Local host name or IP address for bind
Remote host name or IP address
When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure
Use protocol p for communicating with remote host
For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5)
For --proto tcp-client, take n as the number of retries of connection attempt (default=infinite)
Try to sense HTTP or SOCKS proxy settings automatically
http-proxy server port [authfile|'auto'] [auth-method]
Connect to remote host through an HTTP proxy at address server and port port
Retry indefinitely on HTTP proxy errors
Set proxy timeout to n seconds, default=5
http-proxy-option type [parm]
Set extended HTTP proxy options
socks-proxy server [port]
Connect to remote host through a Socks5 proxy at address server and port port (default=1080)
Retry indefinitely on Socks proxy errors
If hostname resolve fails for --remote, retry resolve for n seconds before failing
Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used)
Execute shell command cmd when our remote ip-address is initially authenticated or changes
TCP/UDP port number for both local and remote
TCP/UDP port number for bind
TCP/UDP port number for remote
Bind to local address and port
Do not bind to local address and port
dev tunX | tapX | null
TUN/TAP virtual network device (X can be omitted for a dynamic device)
Which device type are we using? device-type should be tun or tap
Configure virtual addressing topology when running in --dev tun mode
Build a tun link capable of forwarding IPv6 traffic
Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc
Specify the link layer address, more commonly known as the MAC address
Set alternate command to execute instead of default iproute2 command
Set TUN/TAP adapter parameters
Don't actually execute ifconfig/netsh commands, instead pass --ifconfig parameters to scripts using environmental variables
Don't output an options consistency check warning if the --ifconfig option on this side of the connection doesn't match the remote side
route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established
Specify a default gateway gw for use with --route
Specify a default metric m for use with --route
Delay n seconds (default=0) after connection establishment, before adding routes
Execute shell command cmd after routes are added, subject to --route-delay
Don't add or remove routes automatically
When used with --client or --pull, accept options pushed by server EXCEPT for routes
redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN
Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers
Take the TUN device MTU to be n and derive the link MTU from it (default=1500)
Assume that the TUN/TAP device might return as many as n bytes more than the --tun-mtu size on read
Should we do Path MTU discovery on TCP/UDP channel? Only supported on OSes such as Linux that support the necessary system call to set
To empirically measure MTU on connection startup, add the --mtu-test option to your configuration
Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than max bytes
Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes
Set the TCP/UDP socket send buffer size
Set the TCP/UDP socket receive buffer size
socket-flags flags...
Apply the given flags to the OpenVPN transport socket
(Linux only) Set the TX queue length on the TUN/TAP interface
Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port
Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device
Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets)
Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote
Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote
A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations
Run the --ping-exit / --ping-restart timer only if we have a remote address
Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts
Don't re-read key files across SIGUSR1 or --ping-restart
Preserve initially resolved local IP address and port number across SIGUSR1 or --ping-restart restarts
Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts
Disable paging by calling the POSIX mlockall function
Shell command to run after successful TUN/TAP device open (pre --user UID change)
Delay TUN/TAP open and possible --up script execution until after TCP/UDP connection establishment with peer
Shell command to run after TUN/TAP device close (post --user UID change and/or --chroot)
Call --down cmd/script before, rather than after, TUN/TAP close
Enable the --up and --down scripts to be called for restarts as well as initial program start
Set a custom environmental variable name=value to pass to script
setenv-safe name value
Set a custom environmental variable OPENVPN_name=value to pass to script
Don't output a warning message if option inconsistencies are detected between peers
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process
Similar to the --user option, this option changes the group ID of the OpenVPN process to group after initialization
Change directory to dir prior to reading any files such as configuration files, key files, scripts, etc
Chroot to dir after initialization
Become a daemon after all initialization functions are completed
Direct log output to system logger, but do not become a daemon
Set the TOS field of the tunnel packet to what the payload's TOS is
inetd [wait|nowait] [progname]
Use this option when OpenVPN is being run from the inetd or xinetd(8) server
Output logging messages to file, including output to stdout/stderr which is generated by called scripts
Append logging messages to file
Avoid writing timestamps to log messages, even when they otherwise would be prepended
Write OpenVPN's main process ID to file
Change process priority after initialization (n greater than 0 is lower priority, n less than zero is higher priority)
(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation
Echo parms to log output
Control whether internally or externally generated SIGUSR1 signals are remapped to SIGHUP (restart without persisting state) or SIGTERM (exit)
Set output verbosity to n (default=1)
Write operational status to file every n seconds
Choose the status file format version number
Log at most n consecutive messages in the same category
Use fast LZO compression -- may add up to 1 byte per packet for incompressible data
When used in conjunction with --comp-lzo, this option will disable OpenVPN's adaptive compression algorithm
management IP port [pw-file]
Enable management interface on <IP> <port> to handle daemon management functions
management-query-passwords
Query management channel for private key password and --auth-user-pass username/password
management-forget-disconnect
Make OpenVPN forget passwords when management session disconnects
Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it with the hold release command
Send SIGUSR1 signal to OpenVPN if management session disconnects
management-log-cache n
Cache the most recent n lines of log file history for usage by the management channel
plugin module-pathname [init-string]
Load plug-in module from the file module-pathname, passing init-string as an argument to the module initialization function