Advanced Options

Custom options

While the GUI supports many commonly used options, OpenVPN contains many more options that are unavailable in the GUI which certain use cases may require.

Custom options may be added in using the Custom option box separated by a semicolon (;) and the firewall will pass the custom directives to OpenVPN.

See also

These options are described further in Custom Configuration Options.

Warning

Use with extreme caution. Due to the nature of how this field operates, the firewall cannot validate its contents. Invalid combinations of directives will cause the OpenVPN instance to fail.

Username as Common Name

Controls whether or not OpenVPN will use the username given by the client in place of the certificate common name for purposes such as determining Client Specific Overrides. This is only relevant when user authentication is enabled. This is typically the best practice, but not a requirement.

UDP Fast I/O

Controls whether or not OpenVPN will use fast I/O operations with UDP writes to its tun or tap device. This behavior optimizes the packet write event loop, improving CPU efficiency by 5% to 10%.

Note

This option is considered experimental as it may not be supported on all platforms. This option is not compatible with OpenVPN bandwidth limiting.

Exit Notify

Controls whether or not OpenVPN will send an explicit exit notification to connected UDP clients or peers when restarting or shutting down. This notification allows peers to immediately disconnect rather than wait for a timeout. This is only relevant to UDP modes as TCP natively supports closing connections.

In SSL/TLS Server modes, clients may be directed to reconnect or use the next server.

Disabled

Does not send an exit notification.

Reconnect to this server / Retry Once

In server mode this directs clients to reconnect to the same server. This is useful if there is only one server and it will be available again shortly.

For clients it directs them to retry sending the notification once before giving up.

Reconnect to next server / Retry Twice

In server mode this directs clients to reconnect to the next server if the client configuration contains multiple servers. This is useful to nudge clients to an alternate server if this server could be down for an extended period.

For clients it directs them to retry sending the notification twice before giving up.

Warning

The firewall ignores this option in Peer-to-Peer Shared Key mode and in SSL/TLS mode with a blank or /30 tunnel network as it will cause the server to exit and not restart.

Send/Receive Buffer

Configures a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take experimentation. To test the best value for a site, start at 512KiB and test higher and lower values until testing results in peak performance.

Note

For remote access VPNs this may take experimentation with multiple types of clients on different devices, networks, and so on.

Gateway Creation

Controls which types of gateways the firewall will automatically create for this VPN instance when assigned as an interface. The default behavior will create both IPv4 and IPv6 gateways but if the VPN will only ever carry one type of traffic, this option can limit that behavior so the GUI will not display an unnecessary gateway entry.

Verbosity level

Configures the amount of detail OpenVPN will log for this instance, which is useful for troubleshooting problems. Higher numbers will result in higher amounts of detail in the log. During normal operation the default selection is ideal.

Note

When set to higher levels, the OpenVPN status page and dashboard widget will cause additional logging as they interact with the Management process to poll information from the OpenVPN daemons.