OpenVPN Tunnel Interface (priority 460)

Interface name
  Value: vtunN  OpenVPN interface name
  Constraint: vtun[0-9]+  (OpenVPN tunnel interface must be named vtunN)

OpenVPN interface device-type
  Values: tun  TUN device, required for OSI layer 3
          tap  TAP device, required for OSI layer 2
  Constraint: (tun|tap)
  Default: tun

Data Encryption settings
  Standard Data Encryption Algorithm
    Values: none       Disable encryption
            des        DES algorithm
            3des       DES algorithm with triple encryption
            bf128      Blowfish algorithm with 128-bit key
            bf256      Blowfish algorithm with 256-bit key
            aes128     AES algorithm with 128-bit key CBC
            aes128gcm  AES algorithm with 128-bit key GCM
            aes192     AES algorithm with 192-bit key CBC
            aes192gcm  AES algorithm with 192-bit key GCM
            aes256     AES algorithm with 256-bit key CBC
            aes256gcm  AES algorithm with 256-bit key GCM
    Constraint: (none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)
  Cipher negotiation list for use in server or client mode
    Values: none       Disable encryption
            des        DES algorithm
            3des       DES algorithm with triple encryption
            aes128     AES algorithm with 128-bit key CBC
            aes128gcm  AES algorithm with 128-bit key GCM
            aes192     AES algorithm with 192-bit key CBC
            aes192gcm  AES algorithm with 192-bit key GCM
            aes256     AES algorithm with 256-bit key CBC
            aes256gcm  AES algorithm with 256-bit key GCM
    Constraint: (none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)

Hashing Algorithm
  Values: md5     MD5 algorithm
          sha1    SHA-1 algorithm
          sha256  SHA-256 algorithm
          sha384  SHA-384 algorithm
          sha512  SHA-512 algorithm
  Constraint: (md5|sha1|sha256|sha384|sha512)

Keepalive helper options
  Maximum number of keepalive packet failures
    Range: u32:0-1000  Maximum number of keepalive packet failures
    Default: 60
  Keepalive packet interval in seconds
    Range: u32:0-600  Keepalive packet interval (seconds)
    Default: 10

Local IP address of tunnel (IPv4 or IPv6)
  Subnet-mask for local IP address of tunnel (IPv4 only)

Local IP address to accept connections (all if not set)
  Values: ipv4  Local IPv4 address
          ipv6  Local IPv6 address

Local port number to accept connections
  Range: u32:1-65535  Numeric IP port

OpenVPN mode of operation
  Values: site-to-site  Site-to-site mode
          client        Client in client-server mode
          server        Server in client-server mode
  Constraint: (site-to-site|client|server)

Configurable offload options
  Enable data channel offload on this interface

Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check the system log to look for errors.

Do not close and reopen interface (TUN/TAP device) on client restarts

OpenVPN communication protocol
  Values: udp          UDP
          tcp-passive  TCP and accepts connections passively
          tcp-active   TCP and initiates connections actively
  Constraint: (udp|tcp-passive|tcp-active)
  Default: udp

IP address of remote end of tunnel
  Values: ipv4  Remote end IPv4 address
          ipv6  Remote end IPv6 address

Remote host to connect to (dynamic if not set)
  Values: ipv4  IPv4 address of remote host
          ipv6  IPv6 address of remote host
          txt   Hostname of remote host

Remote port number to connect to
  Range: u32:1-65535  Numeric IP port

OpenVPN tunnel to be used as the default route
  Tunnel endpoints are on the same subnet

Server-mode options
  Client-specific settings
    Value: name  Client common-name in the certificate
    IP address of the client
      Values: ipv4  Client IPv4 address
              ipv6  Client IPv6 address
    Route to be pushed to the client
      Values: ipv4net  IPv4 network and prefix length
              ipv6net  IPv6 network and prefix length
    Subnet belonging to the client (iroute)
      Values: ipv4net  IPv4 network and prefix length belonging to the client
              ipv6net  IPv6 network and prefix length belonging to the client
  Used with TAP device (layer 2)
    First IP address in the pool
      Value: ipv4  IPv4 address
    Last IP address in the pool
      Value: ipv4  IPv4 address
    Subnet mask pushed to dynamic clients
      Value: ipv4  IPv4 subnet mask
    Gateway IP address
      Value: ipv4  IPv4 address
  Pool of client IPv4 addresses
    First IP address in the pool
      Value: ipv4  IPv4 address
    Last IP address in the pool
      Value: ipv4  IPv4 address
    Subnet mask pushed to dynamic clients. If not set, the server subnet mask will be used. Only used with topology subnet or device type tap. Not used with bridged interfaces.
      Value: ipv4  IPv4 subnet mask
  Pool of client IPv6 addresses
    Client IPv6 pool base address with optional prefix length
      Value: ipv6net  Client IPv6 pool base address with optional prefix length (defaults: base = server subnet + 0x1000, prefix length = server prefix length)
  DNS suffix to be pushed to all clients
    Value: txt  Domain Name Server suffix
  Number of maximum client connections
    Range: u32:1-4096  Number of concurrent clients
  Route to be pushed to all clients
    Values: ipv4net  IPv4 network and prefix length
            ipv6net  IPv6 network and prefix length
    Set metric for this route
      Range: u32:0-4294967295  Metric for this route
      Default: 0
  Reject connections from clients that are not explicitly configured
  Server-mode subnet (from which client IPs are allocated)
    Values: ipv4net  IPv4 network and prefix length
            ipv6net  IPv6 network and prefix length
  Topology for clients
    Values: net30           net30 topology
            point-to-point  Point-to-point topology
            subnet          Subnet topology
    Constraint: (subnet|point-to-point|net30)
    Default: net30
  Multi-factor authentication
    Time-based one-time passwords
      Maximum allowed clock slop in seconds
        Range: 1-65535  Seconds
        Default: 180
      Time drift in seconds
        Range: 1-65535  Seconds
        Default: 0
      Step value for totp in seconds
        Range: 1-65535  Seconds
        Default: 30
      Number of digits to use for totp hash
        Range: 1-65535  Digits
        Default: 6
      Expect password as result of a challenge-response protocol
        Values: disable  Disable challenge-response
                enable   Enable challenge-response
        Constraint: (disable|enable)
        Default: enable

Secret key shared with remote end of tunnel
  Value source: pki openvpn shared-secret

Transport Layer Security (TLS) options
  TLS shared secret key for tls-auth
    Value source: pki openvpn shared-secret
  Static key to use to authenticate control channel
    Value source: pki openvpn shared-secret
  Peer certificate SHA256 fingerprint
    Constraint: [0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}  (Peer certificate fingerprint must be a colon-separated SHA256 hex digest)
  TLS negotiation role
    Values: active   Initiate TLS negotiation actively
            passive  Wait for incoming TLS connection
    Constraint: (active|passive)

Use fast LZO compression on this TUN/TAP interface