Docs Config OpenVPN

OpenVPN

Copy the certificate contents from an existing .ovpn config file, and you can use that OpenVPN connection as a Clash outbound node.

Example Config

config.yaml YAML
proxies:
  - name: "openvpn"
    type: openvpn
    server: vpn.example.com
    port: 1194
    proto: udp
    # auth-user-pass mode
    username: "user"
    password: "pass"
    ca: |
      -----BEGIN CERTIFICATE-----
      MIIB...example
      -----END CERTIFICATE-----
    udp: true

Field Reference

protoDefault: udp

The protocol type — supports udp/tcp.

username / passwordOptional

The username and password for auth-user-pass authentication — choose either this or the cert/key certificate mode (both can't be empty).

caRequired

The CA certificate content — copy it directly from the <ca> tag in the .ovpn file.

cert / keyOptional

The client certificate and private key content, copied from the corresponding tags in the .ovpn file; can be omitted when using username/password authentication.

tls-cryptOptional

The TLS encryption key, copied from the corresponding tag in the .ovpn file — no need to keep the tag itself.

cipher / authOptional

cipher defaults to AES-128-GCM, supporting the AES-GCM/CBC families and CHACHA20-POLY1305; auth defaults to SHA256 and is ignored when using an AEAD cipher.

peer-infoOptional

Key-value pairs passed through to the server, appended after the built-in IV_VER/IV_PROTO/IV_CIPHERS — the server may use these for access decisions.

dialer-proxy / remote-dns-resolve / dnsOptional

Works the same as other protocols — see the dialer-proxy docs.