Advanced Client Settings

DNS Default Domain

Configures a default domain name which clients will append to DNS requests. This can be helpful to ensure name resolution works properly for hosts on the local network where DNS name resolution is used.

For Microsoft Active Directory environments, this would usually be the Active Directory domain name.

DNS servers

When checked, the GUI allows configuring up to four DNS servers for use by clients while connected to the VPN.

For Microsoft Active Directory environments, this is typically the Active Directory Domain Controllers or DNS servers for proper name resolution and authentication when connected via OpenVPN.

Block Outside DNS

Makes Windows 10 clients block access to DNS server except across OpenVPN while connected, forcing clients to use only VPN DNS servers.

This is only relevant on Windows 10 clients using OpenVPN version 2.3.9 and later as they are the only clients prone to leak DNS requests in this way. The option has no effect on other platforms and they will ignore the directive.

Force DNS Cache Update

When checked, the OpenVPN server pushes a set of commands to Windows clients which flush and restart DNS caching to improve client handling of updated DNS servers from the VPN.

NTP servers

When checked, the GUI allows configuring one or two NTP servers which OpenVPN will push to clients for time synchronization. These values can be an IP address or FQDN.

NetBIOS Options

The Enable NetBIOS over TCP/IP option controls whether or not the GUI displays several other NetBIOS and WINS related options.

Node Type

The NetBIOS node type controls how Windows systems function when resolving NetBIOS names. The best practice is to leave this to none to accept the default value from Windows.

The available options include:

b-node:

Use broadcasts for NetBIOS name resolution. This would only be used in the case of a tap bridge as otherwise OpenVPN does not support broadcast messages.

p-node:

Point-to-point name queries to a WINS server. WINS has been deprecated on modern networks, so this option is not useful in most Windows networks.

m-node:

Broadcast then query name server. Similar to b-node but will fall back to DNS.

h-node:

Query name server first, then use broadcast. This option is the most likely to succeed in a current network with proper, functional, DNS.

Scope ID

A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.

WINS Servers

Checking this box allows defining two WINS servers which provide name resolution for clients accessing and browsing NetBIOS resources across the VPN. WINS has been largely deprecated and removed from use, so it is unlikely that most modern environments would benefit from this behavior.