openvpn3-config-manage - OpenVPN 3 Linux - Configuration Profile Management
openvpn3 config-manage -o DBUS-PATH | --path DBUS-PATH | --config CONFIG-NAME [OPTIONS]
openvpn3 config-manage -h | --help
Manage settings for an imported configuration profile. This allows
overriding parts of the original configuration profile. Note that these
overrides are not reflected in the output of openvpn3 config-dump. Use
openvpn3 config-manage --show to see the existing overrides.
- -h, --help
- Print usage and help details to the terminal
- -o DBUS-PATH, --path DBUS-PATH
- D-Bus configuration path to the configuration to manage. This can be found
in openvpn3 configs-list.
- --config-path DBUS-PATH
- Alias for --path.
- -c CONFIG-NAME, --config CONFIG-NAME
- Can be used instead of --path where the configuration profile name
is given instead. Available configuration names can be found via
openvpn3 configs-list.
- -r NEW-CONFIG-NAME, --rename NEW-CONFIG-NAME
- Renames the configuration profile
- --tag TAG-VALUE
- Adds a tag value to a configuration profile
- --remove-tag TAG-VALUE
- Remove a tag value from a configuration profile
- -s, --show
- Show the current profile settings
- --exists
- Checks if a configuration profile exists. Requires either --config
or --path. Will exit with 0 if configuration profile is
found, otherwise 1.
- --quiet
- Don't display informational messages when modifying the configuration
profile.
- --dco BOOL
- Enable kernel based Data Channel Offload. This moves the tunnelled network
traffic to be handled inside the kernel. This improves the processing of
the network traffic and moves the encryption, decryption and packet
authentication for the tunnelled network traffic to be handled inside the
kernel instead of being passed via the OpenVPN client process in user
space.
This option is only available if openvpn3-linux has been built
with this support.
- WARNING:
- This is currently a tech preview feature and is not ready
for production environments. It also requires the ovpn-dco kernel
module to be installed to work and at least a Linux 5.4 kernel.
- --server-override HOST
- Override the remote server hostname/IP address to connect against.
- --port-override PORT
- Override the remote server port to connect against. Valid values: 1
to 65535.
- --proto-override PROTO
- Override the connection protocol. Valid values are tcp and
udp.
- --ipv6 ARG
- Sets the IPv6 connect policy for the client. Valid values are yes,
no and default.
- --persist-tun BOOL
- Overrides the --persist-tun argument in the configuration profile.
If set to true, the tun adapter will persist during the reconnect. If
false, the tun adapter will be torn down before reconnects. Valid values
are: true, false
- --log-level LEVEL
- Overrides the default log level. The default log level is 3 if the
configuration file does not contain a --verb option. This override
takes precedence over any other log verbosity settings. Valid values are
between 1 and 6.
- --dns-fallback-google BOOL
- If set to true, the DNS resolver settings will include Google DNS servers.
Valid values are: true, false
- --dns-scope SCOPE
- Defines the DNS query scope. This is currently only supported when
enabling the systemd-resolved(8) resolver support in
openvpn3-service-netcfg(8). Supported values are:
- global: (default)
- The VPN service provided DNS server(s) will be used for all types of DNS
queries.
- tunnel:
- The VPN service provided DNS server(s) will only be used for queries for
DNS domains pushed by the VPN service.
- NOTE
- The DNS domains pushed by the VPN service may also be queried via other
DNS servers known to the systemd-resolved(8) service if their respective
interfaces are configured to do global DNS queries. Other, non-listed DNS
domains will not be sent to this VPN service provider's DNS server.
- --dns-setup-disabled BOOL
- If set to true, DNS settings will not be configured on the system. Valid
values are: true, false
- --dns-sync-lookup BOOL
- If set to true, DNS lookups will happen synchronously. Valid values are:
true, false
- --enterprise-profile PROFILE_NAME
- This enables device posture checks if the server requests it. The profile
name needs to match a device posture profile found in the
@DEVPOSTURE_PROFILEDIR@ directory. The PROFILE_NAME is given
without any file extension. For a successful device posture check, the
profile must match the protocol the server side expects. This information
needs to be provided by your VPN server administrator.
- --auth-fail-retry BOOL
- If set to true, the client will try to reconnect instead of disconnecting
if authentication fails. Valid values are: true, false
- --allow-compression ARG
- This controls whether the client allows compression on traffic
between the client and the server. Valid argument values:
- no:
- Do not compress at all
- asym:
- Only allow server to send compressed data
- yes:
- Both client and server can use compression
- --enable-legacy-algorithms BOOL
- By default, OpenVPN 3 Linux only expects to work with servers capable of
doing AEAD ciphers on the data channel, such as AES-GCM or
ChaCha20-Poly1305 (if supported by the TLS library). To connect to legacy
servers not capable of AEAD ciphers on the data channel, it might help to
enable legacy cipher algorithms.
- --tls-version-min ARG
- Sets the minimum TLS version for the control channel. For this to be
functional, the SSL/TLS library in use needs to support this restriction
on both server and client. Valid argument values are:
- tls_1_0:
- Enforce minimum TLSv1.0
- tls_1_1:
- Enforce minimum TLSv1.1
- tls_1_2:
- Enforce minimum TLSv1.2
- tls_1_3:
- Enforce minimum TLSv1.3. This is currently only supported by OpenSSL
1.1.1.
- --tls-cert-profile ARG
- This sets the acceptable certificate and key parameters. Valid argument
values are:
- legacy:
- Allows minimum 1024 bits RSA keys with certificates signed with SHA1.
- preferred:
- Allows minimum 2048 bits RSA keys with certificates signed with SHA256 or
higher. (default)
- suiteb:
- This follows the NSA Suite-B specification.
- --proxy-host PROXY-SERVER
- HTTP proxy to establish the VPN connection via.
- --proxy-port PROXY-PORT
- Port where the HTTP proxy is available.
- --proxy-username PROXY-USER
- Username to use for the HTTP proxy connection
- --proxy-password PROXY-PASSWORD
- Password to use for the HTTP proxy connection
- --proxy-auth-cleartext BOOL
- Allow HTTP proxy authentication to happen in clear-text. Valid values are:
true, false
- --unset-override OVERRIDE
- This removes an override setting from the configuration profile. The
OVERRIDE value is the name of one of the options listed here, without
the leading --. For example, if --tls-cert-profile suiteb
was set, it can be unset with --unset-override
tls-cert-profile.
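
A wrapper that checks override values against the value lists documented above, then applies a conservative baseline with config-manage, guarded by --exists. This is an added example, not part of the openvpn3-linux documentation or code; the helper names, the return codes and the chosen baseline are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the openvpn3-linux project): validate override
# values against the value lists in this man page, then apply a baseline.

# one_of VALUE CANDIDATE...: succeed if VALUE equals one of the candidates.
one_of() {
    v="$1"; shift
    for x in "$@"; do [ "$x" = "$v" ] && return 0; done
    return 1
}

# valid_override NAME VALUE: succeed only for documented NAME/VALUE pairs.
# Options with no enumerated value list on the page are rejected here.
valid_override() {
    case "$1" in
        port-override)
            case "$2" in ''|*[!0-9]*) return 1 ;; esac
            [ "$2" -ge 1 ] 2>/dev/null && [ "$2" -le 65535 ] 2>/dev/null ;;
        log-level)         one_of "$2" 1 2 3 4 5 6 ;;
        proto-override)    one_of "$2" tcp udp ;;
        ipv6)              one_of "$2" yes no default ;;
        dns-scope)         one_of "$2" global tunnel ;;
        allow-compression) one_of "$2" no asym yes ;;
        tls-version-min)   one_of "$2" tls_1_0 tls_1_1 tls_1_2 tls_1_3 ;;
        tls-cert-profile)  one_of "$2" legacy preferred suiteb ;;
        persist-tun|dns-fallback-google|dns-setup-disabled|dns-sync-lookup|\
        auth-fail-retry|proxy-auth-cleartext)
                           one_of "$2" true false ;;
        *) return 1 ;;
    esac
}

# harden_profile CONFIG-NAME: returns 1 if the profile is missing,
# 2 on an invalid value, 3 if openvpn3 rejects an override.
harden_profile() {
    cfg="$1"
    openvpn3 config-manage --config "$cfg" --exists >/dev/null 2>&1 || {
        echo "profile not found: $cfg" >&2; return 1; }
    # Baseline chosen for this example; adjust to what the server supports.
    for kv in tls-version-min=tls_1_2 tls-cert-profile=preferred \
              allow-compression=no proxy-auth-cleartext=false; do
        name=${kv%%=*}; value=${kv#*=}
        valid_override "$name" "$value" || return 2
        openvpn3 config-manage --config "$cfg" --quiet "--$name" "$value" \
            || return 3
    done
    openvpn3 config-manage --config "$cfg" --show
}
# Usage: harden_profile my-profile   (profile name is a placeholder)
```

Because the overrides do not appear in openvpn3 config-dump, the final --show call is the place to confirm that the baseline was recorded.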