summaryrefslogtreecommitdiff
path: root/doc/man-sections/vpn-network-options.rst
blob: 25a26b3452ff75350e5d85da2be76af4f96959b7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
Virtual Network Adapter (VPN interface)
---------------------------------------

Options in this section relates to configuration of the virtual tun/tap
network interface, including setting the VPN IP address and network
routing.

--bind-dev device
  (Linux only) Set ``device`` to bind the server socket to a
  `Virtual Routing and Forwarding`_ device

--block-ipv6
  On the client, instead of sending IPv6 packets over the VPN tunnel, all
  IPv6 packets are answered with an ICMPv6 no route host message. On the
  server, all IPv6 packets from clients are answered with an ICMPv6 no
  route to host message. This options is intended for cases when IPv6
  should be blocked and other options are not available. ``--block-ipv6``
  will use the remote IPv6 as source address of the ICMPv6 packets if set,
  otherwise will use :code:`fe80::7` as source address.

  For this option to make sense you actually have to route traffic to the
  tun interface. The following example config block would send all IPv6
  traffic to OpenVPN and answer all requests with no route to host,
  effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked
  clients leaking around IPv4-only VPN services).

  **Client config**
    ::

       --ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
       --redirect-gateway ipv6
       --block-ipv6

  **Server config**
    Push a "valid" ipv6 config to the client and block on the server
    ::

       --push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
       --push "redirect-gateway ipv6"
       --block-ipv6

  Note: this option does not influence traffic sent from the server
  towards the client (neither on the server nor on the client side).
  This is not seen as necessary, as such traffic can be most easily
  avoided by not configuring IPv6 on the server tun, or setting up a
  server-side firewall rule.

--dev device
  TUN/TAP virtual network device which can be :code:`tunX`, :code:`tapX`,
  :code:`null` or an arbitrary name string (:code:`X` can be omitted for
  a dynamic device.)

  See examples section below for an example on setting up a TUN device.

  You must use either tun devices on both ends of the connection or tap
  devices on both ends. You cannot mix them, as they represent different
  underlying network layers:

  :code:`tun`
      devices encapsulate IPv4 or IPv6 (OSI Layer 3)

  :code:`tap`
      devices encapsulate Ethernet 802.3 (OSI Layer 2).

  Valid syntaxes:
  ::

     dev tun2
     dev tap4
     dev ovpn

  When the device name starts with :code:`tun` or :code:`tap`, the device
  type is extracted automatically.  Otherwise the ``--dev-type`` option
  needs to be added as well.

--dev-node node
  Explicitly set the device node rather than using :code:`/dev/net/tun`,
  :code:`/dev/tun`, :code:`/dev/tap`, etc. If OpenVPN cannot figure out
  whether ``node`` is a TUN or TAP device based on the name, you should
  also specify ``--dev-type tun`` or ``--dev-type tap``.

  Under Mac OS X this option can be used to specify the default tun
  implementation. Using ``--dev-node utun`` forces usage of the native
  Darwin tun kernel support. Use ``--dev-node utunN`` to select a specific
  utun instance. To force using the :code:`tun.kext` (:code:`/dev/tunX`)
  use ``--dev-node tun``. When not specifying a ``--dev-node`` option
  openvpn will first try to open utun, and fall back to tun.kext.

  On Windows systems, select the TAP-Win32 adapter which is named ``node``
  in the Network Connections Control Panel or the raw GUID of the adapter
  enclosed by braces. The ``--show-adapters`` option under Windows can
  also be used to enumerate all available TAP-Win32 adapters and will show
  both the network connections control panel name and the GUID for each
  TAP-Win32 adapter.

--dev-type device-type
  Which device type are we using? ``device-type`` should be :code:`tun`
  (OSI Layer 3) or :code:`tap` (OSI Layer 2). Use this option only if
  the TUN/TAP device used with ``--dev`` does not begin with :code:`tun`
  or :code:`tap`.

--dhcp-option args
  Set additional network parameters on supported platforms. May be specified
  on the client or pushed from the server. On Windows these options are
  handled by the ``tap-windows6`` driver by default or directly by OpenVPN
  if dhcp is disabled or the ``wintun`` driver is in use. The
  ``OpenVPN for Android`` client also handles them internally.

