will run a script such as:.B ifconfig $1 10.4.0.1 pointopoint 10.4.0.2 mtu $2(Note: remove "pointopoint" from command line on OpenBSD).Note that OpenVPN also provides the.B --ifconfigoption to automatically ifconfig the TUN device,eliminating the need to define an.B --upscript, unless you also want to configure routesin the.B --upscript.If.B --ifconfigis also specified, OpenVPN will pass the ifconfig localand remote endpoints on the command line to the.B --upscript so that they can be used to configure routes such as:.B route add -net 10.0.0.0 netmask 255.255.255.0 gw $5.TP.B --down cmdShell command to run after tun/tap device close(post.B --userUID change and/or.B --chroot).  Called with the same parameters as the.B --upoption above..TP.B --user userChange the user ID of the OpenVPN process to.B userafter initialization, dropping privileges in the process.This option is useful to protect the systemin the event that some hostile party was able to gain control ofan OpenVPN session.  Though OpenVPN's security features makethis unlikely, it is provided as a second line of defense.By setting.B userto.I nobodyor somebody similarly unprivileged, the hostile party would belimited in what damage they could cause.  Of course onceyou take away privileges, you cannot return themto an OpenVPN session.  This means, for example, that ifyou want to reset an OpenVPN daemon with a.B SIGUSR1signal(for example in responseto a DHCP reset), you should make use of one or more of the.B --persistoptions to ensure that OpenVPN doesn't need to execute any privilegedoperations in order to restart (such as re-reading key filesor running.BR ifconfigon the tun device)..TP.B --group groupSimilar to the.B --useroption,this option changes the group ID of the OpenVPN process to.B groupafter initialization..TP.B --cd dirChange directory to.B dirprior to reading any files such asconfiguration files, key files, scripts, etc..B dirshould be an absolute path, with a leading "/",and without any referencesto the current directory such as "." or "..".This option is useful when you are runningOpenVPN in .B --daemonmode, and you want to consolidate all ofyour OpenVPN control files in one location..TP.B --chroot dirChroot to.B dirbefore initialization.  .B --chrootessentially redefines.B diras being the toplevel directory tree (/).  OpenVPN will thereforebe unable to access any file outside this tree.This can be desirable from a security standpoint.The caveat here is that every file thatOpenVPN might possibly need must exist within the chroot directory tree,including special files such.B /dev/random(which is used by OpenVPN to generate random keys and IVs)..TP.B --daemonBecome a daemon and write all messages to the syslog file (such as /var/log/messages)..TP.B --inetdUse this option when OpenVPN is being run from the inetd or.BR xinetd(8)server.This option precludes the use of.B --daemon, --local,or.B --remote.Note that each OpenVPN tunnel requires a separate UDP port anda separate inetd or xinetd entry.  See the OpenVPN HOWTO for an exampleon using OpenVPN with xinetd:.I http://openvpn.sourceforge.net/howto.html.TP.B --writepid fileWrite OpenVPN's main process ID to.B file..TP.B --nice nChange process priority after initialization(.B ngreater than 0 is lower priority,.B nless than zero is higher priority)..TP.B --nice-work nChange priority of background TLS work thread.  The TLS threadfeature is enabled when OpenVPN is builtwith pthread support, and you are running OpenVPNin TLS mode (i.e. with.B --tls-clientor.B --tls-serverspecified).Using a TLS thread offloads the CPU-intensive process of SSL/TLS-basedkey exchange to a background thread so that it does not becomea latency bottleneck in the tunnel packet forwarding process.The parameter.B nis interpreted exactly as with the.B --niceoption above, but in relation to the work thread ratherthan the main thread..TP.B --verb nSet output verbosity to.B n(default=1).  Each level shows all info from the previous levels.Level 5 is recommended if you want a good summaryof what's happening without being swamped by output..B 0 --no output except fatal errors.br.B 1 --show startup information + connection initiated messages + non-fatal encryption & net errors.br.B 2 --show all parameter settings.br.B 3 --show key negotiations +.B --gremlinnet outages.br.B 4 --show partial TLS debug info.br.B 5 --show adaptive compression state changes (on or off).br.B 6 --show hex representation of keys.br.B 7 --show verbose key negotiations.br.B 8 --show all debug info.TP.B --mute nLog at most.B nconsecutive messages in the same category.  This is useful tolimit repetitive logging of similar message types..TP.B --gremlinSimulate dropped & corrupted packets + network outages(for debugging and testing only).  This is apowerful tool for verifying the robustness of the OpenVPN protocol,especially in TLS mode.  When used with TLS parameters that forcefrequent key renegotiations such as.B --reneg-sec 10,this option will stress-test the ability of OpenVPN peers to recoverfrom errors and remain in sync.Current parameter settings will cause.B --gremlinto drop 2% of packets and corrupt another 2%.  A packet corruption willalter a random byte in the packet to a random value.  It mightalso increase or decrease the size of the packet by one byte..B --gremlinwill also simulate network outages by going "down"for a period of 10 to 60 seconds.Between simulated outages, OpenVPN willremain up for periods of 10 to 300 seconds.  To see gremlinmessages, set.B --verbto 3 or higher.  To change gremlin constants, consult thefile gremlin.c included in the OpenVPN source distribution..TP.B --comp-lzoUse fast LZO compression -- may add up to 1 byte perpacket for incompressible data..TP.B --comp-noadaptWhen used in conjunction with.B --comp-lzo,this option will disable OpenVPN's adaptive compression algorithm.Normally, adaptive compression is enabled with.B --comp-lzo.Adaptive compression tries to optimize the case where you havecompression enabled, but you are sending predominantly incompressible(or pre-compressed) packets over the tunnel.  With adaptive compression,OpenVPN will periodically sample the compression process to see ifit's actually saving us anything.  