Server Configuration

The default VPN server configuration file is located in /etc/vpnserver/vpnserver.yaml and is in YAML format.

All paths in the configuration file are relative to its location (/etc/vpnserver).

Sending a SIGHUP signal to the server will cause it to reload the configuration file. However, some configuration parameters (e.g., vpn.key, vpn.subnet, etc.) require a server restart to take effect.

Split-tunneling is supported out of the box, with provisions for excluded routes (currently only supported on iOS) to allow certain netblocks to be routed outside the VPN tunnel.


key specifies the path to the server's private key

cert specific the path to the server's certificate

bind_addresses specifies which IP addresses to bind on (can include both IPv4 or IPv6 addresses), use the ip:port syntax for IPv4, and [ip]:port syntax for IPv6

bind_concurrency specifies how many total listeners to create for accepting TCP connections

subnet is the IPv4 or IPv6 subnet (in CIDR form) from which to assign client IP addresses. The server is always assigned the .1 or ::1 address. There is no limit on the maximum size of the subnet.

use_host_dns controls whether the DNS servers from /etc/resolv.conf on the server should be sent to the client

dns is the list of DNS servers to assign to clients. It should be used when use_host_dns is disabled

dns_search_domains is the list of DNS search domains to assign to the client

included_routes specifies the list of included routes to be pushed to the client (i.e., these routes will be routed through the VPN server). Note that specifying will actually result in two /1 default routes on the client ( and to prevent DHCP on some systems from resetting the default route. Split-tunneling can be enabled using this option.

excluded_routes specifies the list of routes to be excluded from the VPN. Currently, this is only supported by the iOS client, all other clients will ignore this setting.

auto_ip_forwarding controls whether to automatically enable IP forwarding via sysctl and manage iptables NAT rules for the default IP pool. If you have advanced networking requirements, it is best to disable this and manage them via another mechanism.


Only Applicable to TLS-Based Connections

This section only applies to the built-in HTTPS server and any TLS-based VPN protocols. It does not apply to the Noise protocol.

require_valid_client_cert controls whether or not clients are required to present a valid certificate negotiate a TLS connection.


This is the list of certificates of intermediate certificate authorities (usually only one for most deployments) that will be accepted for verifying client certificates.


level specifies the log level, one of debug, info, warn, error, fatal, panic

tls_peer_info controls whether to dump certificate information to the server log


web controls whether to enable the admin API

administrators is a dictionary of username, password key value pairs of who is allowed to access the admin API


This configuration section is a dictionary of dictionaries, with the keys being plugin identifiers. It is up to each plugin to decide how it should be configured.

Note that only one authentication plugin can be enabled at a time.

Server Configuration

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.