Man page - openvpn3-config-manage(1)

Packages contains this manual

Package:  openvpn3-client
apt-get install openvpn3-client

Manuals in package:
• openvpn3-session-auth(1)
• openvpn3-service-netcfg(8)
• openvpn3-service-client(8)
• openvpn3-log(1)
• openvpn3-session-manage(1)
• openvpn3-admin-init-config(8)
• openvpn3-service-log(8)
• openvpn3-service-backendstart(8)
• openvpn3-session-acl(1)
• openvpn3-admin(8)
• openvpn3-service-configmgr(8)
• openvpn3-systemd(8)
• openvpn3-linux(7)
• openvpn3-session-start(1)
• openvpn2(1)
• openvpn3-admin-netcfg-service(8)
• openvpn3-config-dump(1)
• openvpn3-admin-log-service(8)
• openvpn3-config-manage(1)
• openvpn3-admin-sessionmgr-service(8)
• openvpn3-admin-journal(8)
• openvpn3-service-sessionmgr(8)
• openvpn3-autoload(8)
• openvpn3-config-acl(1)
• openvpn3-as(1)
• openvpn3-config-import(1)
• openvpn3-configs-list(1)
• openvpn3-sessions-list(1)
• openvpn3(1)
• openvpn3-service-devposture(8)
• openvpn3-session-stats(1)
• openvpn3-config-remove(1)

Manual

OPENVPN3-CONFIG-MANAGE

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
SEE ALSO

---

NAME

openvpn3-config-manage - OpenVPN 3 Linux - Configuration Profile Management

SYNOPSIS

openvpn3 config-manage -o DBUS-PATH | --path DBUS-PATH | --config CONFIG-NAME [OPTIONS]
openvpn3 config-manage -h | --help

DESCRIPTION

Manage settings for an imported configuration profile. This allows to override parts of the original config profile. Note that this will not be reflected in the output of openvpn3 config-dump . Use openvpn3 config-manage --show to see the existing overrides.

OPTIONS

-h , --help

Print usage and help details to the terminal

-o DBUS-PATH , --path DBUS-PATH

D-Bus configuration path to the configuration to delete. This can be found in openvpn3 configs-list .

--config-path DBUS-PATH

Alias for --path .

-c CONFIG-NAME , --config CONFIG-NAME

Can be used instead of --path where the configuration profile name is given instead. Available configuration names can be found via openvpn3 configs-list .

-r NEW-CONFIG-NAME , --rename NEW-CONFIG-NAME

Renames the configuration profile

--tag TAG-VALUE

Adds a tag value to a configuration profile

--remove-tag TAG-VALUE

Remove a tag value from a configuration profile

-s , --show

Show the current profile settings

--exists

Checks if a configuration profile exists. Requires either --config or --path . Will exit with 0 if configuration profile is found, otherwise 1 .

--quiet

Don't display informative information when modifying the configuration profile.

--dco BOOL

Enable kernel based Data Channel Offload. This moves the tunnelled network traffic to be handled inside the kernel. This improves the processing of the network traffic and moves the encryption, decryption and packet authentication for the tunnelled network traffic to be handled inside the kernel instead of begin passed via the OpenVPN client process in user space.

This option is only available if openvpn3-linux has been built with this support.
WARNING:

This is currently a tech preview feature and is not ready for production environments. It also requires the ovpn-dco kernel module to be installed to work and at least a Linux 5.4 kernel.

--server-override HOST

Override the remote server hostname/IP address to connect against.

--port-override PORT

Override the remote server port to connect against. Valid values: 1 to 65535 .

--proto-override PROTO

Override the connection protocol. Valid values are tcp and udp .

--ipv6 ARG

Sets the IPv6 connect policy for the client. Valid values are yes , no and default

--persist-tun BOOL

Overrides the --persist-tun argument in the configuration profile. If set to true, the tun adapter will persist during the reconnect. If false, the tun adapter will be torn down before reconnects. Valid values are: true , false

--log-level LEVEL

Overrides the default log level. The default log level is 3 if the configuration file does not contain a --verb option. This override will take place over any other log verbosity settings. Valid values are between 1 and 6 .

