Manage OpenVPN Connect from the Command Line
We introduced support for the command-line interface (CLI) in OpenVPN Connect version 3.3 for macOS. The CLI can be used to manage most application functions using a console on a supported operating system. This document provides an overview of the commands you can use.
Locate OpenVPN Connect binary:
/Applications/OpenVPN Connect/OpenVPN Connect.app/contents/MacOS/OpenVPN Connect
These commands won’t launch the application but are useful for gathering information from the terminal output.
Commands available
--help
List all of the available commands with a short description.
Help: --accept-gdpr - Accept GDPR for application usage --hide-tray - Launch the application and hide tray icon --minimize - Launch app in the background and UI window does not display --quit - Quit the application --list-settings - Show all application's setting values --set-setting - Change any application setting Format: --set-setting=<name> --value=<value> Setting values (values in [] are default options): vpn-protocol: [adaptive]|tcp|udp timeout: 10|30|[60]|120|0 launch-options: [start-app]|connect-latest|restore-connection|none seamless-tunnel: true|[false] captive-portal-detection: [true]|false software-update: [daily]|weekly|monthly|never theme: [system]|light|dark tray-icon-style: [monochrome]|colorful hide-dock-icon: true|[false] confirmation-dialogs: [all]|none|on-disconnect|on-reconnect security-level: preferred|[legacy]|insecure enforce-tls-1-3: true|[false] allow-ipv6: [default]|yes|no google-dns-fallback: [true]|false --skip-startup-dialogs - Close (skip) information dialogs that OpenVPN Connect shows during the first launch (onboarding tour, update changes, etc.) --version - Show the application version --list-profiles - Show list of profiles imported in the application --import-profile - Import profile by path to a file. All parameters except path are optional and will be saved in the profile configuration Format: --import-profile=<path-to-profile> --name=<profile-name> --username=<username> --password=<password> --pkp=<private-key-password> --certificate=<cert-id> --remove-profile - Remove profile by ID or profile name. ID has a higher priority Format: --remove-profile=<profile-id|profile-name> --list-certificates - Show list of certificates imported into the application --import-certificate - Import PKCS12 certificate/key pair (.p12) into the application. Password parameter is optional Format: --import-certificate=<path-to-pkcs12> --password=<password> --remove-certificate - Remove certificate from the application storage Format: --remove-certificate=<cert-id> --import-config - Apply app config file inside the application Format: --import-config=<path to ocfg file>"
App version
--version
Displays the application version and build number.
{ version: "3.2.3", build-number: "1900" }
These commands can launch OpenVPN Connect if it is not running, or can be executed on the running instance. They can be used together in any order.
Launch in background
--minimize
Launches the app in the background. The UI window won’t open.
Hide tray icon
--hide-tray
Launches the application and hides the tray icon.
Notifications
Accept GDPR consent
--accept-gdpr
Accepts the General Data Protection (GDPR) consent.
Notice
After installation, if you start the application without this flag and haven’t previously accepted GDPR through the UI, OpenVPN Connect won’t function and won’t accept commands. Instead, you receive an error message.
{ status: "error", error: "Accept GDPR to use the application." }
Skip startup dialogs
--skip-startup-dialogs
Closes and dismisses the information dialogs that display at first launch of OpenVPN Connect. These dialogs include the onboarding tour and the list of recent changes. The next time the application UI launches, these dialogs won’t display.
Note
This flag doesn't skip the GDPR dialog.
Profiles
List all profiles
--list-profiles
Displays the list of profiles that are imported into OpenVPN Connect. The information includes profile ID, profile name, hostname, type, username, and server override.
[{ id: <profile-id>, name: <profile-name>, host: <hostname>, type: <autologin|user-locked|server-locked>, username: <username>, server-override: <hostname|none> }, ... ]
Import a profile
--import-profile=<path-to-the-profile> --name=<display-name> --username=<username> --password=<password> --pkp=<private-key-password> certificate=<cert-id>
Imports a profile from a file location, with the file path as a required parameter. All other parameters are optional, but if provided they are saved in the profile configuration. For example, a password can be used during connection for the specific profile. Also, you can pass these parameters in the UI for each connection.
If the import is successful, the command outputs the profile information.
{ "message": { "id": "<profile-id>", "name": "<profile-name>", "host": "<hostname>", "type": "<autologin|user-locked|server-locked>", "username": "<username>", "server-override": "<hostname|none>" }, "status": "success" }
If unsuccessful, the command outputs an error message.
{ "error": <error-message>, "status": "error" }
Remove a profile
--remove-profile=<profile-id|profile-name>
Removes a profile using either the profile ID or profile name. The command line outputs either a success or error status message.
{ "message|error": <Result of operation>, "status": "success|error" }
Certificates Management
List all certificates
--list-certificates
Displays the list of imported certificates. The output includes the cert ID, hash, expiration state, and a subject summary.
[{ cert-id: <cert-id>, hash: <hash>, is-expired: true|false, subject-summary: <Subject Summary> }, ... ]
Import a certificate
--import-certificate=<path-to-certificate> --password=<password>
Imports the PKCS 12 certificate/key pair from a file location. The certificate saves in OS Certificate Storage or keychain. The file path is required, but the password is optional. The command output displays the cert ID, hash, expiration state, and a subject summary.
{ "message": { "cert-id": <cert-id>, "hash": <hash>, "is-expired": true|false, "subject-summary": <Subject Summary> }, "status": "success" }
If the import fails, the command output displays an error message.
{ "error": <error-message>, "status": "error" }
Remove a certificate
--remove-certificate=<cert-id>
Removes a certificate by cert ID. The command line outputs either a success or error status message.
{ "message|error": <Result of operation>, "status": "success|error" }
Settings Management
Import a global config file
--import-config=<path to .ocfg file>
Imports configurations from a file location, with the file path as a required parameter. If the import is successful, the command outputs the following message:
{ "message": "The app config has been applied successfully.", "status": "success" }
List all application setting values
--list-settings
Lists all of the application setting values, including protocol, timeout, launch options, seamless tunnel, and others.
{ "allow-ipv6": "default", "captive-portal-detection": true, "confirmation-dialogs": "all", "enforce-tls-1-3": false, "google-dns-fallback": true, "hide-dock-icon": false, "launch-options": "start-app", "seamless-tunnel": false, "security-level": "insecure", "software-update": "daily", "theme": "system", "timeout": "60", "tray-icon-style": "monochrome", "vpn-protocol": "adaptive" }
Set a setting value
--set-setting=<name> --value=<value>
Changes any of the application settings. The command line outputs either a success or error status message.
{ "message|error": <Result of operation>, "status": "success|error" }