Manage OpenVPN Connect from the Command Line

We introduced support for the command-line interface (CLI) in OpenVPN Connect version 3.3 for macOS. The CLI can be used to manage most application functions using a console on a supported operating system. This document provides an overview of the commands you can use.

Locate the OpenVPN Connect binary:

  • /Applications/OpenVPN Connect/OpenVPN Connect.app/contents/MacOS/OpenVPN Connect

These commands won’t launch the application but are useful for gathering information from the terminal output.

Commands available

--help

List all of the available commands with a short description.

Help:

--accept-gdpr  -  Accept GDPR for application usage
--hide-tray  -  Launch the application and hide tray icon
--minimize  -  Launch app in the background and UI window does not display
--quit  -  Quit the application
--list-settings  -  Show all application's setting values
--set-setting  -  Change any application setting
  Format:
    --set-setting=<name> --value=<value>
  Setting values (values in [] are default options):
    vpn-protocol: [adaptive]|tcp|udp
    timeout: 10|30|[60]|120|0
    launch-options: [start-app]|connect-latest|restore-connection|none
    seamless-tunnel: true|[false]
    captive-portal-detection: [true]|false
    software-update: [daily]|weekly|monthly|never
    theme: [system]|light|dark
    tray-icon-style: [monochrome]|colorful
    hide-dock-icon: true|[false]
    confirmation-dialogs: [all]|none|on-disconnect|on-reconnect
    security-level: preferred|[legacy]|insecure
    enforce-tls-1-3: true|[false]
    allow-ipv6: [default]|yes|no
    google-dns-fallback: [true]|false
--skip-startup-dialogs  -  Close (skip) information dialogs that OpenVPN Connect shows during the first launch (onboarding tour, update changes, etc.)
--version  -  Show the application version
--list-profiles  -  Show list of profiles imported in the application
--import-profile  -  Import profile by path to a file. All parameters except path are optional and will be saved in the profile configuration
  Format:
    --import-profile=<path-to-profile> --name=<profile-name> --username=<username> --password=<password> --pkp=<private-key-password> --certificate=<cert-id>
--remove-profile  -  Remove profile by ID or profile name. ID has a higher priority
  Format:
    --remove-profile=<profile-id|profile-name>
--list-certificates  -  Show list of certificates imported into the application
--import-certificate  -  Import PKCS12 certificate/key pair (.p12) into the application. Password parameter is optional
  Format:
    --import-certificate=<path-to-pkcs12> --password=<password>
--remove-certificate  -  Remove certificate from the application storage
  Format:
    --remove-certificate=<cert-id>

App version

--version

Displays the application version and build number.

{
 version: "3.2.3",
 build-number: "1900"
}

These commands can launch OpenVPN Connect if it is not running, or can be executed on the running instance. They can be used together in any order.

Launch in background

--minimize

Launches the app in the background. The UI window won’t open.

Hide tray icon

--hide-tray

Launches the application and hides the tray icon.

Notifications

Skip startup dialogs

--skip-startup-dialogs

Closes and dismisses the information dialogs that display at first launch of OpenVPN Connect. These dialogs include the onboarding tour and the list of recent changes. The next time the application UI launches, these dialogs won’t display.

Note

This flag doesn't skip the GDPR dialog.

Profiles

List all profiles

--list-profiles

Displays the list of profiles that are imported into OpenVPN Connect. The information includes profile ID, profile name, hostname, type, username, and server override.

[{
 id: <profile-id>,
 name: <profile-name>,
 host: <hostname>,
 type: <autologin|user-locked|server-locked>,
 username: <username>,
 server-override: <hostname|none>
},
...
]

Import a profile

--import-profile=<path-to-the-profile> --name=<display-name> --username=<username> --password=<password> --pkp=<private-key-password> --certificate=<cert-id>

Imports a profile from a file location, with the file path as a required parameter. All other parameters are optional, but if provided they are saved in the profile configuration. For example, a password can be used during connection for the specific profile. Also, you can pass these parameters in the UI for each connection.

If the import is successful, the command outputs the profile information.

{
 "message": {
   "id": "<profile-id>",
   "name": "<profile-name>",
   "host": "<hostname>",
   "type": "<autologin|user-locked|server-locked>",
   "username": "<username>",
   "server-override": "<hostname|none>"
 },
 "status": "success"
}

If unsuccessful, the command outputs an error message.

{
 "error": <error-message>,
 "status": "error"
}

Remove a profile

--remove-profile=<profile-id|profile-name>

Removes a profile using either the profile ID or profile name. The command line outputs either a success or error status message.

{
 "message|error": <Result of operation>,
 "status": "success|error"
}

Certificates Management

List all certificates

--list-certificates

Displays the list of imported certificates. The output includes the cert ID, hash, expiration state, and a subject summary.

[{
 cert-id: <cert-id>,
 hash: <hash>,
 is-expired: true|false,
 subject-summary: <Subject Summary>
},
...
]

Import a certificate

--import-certificate=<path-to-certificate> --password=<password>

Imports the PKCS #12 certificate/key pair from a file location. The certificate is saved in the OS certificate storage or keychain. The file path is required, but the password is optional. The command output displays the cert ID, hash, expiration state, and a subject summary.

{
 "message": {
   "cert-id": <cert-id>,
   "hash": <hash>,
   "is-expired": true|false,
   "subject-summary": <Subject Summary>
 },
 "status": "success"
}

If the import fails, the command output displays an error message.

{
 "error": <error-message>,
 "status": "error"
}

Remove a certificate

--remove-certificate=<cert-id>

Removes a certificate by cert ID. The command line outputs either a success or error status message.

{
 "message|error": <Result of operation>,
 "status": "success|error"
}

Settings Management

List all application setting values

--list-settings

Lists all of the application setting values, including protocol, timeout, launch options, seamless tunnel, and others.

{
  "allow-ipv6": "default",
  "captive-portal-detection": true,
  "confirmation-dialogs": "all",
  "enforce-tls-1-3": false,
  "google-dns-fallback": true,
  "hide-dock-icon": false,
  "launch-options": "start-app",
  "seamless-tunnel": false,
  "security-level": "insecure",
  "software-update": "daily",
  "theme": "system",
  "timeout": "60",
  "tray-icon-style": "monochrome",
  "vpn-protocol": "adaptive"
}

Set a setting value

--set-setting=<name> --value=<value>

Changes any of the application settings. The command line outputs either a success or error status message.

{
 "message|error": <Result of operation>,
 "status": "success|error"
}
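
The following is an added example, not code from OpenVPN: it audits `--list-settings` output against a baseline and builds the matching `--set-setting` invocations. The baseline policy, the function names, and the assumption that `--set-setting` prints its status JSON on stdout are this example's own.

```python
import json
import subprocess

# Binary path as given on this page.
OVPN = "/Applications/OpenVPN Connect/OpenVPN Connect.app/contents/MacOS/OpenVPN Connect"
# Hypothetical baseline for this example: setting names and values come from
# the --help listing on this page, the policy choice itself is an assumption.
BASELINE = {"security-level": "preferred", "enforce-tls-1-3": True}
# Constructed input: the --list-settings sample from this page, trimmed to three keys.
SAMPLE = '{"enforce-tls-1-3": false, "security-level": "insecure", "timeout": "60"}'


def cli_value(value):
    """Render a JSON value the way --value spells it (true/false, not True/False)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def audit(settings_json, baseline=BASELINE):
    """Return sorted (name, current, wanted) for each setting that deviates."""
    settings = json.loads(settings_json)
    if not isinstance(settings, dict) or settings.get("status") == "error":
        raise ValueError("not a --list-settings result: %r" % (settings,))
    return sorted(
        (name, cli_value(settings.get(name, "<missing>")), cli_value(wanted))
        for name, wanted in baseline.items()
        if settings.get(name) != wanted
    )


def remediation_argv(findings, binary=OVPN):
    """Build one --set-setting invocation per finding as an argv list (no shell)."""
    return [[binary, "--set-setting=" + n, "--value=" + w] for n, _, w in findings]


def apply_findings(findings, binary=OVPN):
    """Run each invocation; return the setting names whose status was not 'success'."""
    failed = []
    for argv in remediation_argv(findings, binary):
        out = subprocess.run(argv, capture_output=True, text=True).stdout
        try:
            ok = json.loads(out).get("status") == "success"
        except (ValueError, AttributeError):
            ok = False  # empty or non-JSON output is treated as a failure
        if not ok:
            failed.append(argv[1].split("=", 1)[1])
    return failed
```

Feed `audit()` the captured stdout of `--list-settings`, review the findings, then pass them to `apply_findings()` and re-run the audit to confirm the list is empty.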