--dns-fallback-google BOOL

If set to true, the DNS resolver settings will include Google DNS servers. Valid values are: true , false

--dns-scope SCOPE

Defines the DNS query scope. This is currently only supported when enabling the systemd-resolved (8) resolver support in openvpn3-service-netcfg (8). Supported values are:
global: (default)

The VPN service provided DNS server(s) will be used for all types of DNS queries.

tunnel:

The VPN service provided DNS server(s) will only be used for queries for DNS domains pushed by the VPN service.

NOTE

The DNS domains pushed by the VPN service may be queried by DNS servers with systemd-resolved (8) service if their respective interfaces are configured to do global DNS queries. But other non-listed DNS domains will not be sent to this VPN service provider's DNS server.

--dns-setup-disabled BOOL

If set to true, DNS settings will not be configured on the system. Valid values are: true , false

--dns-sync-lookup BOOL

If set to true, DNS lookups will happen synchronously. Valid values are: true , false

--enterprise-profile PROFILE_NAME

This enables device posture checks if the server requests it. The profile name need to match a device posture profile found in the @DEVPOSTURE_PROFILEDIR@ directory. The PROFILE_NAME is without any file extension. For a successful device posture check, the profile must match the protocol the server side expects. This information need to be provided by your VPN server administrator.

--auth-fail-retry BOOL

If set to true, the client will try to reconnect instead of disconnecting if authentication fails. Valid values are: true , false

--allow-compression ARG

This controls whether the client wants to allow compression on traffic between the client to the server. Valid argument values:

	no:		Do not compress at all
	asym:		Only allow server to send compressed data
	yes:		Both client and server can use compression

--enable-legacy-algorithms BOOL

By default, OpenVPN 3 Linux only expects to work with servers capable of doing AEAD ciphers on the data channel, such as AES-GCM or ChaCha20-Poly1305 (if supported by the TLS library). To connect to legacy servers not capable of AEAD ciphers on the data channel, it might help to enable legacy cipher algorithms.

--tls-version-min ARG

Sets the minimum TLS version for the control channel. For this to be functional, the SSL/TLS library in use needs to support this restriction on both server and client. Valid argument values are:
tls_1_0:

Enforce minimum TLSv1.0

tls_1_1:

Enforce minimum TLSv1.1

tls_1_2:

Enforce minimum TLSv1.2

tls_1_3:

Enforce minimum TLSv1.3. This is currently only supported by OpenSSL 1.1.1.

--tls-cert-profile ARG

This sets the acceptable certificate and key parameters. Valid argument values are:
legacy:

Allows minimum 1024 bits RSA keys with certificates signed with SHA1.

preferred:

Allows minimum 2048 bits RSA keys with certificates signed with SHA256 or higher. (default)

suiteb:

This follows the NSA Suite-B specification.

--proxy-host PROXY-SERVER

HTTP proxy to establish the VPN connection via.

--proxy-port PROXY-PORT

Port where the HTTP proxy is available.

--proxy-username PROXY-USER

Username to use for the HTTP proxy connection

--proxy-password PROXY-PASSWORD

Password to use for the HTTP proxy connection

--proxy-auth-cleartext BOOL

Allow HTTP proxy authentication to happen in clear-text. Valid values are: true , false

--unset-override OVERRIDE

This removes an override setting from the configuration profile. The OVERRIDE value is the setting arguments enlisted here but without the leading -- . For example, if --tls-cert-profile suiteb was set, it can be unset with --unset-override tls-cert-profile .

SEE ALSO

openvpn3 (1) openvpn3-config-acl (1) openvpn3-config-import (1) openvpn3-configs-list (1) openvpn3-config-remove (1)

---