OpenVPN UCI Directives Cheat Sheet


| Item | Type | Help Text |
| --- | --- | --- |
| verb* | option | Set output verbosity |
| mlock | option BOOL | Disable Paging |
| disable_occ | option BOOL | Disable options consistency check |
| cd | option | Change to directory before initialization |
| chroot | option | Chroot to directory after initialization |
| passtos | option BOOL | TOS passthrough (applies to IPv4 only) |
| log | option | Write log to file |
| log_append | option | Append log to file |
| suppress_timestamps | option BOOL | Don't log timestamps |
| nice* | option | Change process priority |
| fast_io | option BOOL | Optimize TUN/TAP/UDP writes |
| echo | option | Echo parameters to log |
| remap_usr1 | option | Remap SIGUSR1 signals |
| status | option | Write status to file every n seconds |
| status_version | option | Status file format version |
| mute | option | Limit repeated log messages |
| up | option | Shell cmd to execute after tun device open |
| up_delay | option BOOL | Delay tun/tap open and up script execution |
| down | option | Shell cmd to run after tun device close |
| down_pre | option BOOL | Call down cmd/script before TUN/TAP close |
| up_restart | option BOOL | Run up/down scripts for all restarts |
| route_up | option | Execute shell cmd after routes are added |
| setenv | option | Pass environment variables to script |
| tls_verify | option | Shell command to verify X509 name |
| client_connect | option | Run script cmd on client connection |
| client_disconnect | option | Run script cmd on client disconnection |
| learn_address | option | Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table |
| auth_user_pass_verify | option | Executed in server mode on new client connections, when the client is still untrusted |
| script_security | option | Policy level over usage of external programs and scripts |
| compress | option | Enable a compression algorithm |


| Item | Type | Help Text |
| --- | --- | --- |
| mode | option | Major mode |
| local | option | Local host name or IP address |
| port* | option | TCP/UDP port # for both local and remote |
| lport | option | TCP/UDP port # for local (default=1194) |
| rport | option | TCP/UDP port # for remote (default=1194) |
| float | option BOOL | Allow remote to change its IP or port |
| nobind* | option BOOL | Do not bind to local address and port |
| dev | option | tun/tap device |
| dev_type* | option | Type of used device |
| dev_node | option | Use tun/tap device node |
| ifconfig* | option | Set tun/tap adapter parameters |
| ifconfig_noexec | option BOOL | Don't actually execute ifconfig |
| ifconfig_nowarn | option BOOL | Don't warn on ifconfig inconsistencies |
| route | option | Add route after establishing connection |
| route_gateway | option | Specify a default gateway for routes |
| route_delay | option | Delay n seconds after connection |
| route_noexec | option BOOL | Don't add routes automatically |
| route_nopull | option BOOL | Don't pull routes automatically |
| allow_recursive_routing | option BOOL | Don't drop incoming tun packets with same destination as host |
| mtu_disc | option | Enable Path MTU discovery |
| mtu_test | option BOOL | Empirically measure MTU |
| comp_lzo* | option | Use fast LZO compression |
| link_mtu | option | Set TCP/UDP MTU |
| tun_mtu | option | Set tun/tap device MTU |
| tun_mtu_extra | option | Set tun/tap device overhead |
| sndbuf | option | Set the TCP/UDP send buffer size |
| rcvbuf | option | Set the TCP/UDP receive buffer size |
| txqueuelen | option | Set tun/tap TX queue length |
| shaper | option | Shaping for peer bandwidth |
| inactive | option | tun/tap inactivity timeout |
| keepalive* | option | Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations |
| ping | option | Ping remote every n seconds over TCP/UDP port |
| ping_exit | option | Remote ping timeout |
| ping_restart | option | Restart after remote ping timeout |
| ping_timer_rem | option BOOL | Only process ping timeouts if routes exist |
| persist_tun | option BOOL | Keep tun/tap device open on restart |
| persist_key | option BOOL | Don't re-read key on restart |
| persist_local_ip | option BOOL | Keep local IP address on restart |
| persist_remote_ip | option BOOL | Keep remote IP address on restart |
| management | option | Enable management interface on IP port |
| management_query_passwords | option BOOL | Query management channel for private key |
| management_hold | option BOOL | Start OpenVPN in a hibernating state |
| management_log_cache | option | Number of lines for log file history |
| topology | option | 'net30', 'p2p', or 'subnet' |


