1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
|
Virtual Network Adapter (VPN interface)
---------------------------------------
Options in this section relates to configuration of the virtual tun/tap
network interface, including setting the VPN IP address and network
routing.
--bind-dev device
(Linux only) Set ``device`` to bind the server socket to a
`Virtual Routing and Forwarding`_ device
--block-ipv6
On the client, instead of sending IPv6 packets over the VPN tunnel, all
IPv6 packets are answered with an ICMPv6 no route host message. On the
server, all IPv6 packets from clients are answered with an ICMPv6 no
route to host message. This options is intended for cases when IPv6
should be blocked and other options are not available. ``--block-ipv6``
will use the remote IPv6 as source address of the ICMPv6 packets if set,
otherwise will use :code:`fe80::7` as source address.
For this option to make sense you actually have to route traffic to the
tun interface. The following example config block would send all IPv6
traffic to OpenVPN and answer all requests with no route to host,
effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked
clients leaking around IPv4-only VPN services).
**Client config**
::
--ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
--redirect-gateway ipv6
--block-ipv6
**Server config**
Push a "valid" ipv6 config to the client and block on the server
::
--push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
--push "redirect-gateway ipv6"
--block-ipv6
Note: this option does not influence traffic sent from the server
towards the client (neither on the server nor on the client side).
This is not seen as necessary, as such traffic can be most easily
avoided by not configuring IPv6 on the server tun, or setting up a
server-side firewall rule.
--dev device
TUN/TAP virtual network device which can be :code:`tunX`, :code:`tapX`,
:code:`null` or an arbitrary name string (:code:`X` can be omitted for
a dynamic device.)
See examples section below for an example on setting up a TUN device.
You must use either tun devices on both ends of the connection or tap
devices on both ends. You cannot mix them, as they represent different
underlying network layers:
:code:`tun`
devices encapsulate IPv4 or IPv6 (OSI Layer 3)
:code:`tap`
devices encapsulate Ethernet 802.3 (OSI Layer 2).
Valid syntaxes:
::
dev tun2
dev tap4
dev ovpn
When the device name starts with :code:`tun` or :code:`tap`, the device
type is extracted automatically. Otherwise the ``--dev-type`` option
needs to be added as well.
--dev-node node
Explicitly set the device node rather than using :code:`/dev/net/tun`,
:code:`/dev/tun`, :code:`/dev/tap`, etc. If OpenVPN cannot figure out
whether ``node`` is a TUN or TAP device based on the name, you should
also specify ``--dev-type tun`` or ``--dev-type tap``.
Under Mac OS X this option can be used to specify the default tun
implementation. Using ``--dev-node utun`` forces usage of the native
Darwin tun kernel support. Use ``--dev-node utunN`` to select a specific
utun instance. To force using the :code:`tun.kext` (:code:`/dev/tunX`)
use ``--dev-node tun``. When not specifying a ``--dev-node`` option
openvpn will first try to open utun, and fall back to tun.kext.
On Windows systems, select the TAP-Win32 adapter which is named ``node``
in the Network Connections Control Panel or the raw GUID of the adapter
enclosed by braces. The ``--show-adapters`` option under Windows can
also be used to enumerate all available TAP-Win32 adapters and will show
both the network connections control panel name and the GUID for each
TAP-Win32 adapter.
--dev-type device-type
Which device type are we using? ``device-type`` should be :code:`tun`
(OSI Layer 3) or :code:`tap` (OSI Layer 2). Use this option only if
the TUN/TAP device used with ``--dev`` does not begin with :code:`tun`
or :code:`tap`.
--dhcp-option args
Set additional network parameters on supported platforms. May be specified
on the client or pushed from the server. On Windows these options are
handled by the ``tap-windows6`` driver by default or directly by OpenVPN
if dhcp is disabled or the ``wintun`` driver is in use. The
``OpenVPN for Android`` client also handles them internally.
On all other platforms these options are only saved in the client's
environment under the name :code:`foreign_option_{n}` before the
``--up`` script is called. A plugin or an ``--up`` script must be used to
pick up and interpret these as required. Many Linux distributions include
such scripts and some third-party user interfaces such as tunnelblick also
come with scripts that process these options.
Valid syntax:
::
dhcp-options type [parm]
:code:`DOMAIN` ``name``
Set Connection-specific DNS Suffix to :code:`name`.
:code:`ADAPTER_DOMAIN_SUFFIX` ``name``
Alias to :code:`DOMAIN`. This is a compatibility option, it
should not be used in new deployments.
:code:`DOMAIN-SEARCH` ``name``
Add :code:`name` to the domain search list.
Repeat this option to add more entries. Up to
10 domains are supported.
:code:`DNS` ``address``
Set primary domain name server IPv4 or IPv6 address.
