Advanced Options¶
Custom options¶
While the GUI supports many commonly used options, OpenVPN contains many more options that are unavailable in the GUI which certain use cases may require.
Custom options may be added in using the Custom option box with each directive separated by a semicolon (``;``). The firewall will pass the custom directives to OpenVPN.
See also
These options are described further in Custom Configuration Options.
Warning
Use with extreme caution. Due to the nature of how this field operates, the firewall cannot validate its contents. Invalid combinations of directives will cause the OpenVPN instance to fail.
Username as Common Name¶
Controls whether or not OpenVPN will use the username given by the client in place of the certificate common name for purposes such as determining Client Specific Overrides. This is only relevant when user authentication is enabled. This is typically the best practice, but not a requirement.
UDP Fast I/O¶
Controls whether or not OpenVPN will use fast I/O operations with UDP writes to its tun or tap device. This behavior optimizes the packet write event loop, improving CPU efficiency by 5% to 10%.
Warning
OpenVPN considers this option experimental and it may not be supported on all platforms. This option is not compatible with OpenVPN bandwidth limiting.
This option is also not compatible with OpenVPN Data Channel Offload (DCO).
Exit Notify¶
Controls whether or not OpenVPN will send an explicit exit notification to connected UDP clients or peers when restarting or shutting down. This notification allows peers to immediately disconnect rather than wait for a timeout. This is only relevant to UDP modes as TCP natively supports closing connections.
In SSL/TLS Server modes, clients may be directed to reconnect or use the next server.
- Disabled:
Does not send an exit notification.
- Reconnect to this server / Retry Once:
In server mode this directs clients to reconnect to the same server. This is useful if there is only one server and it will be available again shortly.
For clients it directs them to retry sending the notification once before giving up.
- Reconnect to next server / Retry Twice:
In server mode this directs clients to reconnect to the next server if the client configuration contains multiple servers. This is useful to nudge clients to an alternate server if this server could be down for an extended period.
For clients it directs them to retry sending the notification twice before giving up.
Warning
The firewall ignores this option in Peer-to-Peer Shared Key mode and in
SSL/TLS mode with a blank or /30
tunnel network as it will cause the
server to exit and not restart.
This option is not compatible with OpenVPN Data Channel Offload (DCO).
Send/Receive Buffer¶
Configures a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take experimentation. To test the best value for a site, start at 512KiB and test higher and lower values until testing results in peak performance.
Note
For remote access VPNs this may take experimentation with multiple types of clients on different devices, networks, and so on.
Warning
This option is not compatible with OpenVPN Data Channel Offload (DCO).
Gateway Creation¶
Controls which types of gateways the firewall will automatically create for this VPN instance when assigned as an interface. The default behavior will create both IPv4 and IPv6 gateways but if the VPN will only ever carry one type of traffic, this option can limit that behavior so the GUI will not display an unnecessary gateway entry.
Verbosity level¶
Configures the amount of detail OpenVPN will log for this instance, which is useful for troubleshooting problems. Higher numbers will result in higher amounts of detail in the log. During normal operation the default selection is ideal.
Note
When set to higher levels, the OpenVPN status page and dashboard widget will cause additional logging as they interact with the Management process to poll information from the OpenVPN daemons.