

SSL Library information:
--show-ciphers
(Standalone) Show all cipher algorithms to use with the --cipher option.
--show-digests
(Standalone) Show all message digest algorithms to use with the --auth option.
--show-tls
(Standalone) Show all TLS ciphers (TLS is used only for the control channel). The TLS ciphers are listed from highest preference (most secure) to lowest.
--show-engines
(Standalone) Show the hardware-based crypto acceleration engines currently available through the OpenSSL library.
Generate a random key:
Used only for non-TLS static key encryption mode.
--genkey
(Standalone) Generate a random key to be used as a shared secret, for use with the --secret option. This file must be shared with the peer over a pre-existing secure channel such as scp(1): it is a symmetric secret, so anyone who obtains it can decrypt and forge tunnel traffic.
--secret file
Write key to file.
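The following is an added example, not OpenVPN's own code: it writes and checks a key file in the layout that openvpn --genkey --secret FILE produces (an "OpenVPN Static key V1" block holding 2048 random bits as 16 lines of 32 hex digits). It stands in for --genkey only to show what a well-formed file and a safe file mode look like; the file name static.key is an assumption, and production keys should still come from the real --genkey.

```python
"""Added example (not OpenVPN's own code): write and check a key file in the
layout that `openvpn --genkey --secret FILE` produces, an "OpenVPN Static key
V1" block holding 2048 random bits as 16 lines of 32 hex digits."""
import os
import re
import stat

KEY_BITS = 2048
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")          # 16 key bytes per line
BODY_LINES = KEY_BITS // 8 // 16                      # 16 lines for 2048 bits


def generate_static_key_text(rand=os.urandom):
    """Return the text of a fresh static key drawn from a CSPRNG (os.urandom)."""
    hexkey = rand(KEY_BITS // 8).hex()
    body = [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    comment = ["#", f"# {KEY_BITS} bit OpenVPN static key", "#"]
    return "\n".join(comment + [HEADER] + body + [FOOTER]) + "\n"


def write_static_key(path):
    """Create the file with mode 0600 from the first instant; O_EXCL also
    refuses to silently overwrite a key that may already be in use."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(generate_static_key_text())
    return path


def check_static_key_text(text):
    """True if text is a well-formed V1 static key; '#' comment lines are ignored."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) != BODY_LINES + 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        return False
    return all(HEX_LINE.match(l) for l in lines[1:-1])


def check_static_key_file(path):
    """Well-formed content and not accessible to group or others: the key is a
    symmetric secret that only the two peers may hold."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    with open(path) as f:
        return check_static_key_text(f.read())


if __name__ == "__main__":
    # Assumed file name; afterwards both peers use "--secret static.key".
    key_path = write_static_key("static.key")
    print("static.key ok:", check_static_key_file(key_path))
```

check_static_key_file is the check worth running on the receiving side after the file has been copied with scp: a key that parses but is group- or world-readable is as good as published.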
  Windows-Specific Options:
--win-sys path
Set the Windows system directory pathname to use when looking for system executables such as route.exe and netsh.exe. By default, if this directive is not specified, OpenVPN will use the SystemRoot environment variable.

This option changed behaviour in OpenVPN 2.3. Earlier you had to specify --win-sys env to use the SystemRoot environment variable; otherwise it defaulted to C:\WINDOWS. The env keyword is no longer needed and is simply ignored; a warning is logged when it is found in the configuration file.

--ip-win32 method
When using --ifconfig on Windows, set the TAP-Win32 adapter IP address and netmask using method. Don't use this option unless you are also using --ifconfig.

manual -- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to.

dynamic [offset] [lease-time] -- Automatically set the IP address and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "cleanest" solution for setting the TCP/IP properties since it uses the well-known DHCP protocol. There are, however, two prerequisites for using this mode: (1) the TCP/IP properties for the TAP-Win32 adapter must be set to "Obtain an IP address automatically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in --dev tap mode, OpenVPN takes the normally unused first address of the subnet, i.e. the network address itself (offset 0), as the virtual DHCP server address. In --dev tun mode, OpenVPN makes the DHCP server masquerade as the remote endpoint. The optional offset parameter is an integer which is > -256 and < 256 and which defaults to 0. If offset is positive, the DHCP server masquerades as the IP address at network address + offset. If offset is negative, it masquerades as the IP address at broadcast address + offset. The Windows ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN "claims" this address, so make sure to use a free address. Having said that, different OpenVPN instantiations, including different ends of the same connection, can share the same virtual DHCP server address. The lease-time parameter controls the lease time of the DHCP assignment given to the TAP-Win32 adapter, in seconds. Normally a very long lease time is preferred because it prevents routes involving the TAP-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year.

netsh -- Automatically set the IP address and netmask using the Windows command-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000.

ipapi -- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically."

adaptive -- (Default) Try dynamic method initially and fail over to netsh if the DHCP negotiation with the TAP-Win32 adapter does not succeed in 20 seconds. Such failures have been known to occur when certain third-party firewall packages installed on the client machine block the DHCP negotiation used by the TAP-Win32 adapter. Note that if the netsh failover occurs, the TAP-Win32 adapter TCP/IP properties will be reset from DHCP to static, and this will cause future OpenVPN startups using the adaptive mode to use netsh immediately, rather than trying dynamic first. To "unstick" the adaptive mode from using netsh, run OpenVPN at least once using the dynamic mode to restore the TAP-Win32 adapter TCP/IP properties to a DHCP configuration.
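The offset arithmetic of the dynamic method is easy to get wrong, so here is an added example (not OpenVPN's own code) that computes the address OpenVPN's built-in DHCP server claims for a given --ifconfig and --ip-win32 dynamic offset, following the rules described above, and refuses offsets that leave the subnet or land on the adapter's own address. The 10.8.0.0/24 and /30 subnets at the bottom are constructed.

```python
"""Added example (not OpenVPN's own code): which address the built-in DHCP
server masquerades as under --ip-win32 dynamic [offset]."""
import ipaddress


def dhcp_masq_address(local, netmask, offset=0, dev="tap", remote=None):
    """Return the virtual DHCP server address as an IPv4Address.

    local, netmask : the TAP adapter's --ifconfig address and netmask.
    offset         : the optional --ip-win32 dynamic offset, -256 < offset < 256.
                     offset >= 0 -> network address + offset (0 = the normally
                     unused first address of the subnet);
                     offset <  0 -> broadcast address + offset.
    dev            : "tap" or "tun". In --dev tun mode the text above says the
                     server masquerades as the remote endpoint, so `remote` is
                     returned as-is and no offset is applied.
    """
    if not -256 < offset < 256:
        raise ValueError("offset must satisfy -256 < offset < 256")
    if dev == "tun":
        if remote is None:
            raise ValueError("tun mode needs the remote endpoint address")
        return ipaddress.IPv4Address(remote)
    if dev != "tap":
        raise ValueError("dev must be 'tap' or 'tun'")
    net = ipaddress.IPv4Network(f"{local}/{netmask}", strict=False)
    if offset < 0:
        addr = net.broadcast_address + offset
    else:
        addr = net.network_address + offset
    # OpenVPN claims this address, so it must be inside the subnet and free;
    # in particular it must not be the adapter's own --ifconfig address.
    if addr not in net:
        raise ValueError(f"offset {offset} puts the DHCP server outside {net}")
    if addr == ipaddress.IPv4Address(local):
        raise ValueError("virtual DHCP server address clashes with the --ifconfig local address")
    return addr


def ip_win32_line(offset=0, lease_seconds=365 * 24 * 3600):
    """The matching config line; the default lease is one year, long enough
    that routes over the adapter survive the machine going to sleep."""
    return f"ip-win32 dynamic {offset} {lease_seconds}"


if __name__ == "__main__":
    # Constructed example: a client at 10.8.0.2/24 on a TAP adapter.
    for off in (0, 1, -1):
        print(ip_win32_line(off), "->", dhcp_masq_address("10.8.0.2", "255.255.255.0", off))
```

Compare the result with what ipconfig /all reports as the DHCP server for the TAP adapter; a mismatch usually means the adapter fell back to netsh (see adaptive above) rather than completing the DHCP exchange.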

--route-method m
Which method m to use for adding routes on Windows?

adaptive (default) -- Try IP helper API first. If that fails, fall back to the route.exe shell command.
ipapi -- Use IP helper API.
exe -- Call the route.exe shell command.

--dhcp-option type [parm]
Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive. This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN.

DOMAIN name -- Set Connection-specific DNS Suffix.

DNS addr -- Set primary domain name server address. Repeat this option to set secondary DNS server addresses.

WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses.

NBDD addr -- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) Repeat this option to set secondary NBDD server addresses.

NTP addr -- Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses.

NBT type -- Set NetBIOS over TCP/IP Node type. Possible options: 1 = b-node (broadcasts), 2 = p-node (point-to-point name queries to a WINS server), 4 = m-node (broadcast then query name server), and 8 = h-node (query name server, then broadcast).

NBS scope-id -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)

DISABLE-NBT -- Disable Netbios-over-TCP/IP.

Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}".
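On a non-Windows client nothing applies these options automatically; the --up script has to read the foreign_option_{n} variables itself. The following is an added example (not OpenVPN's own code) of that script logic: it walks foreign_option_1, foreign_option_2, ... until the first missing index, validates every value before it can reach resolv.conf (the values are pushed by the server and so are not trustworthy from the client's point of view), and ignores the Windows-only settings. SAMPLE_ENV is a constructed environment; under OpenVPN the script reads os.environ.

```python
"""Added example (not OpenVPN's own code): handling foreign_option_{n} in a
non-Windows --up script."""
import ipaddress
import os
import re

SAMPLE_ENV = {   # constructed; OpenVPN numbers these 1..n with no gaps
    "foreign_option_1": "dhcp-option DNS 10.8.0.1",
    "foreign_option_2": "dhcp-option DNS 10.8.0.2",
    "foreign_option_3": "dhcp-option DOMAIN corp.example",
    "foreign_option_4": "dhcp-option WINS 10.8.0.3",      # Windows-only; recorded, not applied
    "foreign_option_5": "dhcp-option NBT 8",
    "foreign_option_6": "dhcp-option DNS evil;injected",  # server-controlled junk: must be dropped
    "foreign_option_7": "dhcp-option DISABLE-NBT",
}

NBT_NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}
DOMAIN_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def parse_foreign_options(env):
    """Collect pushed dhcp-option values. Malformed values go to 'rejected',
    values that have no meaning on this platform go to 'ignored'."""
    found = {"dns": [], "domain": [], "wins": [], "nbdd": [], "ntp": [],
             "nbt": None, "rejected": [], "ignored": []}
    n = 1
    while f"foreign_option_{n}" in env:
        raw = env[f"foreign_option_{n}"]
        n += 1
        words = raw.split()
        if len(words) < 2 or words[0] != "dhcp-option":
            found["rejected"].append(raw)
            continue
        kind = words[1].upper()
        parm = words[2] if len(words) > 2 else None
        if kind in ("DNS", "WINS", "NBDD", "NTP"):
            try:
                found[kind.lower()].append(str(ipaddress.ip_address(parm)))
            except ValueError:           # also catches parm is None
                found["rejected"].append(raw)
        elif kind == "DOMAIN":
            if parm and DOMAIN_RE.match(parm):
                found["domain"].append(parm.lower())
            else:
                found["rejected"].append(raw)
        elif kind == "NBT":
            if parm and parm.isdigit() and int(parm) in NBT_NODE_TYPES:
                found["nbt"] = NBT_NODE_TYPES[int(parm)]
            else:
                found["rejected"].append(raw)
        else:                            # NBS, DISABLE-NBT, anything unknown
            found["ignored"].append(raw)
    return found


def render_resolv_conf(found):
    """resolv.conf text for the validated DNS and DOMAIN values only."""
    lines = []
    if found["domain"]:
        lines.append("search " + " ".join(found["domain"]))
    lines.extend(f"nameserver {addr}" for addr in found["dns"])
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    env = os.environ if "foreign_option_1" in os.environ else SAMPLE_ENV
    found = parse_foreign_options(env)
    print(render_resolv_conf(found), end="")
    for raw in found["rejected"]:
        print("rejected:", raw)
```

The validation is the point: a resolv.conf line is built only from an address that ipaddress accepted or a domain that matches DOMAIN_RE, so a pushed value containing shell metacharacters or newlines never reaches the resolver configuration.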

--tap-sleep n
Cause OpenVPN to sleep for n seconds immediately after the TAP-Win32 adapter state is set to "connected".

This option is intended to be used to troubleshoot problems with the --ifconfig and --ip-win32 options, and is used to give the TAP-Win32 adapter time to come up before Windows IP Helper API operations are applied to it.

--show-net-up
Output OpenVPN's view of the system routing table and network adapter list to the syslog or log file after the TUN/TAP adapter has been brought up and any routes have been added.
--dhcp-renew
Ask Windows to renew the TAP adapter lease on startup. This option is normally unnecessary, as Windows automatically triggers a DHCP renegotiation on the TAP adapter when it comes up; however, if you set the TAP-Win32 adapter Media Status property to "Always Connected", you may need this flag.
--dhcp-release
Ask Windows to release the TAP adapter lease on shutdown. This option has the same caveats as --dhcp-renew above.
--register-dns
Run net stop dnscache, net start dnscache, ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
--pause-exit
Put up a "press any key to continue" message on the console prior to OpenVPN program exit. This option is automatically used by the Windows explorer when OpenVPN is run on a configuration file using the right-click explorer menu.
--service exit-event [0|1]
Should be used when OpenVPN is being automatically executed by another program in such a context that no interaction with the user via display or keyboard is possible. In general, end-users should never need to explicitly use this option, as it is automatically added by the OpenVPN service wrapper when a given OpenVPN configuration is being run as a service.

exit-event is the name of a Windows global event object, and OpenVPN will continuously monitor the state of this event object and exit when it becomes signaled.

The second parameter indicates the initial state of exit-event and normally defaults to 0.

Multiple OpenVPN processes can be simultaneously executed with the same exit-event parameter. In any case, the controlling process can signal exit-event, causing all such OpenVPN processes to exit.

When executing an OpenVPN process using the --service directive, OpenVPN will probably not have a console window to output status/error messages, therefore it is useful to use --log or --log-append to write these messages to a file.

--show-adapters
(Standalone) Show available TAP-Win32 adapters which can be selected using the --dev-node option. On non-Windows systems, the ifconfig(8) command provides similar functionality.
--allow-nonadmin [TAP-adapter]
(Standalone) Set TAP-adapter to allow access from non-administrative accounts. If TAP-adapter is omitted, all TAP adapters on the system will be configured to allow non-admin access. The non-admin access setting will only persist for the length of time that the TAP-Win32 device object and driver remain loaded, and will need to be re-enabled after a reboot, or if the driver is unloaded and reloaded. This directive can only be used by an administrator.
--show-valid-subnets
(Standalone) Show valid subnets for --dev tun emulation. Since the TAP-Win32 driver exports an ethernet interface to Windows, and since TUN devices are point-to-point in nature, it is necessary for the TAP-Win32 driver to impose certain constraints on TUN endpoint address selection.

Namely, the point-to-point endpoints used in TUN device emulation must be the middle two addresses of a /30 subnet (netmask

--show-net
(Standalone) Show OpenVPN's view of the system routing table and network adapter list.

PKCS#11 Standalone Options:

--show-pkcs11-ids provider [cert_private]
(Standalone) Show PKCS#11 token object list. Specify cert_private as 1 if certificates are stored as private objects.

The --verb option can be used before this option to produce debugging information.

IPv6 Related Options

The following options exist to support IPv6 tunneling in peer-to-peer and client-server mode. As of now, this is just very basic documentation of the IPv6-related options. More documentation can be found on http://www.greenie.net/ipv6/openvpn.html
--ifconfig-ipv6 ipv6addr/bits ipv6remote
Configure IPv6 address ipv6addr/bits on the ``tun'' device. The second parameter is used as the route target for --route-ipv6 if no gateway is specified.
--route-ipv6 ipv6addr/bits [gateway] [metric]
Set up IPv6 routing in the system to send the specified IPv6 network into OpenVPN's ``tun'' device.
--server-ipv6 ipv6addr/bits
Convenience function to enable a number of IPv6-related options at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool, --tun-ipv6 and --push tun-ipv6. Only accepted if ``--mode server'' or ``--server'' is set.
--ifconfig-ipv6-pool ipv6addr/bits
Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at ipv6addr and increments by +1 for every new client (linear mode). The /bits setting controls the size of the pool.
--ifconfig-ipv6-push ipv6addr/bits ipv6remote
For ccd/ per-client static IPv6 interface configuration; see --client-config-dir and --ifconfig-push for more details.
--iroute-ipv6 ipv6addr/bits
For ccd/ per-client static IPv6 route configuration; see --iroute for more details on how to set this up and use it, and on how --iroute and --route interact.
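The following is an added example (not OpenVPN's own allocator) of the two rules stated above that are easiest to misjudge when planning an IPv6 deployment: the linear assignment of --ifconfig-ipv6-pool (base + 1 per new client, bounded by /bits) and the default gateway of --route-ipv6 (the ipv6remote of --ifconfig-ipv6 when none is given). The pool, --ifconfig-ipv6 arguments and in-use addresses are constructed.

```python
"""Added example (not OpenVPN's own code): --ifconfig-ipv6-pool linear
assignment and the --route-ipv6 default-gateway rule."""
import ipaddress


def parse_pool(pool):
    """'2001:db8:0:1::1000/64' -> (first pool address, the enclosing /bits network)."""
    base_str, sep, bits = pool.partition("/")
    if not sep:
        raise ValueError("--ifconfig-ipv6-pool needs ipv6addr/bits")
    base = ipaddress.IPv6Address(base_str)
    return base, ipaddress.IPv6Network(f"{base}/{bits}", strict=False)


def pool_address(pool, index):
    """Address the index-th new client (0-based) receives: base + index,
    valid only while it stays inside the /bits prefix."""
    base, net = parse_pool(pool)
    if index < 0:
        raise ValueError("index must be >= 0")
    addr = base + index
    if addr not in net:
        raise ValueError(f"pool {pool} exhausted at client index {index}")
    return addr


def next_free_address(pool, in_use):
    """Lowest pool address not in `in_use`: the clients already connected plus
    any addresses you hand out statically via --ifconfig-ipv6-push and want
    kept out of the pool (a design choice here, not an OpenVPN guarantee)."""
    base, net = parse_pool(pool)
    used = {ipaddress.IPv6Address(a) for a in in_use}
    addr = base
    while addr in net:
        if addr not in used:
            return addr
        addr += 1
    raise ValueError(f"pool {pool} exhausted")


def route_ipv6_gateway(route_args, ifconfig_ipv6_args):
    """--route-ipv6 ipv6addr/bits [gateway] [metric]: when no gateway is given,
    the ipv6remote from --ifconfig-ipv6 ipv6addr/bits ipv6remote is used."""
    net = ipaddress.IPv6Network(route_args[0], strict=False)
    gateway = route_args[1] if len(route_args) > 1 else ifconfig_ipv6_args[1]
    return net, ipaddress.IPv6Address(gateway)


if __name__ == "__main__":
    pool = "2001:db8:0:1::1000/64"                       # constructed
    print("third client gets", pool_address(pool, 2))
    print("next free:", next_free_address(pool, ["2001:db8:0:1::1000", "2001:db8:0:1::1001"]))
    print(route_ipv6_gateway(["2001:db8:1::/48"], ["2001:db8:0:1::1/64", "2001:db8:0:1::2"]))
```

Because assignment is linear, a /64 pool never runs out in practice, but a deliberately small /bits (useful for lab setups) does: pool_address raises as soon as base + index leaves the prefix, which is the condition to watch for when sizing the pool.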