external-auth]
```
--------------------------------
### Specify Diffie Hellman Parameters File
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Provide a file containing Diffie Hellman parameters in PEM format. Use 'none' to disable DH key exchange and rely solely on ECDH.
```bash
--dh file
```
--------------------------------
### Client Compression Support Flags
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
These flags indicate the compression algorithms supported by the client. They are used to negotiate compression with the server.
```text
IV_LZO=1
```
```text
IV_LZO_STUB=1
```
```text
IV_LZ4=1
```
```text
IV_LZ4v2=1
```
```text
IV_COMP_STUB=1
```
```text
IV_COMP_STUBv2=1
```
--------------------------------
### Generate CA Certificate and Key
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this command to create a new certificate authority (CA) certificate and private key. Ensure to edit your openssl.cnf to point to the new root certificate.
```bash
openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
```
--------------------------------
### Configure HTTP Proxy with Inline Credentials
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Specify HTTP proxy credentials directly within the configuration file using a specific format.
```config
http-proxy proxy.example.net 3128 "" basic
```
```config
username
password
```
--------------------------------
### Filter server-pushed options in OpenVPN
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Filter options pushed by the server based on a text prefix. Actions include 'accept', 'ignore', and 'reject'. Filters are applied in order, and unmatched options are accepted by default.
```OpenVPN
pull-filter accept text
```
```OpenVPN
pull-filter ignore text
```
```OpenVPN
pull-filter reject text
```
```OpenVPN
pull-filter ignore "route"
```
```OpenVPN
pull-filter accept "route 192.168.1."
```
```OpenVPN
pull-filter ignore "route "
```
--------------------------------
### Limit Outgoing Bandwidth (OpenVPN)
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use --shaper to limit outgoing tunnel data bandwidth to n bytes per second on the TCP/UDP port. This option requires the mode to be set to `p2p`. For bidirectional limiting, apply it on both peers. The algorithm waits (b / n) seconds before queuing the next write, where b is the datagram size. For low bandwidth tunnels (under 1000 bytes/sec), consider lower MTU values to prevent timeouts. OpenVPN allows n between 100 bytes/sec and 100 Mbytes/sec.
```bash
--shaper n
```
--------------------------------
### Configure tls-crypt-v2 key file
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use client-specific tls-crypt keys for enhanced security. The keyfile on clients is client-specific, while on servers it's used to unwrap client keys. Optional parameters like `force-cookie` and `allow-noncookie` control client handshake behavior.
```config
tls-crypt-v2 keyfile
```
```config
tls-crypt-v2 keyfile force-cookie
```
```config
tls-crypt-v2 keyfile allow-noncookie
```
--------------------------------
### OpenVPN Auth User Pass Verify Script
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Use this script to validate username and password provided by the client. The script receives credentials via environment variables or a temporary file. It must return 0 for success, 1 for failure, or 2 for deferred authentication.
```bash
auth-user-pass-verify cmd method
```
--------------------------------
### Verify client-specific tls-crypt-v2 key metadata
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Run a command to verify the metadata of a client-specific tls-crypt-v2 key. This allows servers to reject connections before exposing the TLS stack. OpenVPN provides `script_type`, `metadata_type`, and `metadata_file` environment variables to the command.
```config
--tls-crypt-v2-verify cmd
```
--------------------------------
### Configure Syslog Logging
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Redirect all OpenVPN output, except for script and ifconfig commands, to the system's syslog file. This redirection happens immediately when the --daemon option is parsed. If --log options are used, they will override syslog redirection.
```bash
--syslog
```
--------------------------------
### Set HTTP Proxy Options
Source: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html
Configure extended HTTP proxy options such as HTTP version, User-Agent, or custom headers.
```config
http-proxy-option VERSION 1.1
```
```config
http-proxy-option AGENT OpenVPN/2.4
```
```config
http-proxy-option X-Proxy-Flag some-flags
```