Enum OvpnCommand

Source

pub enum OvpnCommand {
Show 47 variants
    Status(StatusFormat),
    State,
    StateStream(StreamMode),
    Version,
    Pid,
    Help,
    Verb(Option<u8>),
    Mute(Option<u32>),
    Net,
    Log(StreamMode),
    Echo(StreamMode),
    ByteCount(u32),
    Signal(Signal),
    Kill(KillTarget),
    HoldQuery,
    HoldOn,
    HoldOff,
    HoldRelease,
    Username {
        auth_type: AuthType,
        value: String,
    },
    Password {
        auth_type: AuthType,
        value: String,
    },
    AuthRetry(AuthRetryMode),
    ForgetPasswords,
    ChallengeResponse {
        state_id: String,
        response: String,
    },
    StaticChallengeResponse {
        password_b64: String,
        response_b64: String,
    },
    NeedOk {
        name: String,
        response: NeedOkResponse,
    },
    NeedStr {
        name: String,
        value: String,
    },
    Pkcs11IdCount,
    Pkcs11IdGet(u32),
    RsaSig {
        base64_lines: Vec<String>,
    },
    ClientAuth {
        cid: u64,
        kid: u64,
        config_lines: Vec<String>,
    },
    ClientAuthNt {
        cid: u64,
        kid: u64,
    },
    ClientDeny {
        cid: u64,
        kid: u64,
        reason: String,
        client_reason: Option<String>,
    },
    ClientKill {
        cid: u64,
    },
    ClientPf {
        cid: u64,
        filter_lines: Vec<String>,
    },
    Remote(RemoteAction),
    Proxy(ProxyAction),
    LoadStats,
    ClientPendingAuth {
        cid: u64,
        kid: u64,
        timeout: u32,
        extra: String,
    },
    ClientDenyV2 {
        cid: u64,
        kid: u64,
        reason: String,
        client_reason: Option<String>,
        redirect_url: Option<String>,
    },
    CrResponse {
        cid: u64,
        kid: u64,
        response: String,
    },
    Certificate {
        pem_lines: Vec<String>,
    },
    BypassMessage(String),
    ManagementPassword(String),
    Exit,
    Quit,
    Raw(String),
    RawMultiLine(String),
}

Expand description

Every command the management interface accepts, modeled as a typed enum.

The encoder handles all serialization — escaping, quoting, multi-line block framing — so callers never assemble raw strings. The Raw variant exists as an escape hatch for commands not yet modeled here.

Variants§

§

Status(StatusFormat)

Request connection status in the given format. Wire: status / status 2 / status 3

§

State

Print current state (single comma-delimited line). Wire: state

§

StateStream(StreamMode)

Control real-time state notifications and/or dump history. Wire: state on / state off / state all / state on all / state 3

§

Version

Print the OpenVPN and management interface version. Wire: version

§

Pid

Show the PID of the OpenVPN process. Wire: pid

§

Help

List available management commands. Wire: help

§

Verb(Option<u8>)

Get or set the log verbosity level (0–15). Verb(None) queries the current level; Verb(Some(n)) sets it. Wire: verb / verb 4

§

Mute(Option<u32>)

Get or set the mute threshold (suppress repeating messages). Wire: mute / mute 40

§

Net

(Windows only) Show network adapter list and routing table. Wire: net

§

Log(StreamMode)

Control real-time log streaming and/or dump log history. Wire: log on / log off / log all / log on all / log 20

§

Echo(StreamMode)

Control real-time echo parameter notifications. Wire: echo on / echo off / echo all / echo on all

§

ByteCount(u32)

Enable/disable byte count notifications at N-second intervals. Pass 0 to disable. Wire: bytecount 5 / bytecount 0

§

Signal(Signal)

Send a signal to the OpenVPN daemon. Wire: signal SIGUSR1

§

Kill(KillTarget)

Kill a specific client connection (server mode). Wire: kill Test-Client / kill 1.2.3.4:4000

§

HoldQuery

Query the current hold flag. Returns 0 (off) or 1 (on). Wire: hold

§

HoldOn

Set the hold flag on — future restarts will pause until released. Wire: hold on

§

HoldOff

Clear the hold flag. Wire: hold off

§

HoldRelease

Release from hold state and start OpenVPN. Does not change the hold flag itself. Wire: hold release

§

Username

Supply a username for the given auth type. Wire: username "Auth" myuser

Fields

§auth_type: AuthType

Which credential set this username belongs to.

§value: String

The username value.

§

Password

Supply a password for the given auth type. The value is escaped and double-quoted per the OpenVPN config-file lexer rules. Wire: password "Private Key" "foo\"bar"

Fields

§auth_type: AuthType

Which credential set this password belongs to.

§value: String

The password value (will be escaped on the wire).

§

AuthRetry(AuthRetryMode)

Set the auth-retry strategy. Wire: auth-retry interact

§

ForgetPasswords

Forget all passwords entered during this management session. Wire: forget-passwords

§

ChallengeResponse

Respond to a CRV1 dynamic challenge. Wire: password "Auth" "CRV1::state_id::response"

Fields

§state_id: String

The opaque state ID from the >PASSWORD: CRV1 notification.

§response: String

The user’s response to the challenge.