  On all other platforms these options are only saved in the client's
  environment under the name :code:`foreign_option_{n}` before the
  ``--up`` script is called. A plugin or an ``--up`` script must be used to
  pick up and interpret these as required. Many Linux distributions include
  such scripts and some third-party user interfaces such as tunnelblick also
  come with scripts that process these options.

  Valid syntax:
  ::

     dhcp-options type [parm]

  :code:`DOMAIN` ``name``
        Set Connection-specific DNS Suffix to :code:`name`.

  :code:`ADAPTER_DOMAIN_SUFFIX` ``name``
        Alias to :code:`DOMAIN`. This is a compatibility option, it
        should not be used in new deployments.

  :code:`DOMAIN-SEARCH` ``name``
        Add :code:`name` to the domain search list.
        Repeat this option to add more entries. Up to
        10 domains are supported.

  :code:`DNS` ``address``
        Set primary domain name server IPv4 or IPv6 address.
        Repeat this option to set secondary DNS server addresses.

        Note: DNS IPv6 servers are currently set using netsh (the existing
        DHCP code can only do IPv4 DHCP, and that protocol only permits
        IPv4 addresses anywhere). The option will be put into the
        environment, so an ``--up`` script could act upon it if needed.

  :code:`WINS` ``address``
        Set primary WINS server address (NetBIOS over TCP/IP Name Server).
        Repeat this option to set secondary WINS server addresses.

  :code:`NBDD` ``address``
        Set primary NBDD server address (NetBIOS over TCP/IP Datagram
        Distribution Server). Repeat this option to set secondary NBDD
        server addresses.

  :code:`NTP` ``address``
        Set primary NTP server address (Network Time Protocol).
        Repeat this option to set secondary NTP server addresses.

  :code:`NBT` ``type``
        Set NetBIOS over TCP/IP Node type. Possible options:

        :code:`1`
              b-node (broadcasts)

        :code:`2`
              p-node (point-to-point name queries to a WINS server)

        :code:`4`
              m-node (broadcast then query name server)

        :code:`8`
              h-node (query name server, then broadcast).

  :code:`NBS` ``scope-id``
        Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an
        extended naming service for the NetBIOS over TCP/IP (Known as NBT)
        module. The primary purpose of a NetBIOS scope ID is to isolate
        NetBIOS traffic on a single network to only those nodes with the
        same NetBIOS scope ID. The NetBIOS scope ID is a character string
        that is appended to the NetBIOS name. The NetBIOS scope ID on two
        hosts must match, or the two hosts will not be able to communicate.
        The NetBIOS Scope ID also allows computers to use the same computer
        name, as they have different scope IDs. The Scope ID becomes a part
        of the NetBIOS name, making the name unique. (This description of
        NetBIOS scopes courtesy of NeonSurge@abyss.com)

  :code:`DISABLE-NBT`
        Disable Netbios-over-TCP/IP.

--ifconfig args
  Set TUN/TAP adapter parameters. It requires the *IP address* of the local
  VPN endpoint. For TUN devices in point-to-point mode, the next argument
  must be the VPN IP address of the remote VPN endpoint. For TAP devices,
  or TUN devices used with ``--topology subnet``, the second argument
  is the subnet mask of the virtual network segment which is being created
  or connected to.

  For TUN devices, which facilitate virtual point-to-point IP connections
  (when used in ``--topology net30`` or ``p2p`` mode), the proper usage of
  ``--ifconfig`` is to use two private IP addresses which are not a member
  of any existing subnet which is in use. The IP addresses may be
  consecutive and should have their order reversed on the remote peer.
  After the VPN is established, by pinging ``rn``, you will be pinging
  across the VPN.

  For TAP devices, which provide the ability to create virtual ethernet
  segments, or TUN devices in ``--topology subnet`` mode (which create
  virtual "multipoint networks"), ``--ifconfig`` is used to set an IP
  address and subnet mask just as a physical ethernet adapter would be
  similarly configured. If you are attempting to connect to a remote
  ethernet bridge, the IP address and subnet should be set to values which
  would be valid on the the bridged ethernet segment (note also that DHCP
  can be used for the same purpose).

