Client Configuration Options¶
These options are available in one or more modes for OpenVPN client instances, managed from VPN > OpenVPN, on the Clients tab.
Many of these options are identical to the server options mentioned in Server Configuration Options. This section only notes the differences.
For client instances, the server mode choices are limited to Peer to Peer (SSL/TLS) and Peer to Peer (Shared Key). These choices pair with the server options of the same name and type.
Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.
Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.
When an SSL/TLS instance is configured with a
/30 tunnel network it
behaves in a similar manner to shared key mode. The primary difference is the
need to create and distribute the certificate structure to peers. See
OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in
This option selects the interface, VIP, or failover group that the OpenVPN client instance will use for outgoing connections.
When a CARP type VIP is selected for the Interface on OpenVPN Client instances, the firewall will stop the OpenVPN instance when the CARP VIP is in a backup state. This prevents the secondary HA node from maintaining invalid routes or attempting to make outbound connections which can interfere with the active connection on the primary HA node.
To ensure that a connection uses out the correct WAN when selecting a WAN which is not the default gateway, add a static route for the server IP address. Depending on the protocol in use and contents of the routing table, the firewall may not be able to send traffic out the correct WAN without a static route.
For clients, the local port should be blank in nearly every case so that OpenVPN will use a randomized local port. This behavior is more secure, but some server configurations may require a specific source port.
Server host or address¶
The IP address or fully qualified domain name for the server.
When using a hostname for the remote server address, OpenVPN will resolve the server host name on each connection attempt.
The port on which the server is listening, typically
- Proxy Host or Address
The IP address or fully qualified domain name for a proxy server through which this client must connect.
- Proxy Port
The port on which the proxy is listening for connections.
- Proxy Auth Extra Options
Extra authentication options. When set to basic or ntlm the GUI presents Username and Password fields to configure proxy authentication.
User Authentication Settings¶
Configures authentication option for SSL/TLS mode. This may be optional, depending on the server configuration.
- Username and Password
The user credentials to send, if required by the server.
- Authentication Retry
When set, OpenVPN will not retry a connection when authentication fails; the OpenVPN process will exit if it receives an authentication failure message instead. The default behavior is to retry authentication.
The settings in this section are identical to those on their corresponding options on the server side except for the new Client Certificate option. This option sets the certificate for use by this client.
The client certificate, its key, and the associated CA certificate must all be imported to the firewall using the certificate manager before OpenVPN can use them.
Limit Outgoing Bandwidth¶
This option limits the speed of outgoing VPN traffic to the given amount,
specified in bytes per second. The value must be either empty or between
OpenVPN will not limit traffic when the field is empty.
Don’t Pull Routes¶
When checked, the client ignores routes pushed from the server. This is useful in cases when the server pushes a default gateway redirect when this client does not need one, or if the server pushes routes for networks that this client prefers to handle in other ways.
Don’t Add/Remove Routes¶
When checked, OpenVPN will not manage route table entries for this VPN. In this
case, the routes must be managed manually. Routes that OpenVPN would normally
add are instead passed to
--route-up script using environmental variables.
If this option is set, the firewall will use DNS servers assigned by the remote OpenVPN server for its own purposes, similar to if it had received a DNS server from a dynamic WAN.