Note: The SSL library will probably need /dev/urandom to be available
inside the chroot directory ``dir``. This is because SSL libraries
- occasionally need to collect fresh random. Newer linux kernels and some
+ occasionally need to collect fresh randomness. Newer linux kernels and some
BSDs implement a getrandom() or getentropy() syscall that removes the
need for /dev/urandom to be available.
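Review bot: while this line is being touched for the "random" to "randomness" fix, "Newer linux kernels" should read "Newer Linux kernels"; the operating-system name is capitalised elsewhere in the page (e.g. "supported in Linux" in the --mark entry).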
--config file
Load additional config options from ``file`` where each line corresponds
- to one command line option, but with the leading '--' removed.
+ to one command line option, but with the leading :code:`--` removed.
If ``--config file`` is the only option to the openvpn command, the
``--config`` can be removed, and the command can be given as ``openvpn
secret static.key
--daemon progname
- Become a daemon after all initialization functions are completed. This
- option will cause all message and error output to be sent to the syslog
+ Become a daemon after all initialization functions are completed.
+
+ Valid syntaxes::
+
+ daemon
+ daemon progname
+
+ This option will cause all message and error output to be sent to the syslog
file (such as :code:`/var/log/messages`), except for the output of
scripts and ifconfig commands, which will go to :code:`/dev/null` unless
otherwise redirected. The syslog redirection occurs immediately at the
The optional ``progname`` parameter will cause OpenVPN to report its
program name to the system logger as ``progname``. This can be useful in
linking OpenVPN messages in the syslog file with specific tunnels. When
- unspecified, ``progname`` defaults to "openvpn".
+ unspecified, ``progname`` defaults to :code:`openvpn`.
When OpenVPN is run with the ``--daemon`` option, it will try to delay
daemonization until the majority of initialization functions which are
renegotiation (and reauthentication) occurs.
--disable-occ
+ Disable "options consistency check" (OCC).
+
Don't output a warning message if option inconsistencies are detected
between peers. An example of an option inconsistency would be where one
peer uses ``--dev tun`` while the other peer uses ``--dev tap``.
--engine engine-name
Enable OpenSSL hardware-based crypto engine functionality.
+ Valid syntaxes::
+
+ engine
+ engine engine-name
+
If ``engine-name`` is specified, use a specific crypto engine. Use the
``--show-engines`` standalone option to list the crypto engines which
are supported by OpenSSL.
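Review bot: the added "Valid syntaxes::" line follows "Enable OpenSSL hardware-based crypto engine functionality." without a blank line, so in reST it is parsed as a continuation of that paragraph rather than as its own lead-in; the --daemon hunk in this same patch inserts a blank line before "Valid syntaxes::", and this hunk should do the same for consistent rendering.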
call, improving CPU efficiency by 5% to 10%.
This option can only be used on non-Windows systems, when ``--proto
- udp`` is specified, and when ``--shaper`` is NOT specified.
+ udp`` is specified, and when ``--shaper`` is *NOT* specified.
--group group
Similar to the ``--user`` option, this option changes the group ID of
May be used in order to execute OpenVPN in unprivileged environment.
--keying-material-exporter args
- Save Exported Keying Material [RFC5705] of len bytes (must be between 16
+ Save Exported Keying Material [RFC5705] of ``len`` bytes (must be between 16
and 4095 bytes) using ``label`` in environment
(:code:`exported_keying_material`) for use by plugins in
:code:`OPENVPN_PLUGIN_TLS_FINAL` callback.
--providers legacy default
- Behaviour of changing this option between SIGHUP might not be well behaving.
+ Behaviour of changing this option between :code:`SIGHUP` might not be well behaving.
If you need to change/add/remove this option, fully restart OpenVPN.
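Review bot: the sentence still reads awkwardly after the :code: change, since "between :code:`SIGHUP` might not be well behaving" is not grammatical; suggest "Changing this option across a :code:`SIGHUP` restart might not behave correctly." so the two sentences together make the point that a full restart is required.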
--remap-usr1 signal
Control whether internally or externally generated :code:`SIGUSR1` signals
are remapped to :code:`SIGHUP` (restart without persisting state) or
- SIGTERM (exit).
+ :code:`SIGTERM` (exit).
``signal`` can be set to :code:`SIGHUP` or :code:`SIGTERM`. By default,
no remapping occurs.
consider using the ``--persist-key`` and ``--persist-tun`` options.
--status args
- Write operational status to ``file`` every ``n`` seconds.
+ Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
+ to :code:`60` if not specified.
Valid syntaxes:
::
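Review bot: the "Valid syntaxes:" line followed by a bare "::" line is the older two-line form; the --replay-window hunk in this patch collapses that pair into a single "Valid syntaxes::" line, and since this hunk already edits the --status entry it would be consistent to apply the same collapse here rather than leave the two forms side by side.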
keepalive interval timeout
+ Send ping once every ``interval`` seconds, restart if ping is not received
+ for ``timeout`` seconds.
+
This option can be used on both client and server side, but it is enough
to add this on the server side as it will push appropriate ``--ping``
and ``--ping-restart`` options to the client. If used on both server and
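Review bot: the added description joins two independent clauses with only a comma ("Send ping once every ``interval`` seconds, restart if ..."); suggest "Send a ping once every ``interval`` seconds, and restart if no ping is received for ``timeout`` seconds." which also matches the --ping / --ping-restart semantics described in the following context lines.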
``--nobind`` option.
--mark value
- Mark encrypted packets being sent with value. The mark value can be
+ Mark encrypted packets being sent with ``value``. The mark value can be
matched in policy routing and packetfilter rules. This option is only
supported in Linux and does nothing on other operating systems.
Do not bind to local address and port. The IP stack will allocate a
dynamic port for returning packets. Since the value of the dynamic port
could not be known in advance by a peer, this option is only suitable
- for peers which will be initiating connections by using the --remote
+ for peers which will be initiating connections by using the ``--remote``
option.
--passtos
(2) To provide a basis for the remote to test the existence of its peer
using the ``--ping-exit`` option.
+ When using OpenVPN in server mode see also ``--keepalive``.
+
--ping-exit n
Causes OpenVPN to exit after ``n`` seconds pass without reception of a
ping or other packet from remote. This option can be combined with
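Review bot: the added cross-reference needs a comma after the introductory clause: "When using OpenVPN in server mode, see also ``--keepalive``." Otherwise the pointer to --keepalive is a useful addition, since that option pushes --ping and --ping-restart to clients.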
--replay-window args
Modify the replay protection sliding-window size and time window.
- Valid syntax:
- ::
+ Valid syntaxes::
- replay-window n [t]
+ replay-window n
+ replay-window n t
- Use a replay protection sliding-window of size **n** and a time window
- of **t** seconds.
+ Use a replay protection sliding-window of size ``n`` and a time window
+ of ``t`` seconds.
- By default **n** is 64 (the IPSec default) and **t** is 15 seconds.
+ By default ``n`` is :code:`64` (the IPSec default) and ``t`` is
+ :code:`15` seconds.
- This option is only relevant in UDP mode, i.e. when either **--proto
- udp** is specified, or no **--proto** option is specified.
+ This option is only relevant in UDP mode, i.e. when either ``--proto
+ udp`` is specified, or no ``--proto`` option is specified.
When OpenVPN tunnels IP packets over UDP, there is the possibility that
packets might be dropped or delivered out of order. Because OpenVPN,