Repeat this option to set secondary DNS server addresses.
Note: DNS IPv6 servers are currently set using netsh (the existing
DHCP code can only do IPv4 DHCP, and that protocol only permits
IPv4 addresses anywhere). The option will be put into the
environment, so an ``--up`` script could act upon it if needed.
:code:`WINS` ``address``
Set primary WINS server address (NetBIOS over TCP/IP Name Server).
Repeat this option to set secondary WINS server addresses.
:code:`NBDD` ``address``
Set primary NBDD server address (NetBIOS over TCP/IP Datagram
Distribution Server). Repeat this option to set secondary NBDD
server addresses.
:code:`NTP` ``address``
Set primary NTP server address (Network Time Protocol).
Repeat this option to set secondary NTP server addresses.
:code:`NBT` ``type``
Set NetBIOS over TCP/IP Node type. Possible options:
:code:`1`
b-node (broadcasts)
:code:`2`
p-node (point-to-point name queries to a WINS server)
:code:`4`
m-node (broadcast then query name server)
:code:`8`
h-node (query name server, then broadcast).
:code:`NBS` ``scope-id``
Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an
extended naming service for the NetBIOS over TCP/IP (Known as NBT)
module. The primary purpose of a NetBIOS scope ID is to isolate
NetBIOS traffic on a single network to only those nodes with the
same NetBIOS scope ID. The NetBIOS scope ID is a character string
that is appended to the NetBIOS name. The NetBIOS scope ID on two
hosts must match, or the two hosts will not be able to communicate.
The NetBIOS Scope ID also allows computers to use the same computer
name, as they have different scope IDs. The Scope ID becomes a part
of the NetBIOS name, making the name unique. (This description of
NetBIOS scopes courtesy of NeonSurge@abyss.com)
:code:`DISABLE-NBT`
Disable Netbios-over-TCP/IP.
--ifconfig args
Set TUN/TAP adapter parameters. It requires the *IP address* of the local
VPN endpoint. For TUN devices in point-to-point mode, the next argument
must be the VPN IP address of the remote VPN endpoint. For TAP devices,
or TUN devices used with ``--topology subnet``, the second argument
is the subnet mask of the virtual network segment which is being created
or connected to.
For TUN devices, which facilitate virtual point-to-point IP connections
(when used in ``--topology net30`` or ``p2p`` mode), the proper usage of
``--ifconfig`` is to use two private IP addresses which are not a member
of any existing subnet which is in use. The IP addresses may be
consecutive and should have their order reversed on the remote peer.
After the VPN is established, by pinging ``rn``, you will be pinging
across the VPN.
For TAP devices, which provide the ability to create virtual ethernet
segments, or TUN devices in ``--topology subnet`` mode (which create
virtual "multipoint networks"), ``--ifconfig`` is used to set an IP
address and subnet mask just as a physical ethernet adapter would be
similarly configured. If you are attempting to connect to a remote
ethernet bridge, the IP address and subnet should be set to values which
would be valid on the the bridged ethernet segment (note also that DHCP
can be used for the same purpose).
This option, while primarily a proxy for the ``ifconfig``\(8) command,
is designed to simplify TUN/TAP tunnel configuration by providing a
standard interface to the different ifconfig implementations on
different platforms.
``--ifconfig`` parameters which are IP addresses can also be specified
as a DNS or /etc/hosts file resolvable name.
For TAP devices, ``--ifconfig`` should not be used if the TAP interface
will be getting an IP address lease from a DHCP server.
Examples:
::
# tun device in net30/p2p mode
ifconfig 10.8.0.2 10.8.0.1
# tun/tap device in subnet mode
ifconfig 10.8.0.2 255.255.255.0
--ifconfig-ipv6 args
Configure an IPv6 address on the *tun* device.
Valid syntax:
::
ifconfig-ipv6 ipv6addr/bits [ipv6remote]
The ``ipv6addr/bits`` argument is the IPv6 address to use. The
second parameter is used as route target for ``--route-ipv6`` if no
gateway is specified.
The ``--topology`` option has no influence with ``--ifconfig-ipv6``
--ifconfig-noexec
Don't actually execute ifconfig/netsh commands, instead pass
``--ifconfig`` parameters to scripts using environmental variables.
--ifconfig-nowarn
Don't output an options consistency check warning if the ``--ifconfig``
option on this side of the connection doesn't match the remote side.
This is useful when you want to retain the overall benefits of the
options consistency check (also see ``--disable-occ`` option) while only
disabling the ifconfig component of the check.
For example, if you have a configuration where the local host uses
``--ifconfig`` but the remote host does not, use ``--ifconfig-nowarn``
on the local host.
This option will also silence warnings about potential address conflicts
which occasionally annoy more experienced users by triggering "false
positive" warnings.
--lladdr address
Specify the link layer address, more commonly known as the MAC address.
