CLI Reference
Commands
install
Install and configure the OpenVPN server.
interactive
Launch the interactive menu-driven interface.
client
Manage client certificates.
| Subcommand | Description |
|---|---|
| add <name> | Create a new client |
| list | List all clients |
| revoke <name> | Revoke a client certificate |
| renew <name> | Renew a client certificate |
server
Manage the server.
| Subcommand | Description |
|---|---|
| status | Show server status and connected clients |
| renew | Renew the server certificate |
uninstall
Completely remove OpenVPN.
Install Options
Network
| Option | Default | Description |
|---|---|---|
| --endpoint <host> | auto-detected | Public IP or hostname |
| --endpoint-type <4\|6> | 4 | IPv4 or IPv6 endpoint |
| --ip <addr> | auto-detected | Server listening IP |
| --port <num> | 1194 | OpenVPN port |
| --port-random | — | Use a random port (49152–65535) |
| --protocol <udp\|tcp> | udp | Transport protocol |
| --mtu <size> | 1500 | Tunnel MTU (576–65535) |
Client IP Stack
| Option | Default | Description |
|---|---|---|
| --client-ipv4 | enabled | Enable IPv4 for clients |
| --no-client-ipv4 | — | Disable IPv4 for clients |
| --client-ipv6 | disabled | Enable IPv6 for clients |
| --subnet-ipv4 <x.x.x.0> | 10.8.0.0 | VPN IPv4 subnet |
| --subnet-ipv6 <prefix> | fd42:42:42:42:: | VPN IPv6 subnet |
DNS
| Option | Default | Description |
|---|---|---|
| --dns <provider> | cloudflare | DNS provider (see below) |
| --dns-primary <ip> | — | Custom primary DNS (with --dns custom) |
| --dns-secondary <ip> | — | Custom secondary DNS (with --dns custom) |
Available DNS providers:
| Provider | Description |
|---|---|
| system | System resolver |
| unbound | Self-hosted Unbound resolver |
| cloudflare | Cloudflare DNS (1.1.1.1) |
| quad9 | Quad9 DNS (filtered) |
| quad9-uncensored | Quad9 DNS (unfiltered) |
| fdn | French Data Network |
| dnswatch | DNSWatch |
| opendns | OpenDNS |
| google | Google DNS (8.8.8.8) |
| yandex | Yandex DNS |
| adguard | AdGuard DNS |
| nextdns | NextDNS |
| custom | Custom DNS servers |
Security
| Option | Default | Description |
|---|---|---|
| --cipher <cipher> | AES-128-GCM | Data channel cipher |
| --cert-type <ecdsa\|rsa> | ecdsa | Certificate type |
| --cert-curve <curve> | prime256v1 | ECDSA curve |
| --rsa-bits <2048\|3072\|4096> | 2048 | RSA key size |
| --hmac <alg> | SHA256 | HMAC digest algorithm |
| --tls-sig <mode> | crypt-v2 | TLS signature mode |
| --auth-mode <pki\|fingerprint> | pki | Authentication mode |
| --tls-version-min <1.2\|1.3> | 1.2 | Minimum TLS version |
| --tls-ciphersuites <list> | — | TLS 1.3 cipher suites |
| --tls-groups <list> | — | Key exchange groups |
| --server-cert-days <n> | 3650 | Server certificate validity (days) |
Available ciphers:
AES-128-GCM, AES-192-GCM, AES-256-GCM, AES-128-CBC, AES-192-CBC, AES-256-CBC, CHACHA20-POLY1305
Available ECDSA curves:
prime256v1, secp384r1, secp521r1
TLS signature modes:
| Mode | Description |
|---|---|
| crypt-v2 | Per-client encryption keys (OpenVPN 2.5+) |
| crypt | Shared encryption key (OpenVPN 2.4+) |
| auth | HMAC authentication only |
Client
| Option | Default | Description |
|---|---|---|
| --client <name> | — | Initial client name |
| --client-password [pass] | — | Password-protect client key |
| --client-cert-days <n> | 3650 | Client certificate validity (days) |
| --no-client | — | Skip initial client creation |
| --multi-client | — | Allow same cert on multiple devices |
Output
| Option | Default | Description |
|---|---|---|
| --verbose | — | Detailed output |
| --log <path> | /var/log/openvpn/server.log | Log file location |
| --no-log | — | Disable file logging |
| --no-color | — | Disable colored output |
| --format <json\|table> | table | Output format (for list and status) |