Custom configuration options
OpenVPN offers dozens of configuration options, many beyond the most commonly used fields presented in the GUI. This is why the Advanced configuration box exists. Additional configuration options may be configured using this input area, separated by semicolons.
This section covers the most frequently used custom options individually. There are many more, though rarely needed. The OpenVPN man page details them all.
Exercise caution when adding custom options: no input validation is applied to ensure that the options used are valid. If an option is used incorrectly, the OpenVPN client or server may not start. View the OpenVPN logs under Status > System logs on the OpenVPN tab to ensure the options used are valid. Any invalid option results in a log message, followed by the option that caused the error:
Options error: Unrecognized option or missing parameter(s)
To add additional routes for a particular OpenVPN client or server, use the Local Network and Remote Network boxes as needed, using a comma-separated list of networks.
The route custom configuration option may also be used, but is no longer necessary. Some users prefer this method, however. The following example adds a route for 10.50.0.0/24:
route 10.50.0.0 255.255.255.0;
To add multiple routes, separate them with a semicolon:
route 10.50.0.0 255.255.255.0; route 10.254.0.0 255.255.255.0;
The route configuration option is used to add routes locally for networks that are reachable through the VPN. For an OpenVPN server configuration using PKI, additional routes may also be pushed to clients. The GUI can configure these using the Local Network field. To push the routes for 10.50.0.0/24 and 10.254.0.0/24 manually to all clients, use the following custom option:
push "route 10.50.0.0 255.255.255.0"; push "route 10.254.0.0 255.255.255.0";
Redirecting the default gateway
OpenVPN also allows the default gateway to be redirected across the VPN, so all non-local traffic from the client is sent through the VPN. This is great for untrusted local networks such as wireless hotspots, as it provides protection against numerous attacks that are a risk on untrusted networks. This is configurable in the GUI now, using the Redirect Gateway checkbox in the OpenVPN instance configuration. To do this manually, add the following custom option:
push "redirect-gateway def1"
The same value may be used as a custom option on the client side by entering redirect-gateway def1 without specifying push. (Note the option is the letters “def” followed by the digit one, not the letter “L”.)
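Because pfSense applies no validation to the Advanced configuration box, a mistyped option is only discovered when OpenVPN refuses to start and logs the "Options error" line shown above. The following Python script is an added example, not code from pfSense or OpenVPN: it splits a semicolon-separated Advanced box value into option lines the way the page describes, then checks the three options covered here (route, push and redirect-gateway) before they reach OpenVPN. The option table, the redirect-gateway flag list and the exact error strings are this example's own assumptions, modelled loosely on the log line above; the real OpenVPN parser accepts dozens more options and reports errors in its own wording. The route check is IPv4-only and catches a network with host bits set or a non-contiguous netmask, and the redirect-gateway check catches the "defl" (letter L) typo the note above warns about.

```python
import ipaddress
import shlex

# Options this checker understands, with the minimum and maximum argument
# counts it accepts. Constructed subset for the example: the real OpenVPN
# parser knows dozens more (see the OpenVPN man page).
KNOWN_OPTIONS = {
    "route": (1, 2),             # network [netmask]
    "push": (1, 1),              # one quoted option to send to clients
    "redirect-gateway": (0, 8),  # zero or more flags
}

# redirect-gateway flags accepted here; a subset of those listed in the man page.
REDIRECT_FLAGS = {"local", "autolocal", "def1", "bypass-dhcp", "bypass-dns", "block-local"}

# Wording taken from the log line pfSense shows for a bad option.
UNRECOGNIZED = "Options error: Unrecognized option or missing parameter(s)"


def split_advanced(text):
    """Split an Advanced configuration box value on semicolons into one
    option per entry, dropping empty entries (a trailing ';' is harmless).
    Assumes no option argument itself contains a semicolon."""
    return [part.strip() for part in text.split(";") if part.strip()]


def _check_route(args):
    """Validate 'route network [netmask]': both parts must be IPv4, the
    netmask contiguous, and the network must have no host bits set."""
    network = args[0]
    netmask = args[1] if len(args) > 1 else "255.255.255.255"
    try:
        ipaddress.IPv4Network((network, netmask))  # strict: rejects host bits / bad masks
    except ValueError as exc:
        return f"Options error: route: {exc}"
    return None


def check_option(line):
    """Return None if the option line looks valid, otherwise an error string
    modelled on the 'Options error' log line pfSense shows for bad options."""
    try:
        tokens = shlex.split(line)
    except ValueError as exc:      # e.g. an unbalanced quote in a push argument
        return f"Options error: {exc} in '{line}'"
    if not tokens:
        return "Options error: empty option"
    name, args = tokens[0], tokens[1:]
    if name not in KNOWN_OPTIONS:
        return f"{UNRECOGNIZED}: '{line}'"
    low, high = KNOWN_OPTIONS[name]
    if not low <= len(args) <= high:
        return f"{UNRECOGNIZED}: '{line}'"
    if name == "route":
        return _check_route(args)
    if name == "push":
        # push carries another option as its quoted argument; check it the same way
        return check_option(args[0])
    for flag in args:              # remaining case: redirect-gateway flags
        if flag not in REDIRECT_FLAGS:
            return (f"Options error: unknown redirect-gateway flag '{flag}' "
                    "(def1 is 'def' followed by the digit one)")
    return None


def check_advanced_box(text):
    """Return the list of errors for everything typed into the Advanced box;
    an empty list means every option passed the checks above."""
    return [err for err in map(check_option, split_advanced(text)) if err]


if __name__ == "__main__":
    # Constructed sample input: one good box value and one with three mistakes.
    good = ('push "route 10.50.0.0 255.255.255.0"; '
            'push "route 10.254.0.0 255.255.255.0"; push "redirect-gateway def1"')
    bad = 'route 10.50.0.1 255.255.255.0; push "redirect-gateway defl"; rotue 10.1.0.0 255.255.0.0'
    print("good:", check_advanced_box(good))
    for err in check_advanced_box(bad):
        print("bad: ", err)
```

Run it before pasting a new value into the Advanced box; a non-empty result means OpenVPN would most likely fail to start, and the offending entry is named in the error, which is the same information the OpenVPN log would give you afterwards.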