Custom configuration options¶

OpenVPN offers dozens of configuration options, many beyond the most commonly used fields presented in the GUI. This is why the Advanced configuration box exists. Additional configuration options may be configured using this input area, separated by semicolons.

This section covers the most frequently used custom options individually. There are many more, though rarely needed. The OpenVPN man page details them all.

Warning

Exercise caution when adding custom options, there is no input validation applied to ensure the validity of options used. If an option is used incorrectly, the OpenVPN client or server may not start. View the OpenVPN logs under Status > System logs on the OpenVPN tab to ensure the options used are valid. Any invalid options will result in a log message, followed by the option that caused the error:

Options error: Unrecognized option or missing parameter(s)

Routing options¶

To add additional routes for a particular OpenVPN client or server, use the Local Network and Remote Network boxes as needed, using a comma-separated list of networks.

The route custom configuration option may also be used, but is no longer necessary. Some users prefer this method, however. The following example adds a route for 10.50.0.0/24:

route 10.50.0.0 255.255.255.0;

To add multiple routes, separate them with a semicolon:

route 10.50.0.0 255.255.255.0;
route 10.254.0.0 255.255.255.0;

The route configuration option is used to add routes locally for networks that are reachable through the VPN. For an OpenVPN server configuration using PKI, additional routes may also be pushed to clients. The GUI can configure these using the Local Network field. To push the routes manually for 10.50.0.0/24 and 10.254.0.0/24 to all clients, use the following custom configuration option:

push "route 10.50.0.0 255.255.255.0";
push "route 10.254.0.0 255.255.255.0";

Redirecting the default gateway¶

OpenVPN also allows the default gateway to be redirected across the VPN, so all non-local traffic from the client is sent through the VPN. This is great for untrusted local networks such as wireless hotspots, as it provides protection against numerous attacks that are a risk on untrusted networks. This is configurable in the GUI now, using the Redirect Gateway checkbox in the OpenVPN instance configuration. To do this manually, add the following custom option:

push "redirect-gateway def1"

The same value may be used as a custom option on the client side by entering redirect-gateway def1 without specifying push . (Note the option is the letters “def” followed by the digit one, not the letter “L”.)