Enum OvpnCommand 

pub enum OvpnCommand {
    Status(StatusFormat),
    State,
    StateStream(StreamMode),
    Version,
    Pid,
    Help,
    Verb(Option<u8>),
    Mute(Option<u32>),
    Net,
    Log(StreamMode),
    Echo(StreamMode),
    ByteCount(u32),
    Signal(Signal),
    Kill(KillTarget),
    HoldQuery,
    HoldOn,
    HoldOff,
    HoldRelease,
    Username {
        auth_type: AuthType,
        value: Redacted,
    },
    Password {
        auth_type: AuthType,
        value: Redacted,
    },
    AuthRetry(AuthRetryMode),
    ForgetPasswords,
    ChallengeResponse {
        state_id: String,
        response: Redacted,
    },
    StaticChallengeResponse {
        password_b64: Redacted,
        response_b64: Redacted,
    },
    NeedOk {
        name: String,
        response: NeedOkResponse,
    },
    NeedStr {
        name: String,
        value: String,
    },
    Pkcs11IdCount,
    Pkcs11IdGet(u32),
    RsaSig {
        base64_lines: Vec<String>,
    },
    ClientAuth {
        cid: u64,
        kid: u64,
        config_lines: Vec<String>,
    },
    ClientAuthNt {
        cid: u64,
        kid: u64,
    },
    ClientDeny {
        cid: u64,
        kid: u64,
        reason: String,
        client_reason: Option<String>,
    },
    ClientKill {
        cid: u64,
        message: Option<String>,
    },
    Remote(RemoteAction),
    Proxy(ProxyAction),
    LoadStats,
    ClientPendingAuth {
        cid: u64,
        kid: u64,
        extra: String,
        timeout: u32,
    },
    CrResponse {
        response: Redacted,
    },
    Certificate {
        pem_lines: Vec<String>,
    },
    ManagementPassword(Redacted),
    Exit,
    Quit,
    Raw(String),
    RawMultiLine(String),
}

Every command the management interface accepts, modeled as a typed enum.

The encoder handles all serialization — escaping, quoting, multi-line block framing — so callers never assemble raw strings. The Raw variant exists as an escape hatch for commands not yet modeled here.

Sensitive fields (passwords, tokens, challenge responses) are wrapped in Redacted so they are masked in Debug and Display output. Use Redacted::expose to access the raw value for wire encoding.

Variants

Status(StatusFormat)

Request connection status in the given format. Wire: status / status 2 / status 3

State

Print current state (single comma-delimited line). Wire: state

StateStream(StreamMode)

Control real-time state notifications and/or dump history. Wire: state on / state off / state all / state on all / state 3

Version

Print the OpenVPN and management interface version. Wire: version

Pid

Show the PID of the OpenVPN process. Wire: pid

Help

List available management commands. Wire: help

Verb(Option<u8>)

Get or set the log verbosity level (0–15). Verb(None) queries the current level; Verb(Some(n)) sets it. Wire: verb / verb 4

Mute(Option<u32>)

Get or set the mute threshold (suppress repeating messages). Wire: mute / mute 40

Net

(Windows only) Show network adapter list and routing table. Wire: net

Log(StreamMode)

Control real-time log streaming and/or dump log history. Wire: log on / log off / log all / log on all / log 20

Echo(StreamMode)

Control real-time echo parameter notifications. Wire: echo on / echo off / echo all / echo on all

ByteCount(u32)

Enable/disable byte count notifications at N-second intervals. Pass 0 to disable. Wire: bytecount 5 / bytecount 0

Signal(Signal)

Send a signal to the OpenVPN daemon. Wire: signal SIGUSR1

Kill(KillTarget)

Kill a specific client connection (server mode). Wire: kill Test-Client / kill 1.2.3.4:4000

HoldQuery

Query the current hold flag. Wire: hold Response: SUCCESS: hold=0 or SUCCESS: hold=1

HoldOn

Set the hold flag on — future restarts will pause until released. Wire: hold on

HoldOff

Clear the hold flag. Wire: hold off

HoldRelease

Release from hold state and start OpenVPN. Does not change the hold flag itself. Wire: hold release

Username

Supply a username for the given auth type. Wire: username "Auth" myuser

Fields

auth_type: AuthType

Which credential set this username belongs to.

value: Redacted

The username value (redacted in debug output).

Password

Supply a password for the given auth type. The value is escaped and double-quoted per the OpenVPN config-file lexer rules. Wire: password "Private Key" "foo\"bar"

Fields

auth_type: AuthType

Which credential set this password belongs to.

value: Redacted

The password value (redacted in debug output, escaped on the wire).

AuthRetry(AuthRetryMode)

Set the auth-retry strategy. Wire: auth-retry interact

ForgetPasswords

Forget all passwords entered during this management session. Wire: forget-passwords

ChallengeResponse

Respond to a CRV1 dynamic challenge. Wire: password "Auth" "CRV1::state_id::response"

Fields

state_id: String

The opaque state ID from the >PASSWORD: CRV1 notification.

response: Redacted

The user’s response to the challenge (redacted in debug output).

StaticChallengeResponse

Respond to a static challenge (SC). Wire: password "Auth" "SCRV1::base64_password::base64_response"

The caller must pre-encode password and response as base64 — this crate does not include a base64 dependency.

Fields

password_b64: Redacted

Base64-encoded password (redacted in debug output).

response_b64: Redacted

Base64-encoded challenge response (redacted in debug output).

NeedOk

Respond to a >NEED-OK: prompt. Wire: needok token-insertion-request ok / needok ... cancel

Fields

name: String

The prompt name from the >NEED-OK: notification.

response: NeedOkResponse

Accept or cancel.

