Client Specific Overrides¶
Client specific overrides define custom settings which apply to only certain clients connecting to an SSL/TLS server in client/server mode. These settings are determined by the way a connecting client authenticates, either by their username or the common name of their certificate.
Client specific overrides are managed at VPN > OpenVPN on the Client Specific Overrides tab.
Depending on the use cases, overrides may be a required part of a deployment, such as a site-to-site VPN with multiple clients connecting to a single server.
Overrides also enable special behavior such as configuring different routes for different clients, static IP addresses when connecting to the VPN, exceptions to default VPN behaviors, and many more scenarios.
The following settings are available when configuring client specific overrides.
Text describing the override entry, such as a user or site name, or its purpose.
Whether or not this override is enabled. When checked, the override is not active.
- Common Name
The name of the user which OpenVPN will match when a client connects. When using SSL/TLS authentication this is the common name field of the certificate. When using user authentication this is the username.
When SSL/TLS and user authentication are both are active, this behavior is determined by the Username as Common Name option on the OpenVPN server. When checked, it matches the username. When unchecked, it matches the common name of the certificate. If multiple users share the same certificate, check that option.
The special name
DEFAULTwill trigger if the connecting user does not match any other existing overrides. This can be useful when adding options which are only possible on overrides, such as Connection Blocking.
- Connection Blocking
When set, OpenVPN rejects clients matching this override. This can be used as an additional means of blocking a specific user, though this use case should only be temporary.
Do not use this to permanently block a specific user if their credentials have been compromised or terminated. Instead, use a CRL to revoke the client certificate or make changes to the user account such as removing the account or changing its password.
Some administrators use this option to selectively allow clients on specific servers when they share a common CA structure. The best practice is to use a separate certificate structure for each VPN server, but that is not always possible.
To only allow users with an override to connect, create an override for the
DEFAULTcommon name with this option set. With that in place, OpenVPN will reject all clients by default and will allow connections from clients matching other overrides which do not have this option set.
- Server List
The OpenVPN servers for which this override will be active. Select one or more OpenVPN instances which will utilize this override. By default, with no entries selected, overrides are active for all servers.
Many use cases may call for using an override with only a specific VPN. For example if a client has a static IP address inside the VPN, that address may only be valid on one VPN server. Attempting to use that static address on a different VPN will fail.
Multiple overrides can use the same common name, but such entries are only useful if they are active on different VPN instances.
- IPv4/IPv6 Tunnel Network
A specific static virtual IPv4 network or network type alias with a single entry used for private communications between this client and the server expressed using CIDR notation (e.g.
On a server with subnet topology, or for IPv6, the client IP address and the subnet/prefix mask must match the Tunnel Network on the server.
On a server with net30 topology, OpenVPN assumes the first IPv4 network address of the
/30is the server address and it assigns the second network address to the client.
These options express a preference, not a reservation. OpenVPN dynamically allocates addresses to connecting clients near the start of its tunnel network. An override will not prevent another client from using this address if it happens to be assigned the address dynamically.
- IPv4/IPv6 Local Network/s
Networks located on the server side for which OpenVPN will push routes to this client. This can be a comma-separated list of networks in CIDR notation and it can also be a host or network type alias.
This is functionally identical to the same fields on the OpenVPN server configuration. There is no need to duplicate those values here. Only exceptions or differences from the default entries should be in these fields.
- IPv4/IPv6 Remote Network/s
Networks which can be reached through this client. OpenVPN will internally route traffic destined for these networks to this client (
The remote networks listed in the server configuration inform the operating system routing table to deliver the traffic to OpenVPN, while the entries in an override associate networks with specific remote clients.
Unlike local networks, entries in the remote network fields must be set in both the OpenVPN server and an override. For full routing functionality to a client network, both the operating system routing table and OpenVPN must know how to reach the network.
- Redirect Gateway
When set, OpenVPN pushes a default gateway to the client so it will send all of its traffic, including Internet traffic, through this VPN.
- Server Definitions
When set, OpenVPN will not push options from the server configuration to this client.
- Remove Server Routes
When set, OpenVPN will not push routes to this client, but it will push other options.
- DNS Default Domain
When set, the GUI presents a field in sets an alternate default DNS search domain which OpenVPN will push to this client.
- DNS Servers
When set, the GUI presents four fields for alternative DNS servers OpenVPN will push to this client.
- NTP Servers
When set, the GUI presents two fields for alternative NTP servers OpenVPN will push to this client.
- NetBIOS Options
When set, the GUI presents fields for alternate NetBIOS options which OpenVPN will push to this client.
Additional custom options for OpenVPN to apply to this client.
Each directive must be separated by a semicolon (
These options are described further in Custom Configuration Options.