Client Configuration Options

These options are available in one or more modes for OpenVPN client instances, managed from VPN > OpenVPN, on the Clients tab.

Many of these options are identical to the server options mentioned in Server Configuration Options. This section only notes the differences.

Server mode

For client instances, the server mode choices are limited to Peer to Peer (SSL/TLS) and Peer to Peer (Shared Key). These choices pair with the server options of the same name and type.


Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.

Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.

When an SSL/TLS instance is configured with a /30 tunnel network it behaves in a similar manner to shared key mode. The primary difference is the need to create and distribute the certificate structure to peers. See OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in SSL/TLS mode.


Interface

This option selects the interface, VIP, or failover group that the OpenVPN client instance will use for outgoing connections.

When a CARP type VIP is selected for the Interface on OpenVPN Client instances, the firewall will stop the OpenVPN instance when the CARP VIP is in a backup state. This prevents the secondary HA node from maintaining invalid routes or attempting to make outbound connections which can interfere with the active connection on the primary HA node.


To ensure that a connection exits through the correct WAN when selecting a WAN which is not the default gateway, add a static route for the server IP address. Depending on the protocol in use and contents of the routing table, the firewall may not be able to send traffic out the correct WAN without a static route.

Local Port

For clients, the local port should be blank in nearly every case so that OpenVPN will use a randomized local port. This behavior is more secure, but some server configurations may require a specific source port.

Server host or address

The IP address or fully qualified domain name for the server.


When using a hostname for the remote server address, OpenVPN will resolve the server host name on each connection attempt.

Server Port

The port on which the server is listening, typically 1194.

Proxy Settings

Proxy Host or Address

The IP address or fully qualified domain name for a proxy server through which this client must connect.

Proxy Port

The port on which the proxy is listening for connections.

Proxy Auth Extra Options

Extra authentication options. When set to basic or ntlm, the GUI presents Username and Password fields to configure proxy authentication.

User Authentication Settings

Configures authentication options for SSL/TLS mode. This may be optional, depending on the server configuration.

Username and Password

The user credentials to send, if required by the server.

Authentication Retry

When set, OpenVPN will not retry a connection when authentication fails; the OpenVPN process will exit if it receives an authentication failure message instead. The default behavior is to retry authentication.

Cryptographic Settings

The settings in this section are identical to their corresponding options on the server side, except for the new Client Certificate option. This option sets the certificate for use by this client.


The client certificate, its key, and the associated CA certificate must all be imported to the firewall using the certificate manager before OpenVPN can use them.

Shared Key / TLS Authentication

These options work similarly to their server-side counterparts, but be aware that the key from the server must be copied here exactly. Do not generate a new key on the client if the server already has a key.

Limit Outgoing Bandwidth

This option limits the speed of outgoing VPN traffic to the given amount, specified in bytes per second. The value must be either empty or between 100 and 100000000.

OpenVPN will not limit traffic when the field is empty.

Don’t Pull Routes

When checked, the client ignores routes pushed from the server. This is useful in cases when the server pushes a default gateway redirect when this client does not need one, or if the server pushes routes for networks that this client prefers to handle in other ways.

Don’t Add/Remove Routes

When checked, OpenVPN will not manage route table entries for this VPN. In this case, the routes must be managed manually. Routes that OpenVPN would normally add are instead passed to the --route-up script using environment variables.
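
One way a --route-up script can vet those routes before anything is installed, as an added example that is not part of the original documentation: it reads the route_network_N, route_netmask_N and route_gateway_N variables OpenVPN exports and accepts only routes that fall inside an allowlist. ALLOWED_ROUTES, the function names and the sample values are assumptions made for this illustration; the script only prints verdicts and leaves the platform-specific route command to the caller.

```shell
#!/bin/sh
# Added example: vet routes OpenVPN exports to a --route-up script.
# ALLOWED_ROUTES is a hypothetical allowlist in network/netmask form.
ALLOWED_ROUTES="10.8.0.0/255.255.0.0 192.168.50.0/255.255.255.0"

ip2int() {
    # Dotted-quad IPv4 -> integer; returns 1 on malformed input.
    case "$1" in ''|*[!0-9.]*|*.*.*.*.*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

route_allowed() {
    # $1 network, $2 netmask: true only if the route sits inside an allowlisted network.
    r_net=$(ip2int "$1") && r_mask=$(ip2int "$2") || return 1
    for entry in $ALLOWED_ROUTES; do
        a_net=$(ip2int "${entry%/*}") && a_mask=$(ip2int "${entry#*/}") || continue
        # The route must be at least as specific as the entry and fall within it.
        [ $(( r_mask & a_mask )) -eq "$a_mask" ] &&
            [ $(( r_net & a_mask )) -eq "$a_net" ] && return 0
    done
    return 1
}

plan_routes() {
    # Walk route_network_1..N and print one verdict per route; installs nothing.
    n=1
    while :; do
        # eval only expands our own counter into the variable name.
        eval "net=\${route_network_$n:-} mask=\${route_netmask_$n:-} gw=\${route_gateway_$n:-}"
        [ -n "$net" ] || break
        if route_allowed "$net" "$mask" && ip2int "$gw" >/dev/null; then
            echo "ACCEPT $net $mask $gw"
        else
            echo "REJECT $net $mask $gw"
        fi
        n=$((n + 1))
    done
}

# Constructed sample of what a server might push (not captured from a real tunnel).
route_network_1=10.8.20.0   route_netmask_1=255.255.255.0 route_gateway_1=10.8.0.1
route_network_2=0.0.0.0     route_netmask_2=0.0.0.0       route_gateway_2=10.8.0.1
route_network_3=192.168.0.0 route_netmask_3=255.255.0.0   route_gateway_3=10.8.0.1
plan_routes
```

With the constructed sample, the default route and the overly broad 192.168.0.0/16 push are rejected, while the /24 inside 10.8.0.0/16 is accepted.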

Pull DNS

If this option is set, the firewall will use DNS servers assigned by the remote OpenVPN server for its own purposes, much as if it had received a DNS server from a dynamic WAN.