NeedStr

Respond to a >NEED-STR: prompt with a string value. Wire: needstr name "John"

Fields

name: String

The prompt name from the >NEED-STR: notification.

value: String

The string value to send (will be escaped on the wire).

Pkcs11IdCount

Query available PKCS#11 certificate count. Wire: pkcs11-id-count

Pkcs11IdGet(u32)

Retrieve a PKCS#11 certificate by index. Wire: pkcs11-id-get 1

RsaSig

Provide an RSA signature in response to >RSA_SIGN:. This is a multi-line command: the encoder writes rsa-sig, then each base64 line, then END.

Fields

base64_lines: Vec<String>

Base64-encoded signature lines.

ClientAuth

Authorize a >CLIENT:CONNECT or >CLIENT:REAUTH and push config directives. Multi-line command: header, config lines, END. An empty config_lines produces a null block (header + immediate END), which is equivalent to client-auth-nt in effect.

Fields

cid: u64

Client ID from the >CLIENT: notification.

kid: u64

Key ID from the >CLIENT: notification.

config_lines: Vec<String>

Config directives to push (e.g. push "route ...").

ClientAuthNt

Authorize a client without pushing any config. Wire: client-auth-nt {CID} {KID}

Fields

cid: u64

Client ID.

kid: u64

Key ID.

ClientDeny

Deny a >CLIENT:CONNECT or >CLIENT:REAUTH. Wire: client-deny {CID} {KID} "reason" ["client-reason"]

Fields

cid: u64

Client ID.

kid: u64

Key ID.

reason: String

Server-side reason string (logged but not sent to client).

client_reason: Option<String>

Optional message sent to the client as part of AUTH_FAILED.

ClientKill

Kill a client session by CID, optionally with a custom message. Wire: client-kill {CID} or client-kill {CID} {message} Default message is RESTART if omitted.

Fields

cid: u64

Client ID.

message: Option<String>

Optional kill message (e.g. "HALT", "RESTART"). Defaults to RESTART on the server if None.

Remote(RemoteAction)

Respond to a >REMOTE: notification (requires --management-query-remote). Wire: remote ACCEPT / remote SKIP / remote MOD host port

Proxy(ProxyAction)

Respond to a >PROXY: notification (requires --management-query-proxy). Wire: proxy NONE / proxy HTTP host port [nct] / proxy SOCKS host port

LoadStats

Request aggregated server stats. Wire: load-stats Response: SUCCESS: nclients=N,bytesin=N,bytesout=N

ClientPendingAuth

Defer authentication for a client, allowing async auth backends. Wire: client-pending-auth {CID} {KID} {EXTRA} {TIMEOUT}

Fields

cid: u64

Client ID.

kid: u64

Key ID.

extra: String

Extra opaque string passed to the auth backend.

timeout: u32

Timeout in seconds before the pending auth expires.

CrResponse

Respond to a CR_TEXT challenge (client-side, OpenVPN 2.6+). Wire: cr-response {base64-response}

Fields

response: Redacted

The base64-encoded challenge-response answer (redacted in debug output).

Certificate

Supply an external certificate in response to >NEED-CERTIFICATE. Multi-line command: header, PEM lines, END. Wire: certificate\n{pem_lines}\nEND

Fields

pem_lines: Vec<String>

PEM-encoded certificate lines.

ManagementPassword(Redacted)

Authenticate to the management interface itself. Sent as a bare line (no command prefix, no quoting) in response to crate::OvpnMessage::PasswordPrompt. Wire: {password}\n

Exit

Close the management session. OpenVPN keeps running and resumes listening for new management connections.

Quit

Identical to Exit.

Raw(String)

Send a raw command string for anything not yet modeled above. The decoder expects a SUCCESS:/ERROR: response.

RawMultiLine(String)

Send a raw command string, expecting a multi-line (END-terminated) response.

Like [Raw], the string is passed through the encoder’s wire-safety gate before sending (see crate::EncoderMode). Unlike Raw, the decoder accumulates the response into [OvpnMessage::MultiLine].

Trait Implementations

impl Clone for OvpnCommand

fn clone(&self) -> OvpnCommand

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for OvpnCommand

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Encoder<OvpnCommand> for OvpnCodec

type Error = Error

The type of encoding errors.

fn encode( &mut self, item: OvpnCommand, dst: &mut BytesMut, ) -> Result<(), Self::Error>

Encodes a frame into the buffer provided.

impl<'_derivative_strum> From<&'_derivative_strum OvpnCommand> for &'static str

fn from(x: &'_derivative_strum OvpnCommand) -> &'static str

Converts to this type from the input type.

impl From<OvpnCommand> for &'static str

fn from(x: OvpnCommand) -> &'static str

Converts to this type from the input type.

impl FromStr for OvpnCommand

fn from_str(line: &str) -> Result<Self, Self::Err>

Parse a human-readable command string into an OvpnCommand.

This accepts the same syntax used by interactive management clients: a command name followed by space-separated arguments.

Commands that cannot be represented as a single line (multi-line bodies like rsa-sig, client-auth config lines, certificate PEM) are parsed with comma-separated lines in the argument position.

Unrecognized commands fall through to OvpnCommand::Raw.

Examples

use openvpn_mgmt_codec::OvpnCommand;

let cmd: OvpnCommand = "version".parse().unwrap();
assert_eq!(cmd, OvpnCommand::Version);

let cmd: OvpnCommand = "state on all".parse().unwrap();
assert_eq!(cmd, OvpnCommand::StateStream(openvpn_mgmt_codec::StreamMode::OnAll));

type Err = String

The associated error which can be returned from parsing.

impl PartialEq for OvpnCommand

fn eq(&self, other: &OvpnCommand) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for OvpnCommand

impl StructuralPartialEq for OvpnCommand