Only applied to TAP devices.
--persist-tun
Don't close and reopen TUN/TAP device or run up/down scripts across
:code:`SIGUSR1` or ``--ping-restart`` restarts.
:code:`SIGUSR1` is a restart signal similar to :code:`SIGHUP`, but which
offers finer-grained control over reset options.
--redirect-gateway flags
Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN. This is a client-side option.
This option performs three steps:
(1) Create a static route for the ``--remote`` address which
forwards to the pre-existing default gateway. This is done so that
``(3)`` will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address
(derived either from ``--route-gateway`` or the second parameter to
``--ifconfig`` when ``--dev tun`` is specified).
When the tunnel is torn down, all of the above steps are reversed so
that the original default route is restored.
Option flags:
:code:`local`
Add the :code:`local` flag if both OpenVPN peers are directly
connected via a common subnet, such as with wireless. The
:code:`local` flag will cause step ``(1)`` above to be omitted.
:code:`autolocal`
Try to automatically determine whether to enable :code:`local`
flag above.
:code:`def1`
Use this flag to override the default gateway by using
:code:`0.0.0.0/1` and :code:`128.0.0.0/1` rather than
:code:`0.0.0.0/0`. This has the benefit of overriding but not
wiping out the original default gateway.
:code:`bypass-dhcp`
Add a direct route to the DHCP server (if it is non-local) which
bypasses the tunnel (Available on Windows clients, may not be
available on non-Windows clients).
:code:`bypass-dns`
Add a direct route to the DNS server(s) (if they are non-local)
which bypasses the tunnel (Available on Windows clients, may
not be available on non-Windows clients).
:code:`block-local`
Block access to local LAN when the tunnel is active, except for
the LAN gateway itself. This is accomplished by routing the local
LAN (except for the LAN gateway address) into the tunnel.
:code:`ipv6`
Redirect IPv6 routing into the tunnel. This works similar to
the :code:`def1` flag, that is, more specific IPv6 routes are added
(:code:`2000::/4`, :code:`3000::/4`), covering the whole IPv6
unicast space.
:code:`!ipv4`
Do not redirect IPv4 traffic - typically used in the flag pair
:code:`ipv6 !ipv4` to redirect IPv6-only.
--redirect-private flags
Like ``--redirect-gateway``, but omit actually changing the default gateway.
Useful when pushing private subnets.
--route args
Add route to routing table after connection is established. Multiple
routes can be specified. Routes will be automatically torn down in
reverse order prior to TUN/TAP device close.
Valid syntaxes:
::
route network/IP
route network/IP netmask
route network/IP netmask gateway
route network/IP netmask gateway metric
This option is intended as a convenience proxy for the ``route``\(8)
shell command, while at the same time providing portable semantics
across OpenVPN's platform space.
``netmask``
defaults to :code:`255.255.255.255` when not given
``gateway``
default taken from ``--route-gateway`` or the second
parameter to ``--ifconfig`` when ``--dev tun`` is specified.
``metric``
default taken from ``--route-metric`` if set, otherwise :code:`0`.
The default can be specified by leaving an option blank or setting it to
:code:`default`.
The ``network`` and ``gateway`` parameters can also be specified as a
DNS or :code:`/etc/hosts` file resolvable name, or as one of three special
keywords:
:code:`vpn_gateway`
The remote VPN endpoint address (derived either from
``--route-gateway`` or the second parameter to ``--ifconfig``
when ``--dev tun`` is specified).
:code:`net_gateway`
The pre-existing IP default gateway, read from the
routing table (not supported on all OSes).
:code:`remote_host`
The ``--remote`` address if OpenVPN is being run in
client mode, and is undefined in server mode.
--route-delay args
Valid syntaxes:
::
route-delay
route-delay n
route-delay n m
Delay ``n`` seconds (default :code:`0`) after connection establishment,
before adding routes. If ``n`` is :code:`0`, routes will be added
immediately upon connection establishment. If ``--route-delay`` is
omitted, routes will be added immediately after TUN/TAP device open and
``--up`` script execution, before any ``--user`` or ``--group`` privilege
downgrade (or ``--chroot`` execution.)
This option is designed to be useful in scenarios where DHCP is used to
set tap adapter addresses. The delay will give the DHCP handshake time
to complete before routes are added.
On Windows, ``--route-delay`` tries to be more intelligent by waiting
``w`` seconds (default :code:`30` by default) for the TAP-Win32 adapter
to come up before adding routes.
--route-ipv6 args
Setup IPv6 routing in the system to send the specified IPv6 network into
OpenVPN's *tun*.
Valid syntax:
::
route-ipv6 ipv6addr/bits [gateway] [metric]
The gateway parameter is only used for IPv6 routes across *tap* devices,
and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
``--route-ipv6-gateway`` is used.
