mode m Set OpenVPN major mode local host Local host name or IP address for bind remote host [port] Remote host name or IP address remote-random When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure proto p Use protocol p for communicating with remote host connect-retry n For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5) connect-retry-max n For --proto tcp-client, take n as the number of retries of connection attempt (default=infinite) auto-proxy Try to sense HTTP or SOCKS proxy settings automatically http-proxy server port [authfile|'auto'] [auth-method] Connect to remote host through an HTTP proxy at address server and port port http-proxy-retry Retry indefinitely on HTTP proxy errors http-proxy-timeout n Set proxy timeout to n seconds, default=5 http-proxy-option type [parm] Set extended HTTP proxy options socks-proxy server [port] Connect to remote host through a Socks5 proxy at address server and port port (default=1080) socks-proxy-retry Retry indefinitely on Socks proxy errors resolv-retry n If hostname resolve fails for --remote, retry resolve for n seconds before failing float Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used) ipchange cmd Execute shell command cmd when our remote ip-address is initially authenticated or changes port port TCP/UDP port number for both local and remote lport port TCP/UDP port number for bind rport port TCP/UDP port number for remote bind Bind to local address and port nobind Do not bind to local address and port dev tunX | tapX | null TUN/TAP virtual network device ( X can be omitted for a dynamic device dev-type device-type Which device type are we using? device-type should be tun or tap topology mode Configure virtual addressing topology when running in --dev tun mode tun-ipv6 Build a tun link capable of forwarding IPv6 traffic dev-node node Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc lladdr address Specify the link layer address, more commonly known as the MAC address iproute cmd Set alternate command to execute instead of default iproute2 command ifconfig l rn Set TUN/TAP adapter parameters ifconfig-noexec Don't actually execute ifconfig/netsh commands, instead pass --ifconfig parameters to scripts using environmental variables ifconfig-nowarn Don't output an options consistency check warning if the --ifconfig option on this side of the connection doesn't match the remote side route network/IP [netmask] [gateway] [metric] Add route to routing table after connection is established route-gateway gw Specify a default gateway gw for use with --route route-metric m Specify a default metric m for use with --route route-delay [n] [w] Delay n seconds (default=0) after connection establishment, before adding routes route-up cmd Execute shell command cmd after routes are added, subject to --route-delay route-noexec Don't add or remove routes automatically route-nopull When used with --client or --pull, accept options pushed by server EXCEPT for routes redirect-gateway flags... (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN link-mtu n Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers tun-mtu n Take the TUN device MTU to be n and derive the link MTU from it (default=1500) tun-mtu-extra n Assume that the TUN/TAP device might return as many as n bytes more than the --tun-mtu size on read mtu-disc type Should we do Path MTU discovery on TCP/UDP channel? Only supported on OSes such as Linux that supports the necessary system call to set mtu-test To empirically measure MTU on connection startup, add the --mtu-test option to your configuration fragment max Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than max bytes mssfix max Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes sndbuf size Set the TCP/UDP socket send buffer size rcvbuf size Set the TCP/UDP socket receive buffer size socket-flags flags... Apply the given flags to the OpenVPN transport socket txqueuelen n (Linux only) Set the TX queue length on the TUN/TAP interface shaper n Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port inactive n [bytes] Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device ping n Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets) ping-exit n Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote ping-restart n Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote keepalive n m A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations ping-timer-rem Run the --ping-exit / --ping-restart timer only if we have a remote address persist-tun Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts persist-key Don't re-read key files across SIGUSR1 or --ping-restart persist-local-ip Preserve initially resolved local IP address and port number across SIGUSR1 or --ping-restart restarts persist-remote-ip Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts mlock Disable paging by calling the POSIX mlockall function up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change) up-delay Delay TUN/TAP open and possible --up script execution until after TCP/UDP connection establishment with peer down cmd Shell command to run after TUN/TAP device close (post --user UID change and/or --chroot ) down-pre Call --down cmd/script before, rather than after, TUN/TAP close up-restart Enable the --up and --down scripts to be called for restarts as well as initial program start setenv name value Set a custom environmental variable name=value to pass to script setenv-safe name value Set a custom environmental variable OPENVPN_name=value to pass to script disable-occ Don't output a warning message if option inconsistencies are detected between peers user user Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process group group Similar to the --user option, this option changes the group ID of the OpenVPN process to group after initialization cd dir Change directory to dir prior to reading any files such as configuration files, key files, scripts, etc chroot dir Chroot to dir after initialization #daemon [progname] #Become a daemon after all initialization functions are completed #syslog [progname] #Direct log output to system logger, but do not become a daemon passtos Set the TOS field of the tunnel packet to what the payload's TOS is inetd [wait|nowait] [progname] Use this option when OpenVPN is being run from the inetd or xinetd(8) server log file Output logging messages to file, including output to stdout/stderr which is generated by called scripts log-append file Append logging messages to file suppress-timestamps Avoid writing timestamps to log messages, even when they otherwise would be prepended writepid file Write OpenVPN's main process ID to file nice n Change process priority after initialization ( n greater than 0 is lower priority, n less than zero is higher priority) fast-io (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation echo [parms...] Echo parms to log output remap-usr1 signal Control whether internally or externally generated SIGUSR1 signals are remapped to SIGHUP (restart without persisting state) or SIGTERM (exit) verb n Set output verbosity to n (default=1) status file [n] Write operational status to file every n seconds status-version [n] Choose the status file format version number mute n Log at most n consecutive messages in the same category comp-lzo [mode] Use fast LZO compression -- may add up to 1 byte per packet for incompressible data comp-noadapt When used in conjunction with --comp-lzo, this option will disable OpenVPN's adaptive compression algorithm management IP port [pw-file] Enable management interface on to handle daemon management functions management-query-passwords Query management channel for private key password and --auth-user-pass username/password management-forget-disconnect Make OpenVPN forget passwords when management session disconnects management-hold Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it with the hold release command management-signal Send SIGUSR1 signal to OpenVPN if management session disconnects management-log-cache n Cache the most recent n lines of log file history for usage by the management channel plugin module-pathname [init-string] Load plug-in module from the file module-pathname, passing init-string as an argument to the module initialization function