§

StaticChallengeResponse

Respond to a static challenge (SC). Wire: password "Auth" "SCRV1::base64_password::base64_response"

The caller must pre-encode password and response as base64 — this crate does not include a base64 dependency.

Fields

§password_b64: String

Base64-encoded password.

§response_b64: String

Base64-encoded challenge response.

§

NeedOk

Respond to a >NEED-OK: prompt. Wire: needok token-insertion-request ok / needok ... cancel

Fields

§name: String

The prompt name from the >NEED-OK: notification.

§response: NeedOkResponse

Accept or cancel.

§

NeedStr

Respond to a >NEED-STR: prompt with a string value. Wire: needstr name "John"

Fields

§name: String

The prompt name from the >NEED-STR: notification.

§value: String

The string value to send (will be escaped on the wire).

§

Pkcs11IdCount

Query available PKCS#11 certificate count. Wire: pkcs11-id-count

§

Pkcs11IdGet(u32)

Retrieve a PKCS#11 certificate by index. Wire: pkcs11-id-get 1

§

RsaSig

Provide an RSA signature in response to >RSA_SIGN:. This is a multi-line command: the encoder writes rsa-sig, then each base64 line, then END.

Fields

§base64_lines: Vec<String>

Base64-encoded signature lines.

§

ClientAuth

Authorize a >CLIENT:CONNECT or >CLIENT:REAUTH and push config directives. Multi-line command: header, config lines, END. An empty config_lines produces a null block (header + immediate END), which is equivalent to client-auth-nt in effect.

Fields

§cid: u64

Client ID from the >CLIENT: notification.

§kid: u64

Key ID from the >CLIENT: notification.

§config_lines: Vec<String>

Config directives to push (e.g. push "route ...").

§

ClientAuthNt

Authorize a client without pushing any config. Wire: client-auth-nt {CID} {KID}

Fields

§cid: u64

Client ID.

§kid: u64

Key ID.

§

ClientDeny

Deny a >CLIENT:CONNECT or >CLIENT:REAUTH. Wire: client-deny {CID} {KID} "reason" ["client-reason"]

Fields

§cid: u64

Client ID.

§kid: u64

Key ID.

§reason: String

Server-side reason string (logged but not sent to client).

§client_reason: Option<String>

Optional message sent to the client as part of AUTH_FAILED.

§

ClientKill

Immediately kill a client session by CID. Wire: client-kill {CID}

Fields

§cid: u64

Client ID.

§

ClientPf

Push a packet filter to a specific client. Multi-line command: header, filter block, END. Requires --management-client-pf.

Fields

§cid: u64

Client ID.

§filter_lines: Vec<String>

Packet filter rules (e.g. [CLIENTS ACCEPT], +10.0.0.0/8).

§

Remote(RemoteAction)

Respond to a >REMOTE: notification (requires --management-query-remote). Wire: remote ACCEPT / remote SKIP / remote MOD host port

§

Proxy(ProxyAction)

Respond to a >PROXY: notification (requires --management-query-proxy). Wire: proxy NONE / proxy HTTP host port [nct] / proxy SOCKS host port

§

LoadStats

Request aggregated server stats. Wire: load-stats Response: SUCCESS: nclients=N,bytesin=N,bytesout=N

§

ClientPendingAuth

Defer authentication for a client, allowing async auth backends. Wire: client-pending-auth {CID} {KID} {TIMEOUT} {EXTRA}

Fields

§cid: u64

Client ID.

§kid: u64

Key ID.

§timeout: u32

Timeout in seconds before the pending auth expires.

§extra: String

Extra opaque string passed to the auth backend.

§

ClientDenyV2

Extended deny with optional redirect URL (OpenVPN 2.5+). Wire: client-deny-v2 {CID} {KID} "reason" ["client-reason"] ["redirect-url"]

Fields

§cid: u64

Client ID.

§kid: u64

Key ID.

§reason: String

Server-side reason string.

§client_reason: Option<String>

Optional message sent to the client.

§redirect_url: Option<String>

Optional URL the client should be redirected to.

§

CrResponse

Respond to a challenge-response authentication (OpenVPN 2.5+). Wire: cr-response {CID} {KID} {RESPONSE}

Fields

§cid: u64

Client ID.

§kid: u64

Key ID.

§response: String

The challenge-response answer.

§

Certificate

Supply an external certificate in response to >NEED-CERTIFICATE. Multi-line command: header, PEM lines, END. Wire: certificate\n{pem_lines}\nEND

Fields

§pem_lines: Vec<String>

PEM-encoded certificate lines.

§

BypassMessage(String)

(Windows only) Send a bypass message to the OpenVPN service. Wire: bypass-message "message"

§

ManagementPassword(String)

Authenticate to the management interface itself. Sent as a bare line (no command prefix, no quoting) in response to crate::OvpnMessage::PasswordPrompt. Wire: {password}\n

§

Exit

Close the management session. OpenVPN keeps running and resumes listening for new management connections.

§

Quit

Identical to Exit.

§

Raw(String)

Send a raw command string for anything not yet modeled above. The decoder expects a SUCCESS:/ERROR: response.

§

RawMultiLine(String)

Send a raw command string, expecting a multi-line (END-terminated) response.

Like [Raw], the string is sanitized (newlines/NUL stripped) before sending. Unlike Raw, the decoder accumulates the response into [OvpnMessage::MultiLine].