Controlling a Running OpenVPN Process
Running on Linux/BSD/Unix
OpenVPN accepts several signals:
- SIGUSR1 — Conditional restart, designed to restart without root privileges. 
- SIGHUP — Hard restart. 
- SIGUSR2 — Output connection statistics to log file or syslog. 
- SIGTERM, SIGINT — Exit. 
Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).
Running on Windows as a GUI
Refer to the OpenVPN GUI page.
Running in a Windows command prompt window
You can start OpenVPN on Windows by right-clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file."
Once running in this fashion, several keyboard commands are available:
- F1 — Conditional restart (doesn't close/reopen TAP adapter). 
- F2 — Show connection statistics. 
- F3 — Hard restart. 
- F4 — Exit. 
Running as a Windows service
When OpenVPN is started as a service on Windows, the only way to control it is:
- Via the service control manager (Control Panel / Administrative Tools / Services), which gives start/stop control. 
- Via the management interface (see below). 
Modifying a live server configuration
While most configuration changes require you to restart the server, two directives refer to files that can be dynamically updated on the fly. They will immediately affect the server without needing to restart the server process.
client-config-dir — This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (refer to the manuals for more information). Files in this directory can be updated on the fly without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one that has disconnected but where the server has not timed out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.
crl-verify — This directive names a Certificate Revocation List file, described below in the Revoking Certificates topic. The CRL file can be modified on the fly, and changes will take effect immediately for new connections or existing connections that are renegotiating their SSL/TLS channel (occurs once per hour by default). If you want to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).
Status file
The default server.conf file has a line status openvpn-status.log that outputs a list of current client connections to the file openvpn-status.log once per minute.
Using the management interface
The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly by telneting to the management interface port or indirectly by using an OpenVPN GUI, which connects to the management interface.
To enable the management interface on either an OpenVPN server or client, add this to the configuration file:
management localhost 7505
This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice — you can use any free port).
Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:
ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #For more information, see the OpenVPN Management Interface Documentation.