If not, we will disable compressionfor a period of time, then re-sample..B .SS Data Channel Encryption Options:These options are meaningful for both Static & TLS-negotiated key modes(must be compatible between peers)..TP.B --secret fileEnable Static Key encryption mode (non-TLS).Use pre-shared secret file which was generated with.B --genkey.Static key encryption mode has certain advantages, the biggestprobably being the ease of configuration.  There are no certificatesor certificate authorities or complicated negotiation handshakes and protocols.The only requirement is that you have a pre-existing secure channel withyour peer (such as.B ssh) to initially copy the key.  This requirement, along with thefact that your key never changes unless you manually generate a new one,makes it somewhat less secure than TLS mode (see below).  If an attackermanages to steal your key, everything that was ever encrypted withit is compromised.  Contrast that to the perfect forward security features ofTLS mode where even if an attacker was able to steal your private key,he would gain no information to help him decrypt past sessions.One interesting aspect of Static Key encryption mode is thatit is a handshake-free protocol without any distinguishing signature or feature(such as a header or protocol handshake sequence) that would mark the ciphertext packets as beinggenerated by OpenVPN.  Anyone eavesdropping on the wirewould see nothingbut random-looking data..TP.B --auth algAuthenticate packets with an HMAC using messagedigest algorithm.B alg.(The default is.B SHA1).HMAC is a commonly used message authentication algorithm (MAC) that usesa data string, a secure hash algorithm, and a key, to producea digital signature.  HMAC has the property that it is infeasiblefor an attacker with access to a signed string to find another stringwhich would sign to the same signature or generate a valid signaturefor his own string.OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.In static-key encryption mode, the HMAC keyis included in the key file generated by.B --genkey.In TLS mode, the HMAC key is dynamically generated and sharedbetween peers via the TLS control channel.  If OpenVPN receives a packet witha bad HMAC it will drop the packet.HMAC usually adds 16 or 20 bytes per packet.Set.B alg=noneto disable authentication.For more information on HMAC see.I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html.TP.B --cipher algEncrypt packets with cipher algorithm.B alg.The default is.B BF-CBC,an abbreviation for Blowfish in Cipher Block Chaining mode.Blowfish has the advantages of being fast, very secure, and allowing key sizesof up to 448 bits.  Blowfish is designed to be used in situations wherekeys are changed infrequently.For more information on blowfish, see.I http://www.counterpane.com/blowfish.htmlTo see other ciphers that are available withOpenVPN, use the.B --show-ciphersoption.OpenVPN supports the CBC, CFB, and OFB cipher modes.Set.B alg=noneto disable encryption..TP.B --keysize nSize of cipher key in bits (optional).If unspecified, defaults to cipher-specific default.  The.B --show-ciphersoption (see below) shows all available OpenSSL ciphers,their default key sizes, and whether the key size canbe changed.  Use care in changing a cipher's defaultkey size.  Many ciphers have not been extensivelycryptanalyzed with non-standard key lengths, and alarger key may offer no real guarantee of greatersecurity, or may even reduce security..TP.B --no-replayDisable OpenVPN's protection against replay attacks.Don't use this option unless you are prepared to makea tradeoff of greater efficiency in exchange for lesssecurity.OpenVPN provides datagram replay protection by default.Replay protection is accomplishedby tagging each outgoing datagram with an identifierthat is guaranteed to be unique for the key being used.The peer that receives the datagram will check forthe uniqueness of the identifier.  If the identifierwas already received in a previous datagram, OpenVPNwill drop the packet.  Replay protection is importantto defeat attacks such as a SYN flood attack, wherethe attacker listens in the wire, intercepts a TCPSYN packet (identifying it by the context in whichit occurs in relation to other packets), then floodsthe receiving peer with copies of this packet.OpenVPN's replay protection is implemented in slightlydifferent ways, depending on the key management modeyou have selected.In Static Key modeor when using an CFB or OFB mode cipher, OpenVPN uses a64 bit unique identifier that combines a time stamp withan incrementing sequence number.When using TLS mode for key exchange and a CBC ciphermode, OpenVPN uses only a 32 bit sequence number withouta time stamp, since OpenVPN can guarantee the uniquenessof this value for each key.  As in IPSec, if the sequence number isclose to wrapping back to zero, OpenVPN will triggera new key exchange.To check for replays, OpenVPN usesthe.I sliding windowalgorithm usedby IPSec..TP.B --no-ivDisable OpenVPN's use of IV (cipher initialization vector).Don't use this option unless you are prepared to makea tradeoff of greater efficiency in exchange for lesssecurity.OpenVPN uses an IV by default, and requires it for CFB andOFB cipher modes (which are totally insecure without it).Using an IV is important for security when multiplemessages are being encrypted/decrypted with the same key.IV is implemented differently depending on the cipher mode used.In CBC mode, OpenVPN will start with a random IV and carry forwardthe residuals across datagrams in a manner similarto that used by IPSec (see RFC 2405 for more information). In CFB/OFB mode, OpenVPN uses a unique sequence number and time stampas the IV.  In fact, in CFB/OFB mode, OpenVPN uses a datagramspace-saving optimization that uses the unique identifier fordatagram replay protection as the IV..TP.B --test-cryptoDo a self-test of OpenVPN's crypto options by encrypting anddecrypting test packets using the data channel encryption optionsspecified above.  This option does not require a peer to function,and therefore can be specified without.B --devor.B --remote.