OpenVPN — mihomo
mihomo can dial an OpenVPN server as an outbound, running a userspace client that stands up a tun-style stack device and routes matched traffic through the encrypted tunnel. The control channel is authenticated with certificates (ca / cert / key), optional tls-crypt, and/or auth-user-pass credentials; the data channel is encrypted with the negotiated cipher.
Outbound
Entry under `proxies:` with `type: openvpn`. Embeds `BasicOption` (common outbound fields).
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `name` | string | (required) | `<string>` | Unique proxy name. |
| `server` | string | (required) | `<host>` | OpenVPN server host/IP. |
| `port` | int | (required) | `<port>` | Server port. |
| `proto` | string | `udp` | `udp` \| `tcp` | Transport protocol of the OpenVPN tunnel. |
| `dev` | string | `tun` | `tun` | Virtual device type (e.g. `tun`). |
| `cipher` | string | (server-negotiated) | `AES-256-GCM` \| `AES-128-GCM` \| `<cipher>` | Data-channel cipher, e.g. `AES-256-GCM`. |
| `auth` | string | (unset) | `SHA256` \| `SHA512` \| `<digest>` | HMAC digest for the control channel, e.g. `SHA256`. |
| `comp-lzo` | string | (unset) | `yes` \| `no` \| `adaptive` | LZO compression setting. |
| `ca` | string | (required) | `<PEM>` | CA certificate (PEM, inline or file path). |
| `cert` | string | (unset) | `<PEM>` | Client certificate (PEM). |
| `key` | string | (unset) | `<PEM>` | Client private key (PEM). |
| `tls-crypt` | string | (unset) | `<key>` | tls-crypt static key for control-channel encryption/authentication. |
| `username` | string | (unset) | `<string>` | auth-user-pass username. |
| `password` | string | (unset) | `<string>` | auth-user-pass password. |
| `ping` | int | (unset) | `<seconds>` | Keepalive ping interval (seconds). |
| `ping-restart` | int | (unset) | `<seconds>` | Restart the tunnel after this many seconds without a ping (seconds). |
| `mtu` | int | `1500` | `<integer>` | Tunnel MTU. |
| `udp` | bool | `false` | `true` \| `false` | Allow UDP traffic through the proxy. |
| `remote-dns-resolve` | bool | `false` | `true` \| `false` | Resolve destination names using the tunnel's DNS. |
| `dns` | []string | `[]` | `[<server>]` | DNS servers used for the tunnel. |
Source: adapter/outbound/openvpn.go:43-66 · pinned at v1.19.27 (5184081)
Examples
Outbound — certificate authentication:
```yaml
proxies:
  - name: ovpn-cert
    type: openvpn
    server: vpn.example.com
    port: 1194
    proto: udp
    cipher: AES-256-GCM
    auth: SHA256
    ca: |
      -----BEGIN CERTIFICATE-----
      <ca-certificate>
      -----END CERTIFICATE-----
    cert: |
      -----BEGIN CERTIFICATE-----
      <client-certificate>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <client-private-key>
      -----END PRIVATE KEY-----
    udp: true
```
Outbound — username/password authentication with keepalive:
```yaml
proxies:
  - name: ovpn-userpass
    type: openvpn
    server: vpn.example.com
    port: 1194
    proto: tcp
    ca: |
      -----BEGIN CERTIFICATE-----
      <ca-certificate>
      -----END CERTIFICATE-----
    username: <username>
    password: <password>
    ping: 10
    ping-restart: 60
    udp: true
```
Notes
- `proto` selects the link transport: `udp` (default) or `tcp`. The data-channel `cipher` is negotiated with the server; set it explicitly to pin a value such as `AES-256-GCM`.
- `ca` is required. `cert` + `key` provide certificate authentication; `username` + `password` provide `auth-user-pass` authentication. They can be combined when the server requires both. PEM material may be given inline (block scalar) or as a file path.
- `tls-crypt` supplies the static key that encrypts and authenticates the control channel, hiding the OpenVPN handshake.
- `ping` sends a keepalive at the given interval; `ping-restart` tears the tunnel down after that many seconds with no received packet so it can be re-established. Both are expressed in seconds.
- `mtu` sets the tunnel MTU and defaults to `1500`.
- `remote-dns-resolve` routes destination-name lookups through the tunnel using the servers listed in `dns`; it has no effect unless `dns` is non-empty.
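A pre-deployment check for the rules in the notes above, as an added example (not mihomo's own code): it takes the config already parsed into Python dicts and reports findings per `openvpn` proxy. The function names, severity levels and the two checks marked as assumptions in the comments are illustrative, and the sample entries are constructed.

```python
# Added example, not mihomo code: lint parsed `type: openvpn` proxy entries (dicts).
REQUIRED = ("name", "server", "port", "ca")  # marked (required) in the field table
PAIRS = (("cert", "key"), ("username", "password"))  # each credential is a pair


def lint_openvpn(proxy):
    """Return (level, message) findings for one proxy entry."""
    out = []
    for field in REQUIRED:
        if proxy.get(field) in (None, ""):
            out.append(("error", f"{field} is required"))
    if proxy.get("proto", "udp") not in ("udp", "tcp"):
        out.append(("error", "proto must be udp or tcp"))
    # Half a credential pair cannot authenticate.
    for a, b in PAIRS:
        if bool(proxy.get(a)) != bool(proxy.get(b)):
            out.append(("error", f"{a} and {b} must be set together"))
    if not any(proxy.get(a) and proxy.get(b) for a, b in PAIRS):
        # Assumption: the server expects at least one client credential.
        out.append(("warn", "no complete client credential configured"))
    if not proxy.get("cipher"):
        out.append(("warn", "cipher not pinned; server-negotiated value is used"))
    if not proxy.get("tls-crypt"):
        out.append(("info", "tls-crypt unset; the handshake is not hidden"))
    if proxy.get("remote-dns-resolve") and not proxy.get("dns"):
        out.append(("warn", "remote-dns-resolve has no effect while dns is empty"))
    ping, restart = proxy.get("ping"), proxy.get("ping-restart")
    if ping and restart and restart <= ping:
        # Assumption: a restart window no longer than the ping interval flaps.
        out.append(("warn", "ping-restart should exceed ping"))
    return out


def lint_config(config):
    """Lint every openvpn outbound under `proxies`, keyed by proxy name."""
    return {p.get("name", "<unnamed>"): lint_openvpn(p)
            for p in config.get("proxies", []) if p.get("type") == "openvpn"}


SAMPLE = {"proxies": [  # constructed input: one clean entry, one flawed entry
    {"name": "ovpn-cert", "type": "openvpn", "server": "vpn.example.com", "port": 1194,
     "cipher": "AES-256-GCM", "ca": "<PEM>", "cert": "<PEM>", "key": "<PEM>", "tls-crypt": "<key>"},
    {"name": "ovpn-bad", "type": "openvpn", "server": "vpn.example.com", "port": 1194,
     "cert": "<PEM>", "remote-dns-resolve": True, "ping": 60, "ping-restart": 30},
]}

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE).items():
        print(name, findings)
```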
Cross-core notes
- OpenVPN is mihomo-specific among these three cores. Neither Xray-core nor sing-box ships an OpenVPN outbound — to bridge an OpenVPN endpoint with those cores you would run a separate OpenVPN client and point a `socks`/`http` or TUN inbound at it.