| Item | Type | Help Text |
| --- | --- | --- |
| server* | option | Configure server mode |
| server_bridge* | option | Configure server bridge |
| client* | option | Configure client mode |
| client_to_client* | option BOOL | Allow client-to-client traffic |
| pull | option BOOL | Accept options pushed from server |
| auth_user_pass | option | Authenticate using username/password |
| auth_retry | option | Handling of authentication failures |
| explicit_exit_notify | option | Send notification to peer on disconnect |
| remote* | option | Remote host name or IP address |
| remote_random | option BOOL | Randomly choose remote server |
| proto* | option | Use protocol |
| connect_retry | option | Connection retry interval |
| http_proxy | option | Connect to remote host through an HTTP proxy |
| http_proxy_retry | option BOOL | Retry indefinitely on HTTP proxy errors |
| http_proxy_timeout | option | Proxy timeout in seconds |
| http_proxy_option | option | Set extended HTTP proxy options |
| socks_proxy | option | Connect through Socks5 proxy |
| socks_proxy_retry | option BOOL | Retry indefinitely on Socks proxy errors |
| resolv_retry | option | If hostname resolve fails, retry |
| redirect_gateway | option | Automatically redirect default route |
| verify_client_cert | option | Specify whether the client is required to supply a valid certificate |


| Item | Type | Help Text |
| --- | --- | --- |
| secret* | option | Enable Static Key encryption mode (non-TLS) |
| auth | option | HMAC authentication for packets |
| cipher | option | Encryption cipher for packets |
| keysize | option | Size of cipher key |
| engine | option | Enable OpenSSL hardware crypto engines |
| replay_window | option | Replay protection sliding window size |
| mute_replay_warnings | option BOOL | Silence the output of replay warnings |
| replay_persist | option | Persist replay-protection state |
| tls_server | option BOOL | Enable TLS and assume server role |
| ca* | option | Certificate authority |
| dh* | option | Diffie-Hellman parameters |
| cert* | option | Local certificate |
| key* | option | Local private key |
| pkcs12* | option | PKCS#12 file containing keys |
| key_method | option | Enable TLS and assume client role |
| tls_cipher | list | TLS cipher |
| tls_ciphersuites | list | TLS 1.3 or newer cipher |
| tls_timeout | option | Retransmit timeout on TLS control channel |
| reneg_bytes | option | Renegotiate data chan. key after bytes |
| reneg_pkts | option | Renegotiate data chan. key after packets |
| reneg_sec | option | Renegotiate data chan. key after seconds |
| hand_window | option | Timeframe for key exchange |
| tran_window | option | Key transition window |
| single_session | option BOOL | Allow only one session |
| tls_exit | option BOOL | Exit on TLS negotiation failure |
| tls_auth | option | Additional authentication over TLS |
| tls_crypt | option | Encrypt and authenticate all control channel packets with the key |
| auth_nocache | option BOOL | Don't cache --askpass or --auth-user-pass passwords |
| tls_remote | option | Only accept connections from given X509 name |
| ns_cert_type | option | Require explicit designation on certificate |
| remote_cert_tls | option | Require explicit key usage on certificate |
| crl_verify | option | Check peer certificate against a CRL |
| tls_version_min | option | The lowest supported TLS version |
| tls_version_max | option | The highest supported TLS version |
| key_direction* | option | The key direction for 'tls-auth' and 'secret' options |
| ncp_disable | option BOOL | This completely disables cipher negotiation |
| ncp_ciphers | list | Restrict the allowed ciphers to be negotiated |


| Item | Type | Help Text |
| --- | --- | --- |
| askpass | option | |
| bcast_buffers | option | |
| capath | option | |
| client_config_dir | option | |
| connect_freq | option | |
| connect_retry_max | option | |
| connect_timeout | option | |
| ecdh_curve | option | |
| extra_certs | option | |
| fragment | option | |
| group | option | |
| hash_size | option | |
| ifconfig_ipv6 | option | |
| ifconfig_ipv6_pool | option | |
| ifconfig_ipv6_push | option | |
| ifconfig_pool | option | |
| ifconfig_pool_persist | option | |
| ifconfig_push | option | |
| ipchange | option | |
| iroute | option | |
| iroute_ipv6 | option | |
| lladdr | option | |
| max_clients | option | |
| max_routes_per_client | option | |
| mssfix | option | |
| plugin | option | |
| port_share | option | |
| prng | option | |
| pull_filter | option | |
| push | option | |
| remote_cert_eku | option | |
| remote_cert_ku | option | |
| route_ipv6 | option | |
| route_metric | option | |
| route_pre_down | option | |
| server_ipv6 | option | |
| syslog | option | |
| tcp_queue_limit | option | |
| tmp_dir | option | |
| topology | option | |
| user | option | |
| verb | option | |
| verify_x509_name | option | |
| x509_username_field | option | |


| Item | Type | Help Text |
| --- | --- | --- |
| auth_user_pass_optional | option BOOL | |
| bind | option BOOL | |
| ccd_exclusive | option BOOL | |
| comp_noadapt | option BOOL | |
| disable | option BOOL | |
| duplicate_cn | option BOOL | |
| management_forget_disconnect | option BOOL | |
| management_signals | option BOOL | |
| mktun | option BOOL | |
| multihome | option BOOL | |
| opt_verify | option BOOL | |
| push_reset | option BOOL | |
| rmtun | option BOOL | |
| tcp_nodelay | option BOOL | |
| test_crypto | option BOOL | |
| tls_client | option BOOL | |
| username_as_common_name | option BOOL | |