- All openvpn parameters must start with ‘--’
- If multiple commands, they must be separated by a space
This creates a new line in the OpenVPN config for every occurrence of '--'. For example, inserting --auth SHA256 --push "route 192.168.2.0 255.255.255.0"
adds the following lines to the server config file:
auth SHA256
push "route 192.168.2.0 255.255.255.0"
If illegal options are given or the format is wrong (for example, the "--" is missing), the OpenVPN server will fail to start and the System > Logs section will show an error like the following example:
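The following Python script is an added example, not part of this article or of Digi's DAL firmware. It applies the two rules above to an advanced options string, producing the config lines the router would write, and shows why a forgotten '--' breaks the server: the tokens after the missing prefix become extra arguments of the previous option, which the argument-count check reports. The option table it checks against is constructed for the example and limited to the options shown on this page.

```python
import shlex

# Argument counts (min, max) for the options this page discusses. This table is
# constructed for the example and deliberately covers only those options; a
# full validator would need OpenVPN's complete option list.
OPTION_ARITY = {
    "tls-auth": (1, 2),          # key file [direction]
    "push": (1, 1),              # one quoted option string
    "auth": (1, 1),              # digest name
    "cipher": (1, 1),            # cipher name
    "client-to-client": (0, 0),  # flag, no arguments
}


def parse_advanced_options(text):
    """Split a DAL 'advanced options' string into [name, arg, ...] lists.

    Every token starting with '--' begins a new config line; the tokens that
    follow it, up to the next '--', are its arguments. shlex keeps a
    double-quoted argument (as used with --push) together as one token.
    Raises ValueError if text appears before the first '--', i.e. the very
    first parameter is missing its prefix.
    """
    lines = []
    for tok in shlex.split(text):
        if tok.startswith("--"):
            lines.append([tok[2:]])
        elif lines:
            lines[-1].append(tok)
        else:
            raise ValueError(f"parameter {tok!r} must start with '--'")
    return lines


def render(lines):
    """Format parsed lines as they would appear in the server config file."""
    out = []
    for name, *args in lines:
        # arguments containing spaces are re-quoted, matching the push syntax
        quoted = [f'"{a}"' if " " in a else a for a in args]
        out.append(" ".join([name, *quoted]))
    return out


def validate(lines):
    """Return a list of problems; an empty list means nothing was rejected.

    A '--' forgotten in the middle of the string does not raise in the parser:
    the following tokens simply become extra arguments of the previous option,
    which is what the argument-count check catches here.
    """
    problems = []
    for name, *args in lines:
        if not name:
            problems.append("empty option name ('--' with nothing after it)")
            continue
        if name not in OPTION_ARITY:
            continue  # not in this example's table, so arity is not checked
        lo, hi = OPTION_ARITY[name]
        if not lo <= len(args) <= hi:
            problems.append(
                f"--{name} expects {lo}-{hi} argument(s) but got {len(args)}: {args}"
            )
    return problems


if __name__ == "__main__":
    # constructed sample inputs: the page's own example, then one missing a '--'
    good = '--auth SHA256 --push "route 192.168.2.0 255.255.255.0"'
    bad = '--auth SHA256 push "route 192.168.2.0 255.255.255.0"'
    for text in (good, bad):
        parsed = parse_advanced_options(text)
        print("\n".join(render(parsed)))
        print("problems:", validate(parsed) or "none")
```

Running the script prints the two config lines for the first string and, for the second, a single line `auth SHA256 push "route 192.168.2.0 255.255.255.0"` together with the complaint that --auth received three arguments instead of one, which is the same defect the server log would report.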
If the override box is selected, the config file will consist only of the commands from the advanced options section (almost the same as using a server config file). This is not usually recommended, because OpenVPN, rather than the device, would then be managing the network.
Examples of most commonly used commands:
Usage: The tls-auth option adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using a pre-shared key (PSK) that needs to be shared between the peers.
This helps mitigate denial-of-service attempts from unauthenticated clients, since junk traffic can be dropped much sooner.
Example of Command to add on DAL: --tls-auth /etc/config/ta.key 0
Where ta.key is the secret file that must be copied into the /etc/config/ path of the DAL router file system (see how to upload files here: Upload and download files).
The second parameter should be '0' on the server and '1' on the clients.
Usage: Push commands push configuration options to the client for remote execution. (Note: the option must be enclosed in double quotes ("") and the client must specify --pull in its config file.)
Some of the most commonly used examples:
Push routes: this allows the client to reach other private subnets behind the server.
Example of Command to add on DAL: --push "route 192.168.2.0 255.255.255.0"
Push default gateway: this configures all clients to redirect their default network gateway through the VPN, causing all IP traffic, such as web browsing and DNS lookups, to go through the VPN.
Example of Command to add on DAL: --push "redirect-gateway def1 bypass-dhcp"
Push DNS: set the DNS address on the client:
Example of Command to add on DAL: --push "dhcp-option DNS 220.127.116.11"
Usage: Specify the message digest algorithm used to authenticate data channel packets (the default is SHA1).
Example of Command to add on DAL: --auth SHA256
Usage: Define the cipher algorithm used to encrypt data channel packets.
The default is BF-CBC, but when cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM.
Example of Command to add on DAL: --cipher AES-128-GCM
CLIENTS COMMUNICATIONS VIA THE TUNNEL
Usage: This allows different clients to "see" each other (by default, clients only see the server).
Command to add on DAL: --client-to-client
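As an added example (not code from this article or from Digi), the Python script below cross-checks a server's advanced options against a client configuration using the pairing rules from the sections above: tls-auth direction 0 on the server and 1 on the client, pull on a client that receives pushed options, and matching auth and cipher values (defaults SHA1 and BF-CBC). Two points are assumed as OpenVPN behaviour not stated on the page: the client directive implies pull, and a cipher mismatch is only tolerated when NCP negotiation is in effect on both sides. The sample server and client lines are constructed.

```python
import shlex

# Defaults named on the page: OpenVPN uses these when the option is absent.
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC"}


def directives(lines):
    """Parse config-file lines into (name, args) pairs, skipping comments."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = shlex.split(line)
        parsed.append((name, args))
    return parsed


def first(conf, name):
    """Arguments of the first directive called `name`, or None if absent."""
    for n, args in conf:
        if n == name:
            return args
    return None


def check_client_against_server(server_lines, client_lines):
    """Return the mismatches between server advanced options and a client config."""
    server = directives(server_lines)
    client = directives(client_lines)
    issues = []

    # tls-auth: the key direction is 0 on the server and 1 on the clients
    s_tls = first(server, "tls-auth")
    if s_tls is not None:
        c_tls = first(client, "tls-auth")
        if c_tls is None:
            issues.append("server uses tls-auth but the client has no tls-auth line")
        elif len(s_tls) > 1 and s_tls[1] == "0" and (len(c_tls) < 2 or c_tls[1] != "1"):
            issues.append("tls-auth direction is 0 on the server, so the client needs 1")

    # push: the client must specify pull. That 'client' implies pull is an
    # OpenVPN fact assumed here, not stated on the page.
    if first(server, "push") is not None and all(
        first(client, opt) is None for opt in ("pull", "client")
    ):
        issues.append("server pushes options but the client has neither pull nor client")

    # auth and cipher: both sides must agree, falling back to the defaults
    for opt in ("auth", "cipher"):
        s_val = (first(server, opt) or [DEFAULTS[opt]])[0]
        c_val = (first(client, opt) or [DEFAULTS[opt]])[0]
        if s_val != c_val:
            note = " (tolerated only when NCP negotiates a cipher on both sides)" if opt == "cipher" else ""
            issues.append(f"{opt} differs: server {s_val}, client {c_val}{note}")
    return issues


# Constructed sample: the server lines a DAL router would write for the options
# on this page, plus a misconfigured and a correct client config.
SERVER_LINES = [
    "tls-auth /etc/config/ta.key 0",
    'push "route 192.168.2.0 255.255.255.0"',
    "auth SHA256",
    "cipher AES-128-GCM",
    "client-to-client",
]
BAD_CLIENT = ["client", "tls-auth ta.key 0", "cipher AES-128-GCM"]
GOOD_CLIENT = ["client", "tls-auth ta.key 1", "auth SHA256", "cipher AES-128-GCM"]

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CLIENT), ("good", GOOD_CLIENT)):
        print(label, check_client_against_server(SERVER_LINES, conf) or "OK")
```

For the misconfigured client the check reports two problems: the tls-auth direction is 0 on both sides, and the client is silently using the default digest SHA1 while the server was set to SHA256. Both are mistakes that only show up as failed connections in the router log, so checking the two configs side by side before deploying saves a round of log reading.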