--route-gateway arg
Specify a default *gateway* for use with ``--route``.
If :code:`dhcp` is specified as the parameter, the gateway address will
be extracted from a DHCP negotiation with the OpenVPN server-side LAN.
Valid syntaxes:
::
route-gateway gateway
route-gateway dhcp
--route-ipv6-gateway gw
Specify a default gateway ``gw`` for use with ``--route-ipv6``.
--route-metric m
Specify a default metric ``m`` for use with ``--route``.
--route-noexec
Don't add or remove routes automatically. Instead pass routes to
``--route-up`` script using environmental variables.
--route-nopull
When used with ``--client`` or ``--pull``, accept options pushed by
server EXCEPT for routes, block-outside-dns and dhcp options like DNS
servers.
When used on the client, this option effectively bars the server from
adding routes to the client's routing table, however note that this
option still allows the server to set the TCP/IP properties of the
client's TUN/TAP interface.
--topology mode
Configure virtual addressing topology when running in ``--dev tun``
mode. This directive has no meaning in ``--dev tap`` mode, which always
uses a :code:`subnet` topology.
If you set this directive on the server, the ``--server`` and
``--server-bridge`` directives will automatically push your chosen
topology setting to clients as well. This directive can also be manually
pushed to clients. Like the ``--dev`` directive, this directive must
always be compatible between client and server.
``mode`` can be one of:
:code:`net30`
Use a point-to-point topology, by allocating one /30 subnet
per client. This is designed to allow point-to-point semantics when some
or all of the connecting clients might be Windows systems. This is the
default on OpenVPN 2.0.
:code:`p2p`
Use a point-to-point topology where the remote endpoint of
the client's tun interface always points to the local endpoint of the
server's tun interface. This mode allocates a single IP address per
connecting client. Only use when none of the connecting clients are
Windows systems.
:code:`subnet`
Use a subnet rather than a point-to-point topology by
configuring the tun interface with a local IP address and subnet mask,
similar to the topology used in ``--dev tap`` and ethernet bridging
mode. This mode allocates a single IP address per connecting client and
works on Windows as well. Only available when server and clients are
OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched
with the ``--topology`` directive code. When used on Windows, requires
version 8.2 or higher of the TAP-Win32 driver. When used on \*nix,
requires that the tun driver supports an ``ifconfig``\(8) command which
sets a subnet instead of a remote endpoint IP address.
*Note:* Using ``--topology subnet`` changes the interpretation of the
arguments of ``--ifconfig`` to mean "address netmask", no longer "local
remote".
--tun-mtu n
Take the TUN device MTU to be **n** and derive the link MTU from it
(default :code:`1500`). In most cases, you will probably want to leave
this parameter set to its default value.
The MTU (Maximum Transmission Units) is the maximum datagram size in
bytes that can be sent unfragmented over a particular network path.
OpenVPN requires that packets on the control and data channels be sent
unfragmented.
MTU problems often manifest themselves as connections which hang during
periods of active usage.
It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
with MTU sizing issues.
--tun-mtu-extra n
Assume that the TUN/TAP device might return as many as ``n`` bytes more
than the ``--tun-mtu`` size on read. This parameter defaults to 0, which
is sufficient for most TUN devices. TAP devices may introduce additional
overhead in excess of the MTU size, and a setting of 32 is the default
when TAP devices are used. This parameter only controls internal OpenVPN
buffer sizing, so there is no transmission overhead associated with
using a larger value.
TUN/TAP standalone operations
-----------------------------
These two standalone operations will require ``--dev`` and optionally
``--user`` and/or ``--group``.
--mktun
(Standalone) Create a persistent tunnel on platforms which support them
such as Linux. Normally TUN/TAP tunnels exist only for the period of
time that an application has them open. This option takes advantage of
the TUN/TAP driver's ability to build persistent tunnels that live
through multiple instantiations of OpenVPN and die only when they are
deleted or the machine is rebooted.
One of the advantages of persistent tunnels is that they eliminate the
need for separate ``--up`` and ``--down`` scripts to run the appropriate
``ifconfig``\(8) and ``route``\(8) commands. These commands can be
placed in the the same shell script which starts or terminates an
OpenVPN session.
Another advantage is that open connections through the TUN/TAP-based
tunnel will not be reset if the OpenVPN peer restarts. This can be
useful to provide uninterrupted connectivity through the tunnel in the
event of a DHCP reset of the peer's public IP address (see the
``--ipchange`` option above).
One disadvantage of persistent tunnels is that it is harder to
automatically configure their MTU value (see ``--link-mtu`` and
``--tun-mtu`` above).
On some platforms such as Windows, TAP-Win32 tunnels are persistent by
default.
--rmtun
(Standalone) Remove a persistent tunnel.
|