  This option, while primarily a proxy for the ``ifconfig``\(8) command,
  is designed to simplify TUN/TAP tunnel configuration by providing a
  standard interface to the different ifconfig implementations on
  different platforms.

  ``--ifconfig`` parameters which are IP addresses can also be specified
  as a DNS or /etc/hosts file resolvable name.

  For TAP devices, ``--ifconfig`` should not be used if the TAP interface
  will be getting an IP address lease from a DHCP server.

  Examples:
  ::

     # tun device in net30/p2p mode
     ifconfig 10.8.0.2 10.8.0.1

     # tun/tap device in subnet mode
     ifconfig 10.8.0.2 255.255.255.0

--ifconfig-ipv6 args
  Configure an IPv6 address on the *tun* device.

  Valid syntax:
  ::

     ifconfig-ipv6 ipv6addr/bits [ipv6remote]

  The ``ipv6addr/bits`` argument is the IPv6 address to use. The
  second parameter is used as route target for ``--route-ipv6`` if no
  gateway is specified.

  The ``--topology`` option has no influence with ``--ifconfig-ipv6``

--ifconfig-noexec
  Don't actually execute ifconfig/netsh commands, instead pass
  ``--ifconfig`` parameters to scripts using environmental variables.

--ifconfig-nowarn
  Don't output an options consistency check warning if the ``--ifconfig``
  option on this side of the connection doesn't match the remote side.
  This is useful when you want to retain the overall benefits of the
  options consistency check (also see ``--disable-occ`` option) while only
  disabling the ifconfig component of the check.

  For example, if you have a configuration where the local host uses
  ``--ifconfig`` but the remote host does not, use ``--ifconfig-nowarn``
  on the local host.

  This option will also silence warnings about potential address conflicts
  which occasionally annoy more experienced users by triggering "false
  positive" warnings.

--lladdr address
  Specify the link layer address, more commonly known as the MAC address.
  Only applied to TAP devices.

--persist-tun
  Don't close and reopen TUN/TAP device or run up/down scripts across
  :code:`SIGUSR1` or ``--ping-restart`` restarts.

  :code:`SIGUSR1` is a restart signal similar to :code:`SIGHUP`, but which
  offers finer-grained control over reset options.

--redirect-gateway flags
  Automatically execute routing commands to cause all outgoing IP traffic
  to be redirected over the VPN. This is a client-side option.

  This option performs three steps:

  (1)  Create a static route for the ``--remote`` address which
       forwards to the pre-existing default gateway. This is done so that
       ``(3)`` will not create a routing loop.

  (2)  Delete the default gateway route.

  (3)  Set the new default gateway to be the VPN endpoint address
       (derived either from ``--route-gateway`` or the second parameter to
       ``--ifconfig`` when ``--dev tun`` is specified).

  When the tunnel is torn down, all of the above steps are reversed so
  that the original default route is restored.

  Option flags:

  :code:`local`
      Add the :code:`local` flag if both OpenVPN peers are directly
      connected via a common subnet, such as with wireless. The
      :code:`local` flag will cause step ``(1)`` above to be omitted.

  :code:`autolocal`
      Try to automatically determine whether to enable :code:`local`
      flag above.

  :code:`def1`
      Use this flag to override the default gateway by using
      :code:`0.0.0.0/1` and :code:`128.0.0.0/1` rather than
      :code:`0.0.0.0/0`. This has the benefit of overriding but not
      wiping out the original default gateway.

  :code:`bypass-dhcp`
      Add a direct route to the DHCP server (if it is non-local) which
      bypasses the tunnel (Available on Windows clients, may not be
      available on non-Windows clients).

  :code:`bypass-dns`
      Add a direct route to the DNS server(s) (if they are non-local)
      which bypasses the tunnel (Available on Windows clients, may
      not be available on non-Windows clients).

  :code:`block-local`
      Block access to local LAN when the tunnel is active, except for
      the LAN gateway itself. This is accomplished by routing the local
      LAN (except for the LAN gateway address) into the tunnel.

