OpenVPN 2.0 mipsel-linux [SSL] [LZO] built on Jul 11 2005
General Options:
--config file : Read configuration options from file.
--help : Show options.
--version : Show copyright and version information.
Tunnel Options:
--local host : Local host name or ip address.
--remote host [port] : Remote host name or ip address.
--remote-random : If multiple --remote options specified, choose one randomly.
--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.
--proto p : Use protocol p for communicating with peer.
p = udp (default), tcp-server, or tcp-client
--connect-retry n : For --proto tcp-client, number of seconds to wait
between connection retries (default=5).
--http-proxy s p [up] [auth] : Connect to remote host through an HTTP proxy at
address s and port p. If proxy authentication is required,
up is a file containing username/password on 2 lines, or
'stdin' to prompt from console. Add auth='ntlm' if
the proxy requires NTLM authentication.
--http-proxy-retry : Retry indefinitely on HTTP proxy errors.
--http-proxy-timeout n : Proxy timeout in seconds, default=5.
--http-proxy-option type [parm] : Set extended HTTP proxy options.
Repeat to set multiple options.
VERSION version (default=1.0)
AGENT user-agent
--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address
s and port p (default port = 1080).
--socks-proxy-retry : Retry indefinitely on Socks proxy errors.
--resolv-retry n: If hostname resolve fails for --remote, retry
resolve for n seconds before failing (disabled by default).
Set n="infinite" to retry indefinitely.
--float : Allow remote to change its IP address/port, such as through
DHCP (this is the default if --remote is not used).
--ipchange cmd : Execute shell command cmd on remote ip address initial
setting or change -- execute as: cmd ip-address port#
--port port : TCP/UDP port # for both local and remote.
--lport port : TCP/UDP port # for local (default=1194).
--rport port : TCP/UDP port # for remote (default=1194).
--nobind : Do not bind to local address and port.
--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device).
--dev-type dt : Which device type are we using? (dt = tun or tap) Use
this option only if the tun/tap device used with --dev
does not begin with "tun" or "tap".
--dev-node node : Explicitly set the device node rather than using
/dev/net/tun, /dev/tun, /dev/tap, etc.
--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.
--ifconfig l rn : TUN: configure device to use IP address l as a local
endpoint and rn as a remote endpoint. l & rn should be
swapped on the other peer. l & rn must be private
addresses outside of the subnets used by either peer.
TAP: configure device to use IP address l as a local
endpoint and rn as a subnet mask.
--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead
pass --ifconfig parms by environment to scripts.
--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the
connection doesn't match the remote side.
--route network [netmask] [gateway] [metric] :
Add route to routing table after connection
is established. Multiple routes can be specified.
netmask default: 255.255.255.255
gateway default: taken from --route-gateway or --ifconfig
Specify default by leaving blank or setting to "nil".
--route-gateway gw : Specify a default gateway for use with --route.
--route-delay n [w] : Delay n seconds after connection initiation before
adding routes (may be 0). If not specified, routes will
be added immediately after tun/tap open. On Windows, wait
up to w seconds for TUN/TAP adapter to come up.
--route-up cmd : Execute shell cmd after routes are added.
--route-noexec : Don't add routes automatically. Instead pass routes to
--route-up script using environmental variables.
--redirect-gateway [flags]: (Experimental) Automatically execute routing
commands to redirect all outgoing IP traffic through the
VPN. Add 'local' flag if both OpenVPN servers are directly
connected via a common subnet, such as with WiFi.
Add 'def1' flag to set default route using 0.0.0.0/1
and 128.0.0.0/1 rather than 0.0.0.0/0.
--setenv name value : Set a custom environmental variable to pass to script.
--shaper n : Restrict output to peer to n bytes per second.
--keepalive n m : Helper option for setting timeouts in server mode. Send
ping once every n seconds, restart if ping not received
for m seconds.
--inactive n : Exit after n seconds of inactivity on tun/tap device.
--ping-exit n : Exit if n seconds pass without reception of remote ping.
--ping-restart n: Restart if n seconds pass without reception of remote ping.
--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a
remote address.
--ping n : Ping remote once every n seconds over TCP/UDP port.
--fast-io : (experimental) Optimize TUN/TAP/UDP writes.
--explicit-exit-notify n : (experimental) on exit, send exit signal to remote.
--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').
--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.
--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.
--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.
--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.
--passtos : TOS passthrough (applies to IPv4 only).
--tun-mtu n : Take the tun/tap device MTU to be n and derive the
TCP/UDP MTU from it (default=1500).
--tun-mtu-extra n : Assume that tun/tap device might return as many
as n bytes more than the tun-mtu size on read
(default TUN=0 TAP=32).
--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU
from it.
--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?
'no' -- Never send DF (Don't Fragment) frames
'maybe' -- Use per-route hints
'yes' -- Always DF (Don't Fragment)
--mtu-test : Empirically measure and report MTU.
--fragment max : Enable internal datagram fragmentation so that no UDP
datagrams are sent which are larger than max bytes.
Adds 4 bytes of overhead per datagram.
--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size
or --fragment max value, whichever is lower.
--sndbuf size : Set the TCP/UDP send buffer size.
--rcvbuf size : Set the TCP/UDP receive buffer size.
--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).
--mlock : Disable Paging -- ensures key material and tunnel
data will never be written to disk.
--up cmd : Shell cmd to execute after successful tun device open.
Execute as: cmd tun/tap-dev tun-mtu link-mtu \
ifconfig-local-ip ifconfig-remote-ip
(pre --user or --group UID/GID change)
--up-delay : Delay tun/tap open and possible --up script execution
until after TCP/UDP connection establishment with peer.
--down cmd : Shell cmd to run after tun device close.
(post --user/--group UID/GID change and/or --chroot)
(script parameters are same as --up option)
--down-pre : Call --down cmd/script before TUN/TAP close.
--up-restart : Run up/down scripts for all restarts including those
caused by --ping-restart or SIGUSR1
--user user : Set UID to user after initialization.
--group group : Set GID to group after initialization.
--chroot dir : Chroot to this directory after initialization.
--cd dir : Change to this directory before initialization.
--daemon [name] : Become a daemon after initialization.
The optional 'name' parameter will be passed
as the program name to the system logger.
--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.
See --daemon above for a description of the 'name' parm.
--log file : Output log to file which is created/truncated on open.
--log-append file : Append log to file, or create file if nonexistent.
--suppress-timestamps : Don't log timestamps to stdout/stderr.
--writepid file : Write main process ID to file.
--nice n : Change process priority (>0 = lower, <0 = higher).
--echo [parms ...] : Echo parameters to log output.
--verb n : Set output verbosity to n (default=1):
(Level 3 is recommended if you want a good summary
of what's happening without being swamped by output).
: 0 -- no output except fatal errors
: 1 -- startup info + connection initiated messages +
non-fatal encryption & net errors
: 2,3 -- show TLS negotiations & route info
: 4 -- show parameters
: 5 -- show 'RrWw' chars on console for each packet sent
and received from TCP/UDP (caps) or tun/tap (lc)
: 6 to 11 -- debug messages of increasing verbosity
--mute n : Log at most n consecutive messages in the same category.
--status file n : Write operational status to file every n seconds.
--status-version [n] : Choose the status file format version number.
Currently, n can be 1 or 2 (default=1).
--disable-occ : Disable options consistency check between peers.
--gremlin mask : Special stress testing mode (for debugging only).
--comp-lzo : Use fast LZO compression -- may add up to 1 byte per
packet for uncompressible data.
--comp-noadapt : Don't use adaptive compression when --comp-lzo
is specified.
--management ip port [pass] : Enable a TCP server on ip:port to handle
management functions. pass is a password file
or 'stdin' to prompt from console.
--management-query-passwords : Query management channel for private key
and auth-user-pass passwords.
--management-hold : Start OpenVPN in a hibernating state, until a client
of the management interface explicitly starts it.
--management-log-cache n : Cache n lines of log file history for usage
by the management channel.
--plugin m [str]: Load plug-in module m passing str as an argument
to its initialization function.
Multi-Client Server options (when --mode server is used):
--server network netmask : Helper option to easily configure server mode.
--server-bridge IP netmask pool-start-IP pool-end-IP : Helper option to
easily configure ethernet bridging server mode.
--push "option" : Push a config file option back to the peer for remote
execution. Peer must specify --pull in its config file.
--push-reset : Don't inherit global push list for specific
client instance.
--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets
to be dynamically allocated to connecting clients.
--ifconfig-pool-linear : Use individual addresses rather than /30 subnets
in tun mode. Not compatible with Windows clients.
--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool
data to file, at seconds intervals (default=600).
If seconds=0, file will be treated as read-only.
--ifconfig-push local remote-netmask : Push an ifconfig option to remote,
overrides --ifconfig-pool dynamic allocation.
Only valid in a client-specific config file.
--iroute network [netmask] : Route subnet to client.
Sets up internal routes only.
Only valid in a client-specific config file.
--disable : Client is disabled.
Only valid in a client-specific config file.
--client-cert-not-required : Don't require client certificate, client
will authenticate using username/password.
--username-as-common-name : For auth-user-pass authentication, use
the authenticated username as the common name,
rather than the common name from the client cert.
--auth-user-pass-verify cmd method: Query client for username/password and
run script cmd to verify. If method='via-env', pass
user/pass via environment, if method='via-file', pass
user/pass via temporary file.
--client-to-client : Internally route client-to-client traffic.
--duplicate-cn : Allow multiple clients with the same common name to
concurrently connect.
--client-connect cmd : Run script cmd on client connection.
--client-disconnect cmd : Run script cmd on client disconnection.
--client-config-dir dir : Directory for custom client config files.
--ccd-exclusive : Refuse connection unless custom client config is found.
--tmp-dir dir : Temporary directory, used for --client-connect return file.
--hash-size r v : Set the size of the real address hash table to r and the
virtual address table to v.
--bcast-buffers n : Allocate n broadcast buffers.
--tcp-queue-limit n : Maximum number of queued TCP output packets.
--learn-address cmd : Run script cmd to validate client virtual addresses.
--connect-freq n s : Allow a maximum of n new connections per s seconds.
--max-clients n : Allow a maximum of n simultaneously connected clients.
Client options (when connecting to a multi-client server):
--client : Helper option to easily configure client mode.
--auth-user-pass [up] : Authenticate with server using username/password.
up is a file containing username/password on 2 lines,
or omit to prompt from console.
--pull : Accept certain config file options from the peer as if they
were part of the local config file. Must be specified
when connecting to a '--mode server' remote host.
Data Channel Encryption Options (must be compatible between peers):
(These options are meaningful for both Static Key & TLS-mode)
--secret f [d] : Enable Static Key encryption mode (non-TLS).
Use shared secret file f, generate with --genkey.
The optional d parameter controls key directionality.
If d is specified, use separate keys for each
direction, set d=0 on one side of the connection,
and d=1 on the other side.
--auth alg : Authenticate packets with HMAC using message
digest algorithm alg (default=SHA1).
(usually adds 16 or 20 bytes per packet)
Set alg=none to disable authentication.
--cipher alg : Encrypt packets with cipher algorithm alg
(default=BF-CBC).
Set alg=none to disable encryption.
--keysize n : Size of cipher key in bits (optional).
If unspecified, defaults to cipher-specific default.
--engine [name] : Enable OpenSSL hardware crypto engine functionality.
--no-replay : Disable replay protection.
--mute-replay-warnings : Silence the output of replay warnings to log file.
--replay-window n [t] : Use a replay protection sliding window of size n
and a time window of t seconds.
Default n=64 t=15
--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.
--replay-persist file : Persist replay-protection state across sessions
using file.
--test-crypto : Run a self-test of crypto features enabled.
For debugging only.
TLS Key Negotiation Options:
(These options are meaningful only for TLS-mode)
--tls-server : Enable TLS and assume server role during TLS handshake.
--tls-client : Enable TLS and assume client role during TLS handshake.
--key-method m : Data channel key exchange method. m should be a method
number, such as 1 (default), 2, etc.
--ca file : Certificate authority file in .pem format containing
root certificate.
--dh file : File containing Diffie Hellman parameters
in .pem format (for --tls-server only).
Use "openssl dhparam -out dh1024.pem 1024" to generate.
--cert file : Local certificate in .pem format -- must be signed
by a Certificate Authority in --ca file.
--key file : Local private key in .pem format.
--pkcs12 file : PKCS#12 file containing local private key, local certificate
and root CA certificate.
--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).
: Use --show-tls to see a list of supported TLS ciphers.
--tls-timeout n : Packet retransmit timeout on TLS control channel
if no ACK from remote within n seconds (default=2).
--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.
--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.
--reneg-sec n : Renegotiate data chan. key after n seconds (default=3600).
--hand-window n : Data channel key exchange must finalize within n seconds
of handshake initiation by any peer (default=60).
--tran-window n : Transition window -- old key can live this many seconds
after new key renegotiation begins (default=3600).
--single-session: Allow only one session (reset state on restart).
--tls-exit : Exit on TLS negotiation failure.
--tls-auth f [d]: Add an additional layer of authentication on top of the TLS
control channel to protect against DoS attacks.
f (required) is a shared-secret passphrase file.
The optional d parameter controls key directionality,
see --secret option for more info.
--askpass [file]: Get PEM password from controlling tty before we daemonize.
--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.
--crl-verify crl: Check peer certificate against a CRL.
--tls-verify cmd: Execute shell command cmd to verify the X509 name of a
pending TLS connection that has otherwise passed all other
tests of certification. cmd should return 0 to allow
TLS handshake to proceed, or 1 to fail. (cmd is
executed as 'cmd certificate_depth X509_NAME_oneline')
--tls-remote x509name: Accept connections only from a host with X509 name
x509name. The remote host must also pass all other tests
of verification.
--ns-cert-type t: Require that peer certificate was signed with an explicit
nsCertType designation t = 'client' | 'server'.
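A checker script for the --tls-verify hook described above, added here as an example; it is not part of OpenVPN's help output or code base. It assumes a hypothetical allow-list path (ALLOWED_CN_FILE, one permitted common name per line) and generalizes --tls-remote from a single accepted X509 name to a list, following the calling convention the help text gives (cmd certificate_depth X509_NAME_oneline, exit 0 to allow, 1 to fail).

```shell
#!/bin/sh
# Added example, not OpenVPN's own code: an allow-list checker for the
# --tls-verify hook. OpenVPN runs the hook as
#   cmd certificate_depth X509_NAME_oneline
# and expects exit status 0 to let the handshake proceed, 1 to fail it.
# ALLOWED_CN_FILE is a hypothetical path: one permitted CN per line.
ALLOWED_CN_FILE="${ALLOWED_CN_FILE:-/etc/openvpn/allowed-cns.txt}"

# Print the CN attribute of an X509_NAME_oneline string such as
# "/C=US/O=Example/CN=client1" (prints nothing if there is no CN).
cn_from_x509_name() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# tls_verify_check DEPTH X509_NAME ALLOWFILE  ->  0 = allow, 1 = fail.
# Depth 0 is the peer's own certificate and is matched against the
# allow-list. CA certificates above it (depth > 0) were already checked
# against --ca by OpenVPN, so they are passed through unchanged.
tls_verify_check() {
    depth=$1; name=$2; allowfile=$3
    [ "$depth" -gt 0 ] 2>/dev/null && return 0
    cn=$(cn_from_x509_name "$name")
    [ -n "$cn" ] || return 1            # certificate without a CN: refuse
    [ -r "$allowfile" ] || return 1     # unreadable allow-list: fail closed
    grep -Fxq -- "$cn" "$allowfile"     # exact whole-line match, no regex
}

# Stand-alone demo over a constructed allow-list; runs only when the
# script is invoked without the two arguments OpenVPN supplies.
demo() {
    tmp="${TMPDIR:-/tmp}/allowed-cns.$$"
    printf 'client1\nclient2\n' > "$tmp"
    for n in '/C=US/O=Example/CN=client1' '/C=US/O=Example/CN=mallory' \
             '/C=US/O=Example'; do
        if tls_verify_check 0 "$n" "$tmp"; then r=allow; else r=deny; fi
        echo "$n -> $r"
    done
    rm -f "$tmp"
}

if [ $# -eq 2 ]; then
    tls_verify_check "$1" "$2" "$ALLOWED_CN_FILE"
    exit $?
elif [ $# -eq 0 ]; then
    demo
fi
```

Point --tls-verify at this script and keep --ca, --cert and --key in place; the allow-list only narrows which otherwise valid certificates are accepted, it does not replace chain validation.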
SSL Library information:
--show-ciphers : Show cipher algorithms to use with --cipher option.
--show-digests : Show message digest algorithms to use with --auth option.
--show-engines : Show hardware crypto accelerator engines (if available).
--show-tls : Show all TLS ciphers (TLS used only as a control channel).
Generate a random key (only for non-TLS static key encryption mode):
--genkey : Generate a random key to be used as a shared secret,
for use with the --secret option.
--secret file : Write key to file.
Tun/tap config mode (available with linux 2.4+):
--mktun : Create a persistent tunnel.
--rmtun : Remove a persistent tunnel.
--dev tunX|tapX : tun/tap device
--dev-type dt : Device type. See tunnel options above for details.