  :code:`ipv6`
      Redirect IPv6 routing into the tunnel. This works similar to
      the :code:`def1` flag, that is, more specific IPv6 routes are added
      (:code:`2000::/4`, :code:`3000::/4`), covering the whole IPv6
      unicast space.

  :code:`!ipv4`
      Do not redirect IPv4 traffic - typically used in the flag pair
      :code:`ipv6 !ipv4` to redirect IPv6-only.

--redirect-private flags
  Like ``--redirect-gateway``, but omit actually changing the default gateway.
  Useful when pushing private subnets.

--route args
  Add route to routing table after connection is established. Multiple
  routes can be specified. Routes will be automatically torn down in
  reverse order prior to TUN/TAP device close.

  Valid syntaxes:
  ::

      route network/IP
      route network/IP netmask
      route network/IP netmask gateway
      route network/IP netmask gateway metric

  This option is intended as a convenience proxy for the ``route``\(8)
  shell command, while at the same time providing portable semantics
  across OpenVPN's platform space.

  ``netmask``
        defaults to :code:`255.255.255.255` when not given

  ``gateway``
        default taken from ``--route-gateway`` or the second
        parameter to ``--ifconfig`` when ``--dev tun`` is specified.

  ``metric``
        default taken from ``--route-metric`` if set, otherwise :code:`0`.

  The default can be specified by leaving an option blank or setting it to
  :code:`default`.

  The ``network`` and ``gateway`` parameters can also be specified as a
  DNS or :code:`/etc/hosts` file resolvable name, or as one of three special
  keywords:

  :code:`vpn_gateway`
      The remote VPN endpoint address (derived either from
      ``--route-gateway`` or the second parameter to ``--ifconfig``
      when ``--dev tun`` is specified).

  :code:`net_gateway`
      The pre-existing IP default gateway, read from the
      routing table (not supported on all OSes).

  :code:`remote_host`
      The ``--remote`` address if OpenVPN is being run in
      client mode, and is undefined in server mode.

--route-delay args
  Valid syntaxes:
  ::

       route-delay
       route-delay n
       route-delay n m

  Delay ``n`` seconds (default :code:`0`) after connection establishment,
  before adding routes. If ``n`` is :code:`0`, routes will be added
  immediately upon connection establishment. If ``--route-delay`` is
  omitted, routes will be added immediately after TUN/TAP device open and
  ``--up`` script execution, before any ``--user`` or ``--group`` privilege
  downgrade (or ``--chroot`` execution.)

  This option is designed to be useful in scenarios where DHCP is used to
  set tap adapter addresses. The delay will give the DHCP handshake time
  to complete before routes are added.

  On Windows, ``--route-delay`` tries to be more intelligent by waiting
  ``w`` seconds (default :code:`30` by default) for the TAP-Win32 adapter
  to come up before adding routes.

--route-ipv6 args
  Setup IPv6 routing in the system to send the specified IPv6 network into
  OpenVPN's *tun*.

  Valid syntax:
  ::

     route-ipv6 ipv6addr/bits [gateway] [metric]

  The gateway parameter is only used for IPv6 routes across *tap* devices,
  and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
  ``--route-ipv6-gateway`` is used.

--route-gateway arg
  Specify a default *gateway* for use with ``--route``.

  If :code:`dhcp` is specified as the parameter, the gateway address will
  be extracted from a DHCP negotiation with the OpenVPN server-side LAN.

  Valid syntaxes:
  ::

      route-gateway gateway
      route-gateway dhcp

--route-ipv6-gateway gw
  Specify a default gateway ``gw`` for use with ``--route-ipv6``.

--route-metric m
  Specify a default metric ``m`` for use with ``--route``.

--route-noexec
  Don't add or remove routes automatically. Instead pass routes to
  ``--route-up`` script using environmental variables.

--route-nopull
  When used with ``--client`` or ``--pull``, accept options pushed by
  server EXCEPT for routes, block-outside-dns and dhcp options like DNS
  servers.

  When used on the client, this option effectively bars the server from
  adding routes to the client's routing table, however note that this
  option still allows the server to set the TCP/IP properties of the
  client's TUN/TAP interface.

--topology mode
  Configure virtual addressing topology when running in ``--dev tun``
  mode. This directive has no meaning in ``--dev tap`` mode, which always
  uses a :code:`subnet` topology.

  If you set this directive on the server, the ``--server`` and
  ``--server-bridge`` directives will automatically push your chosen
  topology setting to clients as well. This directive can also be manually
  pushed to clients. Like the ``--dev`` directive, this directive must
  always be compatible between client and server.

  ``mode`` can be one of:

  :code:`net30`
    Use a point-to-point topology, by allocating one /30 subnet
    per client. This is designed to allow point-to-point semantics when some
    or all of the connecting clients might be Windows systems. This is the
    default on OpenVPN 2.0.

  :code:`p2p`
    Use a point-to-point topology where the remote endpoint of
    the client's tun interface always points to the local endpoint of the
    server's tun interface. This mode allocates a single IP address per
    connecting client. Only use when none of the connecting clients are
    Windows systems.

  :code:`subnet`
    Use a subnet rather than a point-to-point topology by
    configuring the tun interface with a local IP address and subnet mask,
    similar to the topology used in ``--dev tap`` and ethernet bridging
    mode. This mode allocates a single IP address per connecting client and
    works on Windows as well. Only available when server and clients are
    OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched
    with the ``--topology`` directive code. When used on Windows, requires
    version 8.2 or higher of the TAP-Win32 driver. When used on \*nix,
    requires that the tun driver supports an ``ifconfig``\(8) command which
    sets a subnet instead of a remote endpoint IP address.

  *Note:* Using ``--topology subnet`` changes the interpretation of the
  arguments of ``--ifconfig`` to mean "address netmask", no longer "local
  remote".

--tun-mtu n
  Take the TUN device MTU to be **n** and derive the link MTU from it
  (default :code:`1500`). In most cases, you will probably want to leave
  this parameter set to its default value.

  The MTU (Maximum Transmission Units) is the maximum datagram size in
  bytes that can be sent unfragmented over a particular network path.
  OpenVPN requires that packets on the control and data channels be sent
  unfragmented.

  MTU problems often manifest themselves as connections which hang during
  periods of active usage.

  It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
  with MTU sizing issues.

--tun-mtu-extra n
  Assume that the TUN/TAP device might return as many as ``n`` bytes more
  than the ``--tun-mtu`` size on read. This parameter defaults to 0, which
  is sufficient for most TUN devices. TAP devices may introduce additional
  overhead in excess of the MTU size, and a setting of 32 is the default
  when TAP devices are used. This parameter only controls internal OpenVPN
  buffer sizing, so there is no transmission overhead associated with
  using a larger value.


TUN/TAP standalone operations
-----------------------------
These two standalone operations will require ``--dev`` and optionally
``--user`` and/or ``--group``.

--mktun
  (Standalone) Create a persistent tunnel on platforms which support them
  such as Linux. Normally TUN/TAP tunnels exist only for the period of
  time that an application has them open. This option takes advantage of
  the TUN/TAP driver's ability to build persistent tunnels that live
  through multiple instantiations of OpenVPN and die only when they are
  deleted or the machine is rebooted.

  One of the advantages of persistent tunnels is that they eliminate the
  need for separate ``--up`` and ``--down`` scripts to run the appropriate
  ``ifconfig``\(8) and ``route``\(8) commands. These commands can be
  placed in the the same shell script which starts or terminates an
  OpenVPN session.

  Another advantage is that open connections through the TUN/TAP-based
  tunnel will not be reset if the OpenVPN peer restarts. This can be
  useful to provide uninterrupted connectivity through the tunnel in the
  event of a DHCP reset of the peer's public IP address (see the
  ``--ipchange`` option above).

  One disadvantage of persistent tunnels is that it is harder to
  automatically configure their MTU value (see ``--link-mtu`` and
  ``--tun-mtu`` above).

  On some platforms such as Windows, TAP-Win32 tunnels are persistent by
  default.

--rmtun
  (Standalone) Remove a persistent tunnel.